Diff
Modified: trunk/Source/_javascript_Core/API/JSContextRef.cpp (86784 => 86785)
--- trunk/Source/_javascript_Core/API/JSContextRef.cpp 2011-05-18 20:09:56 UTC (rev 86784)
+++ trunk/Source/_javascript_Core/API/JSContextRef.cpp 2011-05-18 20:41:54 UTC (rev 86785)
@@ -93,7 +93,7 @@
#endif
if (!globalObjectClass) {
- JSGlobalObject* globalObject = new (globalData.get()) JSGlobalObject(*globalData);
+ JSGlobalObject* globalObject = new (globalData.get()) JSGlobalObject(*globalData, JSGlobalObject::createStructure(*globalData, jsNull()));
return JSGlobalContextRetain(toGlobalRef(globalObject->globalExec()));
}
Modified: trunk/Source/_javascript_Core/ChangeLog (86784 => 86785)
--- trunk/Source/_javascript_Core/ChangeLog 2011-05-18 20:09:56 UTC (rev 86784)
+++ trunk/Source/_javascript_Core/ChangeLog 2011-05-18 20:41:54 UTC (rev 86785)
@@ -1,5 +1,30 @@
2011-05-18 Oliver Hunt <oli...@apple.com>
+ Reviewed by Sam Weinig.
+
+ JSGlobalObject and some others do GC allocation during initialization, which can cause heap corruption
+ https://bugs.webkit.org/show_bug.cgi?id=61090
+
+ Remove the Structure-free JSGlobalObject constructor and instead always
+ pass the structure into the JSGlobalObject constructor.
+ Stop DebuggerActivation creating a new structure every time, and simply
+ use a single shared structure held by the GlobalData.
+
+ * API/JSContextRef.cpp:
+ * debugger/DebuggerActivation.cpp:
+ (JSC::DebuggerActivation::DebuggerActivation):
+ * jsc.cpp:
+ (GlobalObject::GlobalObject):
+ (functionRun):
+ (jscmain):
+ * runtime/JSGlobalData.cpp:
+ (JSC::JSGlobalData::JSGlobalData):
+ (JSC::JSGlobalData::clearBuiltinStructures):
+ * runtime/JSGlobalData.h:
+ * runtime/JSGlobalObject.h:
+
+2011-05-18 Oliver Hunt <oli...@apple.com>
+
Reviewed by Adam Roben.
Disable gc validation in release builds
Modified: trunk/Source/_javascript_Core/debugger/DebuggerActivation.cpp (86784 => 86785)
--- trunk/Source/_javascript_Core/debugger/DebuggerActivation.cpp 2011-05-18 20:09:56 UTC (rev 86784)
+++ trunk/Source/_javascript_Core/debugger/DebuggerActivation.cpp 2011-05-18 20:41:54 UTC (rev 86785)
@@ -31,7 +31,7 @@
namespace JSC {
DebuggerActivation::DebuggerActivation(JSGlobalData& globalData, JSObject* activation)
- : JSNonFinalObject(globalData, DebuggerActivation::createStructure(globalData, jsNull()))
+ : JSNonFinalObject(globalData, globalData.debuggerActivationStructure.get())
{
ASSERT(activation);
ASSERT(activation->isActivationObject());
Modified: trunk/Source/_javascript_Core/jsc.cpp (86784 => 86785)
--- trunk/Source/_javascript_Core/jsc.cpp 2011-05-18 20:09:56 UTC (rev 86784)
+++ trunk/Source/_javascript_Core/jsc.cpp 2011-05-18 20:41:54 UTC (rev 86785)
@@ -141,14 +141,14 @@
class GlobalObject : public JSGlobalObject {
public:
- GlobalObject(JSGlobalData&, const Vector<UString>& arguments);
+ GlobalObject(JSGlobalData&, Structure*, const Vector<UString>& arguments);
virtual UString className() const { return "global"; }
