<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[210867] branches/safari-603-branch/Source</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/210867">210867</a></dd>
<dt>Author</dt> <dd>matthew_hanson@apple.com</dd>
<dt>Date</dt> <dd>2017-01-18 12:42:40 -0800 (Wed, 18 Jan 2017)</dd>
</dl>
<h3>Log Message</h3>
<pre>Merge <a href="http://trac.webkit.org/projects/webkit/changeset/210829">r210829</a>. rdar://problem/30044439</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#branchessafari603branchSourceJavaScriptCoreAPIJSAPIWrapperObjectmm">branches/safari-603-branch/Source/JavaScriptCore/API/JSAPIWrapperObject.mm</a></li>
<li><a href="#branchessafari603branchSourceJavaScriptCoreAPIJSCallbackObjecth">branches/safari-603-branch/Source/JavaScriptCore/API/JSCallbackObject.h</a></li>
<li><a href="#branchessafari603branchSourceJavaScriptCoreAPIJSCallbackObjectFunctionsh">branches/safari-603-branch/Source/JavaScriptCore/API/JSCallbackObjectFunctions.h</a></li>
<li><a href="#branchessafari603branchSourceJavaScriptCoreAPIJSObjectRefcpp">branches/safari-603-branch/Source/JavaScriptCore/API/JSObjectRef.cpp</a></li>
<li><a href="#branchessafari603branchSourceJavaScriptCoreChangeLog">branches/safari-603-branch/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#branchessafari603branchSourceJavaScriptCorebytecodeEvalCodeBlockcpp">branches/safari-603-branch/Source/JavaScriptCore/bytecode/EvalCodeBlock.cpp</a></li>
<li><a href="#branchessafari603branchSourceJavaScriptCorebytecodeFunctionCodeBlockcpp">branches/safari-603-branch/Source/JavaScriptCore/bytecode/FunctionCodeBlock.cpp</a></li>
<li><a href="#branchessafari603branchSourceJavaScriptCorebytecodeModuleProgramCodeBlockcpp">branches/safari-603-branch/Source/JavaScriptCore/bytecode/ModuleProgramCodeBlock.cpp</a></li>
<li><a href="#branchessafari603branchSourceJavaScriptCorebytecodeProgramCodeBlockcpp">branches/safari-603-branch/Source/JavaScriptCore/bytecode/ProgramCodeBlock.cpp</a></li>
<li><a href="#branchessafari603branchSourceJavaScriptCorebytecodeUnlinkedEvalCodeBlockcpp">branches/safari-603-branch/Source/JavaScriptCore/bytecode/UnlinkedEvalCodeBlock.cpp</a></li>
<li><a href="#branchessafari603branchSourceJavaScriptCorebytecodeUnlinkedFunctionCodeBlockcpp">branches/safari-603-branch/Source/JavaScriptCore/bytecode/UnlinkedFunctionCodeBlock.cpp</a></li>
<li><a href="#branchessafari603branchSourceJavaScriptCorebytecodeUnlinkedFunctionExecutablecpp">branches/safari-603-branch/Source/JavaScriptCore/bytecode/UnlinkedFunctionExecutable.cpp</a></li>
<li><a href="#branchessafari603branchSourceJavaScriptCorebytecodeUnlinkedModuleProgramCodeBlockcpp">branches/safari-603-branch/Source/JavaScriptCore/bytecode/UnlinkedModuleProgramCodeBlock.cpp</a></li>
<li><a href="#branchessafari603branchSourceJavaScriptCorebytecodeUnlinkedProgramCodeBlockcpp">branches/safari-603-branch/Source/JavaScriptCore/bytecode/UnlinkedProgramCodeBlock.cpp</a></li>
<li><a href="#branchessafari603branchSourceJavaScriptCoreheapCodeBlockSetcpp">branches/safari-603-branch/Source/JavaScriptCore/heap/CodeBlockSet.cpp</a></li>
<li><a href="#branchessafari603branchSourceJavaScriptCoreheapMarkedAllocatorcpp">branches/safari-603-branch/Source/JavaScriptCore/heap/MarkedAllocator.cpp</a></li>
<li><a href="#branchessafari603branchSourceJavaScriptCoreheapMarkedBlockcpp">branches/safari-603-branch/Source/JavaScriptCore/heap/MarkedBlock.cpp</a></li>
<li><a href="#branchessafari603branchSourceJavaScriptCorejitJITThunkscpp">branches/safari-603-branch/Source/JavaScriptCore/jit/JITThunks.cpp</a></li>
<li><a href="#branchessafari603branchSourceJavaScriptCoreruntimeAbstractModuleRecordcpp">branches/safari-603-branch/Source/JavaScriptCore/runtime/AbstractModuleRecord.cpp</a></li>
<li><a href="#branchessafari603branchSourceJavaScriptCoreruntimeExecutableBasecpp">branches/safari-603-branch/Source/JavaScriptCore/runtime/ExecutableBase.cpp</a></li>
<li><a href="#branchessafari603branchSourceJavaScriptCoreruntimeJSCellInlinesh">branches/safari-603-branch/Source/JavaScriptCore/runtime/JSCellInlines.h</a></li>
<li><a href="#branchessafari603branchSourceJavaScriptCoreruntimeJSLockh">branches/safari-603-branch/Source/JavaScriptCore/runtime/JSLock.h</a></li>
<li><a href="#branchessafari603branchSourceJavaScriptCoreruntimeJSModuleNamespaceObjectcpp">branches/safari-603-branch/Source/JavaScriptCore/runtime/JSModuleNamespaceObject.cpp</a></li>
<li><a href="#branchessafari603branchSourceJavaScriptCoreruntimeJSModuleRecordcpp">branches/safari-603-branch/Source/JavaScriptCore/runtime/JSModuleRecord.cpp</a></li>
<li><a href="#branchessafari603branchSourceJavaScriptCoreruntimeJSPropertyNameEnumeratorcpp">branches/safari-603-branch/Source/JavaScriptCore/runtime/JSPropertyNameEnumerator.cpp</a></li>
<li><a href="#branchessafari603branchSourceJavaScriptCoreruntimeJSSegmentedVariableObjecth">branches/safari-603-branch/Source/JavaScriptCore/runtime/JSSegmentedVariableObject.h</a></li>
<li><a href="#branchessafari603branchSourceJavaScriptCoreruntimeStructureInlinesh">branches/safari-603-branch/Source/JavaScriptCore/runtime/StructureInlines.h</a></li>
<li><a href="#branchessafari603branchSourceJavaScriptCoreruntimeSymbolTablecpp">branches/safari-603-branch/Source/JavaScriptCore/runtime/SymbolTable.cpp</a></li>
<li><a href="#branchessafari603branchSourceJavaScriptCoreruntimeVMh">branches/safari-603-branch/Source/JavaScriptCore/runtime/VM.h</a></li>
<li><a href="#branchessafari603branchSourceJavaScriptCorewasmjsJSWebAssemblyCalleecpp">branches/safari-603-branch/Source/JavaScriptCore/wasm/js/JSWebAssemblyCallee.cpp</a></li>
<li><a href="#branchessafari603branchSourceJavaScriptCorewasmjsWebAssemblyModuleRecordcpp">branches/safari-603-branch/Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp</a></li>
<li><a href="#branchessafari603branchSourceJavaScriptCorewasmjsWebAssemblyToJSCalleecpp">branches/safari-603-branch/Source/JavaScriptCore/wasm/js/WebAssemblyToJSCallee.cpp</a></li>
<li><a href="#branchessafari603branchSourceWebCoreChangeLog">branches/safari-603-branch/Source/WebCore/ChangeLog</a></li>
<li><a href="#branchessafari603branchSourceWebCorebindingsjsJSCSSValueCustomcpp">branches/safari-603-branch/Source/WebCore/bindings/js/JSCSSValueCustom.cpp</a></li>
<li><a href="#branchessafari603branchSourceWebCorebindingsjsJSDOMIteratorh">branches/safari-603-branch/Source/WebCore/bindings/js/JSDOMIterator.h</a></li>
<li><a href="#branchessafari603branchSourceWebCorebindingsscriptsCodeGeneratorJSpm">branches/safari-603-branch/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm</a></li>
<li><a href="#branchessafari603branchSourceWebCorebindingsscriptstestJSJSInterfaceNamecpp">branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSInterfaceName.cpp</a></li>
<li><a href="#branchessafari603branchSourceWebCorebindingsscriptstestJSJSTestActiveDOMObjectcpp">branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestActiveDOMObject.cpp</a></li>
<li><a href="#branchessafari603branchSourceWebCorebindingsscriptstestJSJSTestCEReactionscpp">branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestCEReactions.cpp</a></li>
<li><a href="#branchessafari603branchSourceWebCorebindingsscriptstestJSJSTestCEReactionsStringifiercpp">branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestCEReactionsStringifier.cpp</a></li>
<li><a href="#branchessafari603branchSourceWebCorebindingsscriptstestJSJSTestClassWithJSBuiltinConstructorcpp">branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestClassWithJSBuiltinConstructor.cpp</a></li>
<li><a href="#branchessafari603branchSourceWebCorebindingsscriptstestJSJSTestCustomConstructorWithNoInterfaceObjectcpp">branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestCustomConstructorWithNoInterfaceObject.cpp</a></li>
<li><a href="#branchessafari603branchSourceWebCorebindingsscriptstestJSJSTestCustomNamedGettercpp">branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestCustomNamedGetter.cpp</a></li>
<li><a href="#branchessafari603branchSourceWebCorebindingsscriptstestJSJSTestExceptioncpp">branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestException.cpp</a></li>
<li><a href="#branchessafari603branchSourceWebCorebindingsscriptstestJSJSTestGenerateIsReachablecpp">branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestGenerateIsReachable.cpp</a></li>
<li><a href="#branchessafari603branchSourceWebCorebindingsscriptstestJSJSTestGlobalObjectcpp">branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestGlobalObject.cpp</a></li>
<li><a href="#branchessafari603branchSourceWebCorebindingsscriptstestJSJSTestInterfacecpp">branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestInterface.cpp</a></li>
<li><a href="#branchessafari603branchSourceWebCorebindingsscriptstestJSJSTestInterfaceLeadingUnderscorecpp">branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestInterfaceLeadingUnderscore.cpp</a></li>
<li><a href="#branchessafari603branchSourceWebCorebindingsscriptstestJSJSTestIterablecpp">branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestIterable.cpp</a></li>
<li><a href="#branchessafari603branchSourceWebCorebindingsscriptstestJSJSTestMediaQueryListListenercpp">branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestMediaQueryListListener.cpp</a></li>
<li><a href="#branchessafari603branchSourceWebCorebindingsscriptstestJSJSTestNamedConstructorcpp">branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestNamedConstructor.cpp</a></li>
<li><a href="#branchessafari603branchSourceWebCorebindingsscriptstestJSJSTestObjcpp">branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestObj.cpp</a></li>
<li><a href="#branchessafari603branchSourceWebCorebindingsscriptstestJSJSTestOverloadedConstructorscpp">branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestOverloadedConstructors.cpp</a></li>
