<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[171564] trunk/Source/JavaScriptCore</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/171564">171564</a></dd>
<dt>Author</dt> <dd>mark.lam@apple.com</dd>
<dt>Date</dt> <dd>2014-07-24 17:59:10 -0700 (Thu, 24 Jul 2014)</dd>
</dl>
<h3>Log Message</h3>
<pre>JSWrapperMap's jsWrapperForObject() needs to keep weak prototype and constructors from being GCed.
<https://webkit.org/b/135258>
Reviewed by Mark Hahnenberg.
Where needed, we cache the prototype object pointer in a stack local var.
This allows it to be scanned by the GC, and hence be kept alive until
we use it. The constructor object will in turn be kept alive by the
prototype object.
Also added some comments to warn against future code additions that could
regress this issue.
* API/JSWrapperMap.mm:
(-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
(-[JSObjCClassInfo reallocateConstructorAndOrPrototype]):
(-[JSObjCClassInfo wrapperForObject:]):
(-[JSObjCClassInfo constructor]):</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreAPIJSWrapperMapmm">trunk/Source/JavaScriptCore/API/JSWrapperMap.mm</a></li>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceJavaScriptCoreAPIJSWrapperMapmm"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/API/JSWrapperMap.mm (171563 => 171564)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/API/JSWrapperMap.mm 2014-07-25 00:57:39 UTC (rev 171563)
+++ trunk/Source/JavaScriptCore/API/JSWrapperMap.mm 2014-07-25 00:59:10 UTC (rev 171564)
</span><span class="lines">@@ -464,6 +464,11 @@
</span><span class="cx"> m_prototype = toJS(JSValueToObject(cContext, valueInternalValue(prototype), 0));
</span><span class="cx"> }
</span><span class="cx"> } else {
</span><ins>+ // We need to hold a reference to the superclass prototype here on the stack
+ // to that it won't get GC'ed while we do allocations between now and when we
+ // set it in this class' prototype below.
+ JSC::JSObject* superClassPrototype = superClassInfo->m_prototype.get();
+
</ins><span class="cx"> const char* className = class_getName(m_class);
</span><span class="cx">
</span><span class="cx"> // Create or grab the prototype/constructor pair.
</span><span class="lines">@@ -493,13 +498,15 @@
</span><span class="cx"> });
</span><span class="cx">
</span><span class="cx"> // Set [Prototype].
</span><del>- JSObjectSetPrototype([m_context JSGlobalContextRef], toRef(m_prototype.get()), toRef(superClassInfo->m_prototype.get()));
</del><ins>+ JSObjectSetPrototype([m_context JSGlobalContextRef], toRef(m_prototype.get()), toRef(superClassPrototype));
</ins><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> - (void)reallocateConstructorAndOrPrototype
</span><span class="cx"> {
</span><span class="cx"> [self allocateConstructorAndPrototypeWithSuperClassInfo:[m_context.wrapperMap classInfoForClass:class_getSuperclass(m_class)]];
</span><ins>+ // We should not add any code here that can trigger a GC or the prototype and
+ // constructor that we just created may be collected before they can be used.
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> - (JSValue *)wrapperForObject:(id)object
</span><span class="lines">@@ -519,9 +526,12 @@
</span><span class="cx"> if (!m_prototype)
</span><span class="cx"> [self reallocateConstructorAndOrPrototype];
</span><span class="cx"> ASSERT(!!m_prototype);
</span><ins>+ // We need to hold a reference to the prototype here on the stack to that it won't
+ // get GC'ed while we create the wrapper below.
+ JSC::JSObject* prototype = m_prototype.get();
</ins><span class="cx">
</span><span class="cx"> JSObjectRef wrapper = makeWrapper([m_context JSGlobalContextRef], m_classRef, object);
</span><del>- JSObjectSetPrototype([m_context JSGlobalContextRef], wrapper, toRef(m_prototype.get()));
</del><ins>+ JSObjectSetPrototype([m_context JSGlobalContextRef], wrapper, toRef(prototype));
</ins><span class="cx"> return [JSValue valueWithJSValueRef:wrapper inContext:m_context];
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -530,6 +540,9 @@
</span><span class="cx"> if (!m_constructor)
</span><span class="cx"> [self reallocateConstructorAndOrPrototype];
</span><span class="cx"> ASSERT(!!m_constructor);
</span><ins>+ // If we need to add any code here in the future that can trigger a GC, we should
+ // cache the constructor pointer in a stack local var first so that it is protected
+ // from the GC until it gets used below.
</ins><span class="cx"> return [JSValue valueWithJSValueRef:toRef(m_constructor.get()) inContext:m_context];
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (171563 => 171564)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog 2014-07-25 00:57:39 UTC (rev 171563)
+++ trunk/Source/JavaScriptCore/ChangeLog 2014-07-25 00:59:10 UTC (rev 171564)
</span><span class="lines">@@ -1,3 +1,24 @@
</span><ins>+2014-07-24 Mark Lam <mark.lam@apple.com>
+
+ JSWrapperMap's jsWrapperForObject() needs to keep weak prototype and constructors from being GCed.
+ <https://webkit.org/b/135258>
+
+ Reviewed by Mark Hahnenberg.
+
+ Where needed, we cache the prototype object pointer in a stack local var.
+ This allows it to be scanned by the GC, and hence be kept alive until
+ we use it. The constructor object will in turn be kept alive by the
+ prototype object.
+
+ Also added some comments to warn against future code additions that could
+ regress this issue.
+
+ * API/JSWrapperMap.mm:
+ (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
+ (-[JSObjCClassInfo reallocateConstructorAndOrPrototype]):
+ (-[JSObjCClassInfo wrapperForObject:]):
+ (-[JSObjCClassInfo constructor]):
+
</ins><span class="cx"> 2014-07-24 Joseph Pecoraro <pecoraro@apple.com>
</span><span class="cx">
</span><span class="cx"> JSLock release should only modify the AtomicStringTable if it modified in acquire
</span></span></pre>
</div>
</div>
</body>
</html>