};
COMPILE_ASSERT(!IsInteger<GlobalObject>::value, WTF_IsInteger_GlobalObject_false);
ASSERT_CLASS_FITS_IN_CELL(GlobalObject);
-GlobalObject::GlobalObject(JSGlobalData& globalData, const Vector<UString>& arguments)
- : JSGlobalObject(globalData)
+GlobalObject::GlobalObject(JSGlobalData& globalData, Structure* structure, const Vector<UString>& arguments)
+ : JSGlobalObject(globalData, structure)
{
putDirectFunction(globalExec(), new (globalExec()) JSFunction(globalExec(), this, functionStructure(), 1, Identifier(globalExec(), "debug"), functionDebug));
putDirectFunction(globalExec(), new (globalExec()) JSFunction(globalExec(), this, functionStructure(), 1, Identifier(globalExec(), "print"), functionPrint));
@@ -212,7 +212,7 @@
if (!fillBufferWithContentsOfFile(fileName, script))
return JSValue::encode(throwError(exec, createError(exec, "Could not open file.")));
- GlobalObject* globalObject = new (&exec->globalData()) GlobalObject(exec->globalData(), Vector<UString>());
+ GlobalObject* globalObject = new (&exec->globalData()) GlobalObject(exec->globalData(), GlobalObject::createStructure(exec->globalData(), jsNull()), Vector<UString>());
StopWatch stopWatch;
stopWatch.start();
@@ -537,7 +537,7 @@
Options options;
parseArguments(argc, argv, options, globalData);
- GlobalObject* globalObject = new (globalData) GlobalObject(*globalData, options.arguments);
+ GlobalObject* globalObject = new (globalData) GlobalObject(*globalData, GlobalObject::createStructure(*globalData, jsNull()), options.arguments);
bool success = runWithScripts(globalObject, options.scripts, options.dump);
if (options.interactive && success)
runInteractive(globalObject);
Modified: trunk/Source/_javascript_Core/runtime/JSGlobalData.cpp (86784 => 86785)
--- trunk/Source/_javascript_Core/runtime/JSGlobalData.cpp 2011-05-18 20:09:56 UTC (rev 86784)
+++ trunk/Source/_javascript_Core/runtime/JSGlobalData.cpp 2011-05-18 20:41:54 UTC (rev 86785)
@@ -32,6 +32,7 @@
#include "ArgList.h"
#include "Heap.h"
#include "CommonIdentifiers.h"
+#include "DebuggerActivation.h"
#include "FunctionConstructor.h"
#include "GetterSetter.h"
#include "Interpreter.h"
@@ -200,6 +201,7 @@
IdentifierTable* existingEntryIdentifierTable = wtfThreadData().setCurrentIdentifierTable(identifierTable);
JSLock lock(SilenceAssertionsOnly);
structureStructure.set(*this, Structure::createStructure(*this));
+ debuggerActivationStructure.set(*this, DebuggerActivation::createStructure(*this, jsNull()));
activationStructure.set(*this, JSActivation::createStructure(*this, jsNull()));
interruptedExecutionErrorStructure.set(*this, JSNonFinalObject::createStructure(*this, jsNull()));
terminatedExecutionErrorStructure.set(*this, JSNonFinalObject::createStructure(*this, jsNull()));
@@ -259,6 +261,7 @@
void JSGlobalData::clearBuiltinStructures()
{
structureStructure.clear();
+ debuggerActivationStructure.clear();
activationStructure.clear();