<li><a href="#branchessafari603branchSourceWebCorebindingsscriptstestJSJSTestOverloadedConstructorsWithSequencecpp">branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestOverloadedConstructorsWithSequence.cpp</a></li>
<li><a href="#branchessafari603branchSourceWebCorebindingsscriptstestJSJSTestOverrideBuiltinscpp">branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestOverrideBuiltins.cpp</a></li>
<li><a href="#branchessafari603branchSourceWebCorebindingsscriptstestJSJSTestSerializationcpp">branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestSerialization.cpp</a></li>
<li><a href="#branchessafari603branchSourceWebCorebindingsscriptstestJSJSTestSerializedScriptValueInterfacecpp">branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestSerializedScriptValueInterface.cpp</a></li>
<li><a href="#branchessafari603branchSourceWebCorebindingsscriptstestJSJSTestTypedefscpp">branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestTypedefs.cpp</a></li>
<li><a href="#branchessafari603branchSourceWebKit2ChangeLog">branches/safari-603-branch/Source/WebKit2/ChangeLog</a></li>
<li><a href="#branchessafari603branchSourceWebKit2WebProcessPluginsNetscapeNPRuntimeObjectMapcpp">branches/safari-603-branch/Source/WebKit2/WebProcess/Plugins/Netscape/NPRuntimeObjectMap.cpp</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="branchessafari603branchSourceJavaScriptCoreAPIJSAPIWrapperObjectmm"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/JavaScriptCore/API/JSAPIWrapperObject.mm (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/JavaScriptCore/API/JSAPIWrapperObject.mm 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/JavaScriptCore/API/JSAPIWrapperObject.mm 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -48,7 +48,7 @@
</span><span class="cx">
</span><span class="cx"> void JSAPIWrapperObjectHandleOwner::finalize(JSC::Handle<JSC::Unknown> handle, void*)
</span><span class="cx"> {
</span><del>- JSC::JSAPIWrapperObject* wrapperObject = JSC::jsCast<JSC::JSAPIWrapperObject*>(handle.get().asCell());
</del><ins>+ JSC::JSAPIWrapperObject* wrapperObject = static_cast<JSC::JSAPIWrapperObject*>(handle.get().asCell());
</ins><span class="cx"> if (!wrapperObject->wrappedObject())
</span><span class="cx"> return;
</span><span class="cx">
</span></span></pre></div>
<a id="branchessafari603branchSourceJavaScriptCoreAPIJSCallbackObjecth"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/JavaScriptCore/API/JSCallbackObject.h (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/JavaScriptCore/API/JSCallbackObject.h 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/JavaScriptCore/API/JSCallbackObject.h 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -232,6 +232,7 @@
</span><span class="cx"> static EncodedJSValue callbackGetter(ExecState*, EncodedJSValue, PropertyName);
</span><span class="cx">
</span><span class="cx"> std::unique_ptr<JSCallbackObjectData> m_callbackObjectData;
</span><ins>+ const ClassInfo* m_classInfo;
</ins><span class="cx"> };
</span><span class="cx">
</span><span class="cx"> } // namespace JSC
</span></span></pre></div>
<a id="branchessafari603branchSourceJavaScriptCoreAPIJSCallbackObjectFunctionsh"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/JavaScriptCore/API/JSCallbackObjectFunctions.h (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/JavaScriptCore/API/JSCallbackObjectFunctions.h 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/JavaScriptCore/API/JSCallbackObjectFunctions.h 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -74,11 +74,17 @@
</span><span class="cx"> template <class Parent>
</span><span class="cx"> JSCallbackObject<Parent>::~JSCallbackObject()
</span><span class="cx"> {
</span><ins>+ VM* vm = this->HeapCell::vm();
+ vm->currentlyDestructingCallbackObject = this;
+ ASSERT(m_classInfo);
+ vm->currentlyDestructingCallbackObjectClassInfo = m_classInfo;
</ins><span class="cx"> JSObjectRef thisRef = toRef(static_cast<JSObject*>(this));
</span><span class="cx"> for (JSClassRef jsClass = classRef(); jsClass; jsClass = jsClass->parentClass) {
</span><span class="cx"> if (JSObjectFinalizeCallback finalize = jsClass->finalize)
</span><span class="cx"> finalize(thisRef);
</span><span class="cx"> }
</span><ins>+ vm->currentlyDestructingCallbackObject = nullptr;
+ vm->currentlyDestructingCallbackObjectClassInfo = nullptr;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> template <class Parent>
</span><span class="lines">@@ -117,6 +123,8 @@
</span><span class="cx"> JSObjectInitializeCallback initialize = initRoutines[i];
</span><span class="cx"> initialize(toRef(exec), toRef(this));
</span><span class="cx"> }
</span><ins>+
+ m_classInfo = this->classInfo();
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> template <class Parent>
</span></span></pre></div>
<a id="branchessafari603branchSourceJavaScriptCoreAPIJSObjectRefcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/JavaScriptCore/API/JSObjectRef.cpp (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/JavaScriptCore/API/JSObjectRef.cpp 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/JavaScriptCore/API/JSObjectRef.cpp 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -379,21 +379,38 @@
</span><span class="cx"> return result;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+// API objects have private properties, which may get accessed during destruction. This
+// helper lets us get the ClassInfo of an API object from a function that may get called
+// during destruction.
+static const ClassInfo* classInfoPrivate(JSObject* jsObject)
+{
+ VM* vm = jsObject->vm();
+
+ if (vm->currentlyDestructingCallbackObject != jsObject)
+ return jsObject->classInfo();
+
+ return vm->currentlyDestructingCallbackObjectClassInfo;
+}
+
</ins><span class="cx"> void* JSObjectGetPrivate(JSObjectRef object)
</span><span class="cx"> {
</span><span class="cx"> JSObject* jsObject = uncheckedToJS(object);
</span><span class="cx">
</span><ins>+ const ClassInfo* classInfo = classInfoPrivate(jsObject);
+
</ins><span class="cx"> // Get wrapped object if proxied
</span><del>- if (jsObject->inherits(JSProxy::info()))
- jsObject = jsCast<JSProxy*>(jsObject)->target();
</del><ins>+ if (classInfo->isSubClassOf(JSProxy::info())) {
+ jsObject = static_cast<JSProxy*>(jsObject)->target();
+ classInfo = jsObject->classInfo();
+ }
</ins><span class="cx">
</span><del>- if (jsObject->inherits(JSCallbackObject<JSGlobalObject>::info()))
- return jsCast<JSCallbackObject<JSGlobalObject>*>(jsObject)->getPrivate();
- if (jsObject->inherits(JSCallbackObject<JSDestructibleObject>::info()))
- return jsCast<JSCallbackObject<JSDestructibleObject>*>(jsObject)->getPrivate();
</del><ins>+ if (classInfo->isSubClassOf(JSCallbackObject<JSGlobalObject>::info()))
+ return static_cast<JSCallbackObject<JSGlobalObject>*>(jsObject)->getPrivate();
+ if (classInfo->isSubClassOf(JSCallbackObject<JSDestructibleObject>::info()))
+ return static_cast<JSCallbackObject<JSDestructibleObject>*>(jsObject)->getPrivate();
</ins><span class="cx"> #if JSC_OBJC_API_ENABLED
</span><del>- if (jsObject->inherits(JSCallbackObject<JSAPIWrapperObject>::info()))
- return jsCast<JSCallbackObject<JSAPIWrapperObject>*>(jsObject)->getPrivate();
</del><ins>+ if (classInfo->isSubClassOf(JSCallbackObject<JSAPIWrapperObject>::info()))
+ return static_cast<JSCallbackObject<JSAPIWrapperObject>*>(jsObject)->getPrivate();
</ins><span class="cx"> #endif
</span><span class="cx">
</span><span class="cx"> return 0;
</span><span class="lines">@@ -403,20 +420,24 @@
</span><span class="cx"> {
</span><span class="cx"> JSObject* jsObject = uncheckedToJS(object);
</span><span class="cx">
</span><ins>+ const ClassInfo* classInfo = classInfoPrivate(jsObject);
+
</ins><span class="cx"> // Get wrapped object if proxied
</span><del>- if (jsObject->inherits(JSProxy::info()))
</del><ins>+ if (classInfo->isSubClassOf(JSProxy::info())) {
</ins><span class="cx"> jsObject = jsCast<JSProxy*>(jsObject)->target();
</span><ins>+ classInfo = jsObject->classInfo();
+ }
</ins><span class="cx">
</span><del>- if (jsObject->inherits(JSCallbackObject<JSGlobalObject>::info())) {
</del><ins>+ if (classInfo->isSubClassOf(JSCallbackObject<JSGlobalObject>::info())) {
</ins><span class="cx"> jsCast<JSCallbackObject<JSGlobalObject>*>(jsObject)->setPrivate(data);
</span><span class="cx"> return true;
</span><span class="cx"> }
</span><del>- if (jsObject->inherits(JSCallbackObject<JSDestructibleObject>::info())) {
</del><ins>+ if (classInfo->isSubClassOf(JSCallbackObject<JSDestructibleObject>::info())) {
</ins><span class="cx"> jsCast<JSCallbackObject<JSDestructibleObject>*>(jsObject)->setPrivate(data);
</span><span class="cx"> return true;
</span><span class="cx"> }
</span><span class="cx"> #if JSC_OBJC_API_ENABLED
</span><del>- if (jsObject->inherits(JSCallbackObject<JSAPIWrapperObject>::info())) {
</del><ins>+ if (classInfo->isSubClassOf(JSCallbackObject<JSAPIWrapperObject>::info())) {
</ins><span class="cx"> jsCast<JSCallbackObject<JSAPIWrapperObject>*>(jsObject)->setPrivate(data);
</span><span class="cx"> return true;
</span><span class="cx"> }
</span></span></pre></div>
<a id="branchessafari603branchSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/JavaScriptCore/ChangeLog (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/JavaScriptCore/ChangeLog 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/JavaScriptCore/ChangeLog 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -1,5 +1,116 @@
</span><span class="cx"> 2017-01-18 Matthew Hanson <matthew_hanson@apple.com>
</span><span class="cx">
</span><ins>+ Merge r210829. rdar://problem/30044439
+
+ 2017-01-16 Filip Pizlo <fpizlo@apple.com>
+
+ JSCell::classInfo() shouldn't have a bunch of mitigations for being called during destruction
+ https://bugs.webkit.org/show_bug.cgi?id=167066
+
+ Reviewed by Keith Miller and Michael Saboff.
