<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[210829] trunk/Source</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/210829">210829</a></dd>
<dt>Author</dt> <dd>fpizlo@apple.com</dd>
<dt>Date</dt> <dd>2017-01-17 15:52:55 -0800 (Tue, 17 Jan 2017)</dd>
</dl>
<h3>Log Message</h3>
<pre>JSCell::classInfo() shouldn't have a bunch of mitigations for being called during destruction
https://bugs.webkit.org/show_bug.cgi?id=167066
Reviewed by Keith Miller and Michael Saboff.
Source/JavaScriptCore:
This reduces the size of JSCell::classInfo() by half and removes some checks that
this function previously had to do in case it was called from destructors.
I changed all of the destructors so that they don't call JSCell::classInfo() and I
added an assertion to JSCell::classInfo() to catch cases where someone called it
from a destructor accidentally.
This means that we only have one place in destruction that needs to know the class:
the sweeper's call to the destructor.
One of the trickiest outcomes of this is the need to support inherits() tests in
JSObjectGetPrivate(), when it is called from the destructor callback on the object
being destructed. JSObjectGetPrivate() is undefined behavior anyway if you use it
on any dead-but-not-destructed object other than the one being destructed right
now. The purpose of the inherits() tests is to distinguish between different kinds
of CallbackObjects, which may have different kinds of base classes. I think that
this was always subtly wrong - for example, if the object being destructed is a
JSGlobalObject then it's not a DestructibleObject, is not in a destructor block,
but does not have an immortal Structure - so classInfo() is not valid. This fixes
the issue by having ~JSCallbackObject know its classInfo. It now stashes its
classInfo in VM so that JSObjectGetPrivate can use that classInfo if it detects
that it's being used on a currently-destructing object.
That was the only really weird part of this patch. The rest is mostly removing
illegal uses of jsCast<> in destructors. There were a few other genuine uses of
classInfo() but they were in code that already knew how to get its classInfo()
using other means:
- You can still say structure()->classInfo(), and I use this form in code that
knows that its StructureIsImmortal.
- You can use this->classInfo() if it's overridden, like in subclasses of
JSDestructibleObject.
Rolling this back in because I think I fixed the crashes.
* API/JSAPIWrapperObject.mm:
(JSAPIWrapperObjectHandleOwner::finalize):
* API/JSCallbackObject.h:
* API/JSCallbackObjectFunctions.h:
(JSC::JSCallbackObject<Parent>::~JSCallbackObject):
(JSC::JSCallbackObject<Parent>::init):
* API/JSObjectRef.cpp:
(classInfoPrivate):
(JSObjectGetPrivate):
(JSObjectSetPrivate):
* bytecode/EvalCodeBlock.cpp:
(JSC::EvalCodeBlock::destroy):
* bytecode/FunctionCodeBlock.cpp:
(JSC::FunctionCodeBlock::destroy):
* bytecode/ModuleProgramCodeBlock.cpp:
(JSC::ModuleProgramCodeBlock::destroy):
* bytecode/ProgramCodeBlock.cpp:
(JSC::ProgramCodeBlock::destroy):
* bytecode/UnlinkedEvalCodeBlock.cpp:
(JSC::UnlinkedEvalCodeBlock::destroy):
* bytecode/UnlinkedFunctionCodeBlock.cpp:
(JSC::UnlinkedFunctionCodeBlock::destroy):
* bytecode/UnlinkedFunctionExecutable.cpp:
(JSC::UnlinkedFunctionExecutable::destroy):
* bytecode/UnlinkedModuleProgramCodeBlock.cpp:
(JSC::UnlinkedModuleProgramCodeBlock::destroy):
* bytecode/UnlinkedProgramCodeBlock.cpp:
(JSC::UnlinkedProgramCodeBlock::destroy):
* heap/CodeBlockSet.cpp:
(JSC::CodeBlockSet::lastChanceToFinalize):
(JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
* heap/MarkedAllocator.cpp:
(JSC::MarkedAllocator::allocateSlowCaseImpl):
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::Handle::sweep):
* jit/JITThunks.cpp:
(JSC::JITThunks::finalize):
* runtime/AbstractModuleRecord.cpp:
(JSC::AbstractModuleRecord::destroy):
* runtime/ExecutableBase.cpp:
(JSC::ExecutableBase::clearCode):
* runtime/JSCellInlines.h:
(JSC::JSCell::classInfo):
(JSC::JSCell::callDestructor):
* runtime/JSLock.h:
(JSC::JSLock::ownerThread):
* runtime/JSModuleNamespaceObject.cpp:
(JSC::JSModuleNamespaceObject::destroy):
* runtime/JSModuleRecord.cpp:
(JSC::JSModuleRecord::destroy):
* runtime/JSPropertyNameEnumerator.cpp:
(JSC::JSPropertyNameEnumerator::destroy):
* runtime/JSSegmentedVariableObject.h:
* runtime/SymbolTable.cpp:
(JSC::SymbolTable::destroy):
* runtime/VM.h:
* wasm/js/JSWebAssemblyCallee.cpp:
(JSC::JSWebAssemblyCallee::destroy):
* wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::WebAssemblyModuleRecord::destroy):
* wasm/js/WebAssemblyToJSCallee.cpp:
(JSC::WebAssemblyToJSCallee::WebAssemblyToJSCallee):
(JSC::WebAssemblyToJSCallee::destroy):
Source/WebCore:
No new tests because no new behavior.
It's now necessary to avoid jsCast in destructors and finalizers. This was an easy
rule to introduce because this used to always be the rule.
* bindings/js/JSCSSValueCustom.cpp:
(WebCore::JSDeprecatedCSSOMValueOwner::finalize):
* bindings/js/JSDOMIterator.h:
(WebCore::IteratorTraits>::destroy):
* bindings/scripts/CodeGeneratorJS.pm:
(GenerateImplementation):
Source/WebKit2:
Just remove now-erroneous use of jsCast<>.
* WebProcess/Plugins/Netscape/NPRuntimeObjectMap.cpp:
(WebKit::NPRuntimeObjectMap::finalize):</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreAPIJSAPIWrapperObjectmm">trunk/Source/JavaScriptCore/API/JSAPIWrapperObject.mm</a></li>
<li><a href="#trunkSourceJavaScriptCoreAPIJSCallbackObjecth">trunk/Source/JavaScriptCore/API/JSCallbackObject.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreAPIJSCallbackObjectFunctionsh">trunk/Source/JavaScriptCore/API/JSCallbackObjectFunctions.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreAPIJSObjectRefcpp">trunk/Source/JavaScriptCore/API/JSObjectRef.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeEvalCodeBlockcpp">trunk/Source/JavaScriptCore/bytecode/EvalCodeBlock.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeFunctionCodeBlockcpp">trunk/Source/JavaScriptCore/bytecode/FunctionCodeBlock.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeModuleProgramCodeBlockcpp">trunk/Source/JavaScriptCore/bytecode/ModuleProgramCodeBlock.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeProgramCodeBlockcpp">trunk/Source/JavaScriptCore/bytecode/ProgramCodeBlock.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeUnlinkedEvalCodeBlockcpp">trunk/Source/JavaScriptCore/bytecode/UnlinkedEvalCodeBlock.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeUnlinkedFunctionCodeBlockcpp">trunk/Source/JavaScriptCore/bytecode/UnlinkedFunctionCodeBlock.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeUnlinkedFunctionExecutablecpp">trunk/Source/JavaScriptCore/bytecode/UnlinkedFunctionExecutable.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeUnlinkedModuleProgramCodeBlockcpp">trunk/Source/JavaScriptCore/bytecode/UnlinkedModuleProgramCodeBlock.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeUnlinkedProgramCodeBlockcpp">trunk/Source/JavaScriptCore/bytecode/UnlinkedProgramCodeBlock.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapCodeBlockSetcpp">trunk/Source/JavaScriptCore/heap/CodeBlockSet.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapMarkedAllocatorcpp">trunk/Source/JavaScriptCore/heap/MarkedAllocator.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapMarkedBlockcpp">trunk/Source/JavaScriptCore/heap/MarkedBlock.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITThunkscpp">trunk/Source/JavaScriptCore/jit/JITThunks.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeAbstractModuleRecordcpp">trunk/Source/JavaScriptCore/runtime/AbstractModuleRecord.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeExecutableBasecpp">trunk/Source/JavaScriptCore/runtime/ExecutableBase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSCellInlinesh">trunk/Source/JavaScriptCore/runtime/JSCellInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSLockh">trunk/Source/JavaScriptCore/runtime/JSLock.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSModuleNamespaceObjectcpp">trunk/Source/JavaScriptCore/runtime/JSModuleNamespaceObject.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSModuleRecordcpp">trunk/Source/JavaScriptCore/runtime/JSModuleRecord.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSPropertyNameEnumeratorcpp">trunk/Source/JavaScriptCore/runtime/JSPropertyNameEnumerator.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSSegmentedVariableObjecth">trunk/Source/JavaScriptCore/runtime/JSSegmentedVariableObject.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeStructureInlinesh">trunk/Source/JavaScriptCore/runtime/StructureInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeSymbolTablecpp">trunk/Source/JavaScriptCore/runtime/SymbolTable.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeVMh">trunk/Source/JavaScriptCore/runtime/VM.h</a></li>
<li><a href="#trunkSourceJavaScriptCorewasmjsJSWebAssemblyCalleecpp">trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyCallee.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorewasmjsWebAssemblyModuleRecordcpp">trunk/Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorewasmjsWebAssemblyToJSCalleecpp">trunk/Source/JavaScriptCore/wasm/js/WebAssemblyToJSCallee.cpp</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCorebindingsjsJSCSSValueCustomcpp">trunk/Source/WebCore/bindings/js/JSCSSValueCustom.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsjsJSDOMIteratorh">trunk/Source/WebCore/bindings/js/JSDOMIterator.h</a></li>
<li><a href="#trunkSourceWebCorebindingsscriptsCodeGeneratorJSpm">trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm</a></li>