interruptedExecutionErrorStructure.clear();
terminatedExecutionErrorStructure.clear();
Modified: trunk/Source/_javascript_Core/runtime/JSGlobalData.h (86784 => 86785)
--- trunk/Source/_javascript_Core/runtime/JSGlobalData.h 2011-05-18 20:09:56 UTC (rev 86784)
+++ trunk/Source/_javascript_Core/runtime/JSGlobalData.h 2011-05-18 20:41:54 UTC (rev 86785)
@@ -156,6 +156,7 @@
const HashTable* stringConstructorTable;
Strong<Structure> structureStructure;
+ Strong<Structure> debuggerActivationStructure;
Strong<Structure> activationStructure;
Strong<Structure> interruptedExecutionErrorStructure;
Strong<Structure> terminatedExecutionErrorStructure;
Modified: trunk/Source/_javascript_Core/runtime/JSGlobalObject.h (86784 => 86785)
--- trunk/Source/_javascript_Core/runtime/JSGlobalObject.h 2011-05-18 20:09:56 UTC (rev 86784)
+++ trunk/Source/_javascript_Core/runtime/JSGlobalObject.h 2011-05-18 20:41:54 UTC (rev 86785)
@@ -123,19 +123,7 @@
public:
void* operator new(size_t, JSGlobalData*);
-
- explicit JSGlobalObject(JSGlobalData& globalData)
- : JSVariableObject(globalData, JSGlobalObject::createStructure(globalData, jsNull()), &m_symbolTable, 0)
- , m_registerArraySize(0)
- , m_globalScopeChain()
- , m_weakRandom(static_cast<unsigned>(randomNumber() * (std::numeric_limits<unsigned>::max() + 1.0)))
- , m_isEvalEnabled(true)
- {
- COMPILE_ASSERT(JSGlobalObject::AnonymousSlotCount == 1, JSGlobalObject_has_only_a_single_slot);
- putThisToAnonymousValue(0);
- init(this);
- }
-
+
explicit JSGlobalObject(JSGlobalData& globalData, Structure* structure)
: JSVariableObject(globalData, structure, &m_symbolTable, 0)
, m_registerArraySize(0)
Modified: trunk/Source/WebCore/ChangeLog (86784 => 86785)
--- trunk/Source/WebCore/ChangeLog 2011-05-18 20:09:56 UTC (rev 86784)
+++ trunk/Source/WebCore/ChangeLog 2011-05-18 20:41:54 UTC (rev 86785)
@@ -1,3 +1,29 @@
+2011-05-18 Oliver Hunt <oli...@apple.com>
+
+ Reviewed by Sam Weinig.
+
+ JSGlobalObject and some others do GC allocation during initialization, which can cause heap corruption
+ https://bugs.webkit.org/show_bug.cgi?id=61090
+
+ Rather than having Constructor objects create their structure
+ as part of initialisation, we now pass their expected structure
+ in as an argument. This required fixing the few custom Constructors
+ and the code generator.
+
+ * bindings/js/JSAudioConstructor.cpp:
+ (WebCore::JSAudioConstructor::JSAudioConstructor):
+ * bindings/js/JSAudioConstructor.h:
+ * bindings/js/JSDOMGlobalObject.h:
+ (WebCore::getDOMConstructor):
+ Pass the Constructor objects structure in as an argument
+ * bindings/js/JSImageConstructor.cpp:
+ (WebCore::JSImageConstructor::JSImageConstructor):
+ * bindings/js/JSImageConstructor.h:
+ * bindings/js/JSOptionConstructor.cpp:
+ (WebCore::JSOptionConstructor::JSOptionConstructor):
+ * bindings/js/JSOptionConstructor.h:
+ * bindings/scripts/CodeGeneratorJS.pm:
+
2011-05-18 Abhishek Arya <infe...@chromium.org>
Reviewed by Beth Dakin.