+
+ This reduces the size of JSCell::classInfo() by half and removes some checks that
+ this function previously had to do in case it was called from destructors.
+
+ I changed all of the destructors so that they don't call JSCell::classInfo() and I
+ added an assertion to JSCell::classInfo() to catch cases where someone called it
+ from a destructor accidentally.
+
+ This means that we only have one place in destruction that needs to know the class:
+ the sweeper's call to the destructor.
+
+ One of the trickiest outcomes of this is the need to support inherits() tests in
+ JSObjectGetPrivate(), when it is called from the destructor callback on the object
+ being destructed. JSObjectGetPrivate() is undefined behavior anyway if you use it
+ on any dead-but-not-destructed object other than the one being destructed right
+ now. The purpose of the inherits() tests is to distinguish between different kinds
+ of CallbackObjects, which may have different kinds of base classes. I think that
+ this was always subtly wrong - for example, if the object being destructed is a
+ JSGlobalObject then it's not a DestructibleObject, is not in a destructor block,
+ but does not have an immortal Structure - so classInfo() is not valid. This fixes
+ the issue by having ~JSCallbackObject know its classInfo. It now stashes its
+ classInfo in VM so that JSObjectGetPrivate can use that classInfo if it detects
+ that it's being used on a currently-destructing object.
+
+ That was the only really weird part of this patch. The rest is mostly removing
+ illegal uses of jsCast<> in destructors. There were a few other genuine uses of
+ classInfo() but they were in code that already knew how to get its classInfo()
+ using other means:
+
+ - You can still say structure()->classInfo(), and I use this form in code that
+ knows that its StructureIsImmortal.
+
+ - You can use this->classInfo() if it's overridden, like in subclasses of
+ JSDestructibleObject.
+
+ Rolling this back in because I think I fixed the crashes.
+
+ * API/JSAPIWrapperObject.mm:
+ (JSAPIWrapperObjectHandleOwner::finalize):
+ * API/JSCallbackObject.h:
+ * API/JSCallbackObjectFunctions.h:
+ (JSC::JSCallbackObject<Parent>::~JSCallbackObject):
+ (JSC::JSCallbackObject<Parent>::init):
+ * API/JSObjectRef.cpp:
+ (classInfoPrivate):
+ (JSObjectGetPrivate):
+ (JSObjectSetPrivate):
+ * bytecode/EvalCodeBlock.cpp:
+ (JSC::EvalCodeBlock::destroy):
+ * bytecode/FunctionCodeBlock.cpp:
+ (JSC::FunctionCodeBlock::destroy):
+ * bytecode/ModuleProgramCodeBlock.cpp:
+ (JSC::ModuleProgramCodeBlock::destroy):
+ * bytecode/ProgramCodeBlock.cpp:
+ (JSC::ProgramCodeBlock::destroy):
+ * bytecode/UnlinkedEvalCodeBlock.cpp:
+ (JSC::UnlinkedEvalCodeBlock::destroy):
+ * bytecode/UnlinkedFunctionCodeBlock.cpp:
+ (JSC::UnlinkedFunctionCodeBlock::destroy):
+ * bytecode/UnlinkedFunctionExecutable.cpp:
+ (JSC::UnlinkedFunctionExecutable::destroy):
+ * bytecode/UnlinkedModuleProgramCodeBlock.cpp:
+ (JSC::UnlinkedModuleProgramCodeBlock::destroy):
+ * bytecode/UnlinkedProgramCodeBlock.cpp:
+ (JSC::UnlinkedProgramCodeBlock::destroy):
+ * heap/CodeBlockSet.cpp:
+ (JSC::CodeBlockSet::lastChanceToFinalize):
+ (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
+ * heap/MarkedAllocator.cpp:
+ (JSC::MarkedAllocator::allocateSlowCaseImpl):
+ * heap/MarkedBlock.cpp:
+ (JSC::MarkedBlock::Handle::sweep):
+ * jit/JITThunks.cpp:
+ (JSC::JITThunks::finalize):
+ * runtime/AbstractModuleRecord.cpp:
+ (JSC::AbstractModuleRecord::destroy):
+ * runtime/ExecutableBase.cpp:
+ (JSC::ExecutableBase::clearCode):
+ * runtime/JSCellInlines.h:
+ (JSC::JSCell::classInfo):
+ (JSC::JSCell::callDestructor):
+ * runtime/JSLock.h:
+ (JSC::JSLock::ownerThread):
+ * runtime/JSModuleNamespaceObject.cpp:
+ (JSC::JSModuleNamespaceObject::destroy):
+ * runtime/JSModuleRecord.cpp:
+ (JSC::JSModuleRecord::destroy):
+ * runtime/JSPropertyNameEnumerator.cpp:
+ (JSC::JSPropertyNameEnumerator::destroy):
+ * runtime/JSSegmentedVariableObject.h:
+ * runtime/SymbolTable.cpp:
+ (JSC::SymbolTable::destroy):
+ * runtime/VM.h:
+ * wasm/js/JSWebAssemblyCallee.cpp:
+ (JSC::JSWebAssemblyCallee::destroy):
+ * wasm/js/WebAssemblyModuleRecord.cpp:
+ (JSC::WebAssemblyModuleRecord::destroy):
+ * wasm/js/WebAssemblyToJSCallee.cpp:
+ (JSC::WebAssemblyToJSCallee::WebAssemblyToJSCallee):
+ (JSC::WebAssemblyToJSCallee::destroy):
+
+2017-01-18 Matthew Hanson <matthew_hanson@apple.com>
+
</ins><span class="cx"> Merge r210745. rdar://problem/30019309
</span><span class="cx">
</span><span class="cx"> 2017-01-13 Saam Barati <sbarati@apple.com>
</span></span></pre></div>
<a id="branchessafari603branchSourceJavaScriptCorebytecodeEvalCodeBlockcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/JavaScriptCore/bytecode/EvalCodeBlock.cpp (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/JavaScriptCore/bytecode/EvalCodeBlock.cpp 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/JavaScriptCore/bytecode/EvalCodeBlock.cpp 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -39,7 +39,7 @@
</span><span class="cx">
</span><span class="cx"> void EvalCodeBlock::destroy(JSCell* cell)
</span><span class="cx"> {
</span><del>- jsCast<EvalCodeBlock*>(cell)->~EvalCodeBlock();
</del><ins>+ static_cast<EvalCodeBlock*>(cell)->~EvalCodeBlock();
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> } // namespace JSC
</span></span></pre></div>
<a id="branchessafari603branchSourceJavaScriptCorebytecodeFunctionCodeBlockcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/JavaScriptCore/bytecode/FunctionCodeBlock.cpp (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/JavaScriptCore/bytecode/FunctionCodeBlock.cpp 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/JavaScriptCore/bytecode/FunctionCodeBlock.cpp 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -39,7 +39,7 @@
</span><span class="cx">
</span><span class="cx"> void FunctionCodeBlock::destroy(JSCell* cell)
</span><span class="cx"> {
</span><del>- jsCast<FunctionCodeBlock*>(cell)->~FunctionCodeBlock();
</del><ins>+ static_cast<FunctionCodeBlock*>(cell)->~FunctionCodeBlock();
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> } // namespace JSC
</span></span></pre></div>
<a id="branchessafari603branchSourceJavaScriptCorebytecodeModuleProgramCodeBlockcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/JavaScriptCore/bytecode/ModuleProgramCodeBlock.cpp (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/JavaScriptCore/bytecode/ModuleProgramCodeBlock.cpp 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/JavaScriptCore/bytecode/ModuleProgramCodeBlock.cpp 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -39,7 +39,7 @@
</span><span class="cx">
</span><span class="cx"> void ModuleProgramCodeBlock::destroy(JSCell* cell)
</span><span class="cx"> {
</span><del>- jsCast<ModuleProgramCodeBlock*>(cell)->~ModuleProgramCodeBlock();
</del><ins>+ static_cast<ModuleProgramCodeBlock*>(cell)->~ModuleProgramCodeBlock();
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> } // namespace JSC
</span></span></pre></div>
<a id="branchessafari603branchSourceJavaScriptCorebytecodeProgramCodeBlockcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/JavaScriptCore/bytecode/ProgramCodeBlock.cpp (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/JavaScriptCore/bytecode/ProgramCodeBlock.cpp 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/JavaScriptCore/bytecode/ProgramCodeBlock.cpp 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -39,7 +39,7 @@
</span><span class="cx">
</span><span class="cx"> void ProgramCodeBlock::destroy(JSCell* cell)
</span><span class="cx"> {
</span><del>- jsCast<ProgramCodeBlock*>(cell)->~ProgramCodeBlock();
</del><ins>+ static_cast<ProgramCodeBlock*>(cell)->~ProgramCodeBlock();
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> } // namespace JSC