<li><a href="#trunkSourceWebCorebindingsscriptstestJSJSInterfaceNamecpp">trunk/Source/WebCore/bindings/scripts/test/JS/JSInterfaceName.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsscriptstestJSJSTestActiveDOMObjectcpp">trunk/Source/WebCore/bindings/scripts/test/JS/JSTestActiveDOMObject.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsscriptstestJSJSTestCEReactionscpp">trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCEReactions.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsscriptstestJSJSTestCEReactionsStringifiercpp">trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCEReactionsStringifier.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsscriptstestJSJSTestClassWithJSBuiltinConstructorcpp">trunk/Source/WebCore/bindings/scripts/test/JS/JSTestClassWithJSBuiltinConstructor.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsscriptstestJSJSTestCustomConstructorWithNoInterfaceObjectcpp">trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCustomConstructorWithNoInterfaceObject.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsscriptstestJSJSTestCustomNamedGettercpp">trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCustomNamedGetter.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsscriptstestJSJSTestExceptioncpp">trunk/Source/WebCore/bindings/scripts/test/JS/JSTestException.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsscriptstestJSJSTestGenerateIsReachablecpp">trunk/Source/WebCore/bindings/scripts/test/JS/JSTestGenerateIsReachable.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsscriptstestJSJSTestGlobalObjectcpp">trunk/Source/WebCore/bindings/scripts/test/JS/JSTestGlobalObject.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsscriptstestJSJSTestInterfacecpp">trunk/Source/WebCore/bindings/scripts/test/JS/JSTestInterface.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsscriptstestJSJSTestInterfaceLeadingUnderscorecpp">trunk/Source/WebCore/bindings/scripts/test/JS/JSTestInterfaceLeadingUnderscore.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsscriptstestJSJSTestIterablecpp">trunk/Source/WebCore/bindings/scripts/test/JS/JSTestIterable.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsscriptstestJSJSTestMediaQueryListListenercpp">trunk/Source/WebCore/bindings/scripts/test/JS/JSTestMediaQueryListListener.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsscriptstestJSJSTestNamedConstructorcpp">trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedConstructor.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsscriptstestJSJSTestObjcpp">trunk/Source/WebCore/bindings/scripts/test/JS/JSTestObj.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsscriptstestJSJSTestOverloadedConstructorscpp">trunk/Source/WebCore/bindings/scripts/test/JS/JSTestOverloadedConstructors.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsscriptstestJSJSTestOverloadedConstructorsWithSequencecpp">trunk/Source/WebCore/bindings/scripts/test/JS/JSTestOverloadedConstructorsWithSequence.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsscriptstestJSJSTestOverrideBuiltinscpp">trunk/Source/WebCore/bindings/scripts/test/JS/JSTestOverrideBuiltins.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsscriptstestJSJSTestSerializationcpp">trunk/Source/WebCore/bindings/scripts/test/JS/JSTestSerialization.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsscriptstestJSJSTestSerializedScriptValueInterfacecpp">trunk/Source/WebCore/bindings/scripts/test/JS/JSTestSerializedScriptValueInterface.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsscriptstestJSJSTestTypedefscpp">trunk/Source/WebCore/bindings/scripts/test/JS/JSTestTypedefs.cpp</a></li>
<li><a href="#trunkSourceWebKit2ChangeLog">trunk/Source/WebKit2/ChangeLog</a></li>
<li><a href="#trunkSourceWebKit2WebProcessPluginsNetscapeNPRuntimeObjectMapcpp">trunk/Source/WebKit2/WebProcess/Plugins/Netscape/NPRuntimeObjectMap.cpp</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceJavaScriptCoreAPIJSAPIWrapperObjectmm"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/API/JSAPIWrapperObject.mm (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/API/JSAPIWrapperObject.mm 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/JavaScriptCore/API/JSAPIWrapperObject.mm 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -48,7 +48,7 @@
</span><span class="cx">
</span><span class="cx"> void JSAPIWrapperObjectHandleOwner::finalize(JSC::Handle<JSC::Unknown> handle, void*)
</span><span class="cx"> {
</span><del>- JSC::JSAPIWrapperObject* wrapperObject = JSC::jsCast<JSC::JSAPIWrapperObject*>(handle.get().asCell());
</del><ins>+ JSC::JSAPIWrapperObject* wrapperObject = static_cast<JSC::JSAPIWrapperObject*>(handle.get().asCell());
</ins><span class="cx"> if (!wrapperObject->wrappedObject())
</span><span class="cx"> return;
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreAPIJSCallbackObjecth"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/API/JSCallbackObject.h (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/API/JSCallbackObject.h 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/JavaScriptCore/API/JSCallbackObject.h 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -232,6 +232,7 @@
</span><span class="cx"> static EncodedJSValue callbackGetter(ExecState*, EncodedJSValue, PropertyName);
</span><span class="cx">
</span><span class="cx"> std::unique_ptr<JSCallbackObjectData> m_callbackObjectData;
</span><ins>+ const ClassInfo* m_classInfo;
</ins><span class="cx"> };
</span><span class="cx">
</span><span class="cx"> } // namespace JSC
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreAPIJSCallbackObjectFunctionsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/API/JSCallbackObjectFunctions.h (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/API/JSCallbackObjectFunctions.h 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/JavaScriptCore/API/JSCallbackObjectFunctions.h 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -74,11 +74,17 @@
</span><span class="cx"> template <class Parent>
</span><span class="cx"> JSCallbackObject<Parent>::~JSCallbackObject()
</span><span class="cx"> {
</span><ins>+ VM* vm = this->HeapCell::vm();
+ vm->currentlyDestructingCallbackObject = this;
+ ASSERT(m_classInfo);
+ vm->currentlyDestructingCallbackObjectClassInfo = m_classInfo;
</ins><span class="cx"> JSObjectRef thisRef = toRef(static_cast<JSObject*>(this));
</span><span class="cx"> for (JSClassRef jsClass = classRef(); jsClass; jsClass = jsClass->parentClass) {
</span><span class="cx"> if (JSObjectFinalizeCallback finalize = jsClass->finalize)
</span><span class="cx"> finalize(thisRef);
</span><span class="cx"> }
</span><ins>+ vm->currentlyDestructingCallbackObject = nullptr;
+ vm->currentlyDestructingCallbackObjectClassInfo = nullptr;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> template <class Parent>
</span><span class="lines">@@ -117,6 +123,8 @@
</span><span class="cx"> JSObjectInitializeCallback initialize = initRoutines[i];
</span><span class="cx"> initialize(toRef(exec), toRef(this));
</span><span class="cx"> }
</span><ins>+
+ m_classInfo = this->classInfo();
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> template <class Parent>
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreAPIJSObjectRefcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/API/JSObjectRef.cpp (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/API/JSObjectRef.cpp 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/JavaScriptCore/API/JSObjectRef.cpp 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -380,21 +380,38 @@
</span><span class="cx"> return result;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+// API objects have private properties, which may get accessed during destruction. This
+// helper lets us get the ClassInfo of an API object from a function that may get called
+// during destruction.
+static const ClassInfo* classInfoPrivate(JSObject* jsObject)
+{
+ VM* vm = jsObject->vm();
+
+ if (vm->currentlyDestructingCallbackObject != jsObject)
+ return jsObject->classInfo();
+
+ return vm->currentlyDestructingCallbackObjectClassInfo;
+}
+
</ins><span class="cx"> void* JSObjectGetPrivate(JSObjectRef object)
</span><span class="cx"> {
</span><span class="cx"> JSObject* jsObject = uncheckedToJS(object);
</span><span class="cx">
</span><ins>+ const ClassInfo* classInfo = classInfoPrivate(jsObject);
+
</ins><span class="cx"> // Get wrapped object if proxied
</span><del>- if (jsObject->inherits(JSProxy::info()))
- jsObject = jsCast<JSProxy*>(jsObject)->target();
</del><ins>+ if (classInfo->isSubClassOf(JSProxy::info())) {
+ jsObject = static_cast<JSProxy*>(jsObject)->target();
+ classInfo = jsObject->classInfo();
+ }
</ins><span class="cx">
</span><del>- if (jsObject->inherits(JSCallbackObject<JSGlobalObject>::info()))
- return jsCast<JSCallbackObject<JSGlobalObject>*>(jsObject)->getPrivate();
- if (jsObject->inherits(JSCallbackObject<JSDestructibleObject>::info()))
- return jsCast<JSCallbackObject<JSDestructibleObject>*>(jsObject)->getPrivate();
</del><ins>+ if (classInfo->isSubClassOf(JSCallbackObject<JSGlobalObject>::info()))
+ return static_cast<JSCallbackObject<JSGlobalObject>*>(jsObject)->getPrivate();
+ if (classInfo->isSubClassOf(JSCallbackObject<JSDestructibleObject>::info()))
+ return static_cast<JSCallbackObject<JSDestructibleObject>*>(jsObject)->getPrivate();
</ins><span class="cx"> #if JSC_OBJC_API_ENABLED
</span><del>- if (jsObject->inherits(JSCallbackObject<JSAPIWrapperObject>::info()))
- return jsCast<JSCallbackObject<JSAPIWrapperObject>*>(jsObject)->getPrivate();
</del><ins>+ if (classInfo->isSubClassOf(JSCallbackObject<JSAPIWrapperObject>::info()))
+ return static_cast<JSCallbackObject<JSAPIWrapperObject>*>(jsObject)->getPrivate();
</ins><span class="cx"> #endif
</span><span class="cx">
</span><span class="cx"> return 0;
</span><span class="lines">@@ -404,20 +421,24 @@
</span><span class="cx"> {
</span><span class="cx"> JSObject* jsObject = uncheckedToJS(object);
</span><span class="cx">
</span><ins>+ const ClassInfo* classInfo = classInfoPrivate(jsObject);
+
</ins><span class="cx"> // Get wrapped object if proxied
</span><del>- if (jsObject->inherits(JSProxy::info()))
</del><ins>+ if (classInfo->isSubClassOf(JSProxy::info())) {
</ins><span class="cx"> jsObject = jsCast<JSProxy*>(jsObject)->target();
</span><ins>+ classInfo = jsObject->classInfo();
+ }
</ins><span class="cx">
</span><del>- if (jsObject->inherits(JSCallbackObject<JSGlobalObject>::info())) {
</del><ins>+ if (classInfo->isSubClassOf(JSCallbackObject<JSGlobalObject>::info())) {
</ins><span class="cx"> jsCast<JSCallbackObject<JSGlobalObject>*>(jsObject)->setPrivate(data);
</span><span class="cx"> return true;
</span><span class="cx"> }
</span><del>- if (jsObject->inherits(JSCallbackObject<JSDestructibleObject>::info())) {
</del><ins>+ if (classInfo->isSubClassOf(JSCallbackObject<JSDestructibleObject>::info())) {
</ins><span class="cx"> jsCast<JSCallbackObject<JSDestructibleObject>*>(jsObject)->setPrivate(data);
</span><span class="cx"> return true;
</span><span class="cx"> }
</span><span class="cx"> #if JSC_OBJC_API_ENABLED
</span><del>- if (jsObject->inherits(JSCallbackObject<JSAPIWrapperObject>::info())) {
</del><ins>+ if (classInfo->isSubClassOf(JSCallbackObject<JSAPIWrapperObject>::info())) {
</ins><span class="cx"> jsCast<JSCallbackObject<JSAPIWrapperObject>*>(jsObject)->setPrivate(data);
</span><span class="cx"> return true;
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/JavaScriptCore/ChangeLog 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -1,3 +1,110 @@
</span><ins>+2017-01-16 Filip Pizlo <fpizlo@apple.com>
+
+ JSCell::classInfo() shouldn't have a bunch of mitigations for being called during destruction
+ https://bugs.webkit.org/show_bug.cgi?id=167066
+
+ Reviewed by Keith Miller and Michael Saboff.