Modified: trunk/Source/WebCore/bindings/js/JSAudioConstructor.cpp (86784 => 86785)
--- trunk/Source/WebCore/bindings/js/JSAudioConstructor.cpp 2011-05-18 20:09:56 UTC (rev 86784)
+++ trunk/Source/WebCore/bindings/js/JSAudioConstructor.cpp 2011-05-18 20:41:54 UTC (rev 86785)
@@ -39,8 +39,8 @@
const ClassInfo JSAudioConstructor::s_info = { "AudioConstructor", &DOMConstructorWithDocument::s_info, 0, 0 };
-JSAudioConstructor::JSAudioConstructor(ExecState* exec, JSDOMGlobalObject* globalObject)
- : DOMConstructorWithDocument(JSAudioConstructor::createStructure(globalObject->globalData(), globalObject->objectPrototype()), globalObject)
+JSAudioConstructor::JSAudioConstructor(ExecState* exec, Structure* structure, JSDOMGlobalObject* globalObject)
+ : DOMConstructorWithDocument(structure, globalObject)
{
ASSERT(inherits(&s_info));
putDirect(exec->globalData(), exec->propertyNames().prototype, JSHTMLAudioElementPrototype::self(exec, globalObject), None);
Modified: trunk/Source/WebCore/bindings/js/JSAudioConstructor.h (86784 => 86785)
--- trunk/Source/WebCore/bindings/js/JSAudioConstructor.h 2011-05-18 20:09:56 UTC (rev 86784)
+++ trunk/Source/WebCore/bindings/js/JSAudioConstructor.h 2011-05-18 20:41:54 UTC (rev 86785)
@@ -36,7 +36,7 @@
class JSAudioConstructor : public DOMConstructorWithDocument {
public:
- JSAudioConstructor(JSC::ExecState*, JSDOMGlobalObject*);
+ JSAudioConstructor(JSC::ExecState*, JSC::Structure*, JSDOMGlobalObject*);
static JSC::Structure* createStructure(JSC::JSGlobalData& globalData, JSC::JSValue prototype)
{
Modified: trunk/Source/WebCore/bindings/js/JSDOMGlobalObject.h (86784 => 86785)
--- trunk/Source/WebCore/bindings/js/JSDOMGlobalObject.h 2011-05-18 20:09:56 UTC (rev 86784)
+++ trunk/Source/WebCore/bindings/js/JSDOMGlobalObject.h 2011-05-18 20:41:54 UTC (rev 86785)
@@ -88,7 +88,7 @@
{
if (JSC::JSObject* constructor = const_cast<JSDOMGlobalObject*>(globalObject)->constructors().get(&ConstructorClass::s_info).get())
return constructor;
- JSC::JSObject* constructor = new (exec) ConstructorClass(exec, const_cast<JSDOMGlobalObject*>(globalObject));
+ JSC::JSObject* constructor = new (exec) ConstructorClass(exec, ConstructorClass::createStructure(exec->globalData(), globalObject->objectPrototype()), const_cast<JSDOMGlobalObject*>(globalObject));
ASSERT(!const_cast<JSDOMGlobalObject*>(globalObject)->constructors().contains(&ConstructorClass::s_info));
JSC::WriteBarrier<JSC::JSObject> temp;
const_cast<JSDOMGlobalObject*>(globalObject)->constructors().add(&ConstructorClass::s_info, temp).first->second.set(exec->globalData(), globalObject, constructor);
Modified: trunk/Source/WebCore/bindings/js/JSImageConstructor.cpp (86784 => 86785)
--- trunk/Source/WebCore/bindings/js/JSImageConstructor.cpp 2011-05-18 20:09:56 UTC (rev 86784)
+++ trunk/Source/WebCore/bindings/js/JSImageConstructor.cpp 2011-05-18 20:41:54 UTC (rev 86785)
@@ -34,8 +34,8 @@
const ClassInfo JSImageConstructor::s_info = { "ImageConstructor", &DOMConstructorWithDocument::s_info, 0, 0 };
-JSImageConstructor::JSImageConstructor(ExecState* exec, JSDOMGlobalObject* globalObject)
- : DOMConstructorWithDocument(JSImageConstructor::createStructure(globalObject->globalData(), globalObject->objectPrototype()), globalObject)
+JSImageConstructor::JSImageConstructor(ExecState* exec, Structure* structure, JSDOMGlobalObject* globalObject)
+ : DOMConstructorWithDocument(structure, globalObject)
{
ASSERT(inherits(&s_info));
putDirect(exec->globalData(), exec->propertyNames().prototype, JSHTMLImageElementPrototype::self(exec, globalObject), None);
Modified: trunk/Source/WebCore/bindings/js/JSImageConstructor.h (86784 => 86785)
--- trunk/Source/WebCore/bindings/js/JSImageConstructor.h 2011-05-18 20:09:56 UTC (rev 86784)