</span></span></pre></div>
<a id="branchessafari603branchSourceJavaScriptCorebytecodeUnlinkedEvalCodeBlockcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/JavaScriptCore/bytecode/UnlinkedEvalCodeBlock.cpp (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/JavaScriptCore/bytecode/UnlinkedEvalCodeBlock.cpp 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/JavaScriptCore/bytecode/UnlinkedEvalCodeBlock.cpp 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -34,7 +34,7 @@
</span><span class="cx">
</span><span class="cx"> void UnlinkedEvalCodeBlock::destroy(JSCell* cell)
</span><span class="cx"> {
</span><del>- jsCast<UnlinkedEvalCodeBlock*>(cell)->~UnlinkedEvalCodeBlock();
</del><ins>+ static_cast<UnlinkedEvalCodeBlock*>(cell)->~UnlinkedEvalCodeBlock();
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> }
</span></span></pre></div>
<a id="branchessafari603branchSourceJavaScriptCorebytecodeUnlinkedFunctionCodeBlockcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/JavaScriptCore/bytecode/UnlinkedFunctionCodeBlock.cpp (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/JavaScriptCore/bytecode/UnlinkedFunctionCodeBlock.cpp 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/JavaScriptCore/bytecode/UnlinkedFunctionCodeBlock.cpp 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -34,7 +34,7 @@
</span><span class="cx">
</span><span class="cx"> void UnlinkedFunctionCodeBlock::destroy(JSCell* cell)
</span><span class="cx"> {
</span><del>- jsCast<UnlinkedFunctionCodeBlock*>(cell)->~UnlinkedFunctionCodeBlock();
</del><ins>+ static_cast<UnlinkedFunctionCodeBlock*>(cell)->~UnlinkedFunctionCodeBlock();
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> }
</span></span></pre></div>
<a id="branchessafari603branchSourceJavaScriptCorebytecodeUnlinkedFunctionExecutablecpp"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/JavaScriptCore/bytecode/UnlinkedFunctionExecutable.cpp (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/JavaScriptCore/bytecode/UnlinkedFunctionExecutable.cpp 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/JavaScriptCore/bytecode/UnlinkedFunctionExecutable.cpp 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -119,7 +119,7 @@
</span><span class="cx">
</span><span class="cx"> void UnlinkedFunctionExecutable::destroy(JSCell* cell)
</span><span class="cx"> {
</span><del>- jsCast<UnlinkedFunctionExecutable*>(cell)->~UnlinkedFunctionExecutable();
</del><ins>+ static_cast<UnlinkedFunctionExecutable*>(cell)->~UnlinkedFunctionExecutable();
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void UnlinkedFunctionExecutable::visitChildren(JSCell* cell, SlotVisitor& visitor)
</span></span></pre></div>
<a id="branchessafari603branchSourceJavaScriptCorebytecodeUnlinkedModuleProgramCodeBlockcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/JavaScriptCore/bytecode/UnlinkedModuleProgramCodeBlock.cpp (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/JavaScriptCore/bytecode/UnlinkedModuleProgramCodeBlock.cpp 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/JavaScriptCore/bytecode/UnlinkedModuleProgramCodeBlock.cpp 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -42,7 +42,7 @@
</span><span class="cx">
</span><span class="cx"> void UnlinkedModuleProgramCodeBlock::destroy(JSCell* cell)
</span><span class="cx"> {
</span><del>- jsCast<UnlinkedModuleProgramCodeBlock*>(cell)->~UnlinkedModuleProgramCodeBlock();
</del><ins>+ static_cast<UnlinkedModuleProgramCodeBlock*>(cell)->~UnlinkedModuleProgramCodeBlock();
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> }
</span></span></pre></div>
<a id="branchessafari603branchSourceJavaScriptCorebytecodeUnlinkedProgramCodeBlockcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/JavaScriptCore/bytecode/UnlinkedProgramCodeBlock.cpp (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/JavaScriptCore/bytecode/UnlinkedProgramCodeBlock.cpp 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/JavaScriptCore/bytecode/UnlinkedProgramCodeBlock.cpp 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -42,7 +42,7 @@
</span><span class="cx">
</span><span class="cx"> void UnlinkedProgramCodeBlock::destroy(JSCell* cell)
</span><span class="cx"> {
</span><del>- jsCast<UnlinkedProgramCodeBlock*>(cell)->~UnlinkedProgramCodeBlock();
</del><ins>+ static_cast<UnlinkedProgramCodeBlock*>(cell)->~UnlinkedProgramCodeBlock();
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> }
</span></span></pre></div>
<a id="branchessafari603branchSourceJavaScriptCoreheapCodeBlockSetcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/JavaScriptCore/heap/CodeBlockSet.cpp (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/JavaScriptCore/heap/CodeBlockSet.cpp 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/JavaScriptCore/heap/CodeBlockSet.cpp 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -65,10 +65,10 @@
</span><span class="cx"> {
</span><span class="cx"> LockHolder locker(&m_lock);
</span><span class="cx"> for (CodeBlock* codeBlock : m_newCodeBlocks)
</span><del>- codeBlock->classInfo()->methodTable.destroy(codeBlock);
</del><ins>+ codeBlock->structure()->classInfo()->methodTable.destroy(codeBlock);
</ins><span class="cx">
</span><span class="cx"> for (CodeBlock* codeBlock : m_oldCodeBlocks)
</span><del>- codeBlock->classInfo()->methodTable.destroy(codeBlock);
</del><ins>+ codeBlock->structure()->classInfo()->methodTable.destroy(codeBlock);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void CodeBlockSet::deleteUnmarkedAndUnreferenced(CollectionScope scope)
</span><span class="lines">@@ -83,7 +83,7 @@
</span><span class="cx"> unmarked.append(codeBlock);
</span><span class="cx"> }
</span><span class="cx"> for (CodeBlock* codeBlock : unmarked) {
</span><del>- codeBlock->classInfo()->methodTable.destroy(codeBlock);
</del><ins>+ codeBlock->structure()->classInfo()->methodTable.destroy(codeBlock);
</ins><span class="cx"> set.remove(codeBlock);
</span><span class="cx"> }
</span><span class="cx"> unmarked.resize(0);
</span></span></pre></div>
<a id="branchessafari603branchSourceJavaScriptCoreheapMarkedAllocatorcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/JavaScriptCore/heap/MarkedAllocator.cpp (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/JavaScriptCore/heap/MarkedAllocator.cpp 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/JavaScriptCore/heap/MarkedAllocator.cpp 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -212,7 +212,7 @@
</span><span class="cx">
</span><span class="cx"> didConsumeFreeList();
</span><span class="cx">
</span><del>- AllocatingScope healpingHeap(*m_heap);
</del><ins>+ AllocatingScope helpingHeap(*m_heap);
</ins><span class="cx">
</span><span class="cx"> m_heap->collectIfNecessaryOrDefer(deferralContext);
</span><span class="cx">
</span></span></pre></div>
<a id="branchessafari603branchSourceJavaScriptCoreheapMarkedBlockcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/JavaScriptCore/heap/MarkedBlock.cpp (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/JavaScriptCore/heap/MarkedBlock.cpp 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/JavaScriptCore/heap/MarkedBlock.cpp 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -26,6 +26,7 @@
</span><span class="cx"> #include "config.h"
</span><span class="cx"> #include "MarkedBlock.h"
</span><span class="cx">
</span><ins>+#include "HelpingGCScope.h"
</ins><span class="cx"> #include "JSCell.h"
</span><span class="cx"> #include "JSDestructibleObject.h"
</span><span class="cx"> #include "JSCInlines.h"
</span><span class="lines">@@ -195,6 +196,9 @@
</span><span class="cx">
</span><span class="cx"> FreeList MarkedBlock::Handle::sweep(SweepMode sweepMode)
</span><span class="cx"> {
</span><ins>+ // FIXME: Maybe HelpingGCScope should just be called SweepScope?