+
+ This reduces the size of JSCell::classInfo() by half and removes some checks that
+ this function previously had to do in case it was called from destructors.
+
+ I changed all of the destructors so that they don't call JSCell::classInfo() and I
+ added an assertion to JSCell::classInfo() to catch cases where someone called it
+ from a destructor accidentally.
+
+ This means that we only have one place in destruction that needs to know the class:
+ the sweeper's call to the destructor.
+
+ One of the trickiest outcomes of this is the need to support inherits() tests in
+ JSObjectGetPrivate(), when it is called from the destructor callback on the object
+ being destructed. JSObjectGetPrivate() is undefined behavior anyway if you use it
+ on any dead-but-not-destructed object other than the one being destructed right
+ now. The purpose of the inherits() tests is to distinguish between different kinds
+ of CallbackObjects, which may have different kinds of base classes. I think that
+ this was always subtly wrong - for example, if the object being destructed is a
+ JSGlobalObject then it's not a DestructibleObject, is not in a destructor block,
+ but does not have an immortal Structure - so classInfo() is not valid. This fixes
+ the issue by having ~JSCallbackObject know its classInfo. It now stashes its
+ classInfo in VM so that JSObjectGetPrivate can use that classInfo if it detects
+ that it's being used on a currently-destructing object.
+
+ That was the only really weird part of this patch. The rest is mostly removing
+ illegal uses of jsCast<> in destructors. There were a few other genuine uses of
+ classInfo() but they were in code that already knew how to get its classInfo()
+ using other means:
+
+ - You can still say structure()->classInfo(), and I use this form in code that
+ knows that its StructureIsImmortal.
+
+ - You can use this->classInfo() if it's overridden, like in subclasses of
+ JSDestructibleObject.
+
+ Rolling this back in because I think I fixed the crashes.
+
+ * API/JSAPIWrapperObject.mm:
+ (JSAPIWrapperObjectHandleOwner::finalize):
+ * API/JSCallbackObject.h:
+ * API/JSCallbackObjectFunctions.h:
+ (JSC::JSCallbackObject<Parent>::~JSCallbackObject):
+ (JSC::JSCallbackObject<Parent>::init):
+ * API/JSObjectRef.cpp:
+ (classInfoPrivate):
+ (JSObjectGetPrivate):
+ (JSObjectSetPrivate):
+ * bytecode/EvalCodeBlock.cpp:
+ (JSC::EvalCodeBlock::destroy):
+ * bytecode/FunctionCodeBlock.cpp:
+ (JSC::FunctionCodeBlock::destroy):
+ * bytecode/ModuleProgramCodeBlock.cpp:
+ (JSC::ModuleProgramCodeBlock::destroy):
+ * bytecode/ProgramCodeBlock.cpp:
+ (JSC::ProgramCodeBlock::destroy):
+ * bytecode/UnlinkedEvalCodeBlock.cpp:
+ (JSC::UnlinkedEvalCodeBlock::destroy):
+ * bytecode/UnlinkedFunctionCodeBlock.cpp:
+ (JSC::UnlinkedFunctionCodeBlock::destroy):
+ * bytecode/UnlinkedFunctionExecutable.cpp:
+ (JSC::UnlinkedFunctionExecutable::destroy):
+ * bytecode/UnlinkedModuleProgramCodeBlock.cpp:
+ (JSC::UnlinkedModuleProgramCodeBlock::destroy):
+ * bytecode/UnlinkedProgramCodeBlock.cpp:
+ (JSC::UnlinkedProgramCodeBlock::destroy):
+ * heap/CodeBlockSet.cpp:
+ (JSC::CodeBlockSet::lastChanceToFinalize):
+ (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
+ * heap/MarkedAllocator.cpp:
+ (JSC::MarkedAllocator::allocateSlowCaseImpl):
+ * heap/MarkedBlock.cpp:
+ (JSC::MarkedBlock::Handle::sweep):
+ * jit/JITThunks.cpp:
+ (JSC::JITThunks::finalize):
+ * runtime/AbstractModuleRecord.cpp:
+ (JSC::AbstractModuleRecord::destroy):
+ * runtime/ExecutableBase.cpp:
+ (JSC::ExecutableBase::clearCode):
+ * runtime/JSCellInlines.h:
+ (JSC::JSCell::classInfo):
+ (JSC::JSCell::callDestructor):
+ * runtime/JSLock.h:
+ (JSC::JSLock::ownerThread):
+ * runtime/JSModuleNamespaceObject.cpp:
+ (JSC::JSModuleNamespaceObject::destroy):
+ * runtime/JSModuleRecord.cpp:
+ (JSC::JSModuleRecord::destroy):
+ * runtime/JSPropertyNameEnumerator.cpp:
+ (JSC::JSPropertyNameEnumerator::destroy):
+ * runtime/JSSegmentedVariableObject.h:
+ * runtime/SymbolTable.cpp:
+ (JSC::SymbolTable::destroy):
+ * runtime/VM.h:
+ * wasm/js/JSWebAssemblyCallee.cpp:
+ (JSC::JSWebAssemblyCallee::destroy):
+ * wasm/js/WebAssemblyModuleRecord.cpp:
+ (JSC::WebAssemblyModuleRecord::destroy):
+ * wasm/js/WebAssemblyToJSCallee.cpp:
+ (JSC::WebAssemblyToJSCallee::WebAssemblyToJSCallee):
+ (JSC::WebAssemblyToJSCallee::destroy):
+
</ins><span class="cx"> 2017-01-17 Filip Pizlo <fpizlo@apple.com>
</span><span class="cx">
</span><span class="cx"> Unreviewed, roll out http://trac.webkit.org/changeset/210821
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeEvalCodeBlockcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/EvalCodeBlock.cpp (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/EvalCodeBlock.cpp 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/JavaScriptCore/bytecode/EvalCodeBlock.cpp 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -39,7 +39,7 @@
</span><span class="cx">
</span><span class="cx"> void EvalCodeBlock::destroy(JSCell* cell)
</span><span class="cx"> {
</span><del>- jsCast<EvalCodeBlock*>(cell)->~EvalCodeBlock();
</del><ins>+ static_cast<EvalCodeBlock*>(cell)->~EvalCodeBlock();
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> } // namespace JSC
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeFunctionCodeBlockcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/FunctionCodeBlock.cpp (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/FunctionCodeBlock.cpp 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/JavaScriptCore/bytecode/FunctionCodeBlock.cpp 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -39,7 +39,7 @@
</span><span class="cx">
</span><span class="cx"> void FunctionCodeBlock::destroy(JSCell* cell)
</span><span class="cx"> {
</span><del>- jsCast<FunctionCodeBlock*>(cell)->~FunctionCodeBlock();
</del><ins>+ static_cast<FunctionCodeBlock*>(cell)->~FunctionCodeBlock();
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> } // namespace JSC
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeModuleProgramCodeBlockcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/ModuleProgramCodeBlock.cpp (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/ModuleProgramCodeBlock.cpp 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/JavaScriptCore/bytecode/ModuleProgramCodeBlock.cpp 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -39,7 +39,7 @@
</span><span class="cx">
</span><span class="cx"> void ModuleProgramCodeBlock::destroy(JSCell* cell)
</span><span class="cx"> {
</span><del>- jsCast<ModuleProgramCodeBlock*>(cell)->~ModuleProgramCodeBlock();
</del><ins>+ static_cast<ModuleProgramCodeBlock*>(cell)->~ModuleProgramCodeBlock();
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> } // namespace JSC
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeProgramCodeBlockcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/ProgramCodeBlock.cpp (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/ProgramCodeBlock.cpp 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/JavaScriptCore/bytecode/ProgramCodeBlock.cpp 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -39,7 +39,7 @@
</span><span class="cx">
</span><span class="cx"> void ProgramCodeBlock::destroy(JSCell* cell)
