Unreviewed, roll out http://trac.webkit.org/changeset/210821
authorfpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 17 Jan 2017 20:25:36 +0000 (20:25 +0000)
committerfpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 17 Jan 2017 20:25:36 +0000 (20:25 +0000)
It was causing crashes.

Source/JavaScriptCore:

* API/JSAPIWrapperObject.mm:
(JSAPIWrapperObjectHandleOwner::finalize):
* API/JSCallbackObject.h:
* API/JSCallbackObjectFunctions.h:
(JSC::JSCallbackObject<Parent>::~JSCallbackObject):
(JSC::JSCallbackObject<Parent>::init):
* API/JSObjectRef.cpp:
(JSObjectGetPrivate):
(JSObjectSetPrivate):
(classInfoPrivate): Deleted.
* bytecode/EvalCodeBlock.cpp:
(JSC::EvalCodeBlock::destroy):
* bytecode/FunctionCodeBlock.cpp:
(JSC::FunctionCodeBlock::destroy):
* bytecode/ModuleProgramCodeBlock.cpp:
(JSC::ModuleProgramCodeBlock::destroy):
* bytecode/ProgramCodeBlock.cpp:
(JSC::ProgramCodeBlock::destroy):
* bytecode/UnlinkedEvalCodeBlock.cpp:
(JSC::UnlinkedEvalCodeBlock::destroy):
* bytecode/UnlinkedFunctionCodeBlock.cpp:
(JSC::UnlinkedFunctionCodeBlock::destroy):
* bytecode/UnlinkedFunctionExecutable.cpp:
(JSC::UnlinkedFunctionExecutable::destroy):
* bytecode/UnlinkedModuleProgramCodeBlock.cpp:
(JSC::UnlinkedModuleProgramCodeBlock::destroy):
* bytecode/UnlinkedProgramCodeBlock.cpp:
(JSC::UnlinkedProgramCodeBlock::destroy):
* heap/CodeBlockSet.cpp:
(JSC::CodeBlockSet::lastChanceToFinalize):
(JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
* heap/MarkedAllocator.cpp:
(JSC::MarkedAllocator::allocateSlowCaseImpl):
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::Handle::sweep):
* jit/JITThunks.cpp:
(JSC::JITThunks::finalize):
* runtime/AbstractModuleRecord.cpp:
(JSC::AbstractModuleRecord::destroy):
* runtime/ExecutableBase.cpp:
(JSC::ExecutableBase::clearCode):
* runtime/JSCellInlines.h:
(JSC::JSCell::classInfo):
(JSC::JSCell::callDestructor):
* runtime/JSLock.h:
(JSC::JSLock::exclusiveThread):
(JSC::JSLock::ownerThread): Deleted.
* runtime/JSModuleNamespaceObject.cpp:
(JSC::JSModuleNamespaceObject::destroy):
* runtime/JSModuleRecord.cpp:
(JSC::JSModuleRecord::destroy):
* runtime/JSPropertyNameEnumerator.cpp:
(JSC::JSPropertyNameEnumerator::destroy):
* runtime/JSSegmentedVariableObject.h:
* runtime/SymbolTable.cpp:
(JSC::SymbolTable::destroy):
* runtime/VM.h:
* wasm/js/JSWebAssemblyCallee.cpp:
(JSC::JSWebAssemblyCallee::destroy):
* wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::WebAssemblyModuleRecord::destroy):
* wasm/js/WebAssemblyToJSCallee.cpp:
(JSC::WebAssemblyToJSCallee::WebAssemblyToJSCallee):
(JSC::WebAssemblyToJSCallee::destroy):

Source/WebCore:

* bindings/js/JSCSSValueCustom.cpp:
(WebCore::JSDeprecatedCSSOMValueOwner::finalize):
* bindings/js/JSDOMIterator.h:
(WebCore::IteratorTraits>::destroy):
* bindings/scripts/CodeGeneratorJS.pm:
(GenerateImplementation):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@210824 268f45cc-cd09-0410-ab3c-d52691b4dbfc

35 files changed:
Source/JavaScriptCore/API/JSAPIWrapperObject.mm
Source/JavaScriptCore/API/JSCallbackObject.h
Source/JavaScriptCore/API/JSCallbackObjectFunctions.h
Source/JavaScriptCore/API/JSObjectRef.cpp
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/bytecode/EvalCodeBlock.cpp
Source/JavaScriptCore/bytecode/FunctionCodeBlock.cpp
Source/JavaScriptCore/bytecode/ModuleProgramCodeBlock.cpp
Source/JavaScriptCore/bytecode/ProgramCodeBlock.cpp
Source/JavaScriptCore/bytecode/UnlinkedEvalCodeBlock.cpp
Source/JavaScriptCore/bytecode/UnlinkedFunctionCodeBlock.cpp
Source/JavaScriptCore/bytecode/UnlinkedFunctionExecutable.cpp
Source/JavaScriptCore/bytecode/UnlinkedModuleProgramCodeBlock.cpp
Source/JavaScriptCore/bytecode/UnlinkedProgramCodeBlock.cpp
Source/JavaScriptCore/heap/CodeBlockSet.cpp
Source/JavaScriptCore/heap/MarkedAllocator.cpp
Source/JavaScriptCore/heap/MarkedBlock.cpp
Source/JavaScriptCore/jit/JITThunks.cpp
Source/JavaScriptCore/runtime/AbstractModuleRecord.cpp
Source/JavaScriptCore/runtime/ExecutableBase.cpp
Source/JavaScriptCore/runtime/JSCellInlines.h
Source/JavaScriptCore/runtime/JSLock.h
Source/JavaScriptCore/runtime/JSModuleNamespaceObject.cpp
Source/JavaScriptCore/runtime/JSModuleRecord.cpp
Source/JavaScriptCore/runtime/JSPropertyNameEnumerator.cpp
Source/JavaScriptCore/runtime/JSSegmentedVariableObject.h
Source/JavaScriptCore/runtime/SymbolTable.cpp
Source/JavaScriptCore/runtime/VM.h
Source/JavaScriptCore/wasm/js/JSWebAssemblyCallee.cpp
Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp
Source/JavaScriptCore/wasm/js/WebAssemblyToJSCallee.cpp
Source/WebCore/ChangeLog
Source/WebCore/bindings/js/JSCSSValueCustom.cpp
Source/WebCore/bindings/js/JSDOMIterator.h
Source/WebCore/bindings/scripts/CodeGeneratorJS.pm

index f301d3e..3f54f43 100644 (file)
@@ -48,7 +48,7 @@ static JSAPIWrapperObjectHandleOwner* jsAPIWrapperObjectHandleOwner()
 
 void JSAPIWrapperObjectHandleOwner::finalize(JSC::Handle<JSC::Unknown> handle, void*)
 {
-    JSC::JSAPIWrapperObject* wrapperObject = static_cast<JSC::JSAPIWrapperObject*>(handle.get().asCell());
+    JSC::JSAPIWrapperObject* wrapperObject = JSC::jsCast<JSC::JSAPIWrapperObject*>(handle.get().asCell());
     if (!wrapperObject->wrappedObject())
         return;
 
index 43749e2..31f2166 100644 (file)
@@ -232,7 +232,6 @@ private:
     static EncodedJSValue callbackGetter(ExecState*, EncodedJSValue, PropertyName);
 
     std::unique_ptr<JSCallbackObjectData> m_callbackObjectData;
-    const ClassInfo* m_classInfo;
 };
 
 } // namespace JSC
index a525f5b..fc8cb3c 100644 (file)
@@ -74,17 +74,11 @@ JSCallbackObject<Parent>::JSCallbackObject(VM& vm, JSClassRef jsClass, Structure
 template <class Parent>
 JSCallbackObject<Parent>::~JSCallbackObject()
 {
-    VM* vm = this->HeapCell::vm();
-    vm->currentlyDestructingCallbackObject = this;
-    ASSERT(m_classInfo);
-    vm->currentlyDestructingCallbackObjectClassInfo = m_classInfo;
     JSObjectRef thisRef = toRef(static_cast<JSObject*>(this));
     for (JSClassRef jsClass = classRef(); jsClass; jsClass = jsClass->parentClass) {
         if (JSObjectFinalizeCallback finalize = jsClass->finalize)
             finalize(thisRef);
     }
-    vm->currentlyDestructingCallbackObject = nullptr;
-    vm->currentlyDestructingCallbackObjectClassInfo = nullptr;
 }
     
 template <class Parent>
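Review bot: The user-supplied `finalize` callbacks invoked on L153-L154 run while this object's destructor is in progress, and with the VM-side `currentlyDestructingCallbackObject` bookkeeping removed there is nothing left in this file saying what those callbacks may safely touch. Any JSC API they call — `JSObjectGetPrivate` is the documented case, and it now goes through `inherits()`/`classInfo()` — must tolerate a cell under destruction, which this commit makes the responsibility of `JSCell::classInfo()` alone. A comment above the loop would record that contract: `// Runs the JSClassRef finalize chain mid-destruction; any JSC API a callback uses (e.g. JSObjectGetPrivate) must be safe to call on a cell being destructed.` The enclosing template class continues outside this hunk.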
@@ -123,8 +117,6 @@ void JSCallbackObject<Parent>::init(ExecState* exec)
         JSObjectInitializeCallback initialize = initRoutines[i];
         initialize(toRef(exec), toRef(this));
     }
-    
-    m_classInfo = this->classInfo();
 }
 
 template <class Parent>
index 5b3d37d..bc96eb1 100644 (file)
@@ -380,38 +380,21 @@ bool JSObjectDeleteProperty(JSContextRef ctx, JSObjectRef object, JSStringRef pr
     return result;
 }
 
-// API objects have private properties, which may get accessed during destruction. This
-// helper lets us get the ClassInfo of an API object from a function that may get called
-// during destruction.
-static const ClassInfo* classInfoPrivate(JSObject* jsObject)
-{
-    VM* vm = jsObject->vm();
-    
-    if (vm->currentlyDestructingCallbackObject != jsObject)
-        return jsObject->classInfo();
-
-    return vm->currentlyDestructingCallbackObjectClassInfo;
-}
-
 void* JSObjectGetPrivate(JSObjectRef object)
 {
     JSObject* jsObject = uncheckedToJS(object);
 
-    const ClassInfo* classInfo = classInfoPrivate(jsObject);
-    
     // Get wrapped object if proxied
-    if (classInfo->isSubClassOf(JSProxy::info())) {
-        jsObject = static_cast<JSProxy*>(jsObject)->target();
-        classInfo = jsObject->classInfo();
-    }
+    if (jsObject->inherits(JSProxy::info()))
+        jsObject = jsCast<JSProxy*>(jsObject)->target();
 
-    if (classInfo->isSubClassOf(JSCallbackObject<JSGlobalObject>::info()))
-        return static_cast<JSCallbackObject<JSGlobalObject>*>(jsObject)->getPrivate();
-    if (classInfo->isSubClassOf(JSCallbackObject<JSDestructibleObject>::info()))
-        return static_cast<JSCallbackObject<JSDestructibleObject>*>(jsObject)->getPrivate();
+    if (jsObject->inherits(JSCallbackObject<JSGlobalObject>::info()))
+        return jsCast<JSCallbackObject<JSGlobalObject>*>(jsObject)->getPrivate();
+    if (jsObject->inherits(JSCallbackObject<JSDestructibleObject>::info()))
+        return jsCast<JSCallbackObject<JSDestructibleObject>*>(jsObject)->getPrivate();
 #if JSC_OBJC_API_ENABLED
-    if (classInfo->isSubClassOf(JSCallbackObject<JSAPIWrapperObject>::info()))
-        return static_cast<JSCallbackObject<JSAPIWrapperObject>*>(jsObject)->getPrivate();
+    if (jsObject->inherits(JSCallbackObject<JSAPIWrapperObject>::info()))
+        return jsCast<JSCallbackObject<JSAPIWrapperObject>*>(jsObject)->getPrivate();
 #endif
     
     return 0;
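Review bot: The restored `jsObject->inherits(...)` checks on L199, L206, L208 and L213 call `classInfo()` on a cell that may be mid-destruction, because this function is legitimately reached from JSClassRef finalize callbacks — the `classInfoPrivate` helper deleted on L175-L186 existed for exactly that reason, per its own comment. Nothing in the restored code records that dependency, so a later simplification of `JSCell::classInfo()` could reintroduce the crash that motivated this rollout. A one-line comment before the proxy check would pin it: `// May be called from a finalize callback during destruction; relies on JSCell::classInfo() being safe on a destructible cell.`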
@@ -421,24 +404,20 @@ bool JSObjectSetPrivate(JSObjectRef object, void* data)
 {
     JSObject* jsObject = uncheckedToJS(object);
 
-    const ClassInfo* classInfo = classInfoPrivate(jsObject);
-    
     // Get wrapped object if proxied
-    if (classInfo->isSubClassOf(JSProxy::info())) {
+    if (jsObject->inherits(JSProxy::info()))
         jsObject = jsCast<JSProxy*>(jsObject)->target();
-        classInfo = jsObject->classInfo();
-    }
 
-    if (classInfo->isSubClassOf(JSCallbackObject<JSGlobalObject>::info())) {
+    if (jsObject->inherits(JSCallbackObject<JSGlobalObject>::info())) {
         jsCast<JSCallbackObject<JSGlobalObject>*>(jsObject)->setPrivate(data);
         return true;
     }
-    if (classInfo->isSubClassOf(JSCallbackObject<JSDestructibleObject>::info())) {
+    if (jsObject->inherits(JSCallbackObject<JSDestructibleObject>::info())) {
         jsCast<JSCallbackObject<JSDestructibleObject>*>(jsObject)->setPrivate(data);
         return true;
     }
 #if JSC_OBJC_API_ENABLED
-    if (classInfo->isSubClassOf(JSCallbackObject<JSAPIWrapperObject>::info())) {
+    if (jsObject->inherits(JSCallbackObject<JSAPIWrapperObject>::info())) {
         jsCast<JSCallbackObject<JSAPIWrapperObject>*>(jsObject)->setPrivate(data);
         return true;
     }
index 7193754..006187b 100644 (file)
@@ -1,3 +1,73 @@
+2017-01-17  Filip Pizlo  <fpizlo@apple.com>
+
+        Unreviewed, roll out http://trac.webkit.org/changeset/210821
+        It was causing crashes.
+
+        * API/JSAPIWrapperObject.mm:
+        (JSAPIWrapperObjectHandleOwner::finalize):
+        * API/JSCallbackObject.h:
+        * API/JSCallbackObjectFunctions.h:
+        (JSC::JSCallbackObject<Parent>::~JSCallbackObject):
+        (JSC::JSCallbackObject<Parent>::init):
+        * API/JSObjectRef.cpp:
+        (JSObjectGetPrivate):
+        (JSObjectSetPrivate):
+        (classInfoPrivate): Deleted.
+        * bytecode/EvalCodeBlock.cpp:
+        (JSC::EvalCodeBlock::destroy):
+        * bytecode/FunctionCodeBlock.cpp:
+        (JSC::FunctionCodeBlock::destroy):
+        * bytecode/ModuleProgramCodeBlock.cpp:
+        (JSC::ModuleProgramCodeBlock::destroy):
+        * bytecode/ProgramCodeBlock.cpp:
+        (JSC::ProgramCodeBlock::destroy):
+        * bytecode/UnlinkedEvalCodeBlock.cpp:
+        (JSC::UnlinkedEvalCodeBlock::destroy):
+        * bytecode/UnlinkedFunctionCodeBlock.cpp:
+        (JSC::UnlinkedFunctionCodeBlock::destroy):
+        * bytecode/UnlinkedFunctionExecutable.cpp:
+        (JSC::UnlinkedFunctionExecutable::destroy):
+        * bytecode/UnlinkedModuleProgramCodeBlock.cpp:
+        (JSC::UnlinkedModuleProgramCodeBlock::destroy):
+        * bytecode/UnlinkedProgramCodeBlock.cpp:
+        (JSC::UnlinkedProgramCodeBlock::destroy):
+        * heap/CodeBlockSet.cpp:
+        (JSC::CodeBlockSet::lastChanceToFinalize):
+        (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
+        * heap/MarkedAllocator.cpp:
+        (JSC::MarkedAllocator::allocateSlowCaseImpl):
+        * heap/MarkedBlock.cpp:
+        (JSC::MarkedBlock::Handle::sweep):
+        * jit/JITThunks.cpp:
+        (JSC::JITThunks::finalize):
+        * runtime/AbstractModuleRecord.cpp:
+        (JSC::AbstractModuleRecord::destroy):
+        * runtime/ExecutableBase.cpp:
+        (JSC::ExecutableBase::clearCode):
+        * runtime/JSCellInlines.h:
+        (JSC::JSCell::classInfo):
+        (JSC::JSCell::callDestructor):
+        * runtime/JSLock.h:
+        (JSC::JSLock::exclusiveThread):
+        (JSC::JSLock::ownerThread): Deleted.
+        * runtime/JSModuleNamespaceObject.cpp:
+        (JSC::JSModuleNamespaceObject::destroy):
+        * runtime/JSModuleRecord.cpp:
+        (JSC::JSModuleRecord::destroy):
+        * runtime/JSPropertyNameEnumerator.cpp:
+        (JSC::JSPropertyNameEnumerator::destroy):
+        * runtime/JSSegmentedVariableObject.h:
+        * runtime/SymbolTable.cpp:
+        (JSC::SymbolTable::destroy):
+        * runtime/VM.h:
+        * wasm/js/JSWebAssemblyCallee.cpp:
+        (JSC::JSWebAssemblyCallee::destroy):
+        * wasm/js/WebAssemblyModuleRecord.cpp:
+        (JSC::WebAssemblyModuleRecord::destroy):
+        * wasm/js/WebAssemblyToJSCallee.cpp:
+        (JSC::WebAssemblyToJSCallee::WebAssemblyToJSCallee):
+        (JSC::WebAssemblyToJSCallee::destroy):
+
 2017-01-16  Filip Pizlo  <fpizlo@apple.com>
 
         JSCell::classInfo() shouldn't have a bunch of mitigations for being called during destruction
index 5232a0e..c2cccbc 100644 (file)
@@ -39,7 +39,7 @@ const ClassInfo EvalCodeBlock::s_info = {
 
 void EvalCodeBlock::destroy(JSCell* cell)
 {
-    static_cast<EvalCodeBlock*>(cell)->~EvalCodeBlock();
+    jsCast<EvalCodeBlock*>(cell)->~EvalCodeBlock();
 }
 
 } // namespace JSC
index 56eadc6..609674a 100644 (file)
@@ -39,7 +39,7 @@ const ClassInfo FunctionCodeBlock::s_info = {
 
 void FunctionCodeBlock::destroy(JSCell* cell)
 {
-    static_cast<FunctionCodeBlock*>(cell)->~FunctionCodeBlock();
+    jsCast<FunctionCodeBlock*>(cell)->~FunctionCodeBlock();
 }
 
 } // namespace JSC
index 3d54c3a..6073366 100644 (file)
@@ -39,7 +39,7 @@ const ClassInfo ModuleProgramCodeBlock::s_info = {
 
 void ModuleProgramCodeBlock::destroy(JSCell* cell)
 {
-    static_cast<ModuleProgramCodeBlock*>(cell)->~ModuleProgramCodeBlock();
+    jsCast<ModuleProgramCodeBlock*>(cell)->~ModuleProgramCodeBlock();
 }
 
 } // namespace JSC
index b4fac57..bee5105 100644 (file)
@@ -39,7 +39,7 @@ const ClassInfo ProgramCodeBlock::s_info = {
 
 void ProgramCodeBlock::destroy(JSCell* cell)
 {
-    static_cast<ProgramCodeBlock*>(cell)->~ProgramCodeBlock();
+    jsCast<ProgramCodeBlock*>(cell)->~ProgramCodeBlock();
 }
 
 } // namespace JSC
index 07f9916..75c43fb 100644 (file)
@@ -34,7 +34,7 @@ const ClassInfo UnlinkedEvalCodeBlock::s_info = { "UnlinkedEvalCodeBlock", &Base
 
 void UnlinkedEvalCodeBlock::destroy(JSCell* cell)
 {
-    static_cast<UnlinkedEvalCodeBlock*>(cell)->~UnlinkedEvalCodeBlock();
+    jsCast<UnlinkedEvalCodeBlock*>(cell)->~UnlinkedEvalCodeBlock();
 }
 
 }
index 151d560..64d14cd 100644 (file)
@@ -34,7 +34,7 @@ const ClassInfo UnlinkedFunctionCodeBlock::s_info = { "UnlinkedFunctionCodeBlock
 
 void UnlinkedFunctionCodeBlock::destroy(JSCell* cell)
 {
-    static_cast<UnlinkedFunctionCodeBlock*>(cell)->~UnlinkedFunctionCodeBlock();
+    jsCast<UnlinkedFunctionCodeBlock*>(cell)->~UnlinkedFunctionCodeBlock();
 }
 
 }
index 066bc67..c11ab95 100644 (file)
@@ -119,7 +119,7 @@ UnlinkedFunctionExecutable::UnlinkedFunctionExecutable(VM* vm, Structure* struct
 
 void UnlinkedFunctionExecutable::destroy(JSCell* cell)
 {
-    static_cast<UnlinkedFunctionExecutable*>(cell)->~UnlinkedFunctionExecutable();
+    jsCast<UnlinkedFunctionExecutable*>(cell)->~UnlinkedFunctionExecutable();
 }
 
 void UnlinkedFunctionExecutable::visitChildren(JSCell* cell, SlotVisitor& visitor)
index 00f36c0..789887e 100644 (file)
@@ -42,7 +42,7 @@ void UnlinkedModuleProgramCodeBlock::visitChildren(JSCell* cell, SlotVisitor& vi
 
 void UnlinkedModuleProgramCodeBlock::destroy(JSCell* cell)
 {
-    static_cast<UnlinkedModuleProgramCodeBlock*>(cell)->~UnlinkedModuleProgramCodeBlock();
+    jsCast<UnlinkedModuleProgramCodeBlock*>(cell)->~UnlinkedModuleProgramCodeBlock();
 }
 
 }
index 95df299..69346b3 100644 (file)
@@ -42,7 +42,7 @@ void UnlinkedProgramCodeBlock::visitChildren(JSCell* cell, SlotVisitor& visitor)
 
 void UnlinkedProgramCodeBlock::destroy(JSCell* cell)
 {
-    static_cast<UnlinkedProgramCodeBlock*>(cell)->~UnlinkedProgramCodeBlock();
+    jsCast<UnlinkedProgramCodeBlock*>(cell)->~UnlinkedProgramCodeBlock();
 }
 
 }
index 8819a45..b0b928f 100644 (file)
@@ -65,10 +65,10 @@ void CodeBlockSet::lastChanceToFinalize()
 {
     LockHolder locker(&m_lock);
     for (CodeBlock* codeBlock : m_newCodeBlocks)
-        codeBlock->structure()->classInfo()->methodTable.destroy(codeBlock);
+        codeBlock->classInfo()->methodTable.destroy(codeBlock);
 
     for (CodeBlock* codeBlock : m_oldCodeBlocks)
-        codeBlock->structure()->classInfo()->methodTable.destroy(codeBlock);
+        codeBlock->classInfo()->methodTable.destroy(codeBlock);
 }
 
 void CodeBlockSet::deleteUnmarkedAndUnreferenced(CollectionScope scope)
@@ -83,7 +83,7 @@ void CodeBlockSet::deleteUnmarkedAndUnreferenced(CollectionScope scope)
             unmarked.append(codeBlock);
         }
         for (CodeBlock* codeBlock : unmarked) {
-            codeBlock->structure()->classInfo()->methodTable.destroy(codeBlock);
+            codeBlock->classInfo()->methodTable.destroy(codeBlock);
             set.remove(codeBlock);
         }
         unmarked.resize(0);
index 101760b..0280cd7 100644 (file)
@@ -211,7 +211,7 @@ void* MarkedAllocator::allocateSlowCaseImpl(GCDeferralContext* deferralContext,
     
     didConsumeFreeList();
     
-    AllocatingScope helpingHeap(*m_heap);
+    AllocatingScope healpingHeap(*m_heap);
 
     m_heap->collectIfNecessaryOrDefer(deferralContext);
     
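Review bot: The revert reintroduces the misspelling `healpingHeap` on L441. The identifier is a scope guard that is never referenced again in the hunk, so keeping the corrected `AllocatingScope helpingHeap(*m_heap);` from the rolled-out change has no effect on the rollback itself. Suggest restoring the spelling in a follow-up so the typo does not outlive this revert.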
index 262d501..87b763f 100644 (file)
@@ -26,7 +26,6 @@
 #include "config.h"
 #include "MarkedBlock.h"
 
-#include "HelpingGCScope.h"
 #include "JSCell.h"
 #include "JSDestructibleObject.h"
 #include "JSCInlines.h"
@@ -196,9 +195,6 @@ FreeList MarkedBlock::Handle::specializedSweep()
 
 FreeList MarkedBlock::Handle::sweep(SweepMode sweepMode)
 {
-    // FIXME: Maybe HelpingGCScope should just be called SweepScope?
-    HelpingGCScope helpingGCScope(*heap());
-    
     m_allocator->setIsUnswept(NoLockingNecessary, this, false);
     
     m_weakSet.sweep();
index 60c3cc7..40c12ce 100644 (file)
@@ -84,7 +84,7 @@ MacroAssemblerCodeRef JITThunks::ctiStub(VM* vm, ThunkGenerator generator)
 
 void JITThunks::finalize(Handle<Unknown> handle, void*)
 {
-    auto* nativeExecutable = static_cast<NativeExecutable*>(handle.get().asCell());
+    auto* nativeExecutable = jsCast<NativeExecutable*>(handle.get().asCell());
     weakRemove(*m_hostFunctionStubMap, std::make_tuple(nativeExecutable->function(), nativeExecutable->constructor(), nativeExecutable->name()), nativeExecutable);
 }
 
index 015e3e3..a2caa45 100644 (file)
@@ -46,7 +46,7 @@ AbstractModuleRecord::AbstractModuleRecord(VM& vm, Structure* structure, const I
 
 void AbstractModuleRecord::destroy(JSCell* cell)
 {
-    AbstractModuleRecord* thisObject = static_cast<AbstractModuleRecord*>(cell);
+    AbstractModuleRecord* thisObject = jsCast<AbstractModuleRecord*>(cell);
     thisObject->AbstractModuleRecord::~AbstractModuleRecord();
 }
 
index 73f1ac5..d31fc48 100644 (file)
@@ -60,36 +60,36 @@ void ExecutableBase::clearCode()
     m_numParametersForCall = NUM_PARAMETERS_NOT_COMPILED;
     m_numParametersForConstruct = NUM_PARAMETERS_NOT_COMPILED;
 
-    if (structure()->classInfo() == FunctionExecutable::info()) {
-        FunctionExecutable* executable = static_cast<FunctionExecutable*>(this);
+    if (classInfo() == FunctionExecutable::info()) {
+        FunctionExecutable* executable = jsCast<FunctionExecutable*>(this);
         executable->m_codeBlockForCall.clear();
         executable->m_codeBlockForConstruct.clear();
         return;
     }
 
-    if (structure()->classInfo() == EvalExecutable::info()) {
-        EvalExecutable* executable = static_cast<EvalExecutable*>(this);
+    if (classInfo() == EvalExecutable::info()) {
+        EvalExecutable* executable = jsCast<EvalExecutable*>(this);
         executable->m_evalCodeBlock.clear();
         executable->m_unlinkedEvalCodeBlock.clear();
         return;
     }
     
-    if (structure()->classInfo() == ProgramExecutable::info()) {
-        ProgramExecutable* executable = static_cast<ProgramExecutable*>(this);
+    if (classInfo() == ProgramExecutable::info()) {
+        ProgramExecutable* executable = jsCast<ProgramExecutable*>(this);
         executable->m_programCodeBlock.clear();
         executable->m_unlinkedProgramCodeBlock.clear();
         return;
     }
 
-    if (structure()->classInfo() == ModuleProgramExecutable::info()) {
-        ModuleProgramExecutable* executable = static_cast<ModuleProgramExecutable*>(this);
+    if (classInfo() == ModuleProgramExecutable::info()) {
+        ModuleProgramExecutable* executable = jsCast<ModuleProgramExecutable*>(this);
         executable->m_moduleProgramCodeBlock.clear();
         executable->m_unlinkedModuleProgramCodeBlock.clear();
         executable->m_moduleEnvironmentSymbolTable.clear();
         return;
     }
     
-    ASSERT(structure()->classInfo() == NativeExecutable::info());
+    ASSERT(classInfo() == NativeExecutable::info());
 }
 
 void ExecutableBase::dump(PrintStream& out) const
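Review bot: The trailing `ASSERT(classInfo() == NativeExecutable::info())` on L527 is debug-only, so in a release build an `ExecutableBase` whose classInfo matches none of the four exact `==` compares (L491, L500, L509, L518) falls through and clears nothing. Because these are exact-match tests rather than `inherits()` checks, a future Executable subclass would silently keep its code blocks alive with no diagnostic. A comment on the assert would make the closed set explicit, e.g. `// Exact classInfo matches: a new Executable subclass must be added above or its code blocks are never cleared.`, or the assert could become a release-mode assertion if that is the convention in this tree. `clearCode()`'s signature is outside the hunk.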
index b7f181b..2ffe851 100644 (file)
@@ -267,13 +267,17 @@ inline bool JSCell::canUseFastGetOwnProperty(const Structure& structure)
 
 ALWAYS_INLINE const ClassInfo* JSCell::classInfo() const
 {
-    VM* vm;
-    if (isLargeAllocation())
-        vm = largeAllocation().vm();
-    else
-        vm = markedBlock().vm();
-    ASSERT(vm->heap.mutatorState() == MutatorState::Running || vm->apiLock().ownerThread() != std::this_thread::get_id());
-    return structure(*vm)->classInfo();
+    if (isLargeAllocation()) {
+        LargeAllocation& allocation = largeAllocation();
+        if (allocation.attributes().destruction == NeedsDestruction
+            && !(inlineTypeFlags() & StructureIsImmortal))
+            return static_cast<const JSDestructibleObject*>(this)->classInfo();
+        return structure(*allocation.vm())->classInfo();
+    }
+    MarkedBlock& block = markedBlock();
+    if (block.needsDestruction() && !(inlineTypeFlags() & StructureIsImmortal))
+        return static_cast<const JSDestructibleObject*>(this)->classInfo();
+    return structure(*block.vm())->classInfo();
 }
 
 inline bool JSCell::toBoolean(ExecState* exec) const
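Review bot: The restored `JSCell::classInfo()` on L543-L553 takes a separate path for cells that need destruction and are not `StructureIsImmortal`, reading a classInfo cached on `JSDestructibleObject` via `static_cast<const JSDestructibleObject*>(this)` instead of `structure(vm)->classInfo()`, but carries no comment saying why or what makes that cast sound. The rolled-out change's title (L321) describes these branches as "mitigations for being called during destruction", and the crashes that forced this rollout are the evidence that they are load-bearing, so they deserve to be written down rather than rediscovered. Suggest a comment above the first branch: `// Destructible, non-immortal cells are assumed to be JSDestructibleObjects; use the classInfo cached on the object, since structure() is presumably not reliable while the cell is being destructed — see the rollout of r210821.` The cast is only correct if every such cell really is a JSDestructibleObject; that invariant is not visible here and should be named wherever it is enforced.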
@@ -303,7 +307,7 @@ inline void JSCell::callDestructor(VM& vm)
         MethodTable::DestroyFunctionPtr destroy = classInfo->methodTable.destroy;
         destroy(this);
     } else
-        static_cast<JSDestructibleObject*>(this)->classInfo()->methodTable.destroy(this);
+        jsCast<JSDestructibleObject*>(this)->classInfo()->methodTable.destroy(this);
     zap();
 }
 
index 31171b4..75ee783 100644 (file)
@@ -99,7 +99,6 @@ public:
         ASSERT(m_hasExclusiveThread);
         return m_ownerThreadID;
     }
-    std::thread::id ownerThread() const { return m_ownerThreadID; }
     JS_EXPORT_PRIVATE void setExclusiveThread(std::thread::id);
     JS_EXPORT_PRIVATE bool currentThreadIsHoldingLock();
 
index b91ee0f..d968c5c 100644 (file)
@@ -83,7 +83,7 @@ void JSModuleNamespaceObject::finishCreation(ExecState* exec, JSGlobalObject* gl
 
 void JSModuleNamespaceObject::destroy(JSCell* cell)
 {
-    JSModuleNamespaceObject* thisObject = static_cast<JSModuleNamespaceObject*>(cell);
+    JSModuleNamespaceObject* thisObject = jsCast<JSModuleNamespaceObject*>(cell);
     thisObject->JSModuleNamespaceObject::~JSModuleNamespaceObject();
 }
 
index 9f73523..b786ff2 100644 (file)
@@ -59,7 +59,7 @@ JSModuleRecord::JSModuleRecord(VM& vm, Structure* structure, const Identifier& m
 
 void JSModuleRecord::destroy(JSCell* cell)
 {
-    JSModuleRecord* thisObject = static_cast<JSModuleRecord*>(cell);
+    JSModuleRecord* thisObject = jsCast<JSModuleRecord*>(cell);
     thisObject->JSModuleRecord::~JSModuleRecord();
 }
 
index dfd9651..67efdf7 100644 (file)
@@ -83,7 +83,7 @@ void JSPropertyNameEnumerator::finishCreation(VM& vm, uint32_t indexedLength, ui
 
 void JSPropertyNameEnumerator::destroy(JSCell* cell)
 {
-    static_cast<JSPropertyNameEnumerator*>(cell)->JSPropertyNameEnumerator::~JSPropertyNameEnumerator();
+    jsCast<JSPropertyNameEnumerator*>(cell)->JSPropertyNameEnumerator::~JSPropertyNameEnumerator();
 }
 
 void JSPropertyNameEnumerator::visitChildren(JSCell* cell, SlotVisitor& visitor)
index d5c3195..60a7ac1 100644 (file)
@@ -47,8 +47,6 @@ class LLIntOffsetsExtractor;
 // JSSegmentedVariableObject has its own GC tracing functionality, since it knows the
 // exact dimensions of the variables array at all times.
 
-// Except for JSGlobalObject, subclasses of this don't call the destructor and leak memory.
-
 class JSSegmentedVariableObject : public JSSymbolTableObject {
     friend class JIT;
     friend class LLIntOffsetsExtractor;
index 55c6dd2..8101944 100644 (file)
@@ -49,7 +49,7 @@ SymbolTableEntry& SymbolTableEntry::copySlow(const SymbolTableEntry& other)
 
 void SymbolTable::destroy(JSCell* cell)
 {
-    SymbolTable* thisObject = static_cast<SymbolTable*>(cell);
+    SymbolTable* thisObject = jsCast<SymbolTable*>(cell);
     thisObject->SymbolTable::~SymbolTable();
 }
 
index b5f1499..2a82fe0 100644 (file)
@@ -363,9 +363,6 @@ public:
     std::once_flag m_wasmSignatureInformationOnceFlag;
     std::unique_ptr<Wasm::SignatureInformation> m_wasmSignatureInformation;
 #endif
-    
-    JSCell* currentlyDestructingCallbackObject;
-    const ClassInfo* currentlyDestructingCallbackObjectClassInfo;
 
     AtomicStringTable* m_atomicStringTable;
     WTF::SymbolRegistry m_symbolRegistry;
index c27712a..4db9269 100644 (file)
@@ -47,7 +47,7 @@ void JSWebAssemblyCallee::finishCreation(VM& vm, Wasm::Entrypoint&& entrypoint)
 
 void JSWebAssemblyCallee::destroy(JSCell* cell)
 {
-    JSWebAssemblyCallee* thisObject = static_cast<JSWebAssemblyCallee*>(cell);
+    JSWebAssemblyCallee* thisObject = jsCast<JSWebAssemblyCallee*>(cell);
     thisObject->JSWebAssemblyCallee::~JSWebAssemblyCallee();
 }
 
index b695f41..9eff4c4 100644 (file)
@@ -64,7 +64,7 @@ WebAssemblyModuleRecord::WebAssemblyModuleRecord(VM& vm, Structure* structure, c
 
 void WebAssemblyModuleRecord::destroy(JSCell* cell)
 {
-    WebAssemblyModuleRecord* thisObject = static_cast<WebAssemblyModuleRecord*>(cell);
+    WebAssemblyModuleRecord* thisObject = jsCast<WebAssemblyModuleRecord*>(cell);
     thisObject->WebAssemblyModuleRecord::~WebAssemblyModuleRecord();
 }
 
index 4e891a0..24ea801 100644 (file)
@@ -48,8 +48,7 @@ Structure* WebAssemblyToJSCallee::createStructure(VM& vm, JSGlobalObject* global
 
 WebAssemblyToJSCallee::WebAssemblyToJSCallee(VM& vm, Structure* structure)
     : Base(vm, structure)
-{
-}
+{ }
 
 void WebAssemblyToJSCallee::finishCreation(VM& vm)
 {
@@ -58,7 +57,7 @@ void WebAssemblyToJSCallee::finishCreation(VM& vm)
 
 void WebAssemblyToJSCallee::destroy(JSCell* cell)
 {
-    WebAssemblyToJSCallee* thisObject = static_cast<WebAssemblyToJSCallee*>(cell);
+    WebAssemblyToJSCallee* thisObject = jsCast<WebAssemblyToJSCallee*>(cell);
     thisObject->WebAssemblyToJSCallee::~WebAssemblyToJSCallee();
 }
 
index e4130a6..fb781e7 100644 (file)
@@ -1,3 +1,15 @@
+2017-01-17  Filip Pizlo  <fpizlo@apple.com>
+
+        Unreviewed, roll out http://trac.webkit.org/changeset/210821
+        It was causing crashes.
+
+        * bindings/js/JSCSSValueCustom.cpp:
+        (WebCore::JSDeprecatedCSSOMValueOwner::finalize):
+        * bindings/js/JSDOMIterator.h:
+        (WebCore::IteratorTraits>::destroy):
+        * bindings/scripts/CodeGeneratorJS.pm:
+        (GenerateImplementation):
+
 2017-01-17  Joseph Pecoraro  <pecoraro@apple.com>
 
         Crash when closing tab with debugger paused
index 13e2370..01e3374 100644 (file)
@@ -50,7 +50,7 @@ bool JSDeprecatedCSSOMValueOwner::isReachableFromOpaqueRoots(JSC::Handle<JSC::Un
 
 void JSDeprecatedCSSOMValueOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
 {
-    JSDeprecatedCSSOMValue* jsCSSValue = static_cast<JSDeprecatedCSSOMValue*>(handle.slot()->asCell());
+    JSDeprecatedCSSOMValue* jsCSSValue = jsCast<JSDeprecatedCSSOMValue*>(handle.slot()->asCell());
     DOMWrapperWorld& world = *static_cast<DOMWrapperWorld*>(context);
     world.m_deprecatedCSSOMValueRoots.remove(&jsCSSValue->wrapped());
     uncacheWrapper(world, &jsCSSValue->wrapped(), jsCSSValue);
index 7c1d5ce..3c5fe0e 100644 (file)
@@ -225,7 +225,7 @@ template<typename JSIterator> JSC::JSValue iteratorForEach(JSC::ExecState& state
 template<typename JSWrapper, typename IteratorTraits>
 void JSDOMIterator<JSWrapper, IteratorTraits>::destroy(JSCell* cell)
 {
-    JSDOMIterator<JSWrapper, IteratorTraits>* thisObject = static_cast<JSDOMIterator<JSWrapper, IteratorTraits>*>(cell);
+    JSDOMIterator<JSWrapper, IteratorTraits>* thisObject = JSC::jsCast<JSDOMIterator<JSWrapper, IteratorTraits>*>(cell);
     thisObject->JSDOMIterator<JSWrapper, IteratorTraits>::~JSDOMIterator();
 }
 
index 71b26d4..b05e4fd 100644 (file)
@@ -4243,7 +4243,7 @@ END
     if (ShouldGenerateWrapperOwnerCode($hasParent, $interface) && !$interface->extendedAttributes->{JSCustomFinalize}) {
         push(@implContent, "void JS${interfaceName}Owner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)\n");
         push(@implContent, "{\n");
-        push(@implContent, "    auto* js${interfaceName} = static_cast<JS${interfaceName}*>(handle.slot()->asCell());\n");
+        push(@implContent, "    auto* js${interfaceName} = jsCast<JS${interfaceName}*>(handle.slot()->asCell());\n");
         push(@implContent, "    auto& world = *static_cast<DOMWrapperWorld*>(context);\n");
         push(@implContent, "    uncacheWrapper(world, &js${interfaceName}->wrapped(), js${interfaceName});\n");
         push(@implContent, "}\n\n");