+ HelpingGCScope helpingGCScope(*heap());
+
</ins><span class="cx"> m_allocator->setIsUnswept(NoLockingNecessary, this, false);
</span><span class="cx">
</span><span class="cx"> m_weakSet.sweep();
</span></span></pre></div>
<a id="branchessafari603branchSourceJavaScriptCorejitJITThunkscpp"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/JavaScriptCore/jit/JITThunks.cpp (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/JavaScriptCore/jit/JITThunks.cpp 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/JavaScriptCore/jit/JITThunks.cpp 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -84,7 +84,7 @@
</span><span class="cx">
</span><span class="cx"> void JITThunks::finalize(Handle<Unknown> handle, void*)
</span><span class="cx"> {
</span><del>- auto* nativeExecutable = jsCast<NativeExecutable*>(handle.get().asCell());
</del><ins>+ auto* nativeExecutable = static_cast<NativeExecutable*>(handle.get().asCell());
</ins><span class="cx"> weakRemove(*m_hostFunctionStubMap, std::make_tuple(nativeExecutable->function(), nativeExecutable->constructor(), nativeExecutable->name()), nativeExecutable);
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="branchessafari603branchSourceJavaScriptCoreruntimeAbstractModuleRecordcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/JavaScriptCore/runtime/AbstractModuleRecord.cpp (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/JavaScriptCore/runtime/AbstractModuleRecord.cpp 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/JavaScriptCore/runtime/AbstractModuleRecord.cpp 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -46,7 +46,7 @@
</span><span class="cx">
</span><span class="cx"> void AbstractModuleRecord::destroy(JSCell* cell)
</span><span class="cx"> {
</span><del>- AbstractModuleRecord* thisObject = jsCast<AbstractModuleRecord*>(cell);
</del><ins>+ AbstractModuleRecord* thisObject = static_cast<AbstractModuleRecord*>(cell);
</ins><span class="cx"> thisObject->AbstractModuleRecord::~AbstractModuleRecord();
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="branchessafari603branchSourceJavaScriptCoreruntimeExecutableBasecpp"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/JavaScriptCore/runtime/ExecutableBase.cpp (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/JavaScriptCore/runtime/ExecutableBase.cpp 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/JavaScriptCore/runtime/ExecutableBase.cpp 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -60,29 +60,29 @@
</span><span class="cx"> m_numParametersForCall = NUM_PARAMETERS_NOT_COMPILED;
</span><span class="cx"> m_numParametersForConstruct = NUM_PARAMETERS_NOT_COMPILED;
</span><span class="cx">
</span><del>- if (classInfo() == FunctionExecutable::info()) {
- FunctionExecutable* executable = jsCast<FunctionExecutable*>(this);
</del><ins>+ if (structure()->classInfo() == FunctionExecutable::info()) {
+ FunctionExecutable* executable = static_cast<FunctionExecutable*>(this);
</ins><span class="cx"> executable->m_codeBlockForCall.clear();
</span><span class="cx"> executable->m_codeBlockForConstruct.clear();
</span><span class="cx"> return;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- if (classInfo() == EvalExecutable::info()) {
- EvalExecutable* executable = jsCast<EvalExecutable*>(this);
</del><ins>+ if (structure()->classInfo() == EvalExecutable::info()) {
+ EvalExecutable* executable = static_cast<EvalExecutable*>(this);
</ins><span class="cx"> executable->m_evalCodeBlock.clear();
</span><span class="cx"> executable->m_unlinkedEvalCodeBlock.clear();
</span><span class="cx"> return;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- if (classInfo() == ProgramExecutable::info()) {
- ProgramExecutable* executable = jsCast<ProgramExecutable*>(this);
</del><ins>+ if (structure()->classInfo() == ProgramExecutable::info()) {
+ ProgramExecutable* executable = static_cast<ProgramExecutable*>(this);
</ins><span class="cx"> executable->m_programCodeBlock.clear();
</span><span class="cx"> executable->m_unlinkedProgramCodeBlock.clear();
</span><span class="cx"> return;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- if (classInfo() == ModuleProgramExecutable::info()) {
- ModuleProgramExecutable* executable = jsCast<ModuleProgramExecutable*>(this);
</del><ins>+ if (structure()->classInfo() == ModuleProgramExecutable::info()) {
+ ModuleProgramExecutable* executable = static_cast<ModuleProgramExecutable*>(this);
</ins><span class="cx"> executable->m_moduleProgramCodeBlock.clear();
</span><span class="cx"> executable->m_unlinkedModuleProgramCodeBlock.clear();
</span><span class="cx"> executable->m_moduleEnvironmentSymbolTable.clear();
</span><span class="lines">@@ -89,7 +89,7 @@
</span><span class="cx"> return;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- ASSERT(classInfo() == NativeExecutable::info());
</del><ins>+ ASSERT(structure()->classInfo() == NativeExecutable::info());
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void ExecutableBase::dump(PrintStream& out) const
</span></span></pre></div>
<a id="branchessafari603branchSourceJavaScriptCoreruntimeJSCellInlinesh"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/JavaScriptCore/runtime/JSCellInlines.h (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/JavaScriptCore/runtime/JSCellInlines.h 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/JavaScriptCore/runtime/JSCellInlines.h 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -267,17 +267,13 @@
</span><span class="cx">
</span><span class="cx"> ALWAYS_INLINE const ClassInfo* JSCell::classInfo() const
</span><span class="cx"> {
</span><del>- if (isLargeAllocation()) {
- LargeAllocation& allocation = largeAllocation();
- if (allocation.attributes().destruction == NeedsDestruction
- && !(inlineTypeFlags() & StructureIsImmortal))
- return static_cast<const JSDestructibleObject*>(this)->classInfo();
- return structure(*allocation.vm())->classInfo();
- }
- MarkedBlock& block = markedBlock();
- if (block.needsDestruction() && !(inlineTypeFlags() & StructureIsImmortal))
- return static_cast<const JSDestructibleObject*>(this)->classInfo();
- return structure(*block.vm())->classInfo();
</del><ins>+ VM* vm;
+ if (isLargeAllocation())
+ vm = largeAllocation().vm();
+ else
+ vm = markedBlock().vm();
+ ASSERT(vm->heap.mutatorState() == MutatorState::Running || vm->apiLock().ownerThread() != std::this_thread::get_id());
+ return structure(*vm)->classInfo();
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> inline bool JSCell::toBoolean(ExecState* exec) const
</span><span class="lines">@@ -307,7 +303,7 @@
</span><span class="cx"> MethodTable::DestroyFunctionPtr destroy = classInfo->methodTable.destroy;
</span><span class="cx"> destroy(this);
</span><span class="cx"> } else
</span><del>- jsCast<JSDestructibleObject*>(this)->classInfo()->methodTable.destroy(this);
</del><ins>+ static_cast<JSDestructibleObject*>(this)->classInfo()->methodTable.destroy(this);
</ins><span class="cx"> zap();
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="branchessafari603branchSourceJavaScriptCoreruntimeJSLockh"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/JavaScriptCore/runtime/JSLock.h (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/JavaScriptCore/runtime/JSLock.h 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/JavaScriptCore/runtime/JSLock.h 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -99,6 +99,7 @@
</span><span class="cx"> ASSERT(m_hasExclusiveThread);
</span><span class="cx"> return m_ownerThreadID;
</span><span class="cx"> }
</span><ins>+ std::thread::id ownerThread() const { return m_ownerThreadID; }
</ins><span class="cx"> JS_EXPORT_PRIVATE void setExclusiveThread(std::thread::id);
</span><span class="cx"> JS_EXPORT_PRIVATE bool currentThreadIsHoldingLock();
</span><span class="cx">
</span></span></pre></div>
<a id="branchessafari603branchSourceJavaScriptCoreruntimeJSModuleNamespaceObjectcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/JavaScriptCore/runtime/JSModuleNamespaceObject.cpp (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/JavaScriptCore/runtime/JSModuleNamespaceObject.cpp 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/JavaScriptCore/runtime/JSModuleNamespaceObject.cpp 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -83,7 +83,7 @@
</span><span class="cx">
</span><span class="cx"> void JSModuleNamespaceObject::destroy(JSCell* cell)
</span><span class="cx"> {
</span><del>- JSModuleNamespaceObject* thisObject = jsCast<JSModuleNamespaceObject*>(cell);
</del><ins>+ JSModuleNamespaceObject* thisObject = static_cast<JSModuleNamespaceObject*>(cell);
</ins><span class="cx"> thisObject->JSModuleNamespaceObject::~JSModuleNamespaceObject();
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="branchessafari603branchSourceJavaScriptCoreruntimeJSModuleRecordcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/JavaScriptCore/runtime/JSModuleRecord.cpp (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/JavaScriptCore/runtime/JSModuleRecord.cpp 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/JavaScriptCore/runtime/JSModuleRecord.cpp 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -59,7 +59,7 @@
</span><span class="cx">
</span><span class="cx"> void JSModuleRecord::destroy(JSCell* cell)
</span><span class="cx"> {
</span><del>- JSModuleRecord* thisObject = jsCast<JSModuleRecord*>(cell);
</del><ins>+ JSModuleRecord* thisObject = static_cast<JSModuleRecord*>(cell);
</ins><span class="cx"> thisObject->JSModuleRecord::~JSModuleRecord();
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="branchessafari603branchSourceJavaScriptCoreruntimeJSPropertyNameEnumeratorcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/JavaScriptCore/runtime/JSPropertyNameEnumerator.cpp (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/JavaScriptCore/runtime/JSPropertyNameEnumerator.cpp 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/JavaScriptCore/runtime/JSPropertyNameEnumerator.cpp 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -83,7 +83,7 @@
</span><span class="cx">
</span><span class="cx"> void JSPropertyNameEnumerator::destroy(JSCell* cell)
</span><span class="cx"> {
</span><del>- jsCast<JSPropertyNameEnumerator*>(cell)->JSPropertyNameEnumerator::~JSPropertyNameEnumerator();
</del><ins>+ static_cast<JSPropertyNameEnumerator*>(cell)->JSPropertyNameEnumerator::~JSPropertyNameEnumerator();
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void JSPropertyNameEnumerator::visitChildren(JSCell* cell, SlotVisitor& visitor)
</span></span></pre></div>
<a id="branchessafari603branchSourceJavaScriptCoreruntimeJSSegmentedVariableObjecth"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/JavaScriptCore/runtime/JSSegmentedVariableObject.h (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/JavaScriptCore/runtime/JSSegmentedVariableObject.h 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/JavaScriptCore/runtime/JSSegmentedVariableObject.h 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -47,6 +47,8 @@
</span><span class="cx"> // JSSegmentedVariableObject has its own GC tracing functionality, since it knows the
</span><span class="cx"> // exact dimensions of the variables array at all times.
</span><span class="cx">
</span><ins>+// Except for JSGlobalObject, subclasses of this don't call the destructor and leak memory.