</span><span class="cx"> {
</span><del>- jsCast<ProgramCodeBlock*>(cell)->~ProgramCodeBlock();
</del><ins>+ static_cast<ProgramCodeBlock*>(cell)->~ProgramCodeBlock();
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> } // namespace JSC
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeUnlinkedEvalCodeBlockcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/UnlinkedEvalCodeBlock.cpp (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/UnlinkedEvalCodeBlock.cpp 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/JavaScriptCore/bytecode/UnlinkedEvalCodeBlock.cpp 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -34,7 +34,7 @@
</span><span class="cx">
</span><span class="cx"> void UnlinkedEvalCodeBlock::destroy(JSCell* cell)
</span><span class="cx"> {
</span><del>- jsCast<UnlinkedEvalCodeBlock*>(cell)->~UnlinkedEvalCodeBlock();
</del><ins>+ static_cast<UnlinkedEvalCodeBlock*>(cell)->~UnlinkedEvalCodeBlock();
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeUnlinkedFunctionCodeBlockcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/UnlinkedFunctionCodeBlock.cpp (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/UnlinkedFunctionCodeBlock.cpp 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/JavaScriptCore/bytecode/UnlinkedFunctionCodeBlock.cpp 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -34,7 +34,7 @@
</span><span class="cx">
</span><span class="cx"> void UnlinkedFunctionCodeBlock::destroy(JSCell* cell)
</span><span class="cx"> {
</span><del>- jsCast<UnlinkedFunctionCodeBlock*>(cell)->~UnlinkedFunctionCodeBlock();
</del><ins>+ static_cast<UnlinkedFunctionCodeBlock*>(cell)->~UnlinkedFunctionCodeBlock();
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeUnlinkedFunctionExecutablecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/UnlinkedFunctionExecutable.cpp (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/UnlinkedFunctionExecutable.cpp 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/JavaScriptCore/bytecode/UnlinkedFunctionExecutable.cpp 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -119,7 +119,7 @@
</span><span class="cx">
</span><span class="cx"> void UnlinkedFunctionExecutable::destroy(JSCell* cell)
</span><span class="cx"> {
</span><del>- jsCast<UnlinkedFunctionExecutable*>(cell)->~UnlinkedFunctionExecutable();
</del><ins>+ static_cast<UnlinkedFunctionExecutable*>(cell)->~UnlinkedFunctionExecutable();
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void UnlinkedFunctionExecutable::visitChildren(JSCell* cell, SlotVisitor& visitor)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeUnlinkedModuleProgramCodeBlockcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/UnlinkedModuleProgramCodeBlock.cpp (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/UnlinkedModuleProgramCodeBlock.cpp 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/JavaScriptCore/bytecode/UnlinkedModuleProgramCodeBlock.cpp 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -42,7 +42,7 @@
</span><span class="cx">
</span><span class="cx"> void UnlinkedModuleProgramCodeBlock::destroy(JSCell* cell)
</span><span class="cx"> {
</span><del>- jsCast<UnlinkedModuleProgramCodeBlock*>(cell)->~UnlinkedModuleProgramCodeBlock();
</del><ins>+ static_cast<UnlinkedModuleProgramCodeBlock*>(cell)->~UnlinkedModuleProgramCodeBlock();
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeUnlinkedProgramCodeBlockcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/UnlinkedProgramCodeBlock.cpp (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/UnlinkedProgramCodeBlock.cpp 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/JavaScriptCore/bytecode/UnlinkedProgramCodeBlock.cpp 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -42,7 +42,7 @@
</span><span class="cx">
</span><span class="cx"> void UnlinkedProgramCodeBlock::destroy(JSCell* cell)
</span><span class="cx"> {
</span><del>- jsCast<UnlinkedProgramCodeBlock*>(cell)->~UnlinkedProgramCodeBlock();
</del><ins>+ static_cast<UnlinkedProgramCodeBlock*>(cell)->~UnlinkedProgramCodeBlock();
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapCodeBlockSetcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/CodeBlockSet.cpp (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/CodeBlockSet.cpp 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/JavaScriptCore/heap/CodeBlockSet.cpp 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -65,10 +65,10 @@
</span><span class="cx"> {
</span><span class="cx"> LockHolder locker(&m_lock);
</span><span class="cx"> for (CodeBlock* codeBlock : m_newCodeBlocks)
</span><del>- codeBlock->classInfo()->methodTable.destroy(codeBlock);
</del><ins>+ codeBlock->structure()->classInfo()->methodTable.destroy(codeBlock);
</ins><span class="cx">
</span><span class="cx"> for (CodeBlock* codeBlock : m_oldCodeBlocks)
</span><del>- codeBlock->classInfo()->methodTable.destroy(codeBlock);
</del><ins>+ codeBlock->structure()->classInfo()->methodTable.destroy(codeBlock);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void CodeBlockSet::deleteUnmarkedAndUnreferenced(CollectionScope scope)
</span><span class="lines">@@ -83,7 +83,7 @@
</span><span class="cx"> unmarked.append(codeBlock);
</span><span class="cx"> }
</span><span class="cx"> for (CodeBlock* codeBlock : unmarked) {
</span><del>- codeBlock->classInfo()->methodTable.destroy(codeBlock);
</del><ins>+ codeBlock->structure()->classInfo()->methodTable.destroy(codeBlock);
</ins><span class="cx"> set.remove(codeBlock);
</span><span class="cx"> }
</span><span class="cx"> unmarked.resize(0);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapMarkedAllocatorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/MarkedAllocator.cpp (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/MarkedAllocator.cpp 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/JavaScriptCore/heap/MarkedAllocator.cpp 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -211,7 +211,7 @@
</span><span class="cx">
</span><span class="cx"> didConsumeFreeList();
</span><span class="cx">
</span><del>- AllocatingScope healpingHeap(*m_heap);
</del><ins>+ AllocatingScope helpingHeap(*m_heap);
</ins><span class="cx">
</span><span class="cx"> m_heap->collectIfNecessaryOrDefer(deferralContext);
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapMarkedBlockcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/MarkedBlock.cpp (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/MarkedBlock.cpp 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/JavaScriptCore/heap/MarkedBlock.cpp 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -26,6 +26,7 @@
</span><span class="cx"> #include "config.h"
</span><span class="cx"> #include "MarkedBlock.h"
</span><span class="cx">
</span><ins>+#include "HelpingGCScope.h"
</ins><span class="cx"> #include "JSCell.h"
</span><span class="cx"> #include "JSDestructibleObject.h"
</span><span class="cx"> #include "JSCInlines.h"
</span><span class="lines">@@ -195,6 +196,9 @@
</span><span class="cx">
</span><span class="cx"> FreeList MarkedBlock::Handle::sweep(SweepMode sweepMode)
</span><span class="cx"> {
</span><ins>+ // FIXME: Maybe HelpingGCScope should just be called SweepScope?
