Add didBecomePrototype() calls to global context prototypes
authorkeith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 25 Jun 2019 21:19:21 +0000 (21:19 +0000)
committerkeith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 25 Jun 2019 21:19:21 +0000 (21:19 +0000)
https://bugs.webkit.org/show_bug.cgi?id=199202

Reviewed by Mark Lam.

This fixes some crashes related to asserting that all prototypes
have been marked as such in JSC from
https://trac.webkit.org/changeset/246801. It's ok to call
didBecomePrototype here as we are setting up the world state right now
so we won't be having a bad time.

We don't automatically call didBecomePrototype() for
setPrototypeWithoutTransition because existing objects may already
have this structure so it seems more reasonable to be explicit
there.

* bindings/js/JSWindowProxy.cpp:
(WebCore::JSWindowProxy::setWindow):
* bindings/js/WorkerScriptController.cpp:
(WebCore::WorkerScriptController::initScript):
* worklets/WorkletScriptController.cpp:
(WebCore::WorkletScriptController::initScriptWithSubclass):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@246808 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebCore/ChangeLog
Source/WebCore/bindings/js/JSWindowProxy.cpp
Source/WebCore/bindings/js/WorkerScriptController.cpp
Source/WebCore/worklets/WorkletScriptController.cpp

index fc5ff08..e488656 100644 (file)
@@ -1,3 +1,28 @@
+2019-06-25  Keith Miller  <keith_miller@apple.com>
+
+        Add didBecomePrototype() calls to global context prototypes
+        https://bugs.webkit.org/show_bug.cgi?id=199202
+
+        Reviewed by Mark Lam.
+
+        This fixes some crashes related to asserting that all prototypes
+        have been marked as such in JSC from
+        https://trac.webkit.org/changeset/246801. It's ok to call
+        didBecomePrototype here as we setting up the world state right now
+        so we won't be having a bad time.
+
+        We don't automatically call didBecomePrototype() for
+        setPrototypeWithoutTransition because existing objects may already
+        have this structure so it seems more reasonable to be explicit
+        there.
+
+        * bindings/js/JSWindowProxy.cpp:
+        (WebCore::JSWindowProxy::setWindow):
+        * bindings/js/WorkerScriptController.cpp:
+        (WebCore::WorkerScriptController::initScript):
+        * worklets/WorkletScriptController.cpp:
+        (WebCore::WorkletScriptController::initScriptWithSubclass):
+
 2019-06-25  Joseph Pecoraro  <pecoraro@apple.com>
 
         Web Inspector: Implement console.timeLog
index bf0e225..c229749 100644 (file)
@@ -111,6 +111,7 @@ void JSWindowProxy::setWindow(AbstractDOMWindow& domWindow)
 
     auto& propertiesStructure = *JSDOMWindowProperties::createStructure(vm, window, JSEventTarget::prototype(vm, *window));
     auto& properties = *JSDOMWindowProperties::create(&propertiesStructure, *window);
+    properties.didBecomePrototype();
     prototype->structure(vm)->setPrototypeWithoutTransition(vm, &properties);
 
     setWindow(vm, *window);
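Review bot: The new `properties.didBecomePrototype();` line carries no comment saying why the marking has to be explicit, and the rationale (setPrototypeWithoutTransition cannot do it because existing objects may already share the structure) lives only in the ChangeLog, where the next editor of this function will not see it. Suggest `// setPrototypeWithoutTransition() does not mark its argument as a prototype (existing objects may share the structure), so mark it explicitly before installing it.` above the call. The ordering looks right here because `properties` is created on the line immediately above, so nothing can have used it as a prototype before it is marked; whether didBecomePrototype() has any further precondition is not visible in this hunk. setWindow() starts before and continues after the hunk.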
index a623523..6f75d16 100644 (file)
@@ -90,7 +90,9 @@ void WorkerScriptController::initScript()
         ASSERT(structure->globalObject() == m_workerGlobalScopeWrapper);
         ASSERT(m_workerGlobalScopeWrapper->structure(*m_vm)->globalObject() == m_workerGlobalScopeWrapper);
         dedicatedContextPrototype->structure(*m_vm)->setGlobalObject(*m_vm, m_workerGlobalScopeWrapper.get());
-        dedicatedContextPrototype->structure(*m_vm)->setPrototypeWithoutTransition(*m_vm, JSWorkerGlobalScope::prototype(*m_vm, *m_workerGlobalScopeWrapper.get()));
+        auto* workerGlobalScopePrototype = JSWorkerGlobalScope::prototype(*m_vm, *m_workerGlobalScopeWrapper.get());
+        workerGlobalScopePrototype->didBecomePrototype();
+        dedicatedContextPrototype->structure(*m_vm)->setPrototypeWithoutTransition(*m_vm, workerGlobalScopePrototype);
 
         proxy->setTarget(*m_vm, m_workerGlobalScopeWrapper.get());
         proxy->structure(*m_vm)->setGlobalObject(*m_vm, m_workerGlobalScopeWrapper.get());
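Review bot: `workerGlobalScopePrototype` is dereferenced at the new `didBecomePrototype()` call with no check, so if `JSWorkerGlobalScope::prototype()` can ever return null this path now crashes one line earlier than before rather than inside setPrototypeWithoutTransition. If the helper is guaranteed non-null (which seems to be the convention for binding prototypes, but is not visible here), an `ASSERT(workerGlobalScopePrototype);` between the two new lines would document that expectation at no release cost, matching the ASSERTs already at the top of the hunk. initScript() starts before and continues after the hunk.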
@@ -107,7 +109,9 @@ void WorkerScriptController::initScript()
         ASSERT(structure->globalObject() == m_workerGlobalScopeWrapper);
         ASSERT(m_workerGlobalScopeWrapper->structure()->globalObject() == m_workerGlobalScopeWrapper);
         contextPrototype->structure(*m_vm)->setGlobalObject(*m_vm, m_workerGlobalScopeWrapper.get());
-        contextPrototype->structure(*m_vm)->setPrototypeWithoutTransition(*m_vm, JSWorkerGlobalScope::prototype(*m_vm, *m_workerGlobalScopeWrapper.get()));
+        auto* workerGlobalScopePrototype = JSWorkerGlobalScope::prototype(*m_vm, *m_workerGlobalScopeWrapper.get());
+        workerGlobalScopePrototype->didBecomePrototype();
+        contextPrototype->structure(*m_vm)->setPrototypeWithoutTransition(*m_vm, workerGlobalScopePrototype);
 
         proxy->setTarget(*m_vm, m_workerGlobalScopeWrapper.get());
         proxy->structure(*m_vm)->setGlobalObject(*m_vm, m_workerGlobalScopeWrapper.get());
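Review bot: The three added lines are a verbatim copy of the block added in the previous hunk of the same function, differing only in `contextPrototype` versus `dedicatedContextPrototype`, and the same fetch/mark/install sequence is repeated again in WorkletScriptController. Since the whole point of the change is that the marking must never be separated from the setPrototypeWithoutTransition call, a small file-local helper that takes the context prototype and the global-scope prototype, calls didBecomePrototype() and then installs it would keep the two branches from drifting apart when one is edited later. The exact parameter types would have to come from the surrounding code, which is outside the hunk. initScript() continues outside the hunk.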
index 1168978..1cee9eb 100644 (file)
@@ -126,7 +126,9 @@ void WorkletScriptController::initScriptWithSubclass()
     ASSERT(structure->globalObject() == m_workletGlobalScopeWrapper);
     ASSERT(m_workletGlobalScopeWrapper->structure(*m_vm)->globalObject() == m_workletGlobalScopeWrapper);
     contextPrototype->structure(*m_vm)->setGlobalObject(*m_vm, m_workletGlobalScopeWrapper.get());
-    contextPrototype->structure(*m_vm)->setPrototypeWithoutTransition(*m_vm, JSGlobalScope::prototype(*m_vm, *m_workletGlobalScopeWrapper.get()));
+    auto* globalScopePrototype = JSGlobalScope::prototype(*m_vm, *m_workletGlobalScopeWrapper.get());
+    globalScopePrototype->didBecomePrototype();
+    contextPrototype->structure(*m_vm)->setPrototypeWithoutTransition(*m_vm, globalScopePrototype);
 
     proxy->setTarget(*m_vm, m_workletGlobalScopeWrapper.get());
     proxy->structure(*m_vm)->setGlobalObject(*m_vm, m_workletGlobalScopeWrapper.get());
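Review bot: The new `globalScopePrototype->didBecomePrototype();` call runs every time initScriptWithSubclass() runs on the object returned by `JSGlobalScope::prototype()`, and nothing in the hunk shows whether that object may already have been marked elsewhere or whether this function can run more than once for a scope; if the call is not idempotent that would be a problem. If it is idempotent, say so next to the call, e.g. `// Safe to call even if already marked; setPrototypeWithoutTransition() will not mark it for us.`, and if it is not, the call needs a guard. initScriptWithSubclass() starts before and continues after the hunk.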