+
</ins><span class="cx"> class JSSegmentedVariableObject : public JSSymbolTableObject {
</span><span class="cx"> friend class JIT;
</span><span class="cx"> friend class LLIntOffsetsExtractor;
</span></span></pre></div>
<a id="branchessafari603branchSourceJavaScriptCoreruntimeStructureInlinesh"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/JavaScriptCore/runtime/StructureInlines.h (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/JavaScriptCore/runtime/StructureInlines.h 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/JavaScriptCore/runtime/StructureInlines.h 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -259,10 +259,27 @@
</span><span class="cx"> if (isCompilationThread())
</span><span class="cx"> return true;
</span><span class="cx">
</span><del>- RELEASE_ASSERT(numberOfSlotsForLastOffset(m_offset, m_inlineCapacity) == propertyTable->propertyStorageSize());
</del><span class="cx"> unsigned totalSize = propertyTable->propertyStorageSize();
</span><del>- RELEASE_ASSERT((totalSize < inlineCapacity() ? 0 : totalSize - inlineCapacity()) == numberOfOutOfLineSlotsForLastOffset(m_offset));
</del><ins>+ unsigned inlineOverflowAccordingToTotalSize = totalSize < m_inlineCapacity ? 0 : totalSize - m_inlineCapacity;
</ins><span class="cx">
</span><ins>+ auto fail = [&] (const char* description) {
+ dataLog("Detected offset inconsistency: ", description, "!\n");
+ dataLog("this = ", RawPointer(this), "\n");
+ dataLog("m_offset = ", m_offset, "\n");
+ dataLog("m_inlineCapacity = ", m_inlineCapacity, "\n");
+ dataLog("propertyTable = ", RawPointer(propertyTable), "\n");
+ dataLog("numberOfSlotsForLastOffset = ", numberOfSlotsForLastOffset(m_offset, m_inlineCapacity), "\n");
+ dataLog("totalSize = ", totalSize, "\n");
+ dataLog("inlineOverflowAccordingToTotalSize = ", inlineOverflowAccordingToTotalSize, "\n");
+ dataLog("numberOfOutOfLineSlotsForLastOffset = ", numberOfOutOfLineSlotsForLastOffset(m_offset), "\n");
+ UNREACHABLE_FOR_PLATFORM();
+ };
+
+ if (numberOfSlotsForLastOffset(m_offset, m_inlineCapacity) != totalSize)
+ fail("numberOfSlotsForLastOffset doesn't match totalSize");
+ if (inlineOverflowAccordingToTotalSize != numberOfOutOfLineSlotsForLastOffset(m_offset))
+ fail("inlineOverflowAccordingToTotalSize doesn't match numberOfOutOfLineSlotsForLastOffset");
+
</ins><span class="cx"> return true;
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="branchessafari603branchSourceJavaScriptCoreruntimeSymbolTablecpp"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/JavaScriptCore/runtime/SymbolTable.cpp (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/JavaScriptCore/runtime/SymbolTable.cpp 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/JavaScriptCore/runtime/SymbolTable.cpp 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -49,7 +49,7 @@
</span><span class="cx">
</span><span class="cx"> void SymbolTable::destroy(JSCell* cell)
</span><span class="cx"> {
</span><del>- SymbolTable* thisObject = jsCast<SymbolTable*>(cell);
</del><ins>+ SymbolTable* thisObject = static_cast<SymbolTable*>(cell);
</ins><span class="cx"> thisObject->SymbolTable::~SymbolTable();
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="branchessafari603branchSourceJavaScriptCoreruntimeVMh"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/JavaScriptCore/runtime/VM.h (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/JavaScriptCore/runtime/VM.h 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/JavaScriptCore/runtime/VM.h 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -354,6 +354,9 @@
</span><span class="cx"> Strong<JSCell> iterationTerminator;
</span><span class="cx"> Strong<JSCell> emptyPropertyNameEnumerator;
</span><span class="cx">
</span><ins>+ JSCell* currentlyDestructingCallbackObject;
+ const ClassInfo* currentlyDestructingCallbackObjectClassInfo;
+
</ins><span class="cx"> AtomicStringTable* m_atomicStringTable;
</span><span class="cx"> WTF::SymbolRegistry m_symbolRegistry;
</span><span class="cx"> TemplateRegistryKeyTable m_templateRegistryKeytable;
</span></span></pre></div>
<a id="branchessafari603branchSourceJavaScriptCorewasmjsJSWebAssemblyCalleecpp"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/JavaScriptCore/wasm/js/JSWebAssemblyCallee.cpp (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/JavaScriptCore/wasm/js/JSWebAssemblyCallee.cpp 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/JavaScriptCore/wasm/js/JSWebAssemblyCallee.cpp 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -47,7 +47,7 @@
</span><span class="cx">
</span><span class="cx"> void JSWebAssemblyCallee::destroy(JSCell* cell)
</span><span class="cx"> {
</span><del>- JSWebAssemblyCallee* thisObject = jsCast<JSWebAssemblyCallee*>(cell);
</del><ins>+ JSWebAssemblyCallee* thisObject = static_cast<JSWebAssemblyCallee*>(cell);
</ins><span class="cx"> thisObject->JSWebAssemblyCallee::~JSWebAssemblyCallee();
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="branchessafari603branchSourceJavaScriptCorewasmjsWebAssemblyModuleRecordcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -62,7 +62,7 @@
</span><span class="cx">
</span><span class="cx"> void WebAssemblyModuleRecord::destroy(JSCell* cell)
</span><span class="cx"> {
</span><del>- WebAssemblyModuleRecord* thisObject = jsCast<WebAssemblyModuleRecord*>(cell);
</del><ins>+ WebAssemblyModuleRecord* thisObject = static_cast<WebAssemblyModuleRecord*>(cell);
</ins><span class="cx"> thisObject->WebAssemblyModuleRecord::~WebAssemblyModuleRecord();
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="branchessafari603branchSourceJavaScriptCorewasmjsWebAssemblyToJSCalleecpp"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/JavaScriptCore/wasm/js/WebAssemblyToJSCallee.cpp (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/JavaScriptCore/wasm/js/WebAssemblyToJSCallee.cpp 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/JavaScriptCore/wasm/js/WebAssemblyToJSCallee.cpp 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -48,7 +48,8 @@
</span><span class="cx">
</span><span class="cx"> WebAssemblyToJSCallee::WebAssemblyToJSCallee(VM& vm, Structure* structure)
</span><span class="cx"> : Base(vm, structure)
</span><del>-{ }
</del><ins>+{
+}
</ins><span class="cx">
</span><span class="cx"> void WebAssemblyToJSCallee::finishCreation(VM& vm)
</span><span class="cx"> {
</span><span class="lines">@@ -57,7 +58,7 @@
</span><span class="cx">
</span><span class="cx"> void WebAssemblyToJSCallee::destroy(JSCell* cell)
</span><span class="cx"> {
</span><del>- WebAssemblyToJSCallee* thisObject = jsCast<WebAssemblyToJSCallee*>(cell);
</del><ins>+ WebAssemblyToJSCallee* thisObject = static_cast<WebAssemblyToJSCallee*>(cell);
</ins><span class="cx"> thisObject->WebAssemblyToJSCallee::~WebAssemblyToJSCallee();
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="branchessafari603branchSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/WebCore/ChangeLog (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/WebCore/ChangeLog 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/ChangeLog 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -1,5 +1,28 @@
</span><span class="cx"> 2017-01-18 Matthew Hanson <matthew_hanson@apple.com>
</span><span class="cx">
</span><ins>+ Merge r210829. rdar://problem/30044439
+
+ 2017-01-16 Filip Pizlo <fpizlo@apple.com>
+
+ JSCell::classInfo() shouldn't have a bunch of mitigations for being called during destruction
+ https://bugs.webkit.org/show_bug.cgi?id=167066
+
+ Reviewed by Keith Miller and Michael Saboff.
+
+ No new tests because no new behavior.
+
+ It's now necessary to avoid jsCast in destructors and finalizers. This was an easy
+ rule to introduce because this used to always be the rule.