+ HelpingGCScope helpingGCScope(*heap());
+
</ins><span class="cx"> m_allocator->setIsUnswept(NoLockingNecessary, this, false);
</span><span class="cx">
</span><span class="cx"> m_weakSet.sweep();
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITThunkscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITThunks.cpp (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITThunks.cpp 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/JavaScriptCore/jit/JITThunks.cpp 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -84,7 +84,7 @@
</span><span class="cx">
</span><span class="cx"> void JITThunks::finalize(Handle<Unknown> handle, void*)
</span><span class="cx"> {
</span><del>- auto* nativeExecutable = jsCast<NativeExecutable*>(handle.get().asCell());
</del><ins>+ auto* nativeExecutable = static_cast<NativeExecutable*>(handle.get().asCell());
</ins><span class="cx"> weakRemove(*m_hostFunctionStubMap, std::make_tuple(nativeExecutable->function(), nativeExecutable->constructor(), nativeExecutable->name()), nativeExecutable);
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeAbstractModuleRecordcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/AbstractModuleRecord.cpp (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/AbstractModuleRecord.cpp 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/JavaScriptCore/runtime/AbstractModuleRecord.cpp 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -46,7 +46,7 @@
</span><span class="cx">
</span><span class="cx"> void AbstractModuleRecord::destroy(JSCell* cell)
</span><span class="cx"> {
</span><del>- AbstractModuleRecord* thisObject = jsCast<AbstractModuleRecord*>(cell);
</del><ins>+ AbstractModuleRecord* thisObject = static_cast<AbstractModuleRecord*>(cell);
</ins><span class="cx"> thisObject->AbstractModuleRecord::~AbstractModuleRecord();
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeExecutableBasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/ExecutableBase.cpp (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/ExecutableBase.cpp 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/JavaScriptCore/runtime/ExecutableBase.cpp 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -60,29 +60,29 @@
</span><span class="cx"> m_numParametersForCall = NUM_PARAMETERS_NOT_COMPILED;
</span><span class="cx"> m_numParametersForConstruct = NUM_PARAMETERS_NOT_COMPILED;
</span><span class="cx">
</span><del>- if (classInfo() == FunctionExecutable::info()) {
- FunctionExecutable* executable = jsCast<FunctionExecutable*>(this);
</del><ins>+ if (structure()->classInfo() == FunctionExecutable::info()) {
+ FunctionExecutable* executable = static_cast<FunctionExecutable*>(this);
</ins><span class="cx"> executable->m_codeBlockForCall.clear();
</span><span class="cx"> executable->m_codeBlockForConstruct.clear();
</span><span class="cx"> return;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- if (classInfo() == EvalExecutable::info()) {
- EvalExecutable* executable = jsCast<EvalExecutable*>(this);
</del><ins>+ if (structure()->classInfo() == EvalExecutable::info()) {
+ EvalExecutable* executable = static_cast<EvalExecutable*>(this);
</ins><span class="cx"> executable->m_evalCodeBlock.clear();
</span><span class="cx"> executable->m_unlinkedEvalCodeBlock.clear();
</span><span class="cx"> return;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- if (classInfo() == ProgramExecutable::info()) {
- ProgramExecutable* executable = jsCast<ProgramExecutable*>(this);
</del><ins>+ if (structure()->classInfo() == ProgramExecutable::info()) {
+ ProgramExecutable* executable = static_cast<ProgramExecutable*>(this);
</ins><span class="cx"> executable->m_programCodeBlock.clear();
</span><span class="cx"> executable->m_unlinkedProgramCodeBlock.clear();
</span><span class="cx"> return;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- if (classInfo() == ModuleProgramExecutable::info()) {
- ModuleProgramExecutable* executable = jsCast<ModuleProgramExecutable*>(this);
</del><ins>+ if (structure()->classInfo() == ModuleProgramExecutable::info()) {
+ ModuleProgramExecutable* executable = static_cast<ModuleProgramExecutable*>(this);
</ins><span class="cx"> executable->m_moduleProgramCodeBlock.clear();
</span><span class="cx"> executable->m_unlinkedModuleProgramCodeBlock.clear();
</span><span class="cx"> executable->m_moduleEnvironmentSymbolTable.clear();
</span><span class="lines">@@ -89,7 +89,7 @@
</span><span class="cx"> return;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- ASSERT(classInfo() == NativeExecutable::info());
</del><ins>+ ASSERT(structure()->classInfo() == NativeExecutable::info());
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void ExecutableBase::dump(PrintStream& out) const
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSCellInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSCellInlines.h (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSCellInlines.h 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/JavaScriptCore/runtime/JSCellInlines.h 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -267,17 +267,13 @@
</span><span class="cx">
</span><span class="cx"> ALWAYS_INLINE const ClassInfo* JSCell::classInfo() const
</span><span class="cx"> {
</span><del>- if (isLargeAllocation()) {
- LargeAllocation& allocation = largeAllocation();
- if (allocation.attributes().destruction == NeedsDestruction
- && !(inlineTypeFlags() & StructureIsImmortal))
- return static_cast<const JSDestructibleObject*>(this)->classInfo();
- return structure(*allocation.vm())->classInfo();
- }
- MarkedBlock& block = markedBlock();
- if (block.needsDestruction() && !(inlineTypeFlags() & StructureIsImmortal))
- return static_cast<const JSDestructibleObject*>(this)->classInfo();
- return structure(*block.vm())->classInfo();
</del><ins>+ VM* vm;
+ if (isLargeAllocation())
+ vm = largeAllocation().vm();
+ else
+ vm = markedBlock().vm();
+ ASSERT(vm->heap.mutatorState() == MutatorState::Running || vm->apiLock().ownerThread() != std::this_thread::get_id());
+ return structure(*vm)->classInfo();
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> inline bool JSCell::toBoolean(ExecState* exec) const
</span><span class="lines">@@ -307,7 +303,7 @@
</span><span class="cx"> MethodTable::DestroyFunctionPtr destroy = classInfo->methodTable.destroy;
</span><span class="cx"> destroy(this);
</span><span class="cx"> } else
</span><del>- jsCast<JSDestructibleObject*>(this)->classInfo()->methodTable.destroy(this);
</del><ins>+ static_cast<JSDestructibleObject*>(this)->classInfo()->methodTable.destroy(this);
</ins><span class="cx"> zap();
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSLockh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSLock.h (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSLock.h 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/JavaScriptCore/runtime/JSLock.h 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -99,6 +99,7 @@
</span><span class="cx"> ASSERT(m_hasExclusiveThread);
</span><span class="cx"> return m_ownerThreadID;
</span><span class="cx"> }
</span><ins>+ std::thread::id ownerThread() const { return m_ownerThreadID; }
</ins><span class="cx"> JS_EXPORT_PRIVATE void setExclusiveThread(std::thread::id);
</span><span class="cx"> JS_EXPORT_PRIVATE bool currentThreadIsHoldingLock();
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSModuleNamespaceObjectcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSModuleNamespaceObject.cpp (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSModuleNamespaceObject.cpp 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/JavaScriptCore/runtime/JSModuleNamespaceObject.cpp 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -83,7 +83,7 @@
</span><span class="cx">
</span><span class="cx"> void JSModuleNamespaceObject::destroy(JSCell* cell)
</span><span class="cx"> {
</span><del>- JSModuleNamespaceObject* thisObject = jsCast<JSModuleNamespaceObject*>(cell);
</del><ins>+ JSModuleNamespaceObject* thisObject = static_cast<JSModuleNamespaceObject*>(cell);
</ins><span class="cx"> thisObject->JSModuleNamespaceObject::~JSModuleNamespaceObject();
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSModuleRecordcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSModuleRecord.cpp (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSModuleRecord.cpp 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/JavaScriptCore/runtime/JSModuleRecord.cpp 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -59,7 +59,7 @@
</span><span class="cx">
</span><span class="cx"> void JSModuleRecord::destroy(JSCell* cell)
</span><span class="cx"> {
</span><del>- JSModuleRecord* thisObject = jsCast<JSModuleRecord*>(cell);
</del><ins>+ JSModuleRecord* thisObject = static_cast<JSModuleRecord*>(cell);
</ins><span class="cx"> thisObject->JSModuleRecord::~JSModuleRecord();
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSPropertyNameEnumeratorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSPropertyNameEnumerator.cpp (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSPropertyNameEnumerator.cpp 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/JavaScriptCore/runtime/JSPropertyNameEnumerator.cpp 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -83,7 +83,7 @@
</span><span class="cx">
</span><span class="cx"> void JSPropertyNameEnumerator::destroy(JSCell* cell)
</span><span class="cx"> {
</span><del>- jsCast<JSPropertyNameEnumerator*>(cell)->JSPropertyNameEnumerator::~JSPropertyNameEnumerator();
</del><ins>+ static_cast<JSPropertyNameEnumerator*>(cell)->JSPropertyNameEnumerator::~JSPropertyNameEnumerator();
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void JSPropertyNameEnumerator::visitChildren(JSCell* cell, SlotVisitor& visitor)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSSegmentedVariableObjecth"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSSegmentedVariableObject.h (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSSegmentedVariableObject.h 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/JavaScriptCore/runtime/JSSegmentedVariableObject.h 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -47,6 +47,8 @@
</span><span class="cx"> // JSSegmentedVariableObject has its own GC tracing functionality, since it knows the
</span><span class="cx"> // exact dimensions of the variables array at all times.
</span><span class="cx">
</span><ins>+// Except for JSGlobalObject, subclasses of this don't call the destructor and leak memory.
+
</ins><span class="cx"> class JSSegmentedVariableObject : public JSSymbolTableObject {
</span><span class="cx"> friend class JIT;
</span><span class="cx"> friend class LLIntOffsetsExtractor;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeStructureInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/StructureInlines.h (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/StructureInlines.h 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/JavaScriptCore/runtime/StructureInlines.h 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -259,10 +259,27 @@
</span><span class="cx"> if (isCompilationThread())
</span><span class="cx"> return true;
</span><span class="cx">
</span><del>- RELEASE_ASSERT(numberOfSlotsForLastOffset(m_offset, m_inlineCapacity) == propertyTable->propertyStorageSize());
