Title: [210867] branches/safari-603-branch/Source
Revision
210867
Author
matthew_han...@apple.com
Date
2017-01-18 12:42:40 -0800 (Wed, 18 Jan 2017)

Log Message

Merge r210829. rdar://problem/30044439

Modified Paths

Diff

Modified: branches/safari-603-branch/Source/_javascript_Core/API/JSAPIWrapperObject.mm (210866 => 210867)


--- branches/safari-603-branch/Source/_javascript_Core/API/JSAPIWrapperObject.mm	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/_javascript_Core/API/JSAPIWrapperObject.mm	2017-01-18 20:42:40 UTC (rev 210867)
@@ -48,7 +48,7 @@
 
 void JSAPIWrapperObjectHandleOwner::finalize(JSC::Handle<JSC::Unknown> handle, void*)
 {
-    JSC::JSAPIWrapperObject* wrapperObject = JSC::jsCast<JSC::JSAPIWrapperObject*>(handle.get().asCell());
+    JSC::JSAPIWrapperObject* wrapperObject = static_cast<JSC::JSAPIWrapperObject*>(handle.get().asCell());
     if (!wrapperObject->wrappedObject())
         return;
 
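Review bot: The `static_cast` on the first line of `finalize` has no comment saying why the checked `jsCast<>` cannot be used, so a later cleanup could reasonably restore it. The ChangeLog in this commit calls `jsCast<>` illegal during destruction, presumably because its debug-build type check goes through `classInfo()`. A one-line comment such as `// static_cast: jsCast<> would call classInfo(), which is not valid while the cell is being finalized.` would record that. The same applies to every `destroy()` hunk in this commit, to `JITThunks::finalize` and to `JSCell::callDestructor`, where the unchecked cast now relies entirely on correct dispatch to avoid a type confusion. The body of `finalize` continues past the hunk.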

Modified: branches/safari-603-branch/Source/_javascript_Core/API/JSCallbackObject.h (210866 => 210867)


--- branches/safari-603-branch/Source/_javascript_Core/API/JSCallbackObject.h	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/_javascript_Core/API/JSCallbackObject.h	2017-01-18 20:42:40 UTC (rev 210867)
@@ -232,6 +232,7 @@
     static EncodedJSValue callbackGetter(ExecState*, EncodedJSValue, PropertyName);
 
     std::unique_ptr<JSCallbackObjectData> m_callbackObjectData;
+    const ClassInfo* m_classInfo;
 };
 
 } // namespace JSC
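Review bot: `m_classInfo` is declared without an initializer, and the only assignment visible in this commit is at the end of `init()`. An object destructed before `init()` completes would make `ASSERT(m_classInfo)` in `~JSCallbackObject` test an indeterminate value, and a release build would publish that value to the VM unchecked. Declaring it as `const ClassInfo* m_classInfo { nullptr };` makes the assertion meaningful. The two raw pointers added to `VM.h` (`currentlyDestructingCallbackObject` and `currentlyDestructingCallbackObjectClassInfo`) also lack an in-class initializer; the constructors are outside these hunks, so confirm they are set there or give them `{ nullptr }` as well.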

Modified: branches/safari-603-branch/Source/_javascript_Core/API/JSCallbackObjectFunctions.h (210866 => 210867)


--- branches/safari-603-branch/Source/_javascript_Core/API/JSCallbackObjectFunctions.h	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/_javascript_Core/API/JSCallbackObjectFunctions.h	2017-01-18 20:42:40 UTC (rev 210867)
@@ -74,11 +74,17 @@
 template <class Parent>
 JSCallbackObject<Parent>::~JSCallbackObject()
 {
+    VM* vm = this->HeapCell::vm();
+    vm->currentlyDestructingCallbackObject = this;
+    ASSERT(m_classInfo);
+    vm->currentlyDestructingCallbackObjectClassInfo = m_classInfo;
     JSObjectRef thisRef = toRef(static_cast<JSObject*>(this));
     for (JSClassRef jsClass = classRef(); jsClass; jsClass = jsClass->parentClass) {
         if (JSObjectFinalizeCallback finalize = jsClass->finalize)
             finalize(thisRef);
     }
+    vm->currentlyDestructingCallbackObject = nullptr;
+    vm->currentlyDestructingCallbackObjectClassInfo = nullptr;
 }
     
 template <class Parent>
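Review bot: The destructor resets `vm->currentlyDestructingCallbackObject` and its ClassInfo to `nullptr` unconditionally after the finalize loop. That would wipe an outer destructor's stash if a `finalize` callback ever led to another `JSCallbackObject` being destructed on the same VM. Whether such nesting can happen is not visible from this hunk, but saving the two previous values on entry and restoring them on exit removes the assumption. At minimum, add `ASSERT(!vm->currentlyDestructingCallbackObject);` before the first assignment so a nested case is caught in debug builds.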
@@ -117,6 +123,8 @@
         JSObjectInitializeCallback initialize = initRoutines[i];
         initialize(toRef(exec), toRef(this));
     }
+    
+    m_classInfo = this->classInfo();
 }
 
 template <class Parent>

Modified: branches/safari-603-branch/Source/_javascript_Core/API/JSObjectRef.cpp (210866 => 210867)


--- branches/safari-603-branch/Source/_javascript_Core/API/JSObjectRef.cpp	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/_javascript_Core/API/JSObjectRef.cpp	2017-01-18 20:42:40 UTC (rev 210867)
@@ -379,21 +379,38 @@
     return result;
 }
 
+// API objects have private properties, which may get accessed during destruction. This
+// helper lets us get the ClassInfo of an API object from a function that may get called
+// during destruction.
+static const ClassInfo* classInfoPrivate(JSObject* jsObject)
+{
+    VM* vm = jsObject->vm();
+    
+    if (vm->currentlyDestructingCallbackObject != jsObject)
+        return jsObject->classInfo();
+
+    return vm->currentlyDestructingCallbackObjectClassInfo;
+}
+
 void* JSObjectGetPrivate(JSObjectRef object)
 {
     JSObject* jsObject = uncheckedToJS(object);
 
+    const ClassInfo* classInfo = classInfoPrivate(jsObject);
+    
     // Get wrapped object if proxied
-    if (jsObject->inherits(JSProxy::info()))
-        jsObject = jsCast<JSProxy*>(jsObject)->target();
+    if (classInfo->isSubClassOf(JSProxy::info())) {
+        jsObject = static_cast<JSProxy*>(jsObject)->target();
+        classInfo = jsObject->classInfo();
+    }
 
-    if (jsObject->inherits(JSCallbackObject<JSGlobalObject>::info()))
-        return jsCast<JSCallbackObject<JSGlobalObject>*>(jsObject)->getPrivate();
-    if (jsObject->inherits(JSCallbackObject<JSDestructibleObject>::info()))
-        return jsCast<JSCallbackObject<JSDestructibleObject>*>(jsObject)->getPrivate();
+    if (classInfo->isSubClassOf(JSCallbackObject<JSGlobalObject>::info()))
+        return static_cast<JSCallbackObject<JSGlobalObject>*>(jsObject)->getPrivate();
+    if (classInfo->isSubClassOf(JSCallbackObject<JSDestructibleObject>::info()))
+        return static_cast<JSCallbackObject<JSDestructibleObject>*>(jsObject)->getPrivate();
 #if JSC_OBJC_API_ENABLED
-    if (jsObject->inherits(JSCallbackObject<JSAPIWrapperObject>::info()))
-        return jsCast<JSCallbackObject<JSAPIWrapperObject>*>(jsObject)->getPrivate();
+    if (classInfo->isSubClassOf(JSCallbackObject<JSAPIWrapperObject>::info()))
+        return static_cast<JSCallbackObject<JSAPIWrapperObject>*>(jsObject)->getPrivate();
 #endif
     
     return 0;
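Review bot: After unwrapping a proxy, `classInfo = jsObject->classInfo();` calls `JSCell::classInfo()` directly on the target and bypasses `classInfoPrivate()`, so the destruction-time stash is never consulted for the proxy's target. If the target can be the callback object currently being destructed (for example a global callback object behind its `JSProxy`), this is exactly the call the new assertion in `JSCell::classInfo()` is meant to forbid; `classInfo = classInfoPrivate(jsObject);` would keep both paths consistent. The same line appears in `JSObjectSetPrivate` in the next hunk. Separately, `classInfo` is dereferenced without a null check, although `currentlyDestructingCallbackObjectClassInfo` is guarded only by a debug `ASSERT` in the destructor.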
@@ -403,20 +420,24 @@
 {
     JSObject* jsObject = uncheckedToJS(object);
 
+    const ClassInfo* classInfo = classInfoPrivate(jsObject);
+    
     // Get wrapped object if proxied
-    if (jsObject->inherits(JSProxy::info()))
+    if (classInfo->isSubClassOf(JSProxy::info())) {
         jsObject = jsCast<JSProxy*>(jsObject)->target();
+        classInfo = jsObject->classInfo();
+    }
 
-    if (jsObject->inherits(JSCallbackObject<JSGlobalObject>::info())) {
+    if (classInfo->isSubClassOf(JSCallbackObject<JSGlobalObject>::info())) {
         jsCast<JSCallbackObject<JSGlobalObject>*>(jsObject)->setPrivate(data);
         return true;
     }
-    if (jsObject->inherits(JSCallbackObject<JSDestructibleObject>::info())) {
+    if (classInfo->isSubClassOf(JSCallbackObject<JSDestructibleObject>::info())) {
         jsCast<JSCallbackObject<JSDestructibleObject>*>(jsObject)->setPrivate(data);
         return true;
     }
 #if JSC_OBJC_API_ENABLED
-    if (jsObject->inherits(JSCallbackObject<JSAPIWrapperObject>::info())) {
+    if (classInfo->isSubClassOf(JSCallbackObject<JSAPIWrapperObject>::info())) {
         jsCast<JSCallbackObject<JSAPIWrapperObject>*>(jsObject)->setPrivate(data);
         return true;
     }
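Review bot: `JSObjectSetPrivate` still uses `jsCast<>` for the proxy and for all three `JSCallbackObject` branches, while `JSObjectGetPrivate` in the previous hunk was switched to `static_cast` for the same casts. The ChangeLog describes `jsCast<>` as illegal during destruction, and the setter looks just as reachable from a finalize callback as the getter, so a debug build would presumably trip the new `classInfo()` assertion here. Either convert these to `static_cast` after the `isSubClassOf` check, e.g. `static_cast<JSCallbackObject<JSGlobalObject>*>(jsObject)->setPrivate(data);`, or add a comment stating why the setter is exempt. The function's signature and tail are outside the hunk.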

Modified: branches/safari-603-branch/Source/_javascript_Core/ChangeLog (210866 => 210867)


--- branches/safari-603-branch/Source/_javascript_Core/ChangeLog	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/_javascript_Core/ChangeLog	2017-01-18 20:42:40 UTC (rev 210867)
@@ -1,5 +1,116 @@
 2017-01-18  Matthew Hanson  <matthew_han...@apple.com>
 
+        Merge r210829. rdar://problem/30044439
+
+    2017-01-16  Filip Pizlo  <fpi...@apple.com>
+
+            JSCell::classInfo() shouldn't have a bunch of mitigations for being called during destruction
+            https://bugs.webkit.org/show_bug.cgi?id=167066
+
+            Reviewed by Keith Miller and Michael Saboff.
+
+            This reduces the size of JSCell::classInfo() by half and removes some checks that
+            this function previously had to do in case it was called from destructors.
+
+            I changed all of the destructors so that they don't call JSCell::classInfo() and I
+            added an assertion to JSCell::classInfo() to catch cases where someone called it
+            from a destructor accidentally.
+
+            This means that we only have one place in destruction that needs to know the class:
+            the sweeper's call to the destructor.
+
+            One of the trickiest outcomes of this is the need to support inherits() tests in
+            JSObjectGetPrivate(), when it is called from the destructor callback on the object
+            being destructed. JSObjectGetPrivate() is undefined behavior anyway if you use it
+            on any dead-but-not-destructed object other than the one being destructed right
+            now. The purpose of the inherits() tests is to distinguish between different kinds
+            of CallbackObjects, which may have different kinds of base classes. I think that
+            this was always subtly wrong - for example, if the object being destructed is a
+            JSGlobalObject then it's not a DestructibleObject, is not in a destructor block,
+            but does not have an immortal Structure - so classInfo() is not valid. This fixes
+            the issue by having ~JSCallbackObject know its classInfo. It now stashes its
+            classInfo in VM so that JSObjectGetPrivate can use that classInfo if it detects
+            that it's being used on a currently-destructing object.
+
+            That was the only really weird part of this patch. The rest is mostly removing
+            illegal uses of jsCast<> in destructors. There were a few other genuine uses of
+            classInfo() but they were in code that already knew how to get its classInfo()
+            using other means:
+
+            - You can still say structure()->classInfo(), and I use this form in code that
+              knows that its StructureIsImmortal.
+
+            - You can use this->classInfo() if it's overridden, like in subclasses of
+              JSDestructibleObject.
+
+            Rolling this back in because I think I fixed the crashes.
+
+            * API/JSAPIWrapperObject.mm:
+            (JSAPIWrapperObjectHandleOwner::finalize):
+            * API/JSCallbackObject.h:
+            * API/JSCallbackObjectFunctions.h:
+            (JSC::JSCallbackObject<Parent>::~JSCallbackObject):
+            (JSC::JSCallbackObject<Parent>::init):
+            * API/JSObjectRef.cpp:
+            (classInfoPrivate):
+            (JSObjectGetPrivate):
+            (JSObjectSetPrivate):
+            * bytecode/EvalCodeBlock.cpp:
+            (JSC::EvalCodeBlock::destroy):
+            * bytecode/FunctionCodeBlock.cpp:
+            (JSC::FunctionCodeBlock::destroy):
+            * bytecode/ModuleProgramCodeBlock.cpp:
+            (JSC::ModuleProgramCodeBlock::destroy):
+            * bytecode/ProgramCodeBlock.cpp:
+            (JSC::ProgramCodeBlock::destroy):
+            * bytecode/UnlinkedEvalCodeBlock.cpp:
+            (JSC::UnlinkedEvalCodeBlock::destroy):
+            * bytecode/UnlinkedFunctionCodeBlock.cpp:
+            (JSC::UnlinkedFunctionCodeBlock::destroy):
+            * bytecode/UnlinkedFunctionExecutable.cpp:
+            (JSC::UnlinkedFunctionExecutable::destroy):
+            * bytecode/UnlinkedModuleProgramCodeBlock.cpp:
+            (JSC::UnlinkedModuleProgramCodeBlock::destroy):
+            * bytecode/UnlinkedProgramCodeBlock.cpp:
+            (JSC::UnlinkedProgramCodeBlock::destroy):
+            * heap/CodeBlockSet.cpp:
+            (JSC::CodeBlockSet::lastChanceToFinalize):
+            (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
+            * heap/MarkedAllocator.cpp:
+            (JSC::MarkedAllocator::allocateSlowCaseImpl):
+            * heap/MarkedBlock.cpp:
+            (JSC::MarkedBlock::Handle::sweep):
+            * jit/JITThunks.cpp:
+            (JSC::JITThunks::finalize):
+            * runtime/AbstractModuleRecord.cpp:
+            (JSC::AbstractModuleRecord::destroy):
+            * runtime/ExecutableBase.cpp:
+            (JSC::ExecutableBase::clearCode):
+            * runtime/JSCellInlines.h:
+            (JSC::JSCell::classInfo):
+            (JSC::JSCell::callDestructor):
+            * runtime/JSLock.h:
+            (JSC::JSLock::ownerThread):
+            * runtime/JSModuleNamespaceObject.cpp:
+            (JSC::JSModuleNamespaceObject::destroy):
+            * runtime/JSModuleRecord.cpp:
+            (JSC::JSModuleRecord::destroy):
+            * runtime/JSPropertyNameEnumerator.cpp:
+            (JSC::JSPropertyNameEnumerator::destroy):
+            * runtime/JSSegmentedVariableObject.h:
+            * runtime/SymbolTable.cpp:
+            (JSC::SymbolTable::destroy):
+            * runtime/VM.h:
+            * wasm/js/JSWebAssemblyCallee.cpp:
+            (JSC::JSWebAssemblyCallee::destroy):
+            * wasm/js/WebAssemblyModuleRecord.cpp:
+            (JSC::WebAssemblyModuleRecord::destroy):
+            * wasm/js/WebAssemblyToJSCallee.cpp:
+            (JSC::WebAssemblyToJSCallee::WebAssemblyToJSCallee):
+            (JSC::WebAssemblyToJSCallee::destroy):
+
+2017-01-18  Matthew Hanson  <matthew_han...@apple.com>
+
         Merge r210745. rdar://problem/30019309
 
     2017-01-13  Saam Barati  <sbar...@apple.com>

Modified: branches/safari-603-branch/Source/_javascript_Core/bytecode/EvalCodeBlock.cpp (210866 => 210867)


--- branches/safari-603-branch/Source/_javascript_Core/bytecode/EvalCodeBlock.cpp	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/_javascript_Core/bytecode/EvalCodeBlock.cpp	2017-01-18 20:42:40 UTC (rev 210867)
@@ -39,7 +39,7 @@
 
 void EvalCodeBlock::destroy(JSCell* cell)
 {
-    jsCast<EvalCodeBlock*>(cell)->~EvalCodeBlock();
+    static_cast<EvalCodeBlock*>(cell)->~EvalCodeBlock();
 }
 
 } // namespace JSC

Modified: branches/safari-603-branch/Source/_javascript_Core/bytecode/FunctionCodeBlock.cpp (210866 => 210867)


--- branches/safari-603-branch/Source/_javascript_Core/bytecode/FunctionCodeBlock.cpp	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/_javascript_Core/bytecode/FunctionCodeBlock.cpp	2017-01-18 20:42:40 UTC (rev 210867)
@@ -39,7 +39,7 @@
 
 void FunctionCodeBlock::destroy(JSCell* cell)
 {
-    jsCast<FunctionCodeBlock*>(cell)->~FunctionCodeBlock();
+    static_cast<FunctionCodeBlock*>(cell)->~FunctionCodeBlock();
 }
 
 } // namespace JSC

Modified: branches/safari-603-branch/Source/_javascript_Core/bytecode/ModuleProgramCodeBlock.cpp (210866 => 210867)


--- branches/safari-603-branch/Source/_javascript_Core/bytecode/ModuleProgramCodeBlock.cpp	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/_javascript_Core/bytecode/ModuleProgramCodeBlock.cpp	2017-01-18 20:42:40 UTC (rev 210867)
@@ -39,7 +39,7 @@
 
 void ModuleProgramCodeBlock::destroy(JSCell* cell)
 {
-    jsCast<ModuleProgramCodeBlock*>(cell)->~ModuleProgramCodeBlock();
+    static_cast<ModuleProgramCodeBlock*>(cell)->~ModuleProgramCodeBlock();
 }
 
 } // namespace JSC

Modified: branches/safari-603-branch/Source/_javascript_Core/bytecode/ProgramCodeBlock.cpp (210866 => 210867)


--- branches/safari-603-branch/Source/_javascript_Core/bytecode/ProgramCodeBlock.cpp	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/_javascript_Core/bytecode/ProgramCodeBlock.cpp	2017-01-18 20:42:40 UTC (rev 210867)
@@ -39,7 +39,7 @@
 
 void ProgramCodeBlock::destroy(JSCell* cell)
 {
-    jsCast<ProgramCodeBlock*>(cell)->~ProgramCodeBlock();
+    static_cast<ProgramCodeBlock*>(cell)->~ProgramCodeBlock();
 }
 
 } // namespace JSC

Modified: branches/safari-603-branch/Source/_javascript_Core/bytecode/UnlinkedEvalCodeBlock.cpp (210866 => 210867)


--- branches/safari-603-branch/Source/_javascript_Core/bytecode/UnlinkedEvalCodeBlock.cpp	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/_javascript_Core/bytecode/UnlinkedEvalCodeBlock.cpp	2017-01-18 20:42:40 UTC (rev 210867)
@@ -34,7 +34,7 @@
 
 void UnlinkedEvalCodeBlock::destroy(JSCell* cell)
 {
-    jsCast<UnlinkedEvalCodeBlock*>(cell)->~UnlinkedEvalCodeBlock();
+    static_cast<UnlinkedEvalCodeBlock*>(cell)->~UnlinkedEvalCodeBlock();
 }
 
 }

Modified: branches/safari-603-branch/Source/_javascript_Core/bytecode/UnlinkedFunctionCodeBlock.cpp (210866 => 210867)


--- branches/safari-603-branch/Source/_javascript_Core/bytecode/UnlinkedFunctionCodeBlock.cpp	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/_javascript_Core/bytecode/UnlinkedFunctionCodeBlock.cpp	2017-01-18 20:42:40 UTC (rev 210867)
@@ -34,7 +34,7 @@
 
 void UnlinkedFunctionCodeBlock::destroy(JSCell* cell)
 {
-    jsCast<UnlinkedFunctionCodeBlock*>(cell)->~UnlinkedFunctionCodeBlock();
+    static_cast<UnlinkedFunctionCodeBlock*>(cell)->~UnlinkedFunctionCodeBlock();
 }
 
 }

Modified: branches/safari-603-branch/Source/_javascript_Core/bytecode/UnlinkedFunctionExecutable.cpp (210866 => 210867)


--- branches/safari-603-branch/Source/_javascript_Core/bytecode/UnlinkedFunctionExecutable.cpp	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/_javascript_Core/bytecode/UnlinkedFunctionExecutable.cpp	2017-01-18 20:42:40 UTC (rev 210867)
@@ -119,7 +119,7 @@
 
 void UnlinkedFunctionExecutable::destroy(JSCell* cell)
 {
-    jsCast<UnlinkedFunctionExecutable*>(cell)->~UnlinkedFunctionExecutable();
+    static_cast<UnlinkedFunctionExecutable*>(cell)->~UnlinkedFunctionExecutable();
 }
 
 void UnlinkedFunctionExecutable::visitChildren(JSCell* cell, SlotVisitor& visitor)

Modified: branches/safari-603-branch/Source/_javascript_Core/bytecode/UnlinkedModuleProgramCodeBlock.cpp (210866 => 210867)


--- branches/safari-603-branch/Source/_javascript_Core/bytecode/UnlinkedModuleProgramCodeBlock.cpp	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/_javascript_Core/bytecode/UnlinkedModuleProgramCodeBlock.cpp	2017-01-18 20:42:40 UTC (rev 210867)
@@ -42,7 +42,7 @@
 
 void UnlinkedModuleProgramCodeBlock::destroy(JSCell* cell)
 {
-    jsCast<UnlinkedModuleProgramCodeBlock*>(cell)->~UnlinkedModuleProgramCodeBlock();
+    static_cast<UnlinkedModuleProgramCodeBlock*>(cell)->~UnlinkedModuleProgramCodeBlock();
 }
 
 }

Modified: branches/safari-603-branch/Source/_javascript_Core/bytecode/UnlinkedProgramCodeBlock.cpp (210866 => 210867)


--- branches/safari-603-branch/Source/_javascript_Core/bytecode/UnlinkedProgramCodeBlock.cpp	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/_javascript_Core/bytecode/UnlinkedProgramCodeBlock.cpp	2017-01-18 20:42:40 UTC (rev 210867)
@@ -42,7 +42,7 @@
 
 void UnlinkedProgramCodeBlock::destroy(JSCell* cell)
 {
-    jsCast<UnlinkedProgramCodeBlock*>(cell)->~UnlinkedProgramCodeBlock();
+    static_cast<UnlinkedProgramCodeBlock*>(cell)->~UnlinkedProgramCodeBlock();
 }
 
 }

Modified: branches/safari-603-branch/Source/_javascript_Core/heap/CodeBlockSet.cpp (210866 => 210867)


--- branches/safari-603-branch/Source/_javascript_Core/heap/CodeBlockSet.cpp	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/_javascript_Core/heap/CodeBlockSet.cpp	2017-01-18 20:42:40 UTC (rev 210867)
@@ -65,10 +65,10 @@
 {
     LockHolder locker(&m_lock);
     for (CodeBlock* codeBlock : m_newCodeBlocks)
-        codeBlock->classInfo()->methodTable.destroy(codeBlock);
+        codeBlock->structure()->classInfo()->methodTable.destroy(codeBlock);
 
     for (CodeBlock* codeBlock : m_oldCodeBlocks)
-        codeBlock->classInfo()->methodTable.destroy(codeBlock);
+        codeBlock->structure()->classInfo()->methodTable.destroy(codeBlock);
 }
 
 void CodeBlockSet::deleteUnmarkedAndUnreferenced(CollectionScope scope)
@@ -83,7 +83,7 @@
             unmarked.append(codeBlock);
         }
         for (CodeBlock* codeBlock : unmarked) {
-            codeBlock->classInfo()->methodTable.destroy(codeBlock);
+            codeBlock->structure()->classInfo()->methodTable.destroy(codeBlock);
             set.remove(codeBlock);
         }
         unmarked.resize(0);

Modified: branches/safari-603-branch/Source/_javascript_Core/heap/MarkedAllocator.cpp (210866 => 210867)


--- branches/safari-603-branch/Source/_javascript_Core/heap/MarkedAllocator.cpp	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/_javascript_Core/heap/MarkedAllocator.cpp	2017-01-18 20:42:40 UTC (rev 210867)
@@ -212,7 +212,7 @@
     
     didConsumeFreeList();
     
-    AllocatingScope healpingHeap(*m_heap);
+    AllocatingScope helpingHeap(*m_heap);
 
     m_heap->collectIfNecessaryOrDefer(deferralContext);
     

Modified: branches/safari-603-branch/Source/_javascript_Core/heap/MarkedBlock.cpp (210866 => 210867)


--- branches/safari-603-branch/Source/_javascript_Core/heap/MarkedBlock.cpp	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/_javascript_Core/heap/MarkedBlock.cpp	2017-01-18 20:42:40 UTC (rev 210867)
@@ -26,6 +26,7 @@
 #include "config.h"
 #include "MarkedBlock.h"
 
+#include "HelpingGCScope.h"
 #include "JSCell.h"
 #include "JSDestructibleObject.h"
 #include "JSCInlines.h"
@@ -195,6 +196,9 @@
 
 FreeList MarkedBlock::Handle::sweep(SweepMode sweepMode)
 {
+    // FIXME: Maybe HelpingGCScope should just be called SweepScope?
+    HelpingGCScope helpingGCScope(*heap());
+    
     m_allocator->setIsUnswept(NoLockingNecessary, this, false);
     
     m_weakSet.sweep();

Modified: branches/safari-603-branch/Source/_javascript_Core/jit/JITThunks.cpp (210866 => 210867)


--- branches/safari-603-branch/Source/_javascript_Core/jit/JITThunks.cpp	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/_javascript_Core/jit/JITThunks.cpp	2017-01-18 20:42:40 UTC (rev 210867)
@@ -84,7 +84,7 @@
 
 void JITThunks::finalize(Handle<Unknown> handle, void*)
 {
-    auto* nativeExecutable = jsCast<NativeExecutable*>(handle.get().asCell());
+    auto* nativeExecutable = static_cast<NativeExecutable*>(handle.get().asCell());
     weakRemove(*m_hostFunctionStubMap, std::make_tuple(nativeExecutable->function(), nativeExecutable->constructor(), nativeExecutable->name()), nativeExecutable);
 }
 

Modified: branches/safari-603-branch/Source/_javascript_Core/runtime/AbstractModuleRecord.cpp (210866 => 210867)


--- branches/safari-603-branch/Source/_javascript_Core/runtime/AbstractModuleRecord.cpp	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/_javascript_Core/runtime/AbstractModuleRecord.cpp	2017-01-18 20:42:40 UTC (rev 210867)
@@ -46,7 +46,7 @@
 
 void AbstractModuleRecord::destroy(JSCell* cell)
 {
-    AbstractModuleRecord* thisObject = jsCast<AbstractModuleRecord*>(cell);
+    AbstractModuleRecord* thisObject = static_cast<AbstractModuleRecord*>(cell);
     thisObject->AbstractModuleRecord::~AbstractModuleRecord();
 }
 

Modified: branches/safari-603-branch/Source/_javascript_Core/runtime/ExecutableBase.cpp (210866 => 210867)


--- branches/safari-603-branch/Source/_javascript_Core/runtime/ExecutableBase.cpp	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/_javascript_Core/runtime/ExecutableBase.cpp	2017-01-18 20:42:40 UTC (rev 210867)
@@ -60,29 +60,29 @@
     m_numParametersForCall = NUM_PARAMETERS_NOT_COMPILED;
     m_numParametersForConstruct = NUM_PARAMETERS_NOT_COMPILED;
 
-    if (classInfo() == FunctionExecutable::info()) {
-        FunctionExecutable* executable = jsCast<FunctionExecutable*>(this);
+    if (structure()->classInfo() == FunctionExecutable::info()) {
+        FunctionExecutable* executable = static_cast<FunctionExecutable*>(this);
         executable->m_codeBlockForCall.clear();
         executable->m_codeBlockForConstruct.clear();
         return;
     }
 
-    if (classInfo() == EvalExecutable::info()) {
-        EvalExecutable* executable = jsCast<EvalExecutable*>(this);
+    if (structure()->classInfo() == EvalExecutable::info()) {
+        EvalExecutable* executable = static_cast<EvalExecutable*>(this);
         executable->m_evalCodeBlock.clear();
         executable->m_unlinkedEvalCodeBlock.clear();
         return;
     }
     
-    if (classInfo() == ProgramExecutable::info()) {
-        ProgramExecutable* executable = jsCast<ProgramExecutable*>(this);
+    if (structure()->classInfo() == ProgramExecutable::info()) {
+        ProgramExecutable* executable = static_cast<ProgramExecutable*>(this);
         executable->m_programCodeBlock.clear();
         executable->m_unlinkedProgramCodeBlock.clear();
         return;
     }
 
-    if (classInfo() == ModuleProgramExecutable::info()) {
-        ModuleProgramExecutable* executable = jsCast<ModuleProgramExecutable*>(this);
+    if (structure()->classInfo() == ModuleProgramExecutable::info()) {
+        ModuleProgramExecutable* executable = static_cast<ModuleProgramExecutable*>(this);
         executable->m_moduleProgramCodeBlock.clear();
         executable->m_unlinkedModuleProgramCodeBlock.clear();
         executable->m_moduleEnvironmentSymbolTable.clear();
@@ -89,7 +89,7 @@
         return;
     }
     
-    ASSERT(classInfo() == NativeExecutable::info());
+    ASSERT(structure()->classInfo() == NativeExecutable::info());
 }
 
 void ExecutableBase::dump(PrintStream& out) const

Modified: branches/safari-603-branch/Source/_javascript_Core/runtime/JSCellInlines.h (210866 => 210867)


--- branches/safari-603-branch/Source/_javascript_Core/runtime/JSCellInlines.h	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/_javascript_Core/runtime/JSCellInlines.h	2017-01-18 20:42:40 UTC (rev 210867)
@@ -267,17 +267,13 @@
 
 ALWAYS_INLINE const ClassInfo* JSCell::classInfo() const
 {
-    if (isLargeAllocation()) {
-        LargeAllocation& allocation = largeAllocation();
-        if (allocation.attributes().destruction == NeedsDestruction
-            && !(inlineTypeFlags() & StructureIsImmortal))
-            return static_cast<const JSDestructibleObject*>(this)->classInfo();
-        return structure(*allocation.vm())->classInfo();
-    }
-    MarkedBlock& block = markedBlock();
-    if (block.needsDestruction() && !(inlineTypeFlags() & StructureIsImmortal))
-        return static_cast<const JSDestructibleObject*>(this)->classInfo();
-    return structure(*block.vm())->classInfo();
+    VM* vm;
+    if (isLargeAllocation())
+        vm = largeAllocation().vm();
+    else
+        vm = markedBlock().vm();
+    ASSERT(vm->heap.mutatorState() == MutatorState::Running || vm->apiLock().ownerThread() != std::this_thread::get_id());
+    return structure(*vm)->classInfo();
 }
 
 inline bool JSCell::toBoolean(ExecState* exec) const
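Review bot: The new `ASSERT` in `JSCell::classInfo()` has no comment, and its condition (mutator state is Running, or the caller is not the API lock's owner thread) does not explain itself. Suggest adding `// classInfo() is not valid from destructors or finalizers run by the sweeper; other threads are exempt from this check.` above it, so someone hitting the assertion knows to use `structure()->classInfo()` or a stashed ClassInfo instead. Also, `ownerThread()` (added to JSLock.h in this commit) returns `m_ownerThreadID` with no visible synchronization, so the comparison is best-effort when made from a non-owner thread.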
@@ -307,7 +303,7 @@
         MethodTable::DestroyFunctionPtr destroy = classInfo->methodTable.destroy;
         destroy(this);
     } else
-        jsCast<JSDestructibleObject*>(this)->classInfo()->methodTable.destroy(this);
+        static_cast<JSDestructibleObject*>(this)->classInfo()->methodTable.destroy(this);
     zap();
 }
 

Modified: branches/safari-603-branch/Source/_javascript_Core/runtime/JSLock.h (210866 => 210867)


--- branches/safari-603-branch/Source/_javascript_Core/runtime/JSLock.h	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/_javascript_Core/runtime/JSLock.h	2017-01-18 20:42:40 UTC (rev 210867)
@@ -99,6 +99,7 @@
         ASSERT(m_hasExclusiveThread);
         return m_ownerThreadID;
     }
+    std::thread::id ownerThread() const { return m_ownerThreadID; }
     JS_EXPORT_PRIVATE void setExclusiveThread(std::thread::id);
     JS_EXPORT_PRIVATE bool currentThreadIsHoldingLock();
 

Modified: branches/safari-603-branch/Source/_javascript_Core/runtime/JSModuleNamespaceObject.cpp (210866 => 210867)


--- branches/safari-603-branch/Source/_javascript_Core/runtime/JSModuleNamespaceObject.cpp	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/_javascript_Core/runtime/JSModuleNamespaceObject.cpp	2017-01-18 20:42:40 UTC (rev 210867)
@@ -83,7 +83,7 @@
 
 void JSModuleNamespaceObject::destroy(JSCell* cell)
 {
-    JSModuleNamespaceObject* thisObject = jsCast<JSModuleNamespaceObject*>(cell);
+    JSModuleNamespaceObject* thisObject = static_cast<JSModuleNamespaceObject*>(cell);
     thisObject->JSModuleNamespaceObject::~JSModuleNamespaceObject();
 }
 

Modified: branches/safari-603-branch/Source/_javascript_Core/runtime/JSModuleRecord.cpp (210866 => 210867)


--- branches/safari-603-branch/Source/_javascript_Core/runtime/JSModuleRecord.cpp	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/_javascript_Core/runtime/JSModuleRecord.cpp	2017-01-18 20:42:40 UTC (rev 210867)
@@ -59,7 +59,7 @@
 
 void JSModuleRecord::destroy(JSCell* cell)
 {
-    JSModuleRecord* thisObject = jsCast<JSModuleRecord*>(cell);
+    JSModuleRecord* thisObject = static_cast<JSModuleRecord*>(cell);
     thisObject->JSModuleRecord::~JSModuleRecord();
 }
 

Modified: branches/safari-603-branch/Source/_javascript_Core/runtime/JSPropertyNameEnumerator.cpp (210866 => 210867)


--- branches/safari-603-branch/Source/_javascript_Core/runtime/JSPropertyNameEnumerator.cpp	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/_javascript_Core/runtime/JSPropertyNameEnumerator.cpp	2017-01-18 20:42:40 UTC (rev 210867)
@@ -83,7 +83,7 @@
 
 void JSPropertyNameEnumerator::destroy(JSCell* cell)
 {
-    jsCast<JSPropertyNameEnumerator*>(cell)->JSPropertyNameEnumerator::~JSPropertyNameEnumerator();
+    static_cast<JSPropertyNameEnumerator*>(cell)->JSPropertyNameEnumerator::~JSPropertyNameEnumerator();
 }
 
 void JSPropertyNameEnumerator::visitChildren(JSCell* cell, SlotVisitor& visitor)

Modified: branches/safari-603-branch/Source/_javascript_Core/runtime/JSSegmentedVariableObject.h (210866 => 210867)


--- branches/safari-603-branch/Source/_javascript_Core/runtime/JSSegmentedVariableObject.h	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/_javascript_Core/runtime/JSSegmentedVariableObject.h	2017-01-18 20:42:40 UTC (rev 210867)
@@ -47,6 +47,8 @@
 // JSSegmentedVariableObject has its own GC tracing functionality, since it knows the
 // exact dimensions of the variables array at all times.
 
+// Except for JSGlobalObject, subclasses of this don't call the destructor and leak memory.
+
 class JSSegmentedVariableObject : public JSSymbolTableObject {
     friend class JIT;
     friend class LLIntOffsetsExtractor;

Modified: branches/safari-603-branch/Source/_javascript_Core/runtime/StructureInlines.h (210866 => 210867)


--- branches/safari-603-branch/Source/_javascript_Core/runtime/StructureInlines.h	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/_javascript_Core/runtime/StructureInlines.h	2017-01-18 20:42:40 UTC (rev 210867)
@@ -259,10 +259,27 @@
     if (isCompilationThread())
         return true;
     
-    RELEASE_ASSERT(numberOfSlotsForLastOffset(m_offset, m_inlineCapacity) == propertyTable->propertyStorageSize());
     unsigned totalSize = propertyTable->propertyStorageSize();
-    RELEASE_ASSERT((totalSize < inlineCapacity() ? 0 : totalSize - inlineCapacity()) == numberOfOutOfLineSlotsForLastOffset(m_offset));
+    unsigned inlineOverflowAccordingToTotalSize = totalSize < m_inlineCapacity ? 0 : totalSize - m_inlineCapacity;
 
+    auto fail = [&] (const char* description) {
+        dataLog("Detected offset inconsistency: ", description, "!\n");
+        dataLog("this = ", RawPointer(this), "\n");
+        dataLog("m_offset = ", m_offset, "\n");
+        dataLog("m_inlineCapacity = ", m_inlineCapacity, "\n");
+        dataLog("propertyTable = ", RawPointer(propertyTable), "\n");
+        dataLog("numberOfSlotsForLastOffset = ", numberOfSlotsForLastOffset(m_offset, m_inlineCapacity), "\n");
+        dataLog("totalSize = ", totalSize, "\n");
+        dataLog("inlineOverflowAccordingToTotalSize = ", inlineOverflowAccordingToTotalSize, "\n");
+        dataLog("numberOfOutOfLineSlotsForLastOffset = ", numberOfOutOfLineSlotsForLastOffset(m_offset), "\n");
+        UNREACHABLE_FOR_PLATFORM();
+    };
+    
+    if (numberOfSlotsForLastOffset(m_offset, m_inlineCapacity) != totalSize)
+        fail("numberOfSlotsForLastOffset doesn't match totalSize");
+    if (inlineOverflowAccordingToTotalSize != numberOfOutOfLineSlotsForLastOffset(m_offset))
+        fail("inlineOverflowAccordingToTotalSize doesn't match numberOfOutOfLineSlotsForLastOffset");
+
     return true;
 }
 
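Review bot: The `fail` lambda ends in `UNREACHABLE_FOR_PLATFORM()`, replacing two `RELEASE_ASSERT`s. Unless that macro is a release-mode crash on this branch, a release build now logs the inconsistency and falls through to `return true`, reporting the offsets as consistent. A mismatch between the offset and the property table can lead to out-of-bounds property storage access, so the failure should stay fatal: end the lambda with `RELEASE_ASSERT_NOT_REACHED();`. The added `dataLog` diagnostics can stay as they are. The enclosing function starts above the hunk.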

Modified: branches/safari-603-branch/Source/_javascript_Core/runtime/SymbolTable.cpp (210866 => 210867)


--- branches/safari-603-branch/Source/_javascript_Core/runtime/SymbolTable.cpp	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/_javascript_Core/runtime/SymbolTable.cpp	2017-01-18 20:42:40 UTC (rev 210867)
@@ -49,7 +49,7 @@
 
 void SymbolTable::destroy(JSCell* cell)
 {
-    SymbolTable* thisObject = jsCast<SymbolTable*>(cell);
+    SymbolTable* thisObject = static_cast<SymbolTable*>(cell);
     thisObject->SymbolTable::~SymbolTable();
 }
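Review bot: Nothing at the cast in `SymbolTable::destroy` records why it is a `static_cast`, so a later cleanup could turn it back into `jsCast`, which this commit's ChangeLog says must now be avoided in destructors and finalizers. A one-line comment above the cast would do: `// static_cast, not jsCast: this runs during destruction, where jsCast must not be used.` The same applies to the other `destroy` and `finalize` hunks in this commit (JSWebAssemblyCallee, WebAssemblyModuleRecord, WebAssemblyToJSCallee, JSDeprecatedCSSOMValueOwner, JSDOMIterator, NPRuntimeObjectMap). It also applies to the template string in CodeGeneratorJS.pm, where the comment would propagate to every generated `finalize`. With `static_cast` the downcast carries no runtime type check, so each of these relies on the caller handing in a cell of the expected type.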
 

Modified: branches/safari-603-branch/Source/_javascript_Core/runtime/VM.h (210866 => 210867)


--- branches/safari-603-branch/Source/_javascript_Core/runtime/VM.h	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/_javascript_Core/runtime/VM.h	2017-01-18 20:42:40 UTC (rev 210867)
@@ -354,6 +354,9 @@
     Strong<JSCell> iterationTerminator;
     Strong<JSCell> emptyPropertyNameEnumerator;
 
+    JSCell* currentlyDestructingCallbackObject;
+    const ClassInfo* currentlyDestructingCallbackObjectClassInfo;
+
     AtomicStringTable* m_atomicStringTable;
     WTF::SymbolRegistry m_symbolRegistry;
     TemplateRegistryKeyTable m_templateRegistryKeytable;
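Review bot: The new members `currentlyDestructingCallbackObject` and `currentlyDestructingCallbackObjectClassInfo` are raw pointers declared without an initializer, so they hold indeterminate values unless the VM constructor, which is outside this hunk, sets them. Default member initializers would remove that dependency: `JSCell* currentlyDestructingCallbackObject { nullptr };` and `const ClassInfo* currentlyDestructingCallbackObjectClassInfo { nullptr };`. A short comment saying when the pair is valid (presumably only while a callback object's destructor is running) would also help, because a stale `JSCell*` left here would refer to a destroyed cell. The class body continues outside the hunk.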

Modified: branches/safari-603-branch/Source/_javascript_Core/wasm/js/JSWebAssemblyCallee.cpp (210866 => 210867)


--- branches/safari-603-branch/Source/_javascript_Core/wasm/js/JSWebAssemblyCallee.cpp	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/_javascript_Core/wasm/js/JSWebAssemblyCallee.cpp	2017-01-18 20:42:40 UTC (rev 210867)
@@ -47,7 +47,7 @@
 
 void JSWebAssemblyCallee::destroy(JSCell* cell)
 {
-    JSWebAssemblyCallee* thisObject = jsCast<JSWebAssemblyCallee*>(cell);
+    JSWebAssemblyCallee* thisObject = static_cast<JSWebAssemblyCallee*>(cell);
     thisObject->JSWebAssemblyCallee::~JSWebAssemblyCallee();
 }
 

Modified: branches/safari-603-branch/Source/_javascript_Core/wasm/js/WebAssemblyModuleRecord.cpp (210866 => 210867)


--- branches/safari-603-branch/Source/_javascript_Core/wasm/js/WebAssemblyModuleRecord.cpp	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/_javascript_Core/wasm/js/WebAssemblyModuleRecord.cpp	2017-01-18 20:42:40 UTC (rev 210867)
@@ -62,7 +62,7 @@
 
 void WebAssemblyModuleRecord::destroy(JSCell* cell)
 {
-    WebAssemblyModuleRecord* thisObject = jsCast<WebAssemblyModuleRecord*>(cell);
+    WebAssemblyModuleRecord* thisObject = static_cast<WebAssemblyModuleRecord*>(cell);
     thisObject->WebAssemblyModuleRecord::~WebAssemblyModuleRecord();
 }
 

Modified: branches/safari-603-branch/Source/_javascript_Core/wasm/js/WebAssemblyToJSCallee.cpp (210866 => 210867)


--- branches/safari-603-branch/Source/_javascript_Core/wasm/js/WebAssemblyToJSCallee.cpp	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/_javascript_Core/wasm/js/WebAssemblyToJSCallee.cpp	2017-01-18 20:42:40 UTC (rev 210867)
@@ -48,7 +48,8 @@
 
 WebAssemblyToJSCallee::WebAssemblyToJSCallee(VM& vm, Structure* structure)
     : Base(vm, structure)
-{ }
+{
+}
 
 void WebAssemblyToJSCallee::finishCreation(VM& vm)
 {
@@ -57,7 +58,7 @@
 
 void WebAssemblyToJSCallee::destroy(JSCell* cell)
 {
-    WebAssemblyToJSCallee* thisObject = jsCast<WebAssemblyToJSCallee*>(cell);
+    WebAssemblyToJSCallee* thisObject = static_cast<WebAssemblyToJSCallee*>(cell);
     thisObject->WebAssemblyToJSCallee::~WebAssemblyToJSCallee();
 }
 

Modified: branches/safari-603-branch/Source/WebCore/ChangeLog (210866 => 210867)


--- branches/safari-603-branch/Source/WebCore/ChangeLog	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/ChangeLog	2017-01-18 20:42:40 UTC (rev 210867)
@@ -1,5 +1,28 @@
 2017-01-18  Matthew Hanson  <matthew_han...@apple.com>
 
+        Merge r210829. rdar://problem/30044439
+
+    2017-01-16  Filip Pizlo  <fpi...@apple.com>
+
+            JSCell::classInfo() shouldn't have a bunch of mitigations for being called during destruction
+            https://bugs.webkit.org/show_bug.cgi?id=167066
+
+            Reviewed by Keith Miller and Michael Saboff.
+
+            No new tests because no new behavior.
+
+            It's now necessary to avoid jsCast in destructors and finalizers. This was an easy
+            rule to introduce because this used to always be the rule.
+
+            * bindings/js/JSCSSValueCustom.cpp:
+            (WebCore::JSDeprecatedCSSOMValueOwner::finalize):
+            * bindings/js/JSDOMIterator.h:
+            (WebCore::IteratorTraits>::destroy):
+            * bindings/scripts/CodeGeneratorJS.pm:
+            (GenerateImplementation):
+
+2017-01-18  Matthew Hanson  <matthew_han...@apple.com>
+
         Merge r210822. rdar://problem/15607819
 
     2017-01-17  Joseph Pecoraro  <pecor...@apple.com>

Modified: branches/safari-603-branch/Source/WebCore/bindings/js/JSCSSValueCustom.cpp (210866 => 210867)


--- branches/safari-603-branch/Source/WebCore/bindings/js/JSCSSValueCustom.cpp	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/bindings/js/JSCSSValueCustom.cpp	2017-01-18 20:42:40 UTC (rev 210867)
@@ -50,7 +50,7 @@
 
 void JSDeprecatedCSSOMValueOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
 {
-    JSDeprecatedCSSOMValue* jsCSSValue = jsCast<JSDeprecatedCSSOMValue*>(handle.slot()->asCell());
+    JSDeprecatedCSSOMValue* jsCSSValue = static_cast<JSDeprecatedCSSOMValue*>(handle.slot()->asCell());
     DOMWrapperWorld& world = *static_cast<DOMWrapperWorld*>(context);
     world.m_deprecatedCSSOMValueRoots.remove(&jsCSSValue->wrapped());
     uncacheWrapper(world, &jsCSSValue->wrapped(), jsCSSValue);

Modified: branches/safari-603-branch/Source/WebCore/bindings/js/JSDOMIterator.h (210866 => 210867)


--- branches/safari-603-branch/Source/WebCore/bindings/js/JSDOMIterator.h	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/bindings/js/JSDOMIterator.h	2017-01-18 20:42:40 UTC (rev 210867)
@@ -225,7 +225,7 @@
 template<typename JSWrapper, typename IteratorTraits>
 void JSDOMIterator<JSWrapper, IteratorTraits>::destroy(JSCell* cell)
 {
-    JSDOMIterator<JSWrapper, IteratorTraits>* thisObject = JSC::jsCast<JSDOMIterator<JSWrapper, IteratorTraits>*>(cell);
+    JSDOMIterator<JSWrapper, IteratorTraits>* thisObject = static_cast<JSDOMIterator<JSWrapper, IteratorTraits>*>(cell);
     thisObject->JSDOMIterator<JSWrapper, IteratorTraits>::~JSDOMIterator();
 }
 

Modified: branches/safari-603-branch/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm (210866 => 210867)


--- branches/safari-603-branch/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm	2017-01-18 20:42:40 UTC (rev 210867)
@@ -4096,7 +4096,7 @@
     if (ShouldGenerateWrapperOwnerCode($hasParent, $interface) && !$interface->extendedAttributes->{JSCustomFinalize}) {
         push(@implContent, "void JS${interfaceName}Owner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)\n");
         push(@implContent, "{\n");
-        push(@implContent, "    auto* js${interfaceName} = jsCast<JS${interfaceName}*>(handle.slot()->asCell());\n");
+        push(@implContent, "    auto* js${interfaceName} = static_cast<JS${interfaceName}*>(handle.slot()->asCell());\n");
         push(@implContent, "    auto& world = *static_cast<DOMWrapperWorld*>(context);\n");
         push(@implContent, "    uncacheWrapper(world, &js${interfaceName}->wrapped(), js${interfaceName});\n");
         push(@implContent, "}\n\n");

Modified: branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSInterfaceName.cpp (210866 => 210867)


--- branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSInterfaceName.cpp	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSInterfaceName.cpp	2017-01-18 20:42:40 UTC (rev 210867)
@@ -174,7 +174,7 @@
 
 void JSInterfaceNameOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
 {
-    auto* jsInterfaceName = jsCast<JSInterfaceName*>(handle.slot()->asCell());
+    auto* jsInterfaceName = static_cast<JSInterfaceName*>(handle.slot()->asCell());
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsInterfaceName->wrapped(), jsInterfaceName);
 }

Modified: branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestActiveDOMObject.cpp (210866 => 210867)


--- branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestActiveDOMObject.cpp	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestActiveDOMObject.cpp	2017-01-18 20:42:40 UTC (rev 210867)
@@ -255,7 +255,7 @@
 
 void JSTestActiveDOMObjectOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
 {
-    auto* jsTestActiveDOMObject = jsCast<JSTestActiveDOMObject*>(handle.slot()->asCell());
+    auto* jsTestActiveDOMObject = static_cast<JSTestActiveDOMObject*>(handle.slot()->asCell());
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestActiveDOMObject->wrapped(), jsTestActiveDOMObject);
 }

Modified: branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestCEReactions.cpp (210866 => 210867)


--- branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestCEReactions.cpp	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestCEReactions.cpp	2017-01-18 20:42:40 UTC (rev 210867)
@@ -315,7 +315,7 @@
 
 void JSTestCEReactionsOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
 {
-    auto* jsTestCEReactions = jsCast<JSTestCEReactions*>(handle.slot()->asCell());
+    auto* jsTestCEReactions = static_cast<JSTestCEReactions*>(handle.slot()->asCell());
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestCEReactions->wrapped(), jsTestCEReactions);
 }

Modified: branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestCEReactionsStringifier.cpp (210866 => 210867)


--- branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestCEReactionsStringifier.cpp	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestCEReactionsStringifier.cpp	2017-01-18 20:42:40 UTC (rev 210867)
@@ -232,7 +232,7 @@
 
 void JSTestCEReactionsStringifierOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
 {
-    auto* jsTestCEReactionsStringifier = jsCast<JSTestCEReactionsStringifier*>(handle.slot()->asCell());
+    auto* jsTestCEReactionsStringifier = static_cast<JSTestCEReactionsStringifier*>(handle.slot()->asCell());
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestCEReactionsStringifier->wrapped(), jsTestCEReactionsStringifier);
 }

Modified: branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestClassWithJSBuiltinConstructor.cpp (210866 => 210867)


--- branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestClassWithJSBuiltinConstructor.cpp	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestClassWithJSBuiltinConstructor.cpp	2017-01-18 20:42:40 UTC (rev 210867)
@@ -173,7 +173,7 @@
 
 void JSTestClassWithJSBuiltinConstructorOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
 {
-    auto* jsTestClassWithJSBuiltinConstructor = jsCast<JSTestClassWithJSBuiltinConstructor*>(handle.slot()->asCell());
+    auto* jsTestClassWithJSBuiltinConstructor = static_cast<JSTestClassWithJSBuiltinConstructor*>(handle.slot()->asCell());
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestClassWithJSBuiltinConstructor->wrapped(), jsTestClassWithJSBuiltinConstructor);
 }

Modified: branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestCustomConstructorWithNoInterfaceObject.cpp (210866 => 210867)


--- branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestCustomConstructorWithNoInterfaceObject.cpp	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestCustomConstructorWithNoInterfaceObject.cpp	2017-01-18 20:42:40 UTC (rev 210867)
@@ -164,7 +164,7 @@
 
 void JSTestCustomConstructorWithNoInterfaceObjectOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
 {
-    auto* jsTestCustomConstructorWithNoInterfaceObject = jsCast<JSTestCustomConstructorWithNoInterfaceObject*>(handle.slot()->asCell());
+    auto* jsTestCustomConstructorWithNoInterfaceObject = static_cast<JSTestCustomConstructorWithNoInterfaceObject*>(handle.slot()->asCell());
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestCustomConstructorWithNoInterfaceObject->wrapped(), jsTestCustomConstructorWithNoInterfaceObject);
 }

Modified: branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestCustomNamedGetter.cpp (210866 => 210867)


--- branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestCustomNamedGetter.cpp	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestCustomNamedGetter.cpp	2017-01-18 20:42:40 UTC (rev 210867)
@@ -228,7 +228,7 @@
 
 void JSTestCustomNamedGetterOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
 {
-    auto* jsTestCustomNamedGetter = jsCast<JSTestCustomNamedGetter*>(handle.slot()->asCell());
+    auto* jsTestCustomNamedGetter = static_cast<JSTestCustomNamedGetter*>(handle.slot()->asCell());
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestCustomNamedGetter->wrapped(), jsTestCustomNamedGetter);
 }

Modified: branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestException.cpp (210866 => 210867)


--- branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestException.cpp	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestException.cpp	2017-01-18 20:42:40 UTC (rev 210867)
@@ -197,7 +197,7 @@
 
 void JSTestExceptionOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
 {
-    auto* jsTestException = jsCast<JSTestException*>(handle.slot()->asCell());
+    auto* jsTestException = static_cast<JSTestException*>(handle.slot()->asCell());
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestException->wrapped(), jsTestException);
 }

Modified: branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestGenerateIsReachable.cpp (210866 => 210867)


--- branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestGenerateIsReachable.cpp	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestGenerateIsReachable.cpp	2017-01-18 20:42:40 UTC (rev 210867)
@@ -160,7 +160,7 @@
 
 void JSTestGenerateIsReachableOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
 {
-    auto* jsTestGenerateIsReachable = jsCast<JSTestGenerateIsReachable*>(handle.slot()->asCell());
+    auto* jsTestGenerateIsReachable = static_cast<JSTestGenerateIsReachable*>(handle.slot()->asCell());
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestGenerateIsReachable->wrapped(), jsTestGenerateIsReachable);
 }

Modified: branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestGlobalObject.cpp (210866 => 210867)


--- branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestGlobalObject.cpp	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestGlobalObject.cpp	2017-01-18 20:42:40 UTC (rev 210867)
@@ -502,7 +502,7 @@
 
 void JSTestGlobalObjectOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
 {
-    auto* jsTestGlobalObject = jsCast<JSTestGlobalObject*>(handle.slot()->asCell());
+    auto* jsTestGlobalObject = static_cast<JSTestGlobalObject*>(handle.slot()->asCell());
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestGlobalObject->wrapped(), jsTestGlobalObject);
 }

Modified: branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestInterface.cpp (210866 => 210867)


--- branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestInterface.cpp	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestInterface.cpp	2017-01-18 20:42:40 UTC (rev 210867)
@@ -990,7 +990,7 @@
 
 void JSTestInterfaceOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
 {
-    auto* jsTestInterface = jsCast<JSTestInterface*>(handle.slot()->asCell());
+    auto* jsTestInterface = static_cast<JSTestInterface*>(handle.slot()->asCell());
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestInterface->wrapped(), jsTestInterface);
 }

Modified: branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestInterfaceLeadingUnderscore.cpp (210866 => 210867)


--- branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestInterfaceLeadingUnderscore.cpp	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestInterfaceLeadingUnderscore.cpp	2017-01-18 20:42:40 UTC (rev 210867)
@@ -184,7 +184,7 @@
 
 void JSTestInterfaceLeadingUnderscoreOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
 {
-    auto* jsTestInterfaceLeadingUnderscore = jsCast<JSTestInterfaceLeadingUnderscore*>(handle.slot()->asCell());
+    auto* jsTestInterfaceLeadingUnderscore = static_cast<JSTestInterfaceLeadingUnderscore*>(handle.slot()->asCell());
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestInterfaceLeadingUnderscore->wrapped(), jsTestInterfaceLeadingUnderscore);
 }

Modified: branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestIterable.cpp (210866 => 210867)


--- branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestIterable.cpp	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestIterable.cpp	2017-01-18 20:42:40 UTC (rev 210867)
@@ -244,7 +244,7 @@
 
 void JSTestIterableOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
 {
-    auto* jsTestIterable = jsCast<JSTestIterable*>(handle.slot()->asCell());
+    auto* jsTestIterable = static_cast<JSTestIterable*>(handle.slot()->asCell());
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestIterable->wrapped(), jsTestIterable);
 }

Modified: branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestMediaQueryListListener.cpp (210866 => 210867)


--- branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestMediaQueryListListener.cpp	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestMediaQueryListListener.cpp	2017-01-18 20:42:40 UTC (rev 210867)
@@ -193,7 +193,7 @@
 
 void JSTestMediaQueryListListenerOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
 {
-    auto* jsTestMediaQueryListListener = jsCast<JSTestMediaQueryListListener*>(handle.slot()->asCell());
+    auto* jsTestMediaQueryListListener = static_cast<JSTestMediaQueryListListener*>(handle.slot()->asCell());
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestMediaQueryListListener->wrapped(), jsTestMediaQueryListListener);
 }

Modified: branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestNamedConstructor.cpp (210866 => 210867)


--- branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestNamedConstructor.cpp	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestNamedConstructor.cpp	2017-01-18 20:42:40 UTC (rev 210867)
@@ -204,7 +204,7 @@
 
 void JSTestNamedConstructorOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
 {
-    auto* jsTestNamedConstructor = jsCast<JSTestNamedConstructor*>(handle.slot()->asCell());
+    auto* jsTestNamedConstructor = static_cast<JSTestNamedConstructor*>(handle.slot()->asCell());
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestNamedConstructor->wrapped(), jsTestNamedConstructor);
 }

Modified: branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestObj.cpp (210866 => 210867)


--- branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestObj.cpp	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestObj.cpp	2017-01-18 20:42:40 UTC (rev 210867)
@@ -8619,7 +8619,7 @@
 
 void JSTestObjOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
 {
-    auto* jsTestObj = jsCast<JSTestObj*>(handle.slot()->asCell());
+    auto* jsTestObj = static_cast<JSTestObj*>(handle.slot()->asCell());
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestObj->wrapped(), jsTestObj);
 }

Modified: branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestOverloadedConstructors.cpp (210866 => 210867)


--- branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestOverloadedConstructors.cpp	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestOverloadedConstructors.cpp	2017-01-18 20:42:40 UTC (rev 210867)
@@ -260,7 +260,7 @@
 
 void JSTestOverloadedConstructorsOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
 {
-    auto* jsTestOverloadedConstructors = jsCast<JSTestOverloadedConstructors*>(handle.slot()->asCell());
+    auto* jsTestOverloadedConstructors = static_cast<JSTestOverloadedConstructors*>(handle.slot()->asCell());
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestOverloadedConstructors->wrapped(), jsTestOverloadedConstructors);
 }

Modified: branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestOverloadedConstructorsWithSequence.cpp (210866 => 210867)


--- branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestOverloadedConstructorsWithSequence.cpp	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestOverloadedConstructorsWithSequence.cpp	2017-01-18 20:42:40 UTC (rev 210867)
@@ -211,7 +211,7 @@
 
 void JSTestOverloadedConstructorsWithSequenceOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
 {
-    auto* jsTestOverloadedConstructorsWithSequence = jsCast<JSTestOverloadedConstructorsWithSequence*>(handle.slot()->asCell());
+    auto* jsTestOverloadedConstructorsWithSequence = static_cast<JSTestOverloadedConstructorsWithSequence*>(handle.slot()->asCell());
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestOverloadedConstructorsWithSequence->wrapped(), jsTestOverloadedConstructorsWithSequence);
 }

Modified: branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestOverrideBuiltins.cpp (210866 => 210867)


--- branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestOverrideBuiltins.cpp	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestOverrideBuiltins.cpp	2017-01-18 20:42:40 UTC (rev 210867)
@@ -235,7 +235,7 @@
 
 void JSTestOverrideBuiltinsOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
 {
-    auto* jsTestOverrideBuiltins = jsCast<JSTestOverrideBuiltins*>(handle.slot()->asCell());
+    auto* jsTestOverrideBuiltins = static_cast<JSTestOverrideBuiltins*>(handle.slot()->asCell());
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestOverrideBuiltins->wrapped(), jsTestOverrideBuiltins);
 }

Modified: branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestSerialization.cpp (210866 => 210867)


--- branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestSerialization.cpp	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestSerialization.cpp	2017-01-18 20:42:40 UTC (rev 210867)
@@ -397,7 +397,7 @@
 
 void JSTestSerializationOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
 {
-    auto* jsTestSerialization = jsCast<JSTestSerialization*>(handle.slot()->asCell());
+    auto* jsTestSerialization = static_cast<JSTestSerialization*>(handle.slot()->asCell());
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestSerialization->wrapped(), jsTestSerialization);
 }

Modified: branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestSerializedScriptValueInterface.cpp (210866 => 210867)


--- branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestSerializedScriptValueInterface.cpp	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestSerializedScriptValueInterface.cpp	2017-01-18 20:42:40 UTC (rev 210867)
@@ -365,7 +365,7 @@
 
 void JSTestSerializedScriptValueInterfaceOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
 {
-    auto* jsTestSerializedScriptValueInterface = jsCast<JSTestSerializedScriptValueInterface*>(handle.slot()->asCell());
+    auto* jsTestSerializedScriptValueInterface = static_cast<JSTestSerializedScriptValueInterface*>(handle.slot()->asCell());
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestSerializedScriptValueInterface->wrapped(), jsTestSerializedScriptValueInterface);
 }

Modified: branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestTypedefs.cpp (210866 => 210867)


--- branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestTypedefs.cpp	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestTypedefs.cpp	2017-01-18 20:42:40 UTC (rev 210867)
@@ -770,7 +770,7 @@
 
 void JSTestTypedefsOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
 {
-    auto* jsTestTypedefs = jsCast<JSTestTypedefs*>(handle.slot()->asCell());
+    auto* jsTestTypedefs = static_cast<JSTestTypedefs*>(handle.slot()->asCell());
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestTypedefs->wrapped(), jsTestTypedefs);
 }

Modified: branches/safari-603-branch/Source/WebKit2/ChangeLog (210866 => 210867)


--- branches/safari-603-branch/Source/WebKit2/ChangeLog	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebKit2/ChangeLog	2017-01-18 20:42:40 UTC (rev 210867)
@@ -1,5 +1,21 @@
 2017-01-18  Matthew Hanson  <matthew_han...@apple.com>
 
+        Merge r210829. rdar://problem/30044439
+
+    2017-01-17  Filip Pizlo  <fpi...@apple.com>
+
+            JSCell::classInfo() shouldn't have a bunch of mitigations for being called during destruction
+            https://bugs.webkit.org/show_bug.cgi?id=167066
+
+            Reviewed by Keith Miller and Michael Saboff.
+
+            Just remove now-erroneous use of jsCast<>.
+
+            * WebProcess/Plugins/Netscape/NPRuntimeObjectMap.cpp:
+            (WebKit::NPRuntimeObjectMap::finalize):
+
+2017-01-18  Matthew Hanson  <matthew_han...@apple.com>
+
         Merge r210822. rdar://problem/15607819
 
     2017-01-17  Joseph Pecoraro  <pecor...@apple.com>

Modified: branches/safari-603-branch/Source/WebKit2/WebProcess/Plugins/Netscape/NPRuntimeObjectMap.cpp (210866 => 210867)


--- branches/safari-603-branch/Source/WebKit2/WebProcess/Plugins/Netscape/NPRuntimeObjectMap.cpp	2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebKit2/WebProcess/Plugins/Netscape/NPRuntimeObjectMap.cpp	2017-01-18 20:42:40 UTC (rev 210867)
@@ -300,7 +300,7 @@
 
 void NPRuntimeObjectMap::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
 {
-    JSNPObject* object = jsCast<JSNPObject*>(handle.get().asCell());
+    JSNPObject* object = static_cast<JSNPObject*>(handle.get().asCell());
     weakRemove(m_jsNPObjects, static_cast<NPObject*>(context), object);
     addToInvalidationQueue(object->leakNPObject());
 }