+
+ * bindings/js/JSCSSValueCustom.cpp:
+ (WebCore::JSDeprecatedCSSOMValueOwner::finalize):
+ * bindings/js/JSDOMIterator.h:
+ (WebCore::IteratorTraits>::destroy):
+ * bindings/scripts/CodeGeneratorJS.pm:
+ (GenerateImplementation):
+
+2017-01-18 Matthew Hanson <matthew_hanson@apple.com>
+
</ins><span class="cx"> Merge r210822. rdar://problem/15607819
</span><span class="cx">
</span><span class="cx"> 2017-01-17 Joseph Pecoraro <pecoraro@apple.com>
</span></span></pre></div>
<a id="branchessafari603branchSourceWebCorebindingsjsJSCSSValueCustomcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/WebCore/bindings/js/JSCSSValueCustom.cpp (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/WebCore/bindings/js/JSCSSValueCustom.cpp 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/bindings/js/JSCSSValueCustom.cpp 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -50,7 +50,7 @@
</span><span class="cx">
</span><span class="cx"> void JSDeprecatedCSSOMValueOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
</span><span class="cx"> {
</span><del>- JSDeprecatedCSSOMValue* jsCSSValue = jsCast<JSDeprecatedCSSOMValue*>(handle.slot()->asCell());
</del><ins>+ JSDeprecatedCSSOMValue* jsCSSValue = static_cast<JSDeprecatedCSSOMValue*>(handle.slot()->asCell());
</ins><span class="cx"> DOMWrapperWorld& world = *static_cast<DOMWrapperWorld*>(context);
</span><span class="cx"> world.m_deprecatedCSSOMValueRoots.remove(&jsCSSValue->wrapped());
</span><span class="cx"> uncacheWrapper(world, &jsCSSValue->wrapped(), jsCSSValue);
</span></span></pre></div>
<a id="branchessafari603branchSourceWebCorebindingsjsJSDOMIteratorh"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/WebCore/bindings/js/JSDOMIterator.h (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/WebCore/bindings/js/JSDOMIterator.h 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/bindings/js/JSDOMIterator.h 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -225,7 +225,7 @@
</span><span class="cx"> template<typename JSWrapper, typename IteratorTraits>
</span><span class="cx"> void JSDOMIterator<JSWrapper, IteratorTraits>::destroy(JSCell* cell)
</span><span class="cx"> {
</span><del>- JSDOMIterator<JSWrapper, IteratorTraits>* thisObject = JSC::jsCast<JSDOMIterator<JSWrapper, IteratorTraits>*>(cell);
</del><ins>+ JSDOMIterator<JSWrapper, IteratorTraits>* thisObject = static_cast<JSDOMIterator<JSWrapper, IteratorTraits>*>(cell);
</ins><span class="cx"> thisObject->JSDOMIterator<JSWrapper, IteratorTraits>::~JSDOMIterator();
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="branchessafari603branchSourceWebCorebindingsscriptsCodeGeneratorJSpm"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -4096,7 +4096,7 @@
</span><span class="cx"> if (ShouldGenerateWrapperOwnerCode($hasParent, $interface) && !$interface->extendedAttributes->{JSCustomFinalize}) {
</span><span class="cx"> push(@implContent, "void JS${interfaceName}Owner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)\n");
</span><span class="cx"> push(@implContent, "{\n");
</span><del>- push(@implContent, " auto* js${interfaceName} = jsCast<JS${interfaceName}*>(handle.slot()->asCell());\n");
</del><ins>+ push(@implContent, " auto* js${interfaceName} = static_cast<JS${interfaceName}*>(handle.slot()->asCell());\n");
</ins><span class="cx"> push(@implContent, " auto& world = *static_cast<DOMWrapperWorld*>(context);\n");
</span><span class="cx"> push(@implContent, " uncacheWrapper(world, &js${interfaceName}->wrapped(), js${interfaceName});\n");
</span><span class="cx"> push(@implContent, "}\n\n");
</span></span></pre></div>
<a id="branchessafari603branchSourceWebCorebindingsscriptstestJSJSInterfaceNamecpp"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSInterfaceName.cpp (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSInterfaceName.cpp 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSInterfaceName.cpp 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -174,7 +174,7 @@
</span><span class="cx">
</span><span class="cx"> void JSInterfaceNameOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
</span><span class="cx"> {
</span><del>- auto* jsInterfaceName = jsCast<JSInterfaceName*>(handle.slot()->asCell());
</del><ins>+ auto* jsInterfaceName = static_cast<JSInterfaceName*>(handle.slot()->asCell());
</ins><span class="cx"> auto& world = *static_cast<DOMWrapperWorld*>(context);
</span><span class="cx"> uncacheWrapper(world, &jsInterfaceName->wrapped(), jsInterfaceName);
</span><span class="cx"> }
</span></span></pre></div>
<a id="branchessafari603branchSourceWebCorebindingsscriptstestJSJSTestActiveDOMObjectcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestActiveDOMObject.cpp (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestActiveDOMObject.cpp 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestActiveDOMObject.cpp 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -255,7 +255,7 @@
</span><span class="cx">
</span><span class="cx"> void JSTestActiveDOMObjectOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
</span><span class="cx"> {
</span><del>- auto* jsTestActiveDOMObject = jsCast<JSTestActiveDOMObject*>(handle.slot()->asCell());
</del><ins>+ auto* jsTestActiveDOMObject = static_cast<JSTestActiveDOMObject*>(handle.slot()->asCell());
</ins><span class="cx"> auto& world = *static_cast<DOMWrapperWorld*>(context);
</span><span class="cx"> uncacheWrapper(world, &jsTestActiveDOMObject->wrapped(), jsTestActiveDOMObject);
</span><span class="cx"> }
</span></span></pre></div>
<a id="branchessafari603branchSourceWebCorebindingsscriptstestJSJSTestCEReactionscpp"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestCEReactions.cpp (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestCEReactions.cpp 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestCEReactions.cpp 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -315,7 +315,7 @@
</span><span class="cx">
</span><span class="cx"> void JSTestCEReactionsOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
</span><span class="cx"> {
</span><del>- auto* jsTestCEReactions = jsCast<JSTestCEReactions*>(handle.slot()->asCell());
</del><ins>+ auto* jsTestCEReactions = static_cast<JSTestCEReactions*>(handle.slot()->asCell());
</ins><span class="cx"> auto& world = *static_cast<DOMWrapperWorld*>(context);
</span><span class="cx"> uncacheWrapper(world, &jsTestCEReactions->wrapped(), jsTestCEReactions);
</span><span class="cx"> }
</span></span></pre></div>
<a id="branchessafari603branchSourceWebCorebindingsscriptstestJSJSTestCEReactionsStringifiercpp"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestCEReactionsStringifier.cpp (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestCEReactionsStringifier.cpp 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestCEReactionsStringifier.cpp 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -232,7 +232,7 @@
</span><span class="cx">
</span><span class="cx"> void JSTestCEReactionsStringifierOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
</span><span class="cx"> {
</span><del>- auto* jsTestCEReactionsStringifier = jsCast<JSTestCEReactionsStringifier*>(handle.slot()->asCell());
</del><ins>+ auto* jsTestCEReactionsStringifier = static_cast<JSTestCEReactionsStringifier*>(handle.slot()->asCell());
</ins><span class="cx"> auto& world = *static_cast<DOMWrapperWorld*>(context);
</span><span class="cx"> uncacheWrapper(world, &jsTestCEReactionsStringifier->wrapped(), jsTestCEReactionsStringifier);
</span><span class="cx"> }
</span></span></pre></div>
<a id="branchessafari603branchSourceWebCorebindingsscriptstestJSJSTestClassWithJSBuiltinConstructorcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestClassWithJSBuiltinConstructor.cpp (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestClassWithJSBuiltinConstructor.cpp 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestClassWithJSBuiltinConstructor.cpp 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -173,7 +173,7 @@
</span><span class="cx">
</span><span class="cx"> void JSTestClassWithJSBuiltinConstructorOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
</span><span class="cx"> {
</span><del>- auto* jsTestClassWithJSBuiltinConstructor = jsCast<JSTestClassWithJSBuiltinConstructor*>(handle.slot()->asCell());
</del><ins>+ auto* jsTestClassWithJSBuiltinConstructor = static_cast<JSTestClassWithJSBuiltinConstructor*>(handle.slot()->asCell());
</ins><span class="cx"> auto& world = *static_cast<DOMWrapperWorld*>(context);
</span><span class="cx"> uncacheWrapper(world, &jsTestClassWithJSBuiltinConstructor->wrapped(), jsTestClassWithJSBuiltinConstructor);
</span><span class="cx"> }
</span></span></pre></div>
<a id="branchessafari603branchSourceWebCorebindingsscriptstestJSJSTestCustomConstructorWithNoInterfaceObjectcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestCustomConstructorWithNoInterfaceObject.cpp (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestCustomConstructorWithNoInterfaceObject.cpp 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestCustomConstructorWithNoInterfaceObject.cpp 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -164,7 +164,7 @@
</span><span class="cx">
</span><span class="cx"> void JSTestCustomConstructorWithNoInterfaceObjectOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
</span><span class="cx"> {
</span><del>- auto* jsTestCustomConstructorWithNoInterfaceObject = jsCast<JSTestCustomConstructorWithNoInterfaceObject*>(handle.slot()->asCell());
</del><ins>+ auto* jsTestCustomConstructorWithNoInterfaceObject = static_cast<JSTestCustomConstructorWithNoInterfaceObject*>(handle.slot()->asCell());
</ins><span class="cx"> auto& world = *static_cast<DOMWrapperWorld*>(context);
</span><span class="cx"> uncacheWrapper(world, &jsTestCustomConstructorWithNoInterfaceObject->wrapped(), jsTestCustomConstructorWithNoInterfaceObject);
</span><span class="cx"> }
</span></span></pre></div>
<a id="branchessafari603branchSourceWebCorebindingsscriptstestJSJSTestCustomNamedGettercpp"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestCustomNamedGetter.cpp (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestCustomNamedGetter.cpp 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestCustomNamedGetter.cpp 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -228,7 +228,7 @@
</span><span class="cx">
</span><span class="cx"> void JSTestCustomNamedGetterOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
</span><span class="cx"> {
</span><del>- auto* jsTestCustomNamedGetter = jsCast<JSTestCustomNamedGetter*>(handle.slot()->asCell());
</del><ins>+ auto* jsTestCustomNamedGetter = static_cast<JSTestCustomNamedGetter*>(handle.slot()->asCell());
</ins><span class="cx"> auto& world = *static_cast<DOMWrapperWorld*>(context);
</span><span class="cx"> uncacheWrapper(world, &jsTestCustomNamedGetter->wrapped(), jsTestCustomNamedGetter);
</span><span class="cx"> }
</span></span></pre></div>
<a id="branchessafari603branchSourceWebCorebindingsscriptstestJSJSTestExceptioncpp"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestException.cpp (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestException.cpp 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestException.cpp 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -197,7 +197,7 @@
</span><span class="cx">
</span><span class="cx"> void JSTestExceptionOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
</span><span class="cx"> {