+++ trunk/Source/WebCore/bindings/js/JSImageConstructor.h 2011-05-18 20:41:54 UTC (rev 86785)
@@ -27,7 +27,7 @@
class JSImageConstructor : public DOMConstructorWithDocument {
public:
- JSImageConstructor(JSC::ExecState*, JSDOMGlobalObject*);
+ JSImageConstructor(JSC::ExecState*, JSC::Structure*, JSDOMGlobalObject*);
static JSC::Structure* createStructure(JSC::JSGlobalData& globalData, JSC::JSValue prototype)
{
Modified: trunk/Source/WebCore/bindings/js/JSOptionConstructor.cpp (86784 => 86785)
--- trunk/Source/WebCore/bindings/js/JSOptionConstructor.cpp 2011-05-18 20:09:56 UTC (rev 86784)
+++ trunk/Source/WebCore/bindings/js/JSOptionConstructor.cpp 2011-05-18 20:41:54 UTC (rev 86785)
@@ -35,8 +35,8 @@
const ClassInfo JSOptionConstructor::s_info = { "OptionConstructor", &DOMConstructorWithDocument::s_info, 0, 0 };
-JSOptionConstructor::JSOptionConstructor(ExecState* exec, JSDOMGlobalObject* globalObject)
- : DOMConstructorWithDocument(JSOptionConstructor::createStructure(globalObject->globalData(), globalObject->objectPrototype()), globalObject)
+JSOptionConstructor::JSOptionConstructor(ExecState* exec, Structure* structure, JSDOMGlobalObject* globalObject)
+ : DOMConstructorWithDocument(structure, globalObject)
{
ASSERT(inherits(&s_info));
putDirect(exec->globalData(), exec->propertyNames().prototype, JSHTMLOptionElementPrototype::self(exec, globalObject), None);
Modified: trunk/Source/WebCore/bindings/js/JSOptionConstructor.h (86784 => 86785)
--- trunk/Source/WebCore/bindings/js/JSOptionConstructor.h 2011-05-18 20:09:56 UTC (rev 86784)
+++ trunk/Source/WebCore/bindings/js/JSOptionConstructor.h 2011-05-18 20:41:54 UTC (rev 86785)
@@ -28,7 +28,7 @@
class JSOptionConstructor : public DOMConstructorWithDocument {
public:
- JSOptionConstructor(JSC::ExecState*, JSDOMGlobalObject*);
+ JSOptionConstructor(JSC::ExecState*, JSC::Structure*, JSDOMGlobalObject*);
static JSC::Structure* createStructure(JSC::JSGlobalData& globalData, JSC::JSValue prototype)
{
Modified: trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm (86784 => 86785)
--- trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm 2011-05-18 20:09:56 UTC (rev 86784)
+++ trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm 2011-05-18 20:41:54 UTC (rev 86785)
@@ -2974,7 +2974,7 @@
push(@$outputArray, "class ${constructorClassName} : public DOMConstructorObject {\n");
push(@$outputArray, "public:\n");
- push(@$outputArray, " ${constructorClassName}(JSC::ExecState*, JSDOMGlobalObject*);\n\n");
+ push(@$outputArray, " ${constructorClassName}(JSC::ExecState*, JSC::Structure*, JSDOMGlobalObject*);\n\n");
push(@$outputArray, " virtual bool getOwnPropertySlot(JSC::ExecState*, const JSC::Identifier&, JSC::PropertySlot&);\n");
push(@$outputArray, " virtual bool getOwnPropertyDescriptor(JSC::ExecState*, const JSC::Identifier&, JSC::PropertyDescriptor&);\n");
@@ -3013,8 +3013,8 @@
push(@$outputArray, "const ClassInfo ${constructorClassName}::s_info = { \"${visibleClassName}Constructor\", &DOMConstructorObject::s_info, &${constructorClassName}Table, 0 };\n\n");
- push(@$outputArray, "${constructorClassName}::${constructorClassName}(ExecState* exec, JSDOMGlobalObject* globalObject)\n");
- push(@$outputArray, " : DOMConstructorObject(${constructorClassName}::createStructure(globalObject->globalData(), globalObject->objectPrototype()), globalObject)\n");
+ push(@$outputArray, "${constructorClassName}::${constructorClassName}(ExecState* exec, Structure* structure, JSDOMGlobalObject* globalObject)\n");
+ push(@$outputArray, " : DOMConstructorObject(structure, globalObject)\n");
push(@$outputArray, "{\n");
push(@$outputArray, " ASSERT(inherits(&s_info));\n");
if ($interfaceName eq "DOMWindow") {
