Title: [164147] trunk/Source/_javascript_Core
- Revision
- 164147
- Author
- mhahnenb...@apple.com
- Date
- 2014-02-14 17:27:53 -0800 (Fri, 14 Feb 2014)
Log Message
-[JSManagedValue value] needs to be protected by the API lock
https://bugs.webkit.org/show_bug.cgi?id=128857
Reviewed by Mark Lam.
* API/APICast.h:
(toRef): Added an ASSERT so that we can detect these sorts of errors earlier. On 32-bit, toRef
can allocate objects so we need to be holding the lock.
* API/APIShims.h: Removed outdated comments.
* API/JSManagedValue.mm: Added RefPtr<JSLock> to JSManagedValue.
(-[JSManagedValue initWithValue:]): Initialize the m_lock field.
(-[JSManagedValue value]): Lock the JSLock, check the VM*, return nil if invalid, take the APIEntryShim otherwise.
* runtime/JSLock.cpp: Bug fix in JSLock. We were assuming that the VM was always non-null in JSLock::lock.
(JSC::JSLock::lock):
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/API/APICast.h (164146 => 164147)
--- trunk/Source/_javascript_Core/API/APICast.h 2014-02-15 01:06:42 UTC (rev 164146)
+++ trunk/Source/_javascript_Core/API/APICast.h 2014-02-15 01:27:53 UTC (rev 164147)
@@ -124,6 +124,7 @@
inline JSValueRef toRef(JSC::ExecState* exec, JSC::JSValue v)
{
+ ASSERT(exec->vm().currentThreadIsHoldingAPILock());
#if USE(JSVALUE32_64)
if (!v)
return 0;
Modified: trunk/Source/_javascript_Core/API/APIShims.h (164146 => 164147)
--- trunk/Source/_javascript_Core/API/APIShims.h 2014-02-15 01:06:42 UTC (rev 164146)
+++ trunk/Source/_javascript_Core/API/APIShims.h 2014-02-15 01:27:53 UTC (rev 164147)
@@ -56,14 +56,12 @@
class APIEntryShim : public APIEntryShimWithoutLock {
public:
- // Normal API entry
APIEntryShim(ExecState* exec, bool registerThread = true)
: APIEntryShimWithoutLock(&exec->vm(), registerThread)
, m_lockHolder(exec->vm().exclusiveThread ? 0 : exec)
{
}
- // JSPropertyNameAccumulator only has a vm.
APIEntryShim(VM* vm, bool registerThread = true)
: APIEntryShimWithoutLock(vm, registerThread)
, m_lockHolder(vm->exclusiveThread ? 0 : vm)
Modified: trunk/Source/_javascript_Core/API/JSManagedValue.mm (164146 => 164147)
--- trunk/Source/_javascript_Core/API/JSManagedValue.mm 2014-02-15 01:06:42 UTC (rev 164146)
+++ trunk/Source/_javascript_Core/API/JSManagedValue.mm 2014-02-15 01:27:53 UTC (rev 164147)
@@ -30,6 +30,7 @@
#if JSC_OBJC_API_ENABLED
#import "APICast.h"
+#import "APIShims.h"
#import "Heap.h"
#import "JSContextInternal.h"
#import "JSValueInternal.h"
@@ -168,6 +169,7 @@
@implementation JSManagedValue {
JSC::Weak<JSC::JSGlobalObject> m_globalObject;
+ RefPtr<JSC::JSLock> m_lock;
WeakValueRef m_weakValue;
NSMapTable *m_owners;
}
@@ -203,6 +205,8 @@
JSC::Weak<JSC::JSGlobalObject> weak(globalObject, managedValueHandleOwner(), self);
m_globalObject.swap(weak);
+ m_lock = &exec->vm().apiLock();
+
NSPointerFunctionsOptions weakIDOptions = NSPointerFunctionsWeakMemory | NSPointerFunctionsObjectPersonality;
NSPointerFunctionsOptions integerOptions = NSPointerFunctionsOpaqueMemory | NSPointerFunctionsIntegerPersonality;
m_owners = [[NSMapTable alloc] initWithKeyOptions:weakIDOptions valueOptions:integerOptions capacity:1];
@@ -258,6 +262,11 @@
- (JSValue *)value
{
+ WTF::Locker<JSC::JSLock> locker(m_lock.get());
+ if (!m_lock->vm())
+ return nil;
+
+ JSC::APIEntryShim shim(m_lock->vm());
if (!m_globalObject)
return nil;
if (m_weakValue.isClear())
Modified: trunk/Source/_javascript_Core/ChangeLog (164146 => 164147)
--- trunk/Source/_javascript_Core/ChangeLog 2014-02-15 01:06:42 UTC (rev 164146)
+++ trunk/Source/_javascript_Core/ChangeLog 2014-02-15 01:27:53 UTC (rev 164147)
@@ -1,3 +1,20 @@
+2014-02-14 Mark Hahnenberg <mhahnenb...@apple.com>
+
+ -[JSManagedValue value] needs to be protected by the API lock
+ https://bugs.webkit.org/show_bug.cgi?id=128857
+
+ Reviewed by Mark Lam.
+
+ * API/APICast.h:
+ (toRef): Added an ASSERT so that we can detect these sorts of errors earlier. On 32-bit, toRef
+ can allocate objects so we need to be holding the lock.
+ * API/APIShims.h: Removed outdated comments.
+ * API/JSManagedValue.mm: Added RefPtr<JSLock> to JSManagedValue.
+ (-[JSManagedValue initWithValue:]): Initialize the m_lock field.
+ (-[JSManagedValue value]): Lock the JSLock, check the VM*, return nil if invalid, take the APIEntryShim otherwise.
+ * runtime/JSLock.cpp: Bug fix in JSLock. We were assuming that the VM was always non-null in JSLock::lock.
+ (JSC::JSLock::lock):
+
2014-02-14 Oliver Hunt <oli...@apple.com>
Implement a few more Array prototype functions in JS
Modified: trunk/Source/_javascript_Core/runtime/JSLock.cpp (164146 => 164147)
--- trunk/Source/_javascript_Core/runtime/JSLock.cpp 2014-02-15 01:06:42 UTC (rev 164146)
+++ trunk/Source/_javascript_Core/runtime/JSLock.cpp 2014-02-15 01:27:53 UTC (rev 164147)
@@ -121,6 +121,9 @@
ASSERT(!m_lockCount);
m_lockCount = lockCount;
+ if (!m_vm)
+ return;
+
WTFThreadData& threadData = wtfThreadData();
RELEASE_ASSERT(!m_vm->stackPointerAtVMEntry());
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