</del><span class="cx"> unsigned totalSize = propertyTable->propertyStorageSize();
</span><del>- RELEASE_ASSERT((totalSize < inlineCapacity() ? 0 : totalSize - inlineCapacity()) == numberOfOutOfLineSlotsForLastOffset(m_offset));
</del><ins>+ unsigned inlineOverflowAccordingToTotalSize = totalSize < m_inlineCapacity ? 0 : totalSize - m_inlineCapacity;
</ins><span class="cx">
</span><ins>+ auto fail = [&] (const char* description) {
+ dataLog("Detected offset inconsistency: ", description, "!\n");
+ dataLog("this = ", RawPointer(this), "\n");
+ dataLog("m_offset = ", m_offset, "\n");
+ dataLog("m_inlineCapacity = ", m_inlineCapacity, "\n");
+ dataLog("propertyTable = ", RawPointer(propertyTable), "\n");
+ dataLog("numberOfSlotsForLastOffset = ", numberOfSlotsForLastOffset(m_offset, m_inlineCapacity), "\n");
+ dataLog("totalSize = ", totalSize, "\n");
+ dataLog("inlineOverflowAccordingToTotalSize = ", inlineOverflowAccordingToTotalSize, "\n");
+ dataLog("numberOfOutOfLineSlotsForLastOffset = ", numberOfOutOfLineSlotsForLastOffset(m_offset), "\n");
+ UNREACHABLE_FOR_PLATFORM();
+ };
+
+ if (numberOfSlotsForLastOffset(m_offset, m_inlineCapacity) != totalSize)
+ fail("numberOfSlotsForLastOffset doesn't match totalSize");
+ if (inlineOverflowAccordingToTotalSize != numberOfOutOfLineSlotsForLastOffset(m_offset))
+ fail("inlineOverflowAccordingToTotalSize doesn't match numberOfOutOfLineSlotsForLastOffset");
+
</ins><span class="cx"> return true;
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeSymbolTablecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/SymbolTable.cpp (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/SymbolTable.cpp 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/JavaScriptCore/runtime/SymbolTable.cpp 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -49,7 +49,7 @@
</span><span class="cx">
</span><span class="cx"> void SymbolTable::destroy(JSCell* cell)
</span><span class="cx"> {
</span><del>- SymbolTable* thisObject = jsCast<SymbolTable*>(cell);
</del><ins>+ SymbolTable* thisObject = static_cast<SymbolTable*>(cell);
</ins><span class="cx"> thisObject->SymbolTable::~SymbolTable();
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeVMh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/VM.h (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/VM.h 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/JavaScriptCore/runtime/VM.h 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -363,6 +363,9 @@
</span><span class="cx"> std::once_flag m_wasmSignatureInformationOnceFlag;
</span><span class="cx"> std::unique_ptr<Wasm::SignatureInformation> m_wasmSignatureInformation;
</span><span class="cx"> #endif
</span><ins>+
+ JSCell* currentlyDestructingCallbackObject;
+ const ClassInfo* currentlyDestructingCallbackObjectClassInfo;
</ins><span class="cx">
</span><span class="cx"> AtomicStringTable* m_atomicStringTable;
</span><span class="cx"> WTF::SymbolRegistry m_symbolRegistry;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorewasmjsJSWebAssemblyCalleecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyCallee.cpp (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyCallee.cpp 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyCallee.cpp 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -47,7 +47,7 @@
</span><span class="cx">
</span><span class="cx"> void JSWebAssemblyCallee::destroy(JSCell* cell)
</span><span class="cx"> {
</span><del>- JSWebAssemblyCallee* thisObject = jsCast<JSWebAssemblyCallee*>(cell);
</del><ins>+ JSWebAssemblyCallee* thisObject = static_cast<JSWebAssemblyCallee*>(cell);
</ins><span class="cx"> thisObject->JSWebAssemblyCallee::~JSWebAssemblyCallee();
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorewasmjsWebAssemblyModuleRecordcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -64,7 +64,7 @@
</span><span class="cx">
</span><span class="cx"> void WebAssemblyModuleRecord::destroy(JSCell* cell)
</span><span class="cx"> {
</span><del>- WebAssemblyModuleRecord* thisObject = jsCast<WebAssemblyModuleRecord*>(cell);
</del><ins>+ WebAssemblyModuleRecord* thisObject = static_cast<WebAssemblyModuleRecord*>(cell);
</ins><span class="cx"> thisObject->WebAssemblyModuleRecord::~WebAssemblyModuleRecord();
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorewasmjsWebAssemblyToJSCalleecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/wasm/js/WebAssemblyToJSCallee.cpp (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/wasm/js/WebAssemblyToJSCallee.cpp 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/JavaScriptCore/wasm/js/WebAssemblyToJSCallee.cpp 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -48,7 +48,8 @@
</span><span class="cx">
</span><span class="cx"> WebAssemblyToJSCallee::WebAssemblyToJSCallee(VM& vm, Structure* structure)
</span><span class="cx"> : Base(vm, structure)
</span><del>-{ }
</del><ins>+{
+}
</ins><span class="cx">
</span><span class="cx"> void WebAssemblyToJSCallee::finishCreation(VM& vm)
</span><span class="cx"> {
</span><span class="lines">@@ -57,7 +58,7 @@
</span><span class="cx">
</span><span class="cx"> void WebAssemblyToJSCallee::destroy(JSCell* cell)
</span><span class="cx"> {
</span><del>- WebAssemblyToJSCallee* thisObject = jsCast<WebAssemblyToJSCallee*>(cell);
</del><ins>+ WebAssemblyToJSCallee* thisObject = static_cast<WebAssemblyToJSCallee*>(cell);
</ins><span class="cx"> thisObject->WebAssemblyToJSCallee::~WebAssemblyToJSCallee();
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/WebCore/ChangeLog 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -1,3 +1,22 @@
</span><ins>+2017-01-16 Filip Pizlo <fpizlo@apple.com>
+
+ JSCell::classInfo() shouldn't have a bunch of mitigations for being called during destruction
+ https://bugs.webkit.org/show_bug.cgi?id=167066
+
+ Reviewed by Keith Miller and Michael Saboff.
+
+ No new tests because no new behavior.
+
+ It's now necessary to avoid jsCast in destructors and finalizers. This was an easy
+ rule to introduce because this used to always be the rule.
+
+ * bindings/js/JSCSSValueCustom.cpp:
+ (WebCore::JSDeprecatedCSSOMValueOwner::finalize):
+ * bindings/js/JSDOMIterator.h:
+ (WebCore::IteratorTraits>::destroy):
+ * bindings/scripts/CodeGeneratorJS.pm:
+ (GenerateImplementation):
+
</ins><span class="cx"> 2017-01-17 Joseph Pecoraro <pecoraro@apple.com>
</span><span class="cx">
</span><span class="cx"> Remove unnecessary includes
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsjsJSCSSValueCustomcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/js/JSCSSValueCustom.cpp (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/js/JSCSSValueCustom.cpp 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/WebCore/bindings/js/JSCSSValueCustom.cpp 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -50,7 +50,7 @@
</span><span class="cx">
</span><span class="cx"> void JSDeprecatedCSSOMValueOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
</span><span class="cx"> {
</span><del>- JSDeprecatedCSSOMValue* jsCSSValue = jsCast<JSDeprecatedCSSOMValue*>(handle.slot()->asCell());
</del><ins>+ JSDeprecatedCSSOMValue* jsCSSValue = static_cast<JSDeprecatedCSSOMValue*>(handle.slot()->asCell());
</ins><span class="cx"> DOMWrapperWorld& world = *static_cast<DOMWrapperWorld*>(context);
</span><span class="cx"> world.m_deprecatedCSSOMValueRoots.remove(&jsCSSValue->wrapped());
</span><span class="cx"> uncacheWrapper(world, &jsCSSValue->wrapped(), jsCSSValue);
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsjsJSDOMIteratorh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/js/JSDOMIterator.h (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/js/JSDOMIterator.h 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/WebCore/bindings/js/JSDOMIterator.h 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -225,7 +225,7 @@
</span><span class="cx"> template<typename JSWrapper, typename IteratorTraits>
</span><span class="cx"> void JSDOMIterator<JSWrapper, IteratorTraits>::destroy(JSCell* cell)
</span><span class="cx"> {
</span><del>- JSDOMIterator<JSWrapper, IteratorTraits>* thisObject = JSC::jsCast<JSDOMIterator<JSWrapper, IteratorTraits>*>(cell);
</del><ins>+ JSDOMIterator<JSWrapper, IteratorTraits>* thisObject = static_cast<JSDOMIterator<JSWrapper, IteratorTraits>*>(cell);
</ins><span class="cx"> thisObject->JSDOMIterator<JSWrapper, IteratorTraits>::~JSDOMIterator();
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsscriptsCodeGeneratorJSpm"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -4243,7 +4243,7 @@
</span><span class="cx"> if (ShouldGenerateWrapperOwnerCode($hasParent, $interface) && !$interface->extendedAttributes->{JSCustomFinalize}) {
</span><span class="cx"> push(@implContent, "void JS${interfaceName}Owner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)\n");
</span><span class="cx"> push(@implContent, "{\n");
</span><del>- push(@implContent, " auto* js${interfaceName} = jsCast<JS${interfaceName}*>(handle.slot()->asCell());\n");
</del><ins>+ push(@implContent, " auto* js${interfaceName} = static_cast<JS${interfaceName}*>(handle.slot()->asCell());\n");
</ins><span class="cx"> push(@implContent, " auto& world = *static_cast<DOMWrapperWorld*>(context);\n");
</span><span class="cx"> push(@implContent, " uncacheWrapper(world, &js${interfaceName}->wrapped(), js${interfaceName});\n");
</span><span class="cx"> push(@implContent, "}\n\n");
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsscriptstestJSJSInterfaceNamecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/scripts/test/JS/JSInterfaceName.cpp (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/scripts/test/JS/JSInterfaceName.cpp 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/WebCore/bindings/scripts/test/JS/JSInterfaceName.cpp 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -174,7 +174,7 @@
</span><span class="cx">
</span><span class="cx"> void JSInterfaceNameOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
</span><span class="cx"> {
</span><del>- auto* jsInterfaceName = jsCast<JSInterfaceName*>(handle.slot()->asCell());
</del><ins>+ auto* jsInterfaceName = static_cast<JSInterfaceName*>(handle.slot()->asCell());
</ins><span class="cx"> auto& world = *static_cast<DOMWrapperWorld*>(context);
</span><span class="cx"> uncacheWrapper(world, &jsInterfaceName->wrapped(), jsInterfaceName);
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsscriptstestJSJSTestActiveDOMObjectcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/scripts/test/JS/JSTestActiveDOMObject.cpp (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/scripts/test/JS/JSTestActiveDOMObject.cpp 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/WebCore/bindings/scripts/test/JS/JSTestActiveDOMObject.cpp 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -255,7 +255,7 @@
</span><span class="cx">
</span><span class="cx"> void JSTestActiveDOMObjectOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
</span><span class="cx"> {
</span><del>- auto* jsTestActiveDOMObject = jsCast<JSTestActiveDOMObject*>(handle.slot()->asCell());
</del><ins>+ auto* jsTestActiveDOMObject = static_cast<JSTestActiveDOMObject*>(handle.slot()->asCell());
</ins><span class="cx"> auto& world = *static_cast<DOMWrapperWorld*>(context);
</span><span class="cx"> uncacheWrapper(world, &jsTestActiveDOMObject->wrapped(), jsTestActiveDOMObject);
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsscriptstestJSJSTestCEReactionscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCEReactions.cpp (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCEReactions.cpp 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCEReactions.cpp 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -315,7 +315,7 @@
</span><span class="cx">
</span><span class="cx"> void JSTestCEReactionsOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
</span><span class="cx"> {
</span><del>- auto* jsTestCEReactions = jsCast<JSTestCEReactions*>(handle.slot()->asCell());
</del><ins>+ auto* jsTestCEReactions = static_cast<JSTestCEReactions*>(handle.slot()->asCell());
</ins><span class="cx"> auto& world = *static_cast<DOMWrapperWorld*>(context);
</span><span class="cx"> uncacheWrapper(world, &jsTestCEReactions->wrapped(), jsTestCEReactions);
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsscriptstestJSJSTestCEReactionsStringifiercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCEReactionsStringifier.cpp (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCEReactionsStringifier.cpp 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCEReactionsStringifier.cpp 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -232,7 +232,7 @@
</span><span class="cx">
</span><span class="cx"> void JSTestCEReactionsStringifierOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
</span><span class="cx"> {
</span><del>- auto* jsTestCEReactionsStringifier = jsCast<JSTestCEReactionsStringifier*>(handle.slot()->asCell());
</del><ins>+ auto* jsTestCEReactionsStringifier = static_cast<JSTestCEReactionsStringifier*>(handle.slot()->asCell());
</ins><span class="cx"> auto& world = *static_cast<DOMWrapperWorld*>(context);
</span><span class="cx"> uncacheWrapper(world, &jsTestCEReactionsStringifier->wrapped(), jsTestCEReactionsStringifier);
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsscriptstestJSJSTestClassWithJSBuiltinConstructorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/scripts/test/JS/JSTestClassWithJSBuiltinConstructor.cpp (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/scripts/test/JS/JSTestClassWithJSBuiltinConstructor.cpp 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/WebCore/bindings/scripts/test/JS/JSTestClassWithJSBuiltinConstructor.cpp 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -173,7 +173,7 @@
</span><span class="cx">
</span><span class="cx"> void JSTestClassWithJSBuiltinConstructorOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
</span><span class="cx"> {
</span><del>- auto* jsTestClassWithJSBuiltinConstructor = jsCast<JSTestClassWithJSBuiltinConstructor*>(handle.slot()->asCell());
</del><ins>+ auto* jsTestClassWithJSBuiltinConstructor = static_cast<JSTestClassWithJSBuiltinConstructor*>(handle.slot()->asCell());
</ins><span class="cx"> auto& world = *static_cast<DOMWrapperWorld*>(context);
</span><span class="cx"> uncacheWrapper(world, &jsTestClassWithJSBuiltinConstructor->wrapped(), jsTestClassWithJSBuiltinConstructor);
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsscriptstestJSJSTestCustomConstructorWithNoInterfaceObjectcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCustomConstructorWithNoInterfaceObject.cpp (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCustomConstructorWithNoInterfaceObject.cpp 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCustomConstructorWithNoInterfaceObject.cpp 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -164,7 +164,7 @@
</span><span class="cx">
</span><span class="cx"> void JSTestCustomConstructorWithNoInterfaceObjectOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
</span><span class="cx"> {
</span><del>- auto* jsTestCustomConstructorWithNoInterfaceObject = jsCast<JSTestCustomConstructorWithNoInterfaceObject*>(handle.slot()->asCell());
</del><ins>+ auto* jsTestCustomConstructorWithNoInterfaceObject = static_cast<JSTestCustomConstructorWithNoInterfaceObject*>(handle.slot()->asCell());
</ins><span class="cx"> auto& world = *static_cast<DOMWrapperWorld*>(context);
</span><span class="cx"> uncacheWrapper(world, &jsTestCustomConstructorWithNoInterfaceObject->wrapped(), jsTestCustomConstructorWithNoInterfaceObject);
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsscriptstestJSJSTestCustomNamedGettercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCustomNamedGetter.cpp (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCustomNamedGetter.cpp 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCustomNamedGetter.cpp 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -227,7 +227,7 @@
</span><span class="cx">
</span><span class="cx"> void JSTestCustomNamedGetterOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
</span><span class="cx"> {
</span><del>- auto* jsTestCustomNamedGetter = jsCast<JSTestCustomNamedGetter*>(handle.slot()->asCell());
</del><ins>+ auto* jsTestCustomNamedGetter = static_cast<JSTestCustomNamedGetter*>(handle.slot()->asCell());
</ins><span class="cx"> auto& world = *static_cast<DOMWrapperWorld*>(context);
</span><span class="cx"> uncacheWrapper(world, &jsTestCustomNamedGetter->wrapped(), jsTestCustomNamedGetter);
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsscriptstestJSJSTestExceptioncpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/scripts/test/JS/JSTestException.cpp (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/scripts/test/JS/JSTestException.cpp 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/WebCore/bindings/scripts/test/JS/JSTestException.cpp 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -197,7 +197,7 @@
</span><span class="cx">
</span><span class="cx"> void JSTestExceptionOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
</span><span class="cx"> {
</span><del>- auto* jsTestException = jsCast<JSTestException*>(handle.slot()->asCell());
</del><ins>+ auto* jsTestException = static_cast<JSTestException*>(handle.slot()->asCell());
</ins><span class="cx"> auto& world = *static_cast<DOMWrapperWorld*>(context);
</span><span class="cx"> uncacheWrapper(world, &jsTestException->wrapped(), jsTestException);
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsscriptstestJSJSTestGenerateIsReachablecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/scripts/test/JS/JSTestGenerateIsReachable.cpp (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/scripts/test/JS/JSTestGenerateIsReachable.cpp 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/WebCore/bindings/scripts/test/JS/JSTestGenerateIsReachable.cpp 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -160,7 +160,7 @@
</span><span class="cx">
</span><span class="cx"> void JSTestGenerateIsReachableOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
</span><span class="cx"> {
</span><del>- auto* jsTestGenerateIsReachable = jsCast<JSTestGenerateIsReachable*>(handle.slot()->asCell());
</del><ins>+ auto* jsTestGenerateIsReachable = static_cast<JSTestGenerateIsReachable*>(handle.slot()->asCell());
</ins><span class="cx"> auto& world = *static_cast<DOMWrapperWorld*>(context);
</span><span class="cx"> uncacheWrapper(world, &jsTestGenerateIsReachable->wrapped(), jsTestGenerateIsReachable);
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsscriptstestJSJSTestGlobalObjectcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/scripts/test/JS/JSTestGlobalObject.cpp (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/scripts/test/JS/JSTestGlobalObject.cpp 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/WebCore/bindings/scripts/test/JS/JSTestGlobalObject.cpp 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -502,7 +502,7 @@
</span><span class="cx">
</span><span class="cx"> void JSTestGlobalObjectOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
</span><span class="cx"> {
</span><del>- auto* jsTestGlobalObject = jsCast<JSTestGlobalObject*>(handle.slot()->asCell());
</del><ins>+ auto* jsTestGlobalObject = static_cast<JSTestGlobalObject*>(handle.slot()->asCell());
</ins><span class="cx"> auto& world = *static_cast<DOMWrapperWorld*>(context);
</span><span class="cx"> uncacheWrapper(world, &jsTestGlobalObject->wrapped(), jsTestGlobalObject);
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsscriptstestJSJSTestInterfacecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/scripts/test/JS/JSTestInterface.cpp (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/scripts/test/JS/JSTestInterface.cpp 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/WebCore/bindings/scripts/test/JS/JSTestInterface.cpp 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -990,7 +990,7 @@
</span><span class="cx">
</span><span class="cx"> void JSTestInterfaceOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
</span><span class="cx"> {
</span><del>- auto* jsTestInterface = jsCast<JSTestInterface*>(handle.slot()->asCell());
</del><ins>+ auto* jsTestInterface = static_cast<JSTestInterface*>(handle.slot()->asCell());
</ins><span class="cx"> auto& world = *static_cast<DOMWrapperWorld*>(context);
</span><span class="cx"> uncacheWrapper(world, &jsTestInterface->wrapped(), jsTestInterface);
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsscriptstestJSJSTestInterfaceLeadingUnderscorecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/scripts/test/JS/JSTestInterfaceLeadingUnderscore.cpp (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/scripts/test/JS/JSTestInterfaceLeadingUnderscore.cpp 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/WebCore/bindings/scripts/test/JS/JSTestInterfaceLeadingUnderscore.cpp 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -184,7 +184,7 @@
</span><span class="cx">
</span><span class="cx"> void JSTestInterfaceLeadingUnderscoreOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
</span><span class="cx"> {
</span><del>- auto* jsTestInterfaceLeadingUnderscore = jsCast<JSTestInterfaceLeadingUnderscore*>(handle.slot()->asCell());
</del><ins>+ auto* jsTestInterfaceLeadingUnderscore = static_cast<JSTestInterfaceLeadingUnderscore*>(handle.slot()->asCell());
</ins><span class="cx"> auto& world = *static_cast<DOMWrapperWorld*>(context);
</span><span class="cx"> uncacheWrapper(world, &jsTestInterfaceLeadingUnderscore->wrapped(), jsTestInterfaceLeadingUnderscore);
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsscriptstestJSJSTestIterablecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/scripts/test/JS/JSTestIterable.cpp (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/scripts/test/JS/JSTestIterable.cpp 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/WebCore/bindings/scripts/test/JS/JSTestIterable.cpp 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -244,7 +244,7 @@
</span><span class="cx">
</span><span class="cx"> void JSTestIterableOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
</span><span class="cx"> {
</span><del>- auto* jsTestIterable = jsCast<JSTestIterable*>(handle.slot()->asCell());
</del><ins>+ auto* jsTestIterable = static_cast<JSTestIterable*>(handle.slot()->asCell());
</ins><span class="cx"> auto& world = *static_cast<DOMWrapperWorld*>(context);
</span><span class="cx"> uncacheWrapper(world, &jsTestIterable->wrapped(), jsTestIterable);
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsscriptstestJSJSTestMediaQueryListListenercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/scripts/test/JS/JSTestMediaQueryListListener.cpp (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/scripts/test/JS/JSTestMediaQueryListListener.cpp 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/WebCore/bindings/scripts/test/JS/JSTestMediaQueryListListener.cpp 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -193,7 +193,7 @@
</span><span class="cx">
</span><span class="cx"> void JSTestMediaQueryListListenerOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
</span><span class="cx"> {
</span><del>- auto* jsTestMediaQueryListListener = jsCast<JSTestMediaQueryListListener*>(handle.slot()->asCell());
</del><ins>+ auto* jsTestMediaQueryListListener = static_cast<JSTestMediaQueryListListener*>(handle.slot()->asCell());
</ins><span class="cx"> auto& world = *static_cast<DOMWrapperWorld*>(context);
</span><span class="cx"> uncacheWrapper(world, &jsTestMediaQueryListListener->wrapped(), jsTestMediaQueryListListener);
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsscriptstestJSJSTestNamedConstructorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedConstructor.cpp (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedConstructor.cpp 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedConstructor.cpp 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -204,7 +204,7 @@
</span><span class="cx">
</span><span class="cx"> void JSTestNamedConstructorOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
</span><span class="cx"> {
</span><del>- auto* jsTestNamedConstructor = jsCast<JSTestNamedConstructor*>(handle.slot()->asCell());
</del><ins>+ auto* jsTestNamedConstructor = static_cast<JSTestNamedConstructor*>(handle.slot()->asCell());
</ins><span class="cx"> auto& world = *static_cast<DOMWrapperWorld*>(context);
</span><span class="cx"> uncacheWrapper(world, &jsTestNamedConstructor->wrapped(), jsTestNamedConstructor);
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsscriptstestJSJSTestObjcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/scripts/test/JS/JSTestObj.cpp (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/scripts/test/JS/JSTestObj.cpp 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/WebCore/bindings/scripts/test/JS/JSTestObj.cpp 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -8617,7 +8617,7 @@
</span><span class="cx">
</span><span class="cx"> void JSTestObjOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
</span><span class="cx"> {
</span><del>- auto* jsTestObj = jsCast<JSTestObj*>(handle.slot()->asCell());
</del><ins>+ auto* jsTestObj = static_cast<JSTestObj*>(handle.slot()->asCell());
</ins><span class="cx"> auto& world = *static_cast<DOMWrapperWorld*>(context);
</span><span class="cx"> uncacheWrapper(world, &jsTestObj->wrapped(), jsTestObj);
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsscriptstestJSJSTestOverloadedConstructorscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/scripts/test/JS/JSTestOverloadedConstructors.cpp (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/scripts/test/JS/JSTestOverloadedConstructors.cpp 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/WebCore/bindings/scripts/test/JS/JSTestOverloadedConstructors.cpp 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -260,7 +260,7 @@
</span><span class="cx">
</span><span class="cx"> void JSTestOverloadedConstructorsOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
</span><span class="cx"> {
</span><del>- auto* jsTestOverloadedConstructors = jsCast<JSTestOverloadedConstructors*>(handle.slot()->asCell());
</del><ins>+ auto* jsTestOverloadedConstructors = static_cast<JSTestOverloadedConstructors*>(handle.slot()->asCell());
</ins><span class="cx"> auto& world = *static_cast<DOMWrapperWorld*>(context);
</span><span class="cx"> uncacheWrapper(world, &jsTestOverloadedConstructors->wrapped(), jsTestOverloadedConstructors);
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsscriptstestJSJSTestOverloadedConstructorsWithSequencecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/scripts/test/JS/JSTestOverloadedConstructorsWithSequence.cpp (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/scripts/test/JS/JSTestOverloadedConstructorsWithSequence.cpp 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/WebCore/bindings/scripts/test/JS/JSTestOverloadedConstructorsWithSequence.cpp 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -211,7 +211,7 @@
</span><span class="cx">
</span><span class="cx"> void JSTestOverloadedConstructorsWithSequenceOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
</span><span class="cx"> {
</span><del>- auto* jsTestOverloadedConstructorsWithSequence = jsCast<JSTestOverloadedConstructorsWithSequence*>(handle.slot()->asCell());
</del><ins>+ auto* jsTestOverloadedConstructorsWithSequence = static_cast<JSTestOverloadedConstructorsWithSequence*>(handle.slot()->asCell());
</ins><span class="cx"> auto& world = *static_cast<DOMWrapperWorld*>(context);
</span><span class="cx"> uncacheWrapper(world, &jsTestOverloadedConstructorsWithSequence->wrapped(), jsTestOverloadedConstructorsWithSequence);
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsscriptstestJSJSTestOverrideBuiltinscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/scripts/test/JS/JSTestOverrideBuiltins.cpp (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/scripts/test/JS/JSTestOverrideBuiltins.cpp 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/WebCore/bindings/scripts/test/JS/JSTestOverrideBuiltins.cpp 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -232,7 +232,7 @@
</span><span class="cx">
</span><span class="cx"> void JSTestOverrideBuiltinsOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
</span><span class="cx"> {
</span><del>- auto* jsTestOverrideBuiltins = jsCast<JSTestOverrideBuiltins*>(handle.slot()->asCell());
</del><ins>+ auto* jsTestOverrideBuiltins = static_cast<JSTestOverrideBuiltins*>(handle.slot()->asCell());
</ins><span class="cx"> auto& world = *static_cast<DOMWrapperWorld*>(context);
</span><span class="cx"> uncacheWrapper(world, &jsTestOverrideBuiltins->wrapped(), jsTestOverrideBuiltins);
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsscriptstestJSJSTestSerializationcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/scripts/test/JS/JSTestSerialization.cpp (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/scripts/test/JS/JSTestSerialization.cpp 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/WebCore/bindings/scripts/test/JS/JSTestSerialization.cpp 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -397,7 +397,7 @@
</span><span class="cx">
</span><span class="cx"> void JSTestSerializationOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
</span><span class="cx"> {
</span><del>- auto* jsTestSerialization = jsCast<JSTestSerialization*>(handle.slot()->asCell());
</del><ins>+ auto* jsTestSerialization = static_cast<JSTestSerialization*>(handle.slot()->asCell());
</ins><span class="cx"> auto& world = *static_cast<DOMWrapperWorld*>(context);
</span><span class="cx"> uncacheWrapper(world, &jsTestSerialization->wrapped(), jsTestSerialization);
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsscriptstestJSJSTestSerializedScriptValueInterfacecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/scripts/test/JS/JSTestSerializedScriptValueInterface.cpp (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/scripts/test/JS/JSTestSerializedScriptValueInterface.cpp 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/WebCore/bindings/scripts/test/JS/JSTestSerializedScriptValueInterface.cpp 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -365,7 +365,7 @@
</span><span class="cx">
</span><span class="cx"> void JSTestSerializedScriptValueInterfaceOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
</span><span class="cx"> {
</span><del>- auto* jsTestSerializedScriptValueInterface = jsCast<JSTestSerializedScriptValueInterface*>(handle.slot()->asCell());
</del><ins>+ auto* jsTestSerializedScriptValueInterface = static_cast<JSTestSerializedScriptValueInterface*>(handle.slot()->asCell());
</ins><span class="cx"> auto& world = *static_cast<DOMWrapperWorld*>(context);
</span><span class="cx"> uncacheWrapper(world, &jsTestSerializedScriptValueInterface->wrapped(), jsTestSerializedScriptValueInterface);
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsscriptstestJSJSTestTypedefscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/scripts/test/JS/JSTestTypedefs.cpp (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/scripts/test/JS/JSTestTypedefs.cpp 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/WebCore/bindings/scripts/test/JS/JSTestTypedefs.cpp 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -770,7 +770,7 @@
</span><span class="cx">
</span><span class="cx"> void JSTestTypedefsOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
</span><span class="cx"> {
</span><del>- auto* jsTestTypedefs = jsCast<JSTestTypedefs*>(handle.slot()->asCell());
</del><ins>+ auto* jsTestTypedefs = static_cast<JSTestTypedefs*>(handle.slot()->asCell());
</ins><span class="cx"> auto& world = *static_cast<DOMWrapperWorld*>(context);
</span><span class="cx"> uncacheWrapper(world, &jsTestTypedefs->wrapped(), jsTestTypedefs);
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceWebKit2ChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/ChangeLog (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/ChangeLog 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/WebKit2/ChangeLog 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -1,3 +1,15 @@
</span><ins>+2017-01-17 Filip Pizlo <fpizlo@apple.com>
+
+ JSCell::classInfo() shouldn't have a bunch of mitigations for being called during destruction
+ https://bugs.webkit.org/show_bug.cgi?id=167066
+
+ Reviewed by Keith Miller and Michael Saboff.
+
+ Just remove now-erroneous use of jsCast<>.
+
+ * WebProcess/Plugins/Netscape/NPRuntimeObjectMap.cpp:
+ (WebKit::NPRuntimeObjectMap::finalize):
+
</ins><span class="cx"> 2017-01-17 Joseph Pecoraro <pecoraro@apple.com>
</span><span class="cx">
</span><span class="cx"> Remove unnecessary includes
</span></span></pre></div>
<a id="trunkSourceWebKit2WebProcessPluginsNetscapeNPRuntimeObjectMapcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/WebProcess/Plugins/Netscape/NPRuntimeObjectMap.cpp (210828 => 210829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/WebProcess/Plugins/Netscape/NPRuntimeObjectMap.cpp 2017-01-17 23:50:49 UTC (rev 210828)
+++ trunk/Source/WebKit2/WebProcess/Plugins/Netscape/NPRuntimeObjectMap.cpp 2017-01-17 23:52:55 UTC (rev 210829)
</span><span class="lines">@@ -299,7 +299,7 @@
</span><span class="cx">
</span><span class="cx"> void NPRuntimeObjectMap::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
</span><span class="cx"> {
</span><del>- JSNPObject* object = jsCast<JSNPObject*>(handle.get().asCell());
</del><ins>+ JSNPObject* object = static_cast<JSNPObject*>(handle.get().asCell());
</ins><span class="cx"> weakRemove(m_jsNPObjects, static_cast<NPObject*>(context), object);
</span><span class="cx"> addToInvalidationQueue(object->leakNPObject());
</span><span class="cx"> }
</span></span></pre>
</div>
</div>
</body>
</html>