</span><del>- auto* jsTestException = jsCast<JSTestException*>(handle.slot()->asCell());
</del><ins>+ auto* jsTestException = static_cast<JSTestException*>(handle.slot()->asCell());
</ins><span class="cx"> auto& world = *static_cast<DOMWrapperWorld*>(context);
</span><span class="cx"> uncacheWrapper(world, &jsTestException->wrapped(), jsTestException);
</span><span class="cx"> }
</span></span></pre></div>
<a id="branchessafari603branchSourceWebCorebindingsscriptstestJSJSTestGenerateIsReachablecpp"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestGenerateIsReachable.cpp (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestGenerateIsReachable.cpp 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestGenerateIsReachable.cpp 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -160,7 +160,7 @@
</span><span class="cx">
</span><span class="cx"> void JSTestGenerateIsReachableOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
</span><span class="cx"> {
</span><del>- auto* jsTestGenerateIsReachable = jsCast<JSTestGenerateIsReachable*>(handle.slot()->asCell());
</del><ins>+ auto* jsTestGenerateIsReachable = static_cast<JSTestGenerateIsReachable*>(handle.slot()->asCell());
</ins><span class="cx"> auto& world = *static_cast<DOMWrapperWorld*>(context);
</span><span class="cx"> uncacheWrapper(world, &jsTestGenerateIsReachable->wrapped(), jsTestGenerateIsReachable);
</span><span class="cx"> }
</span></span></pre></div>
<a id="branchessafari603branchSourceWebCorebindingsscriptstestJSJSTestGlobalObjectcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestGlobalObject.cpp (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestGlobalObject.cpp 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestGlobalObject.cpp 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -502,7 +502,7 @@
</span><span class="cx">
</span><span class="cx"> void JSTestGlobalObjectOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
</span><span class="cx"> {
</span><del>- auto* jsTestGlobalObject = jsCast<JSTestGlobalObject*>(handle.slot()->asCell());
</del><ins>+ auto* jsTestGlobalObject = static_cast<JSTestGlobalObject*>(handle.slot()->asCell());
</ins><span class="cx"> auto& world = *static_cast<DOMWrapperWorld*>(context);
</span><span class="cx"> uncacheWrapper(world, &jsTestGlobalObject->wrapped(), jsTestGlobalObject);
</span><span class="cx"> }
</span></span></pre></div>
<a id="branchessafari603branchSourceWebCorebindingsscriptstestJSJSTestInterfacecpp"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestInterface.cpp (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestInterface.cpp 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestInterface.cpp 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -990,7 +990,7 @@
</span><span class="cx">
</span><span class="cx"> void JSTestInterfaceOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
</span><span class="cx"> {
</span><del>- auto* jsTestInterface = jsCast<JSTestInterface*>(handle.slot()->asCell());
</del><ins>+ auto* jsTestInterface = static_cast<JSTestInterface*>(handle.slot()->asCell());
</ins><span class="cx"> auto& world = *static_cast<DOMWrapperWorld*>(context);
</span><span class="cx"> uncacheWrapper(world, &jsTestInterface->wrapped(), jsTestInterface);
</span><span class="cx"> }
</span></span></pre></div>
<a id="branchessafari603branchSourceWebCorebindingsscriptstestJSJSTestInterfaceLeadingUnderscorecpp"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestInterfaceLeadingUnderscore.cpp (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestInterfaceLeadingUnderscore.cpp 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestInterfaceLeadingUnderscore.cpp 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -184,7 +184,7 @@
</span><span class="cx">
</span><span class="cx"> void JSTestInterfaceLeadingUnderscoreOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
</span><span class="cx"> {
</span><del>- auto* jsTestInterfaceLeadingUnderscore = jsCast<JSTestInterfaceLeadingUnderscore*>(handle.slot()->asCell());
</del><ins>+ auto* jsTestInterfaceLeadingUnderscore = static_cast<JSTestInterfaceLeadingUnderscore*>(handle.slot()->asCell());
</ins><span class="cx"> auto& world = *static_cast<DOMWrapperWorld*>(context);
</span><span class="cx"> uncacheWrapper(world, &jsTestInterfaceLeadingUnderscore->wrapped(), jsTestInterfaceLeadingUnderscore);
</span><span class="cx"> }
</span></span></pre></div>
<a id="branchessafari603branchSourceWebCorebindingsscriptstestJSJSTestIterablecpp"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestIterable.cpp (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestIterable.cpp 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestIterable.cpp 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -244,7 +244,7 @@
</span><span class="cx">
</span><span class="cx"> void JSTestIterableOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
</span><span class="cx"> {
</span><del>- auto* jsTestIterable = jsCast<JSTestIterable*>(handle.slot()->asCell());
</del><ins>+ auto* jsTestIterable = static_cast<JSTestIterable*>(handle.slot()->asCell());
</ins><span class="cx"> auto& world = *static_cast<DOMWrapperWorld*>(context);
</span><span class="cx"> uncacheWrapper(world, &jsTestIterable->wrapped(), jsTestIterable);
</span><span class="cx"> }
</span></span></pre></div>
<a id="branchessafari603branchSourceWebCorebindingsscriptstestJSJSTestMediaQueryListListenercpp"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestMediaQueryListListener.cpp (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestMediaQueryListListener.cpp 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestMediaQueryListListener.cpp 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -193,7 +193,7 @@
</span><span class="cx">
</span><span class="cx"> void JSTestMediaQueryListListenerOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
</span><span class="cx"> {
</span><del>- auto* jsTestMediaQueryListListener = jsCast<JSTestMediaQueryListListener*>(handle.slot()->asCell());
</del><ins>+ auto* jsTestMediaQueryListListener = static_cast<JSTestMediaQueryListListener*>(handle.slot()->asCell());
</ins><span class="cx"> auto& world = *static_cast<DOMWrapperWorld*>(context);
</span><span class="cx"> uncacheWrapper(world, &jsTestMediaQueryListListener->wrapped(), jsTestMediaQueryListListener);
</span><span class="cx"> }
</span></span></pre></div>
<a id="branchessafari603branchSourceWebCorebindingsscriptstestJSJSTestNamedConstructorcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestNamedConstructor.cpp (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestNamedConstructor.cpp 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestNamedConstructor.cpp 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -204,7 +204,7 @@
</span><span class="cx">
</span><span class="cx"> void JSTestNamedConstructorOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
</span><span class="cx"> {
</span><del>- auto* jsTestNamedConstructor = jsCast<JSTestNamedConstructor*>(handle.slot()->asCell());
</del><ins>+ auto* jsTestNamedConstructor = static_cast<JSTestNamedConstructor*>(handle.slot()->asCell());
</ins><span class="cx"> auto& world = *static_cast<DOMWrapperWorld*>(context);
</span><span class="cx"> uncacheWrapper(world, &jsTestNamedConstructor->wrapped(), jsTestNamedConstructor);
</span><span class="cx"> }
</span></span></pre></div>
<a id="branchessafari603branchSourceWebCorebindingsscriptstestJSJSTestObjcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestObj.cpp (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestObj.cpp 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestObj.cpp 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -8619,7 +8619,7 @@
</span><span class="cx">
</span><span class="cx"> void JSTestObjOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
</span><span class="cx"> {
</span><del>- auto* jsTestObj = jsCast<JSTestObj*>(handle.slot()->asCell());
</del><ins>+ auto* jsTestObj = static_cast<JSTestObj*>(handle.slot()->asCell());
</ins><span class="cx"> auto& world = *static_cast<DOMWrapperWorld*>(context);
</span><span class="cx"> uncacheWrapper(world, &jsTestObj->wrapped(), jsTestObj);
</span><span class="cx"> }
</span></span></pre></div>
<a id="branchessafari603branchSourceWebCorebindingsscriptstestJSJSTestOverloadedConstructorscpp"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestOverloadedConstructors.cpp (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestOverloadedConstructors.cpp 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestOverloadedConstructors.cpp 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -260,7 +260,7 @@
</span><span class="cx">
</span><span class="cx"> void JSTestOverloadedConstructorsOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
</span><span class="cx"> {
</span><del>- auto* jsTestOverloadedConstructors = jsCast<JSTestOverloadedConstructors*>(handle.slot()->asCell());
</del><ins>+ auto* jsTestOverloadedConstructors = static_cast<JSTestOverloadedConstructors*>(handle.slot()->asCell());
</ins><span class="cx"> auto& world = *static_cast<DOMWrapperWorld*>(context);
</span><span class="cx"> uncacheWrapper(world, &jsTestOverloadedConstructors->wrapped(), jsTestOverloadedConstructors);
</span><span class="cx"> }
</span></span></pre></div>
<a id="branchessafari603branchSourceWebCorebindingsscriptstestJSJSTestOverloadedConstructorsWithSequencecpp"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestOverloadedConstructorsWithSequence.cpp (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestOverloadedConstructorsWithSequence.cpp 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestOverloadedConstructorsWithSequence.cpp 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -211,7 +211,7 @@
</span><span class="cx">
</span><span class="cx"> void JSTestOverloadedConstructorsWithSequenceOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
</span><span class="cx"> {
</span><del>- auto* jsTestOverloadedConstructorsWithSequence = jsCast<JSTestOverloadedConstructorsWithSequence*>(handle.slot()->asCell());
</del><ins>+ auto* jsTestOverloadedConstructorsWithSequence = static_cast<JSTestOverloadedConstructorsWithSequence*>(handle.slot()->asCell());
</ins><span class="cx"> auto& world = *static_cast<DOMWrapperWorld*>(context);
</span><span class="cx"> uncacheWrapper(world, &jsTestOverloadedConstructorsWithSequence->wrapped(), jsTestOverloadedConstructorsWithSequence);
</span><span class="cx"> }
</span></span></pre></div>
<a id="branchessafari603branchSourceWebCorebindingsscriptstestJSJSTestOverrideBuiltinscpp"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestOverrideBuiltins.cpp (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestOverrideBuiltins.cpp 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestOverrideBuiltins.cpp 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -235,7 +235,7 @@
</span><span class="cx">
</span><span class="cx"> void JSTestOverrideBuiltinsOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
</span><span class="cx"> {
</span><del>- auto* jsTestOverrideBuiltins = jsCast<JSTestOverrideBuiltins*>(handle.slot()->asCell());
</del><ins>+ auto* jsTestOverrideBuiltins = static_cast<JSTestOverrideBuiltins*>(handle.slot()->asCell());
</ins><span class="cx"> auto& world = *static_cast<DOMWrapperWorld*>(context);
</span><span class="cx"> uncacheWrapper(world, &jsTestOverrideBuiltins->wrapped(), jsTestOverrideBuiltins);
</span><span class="cx"> }
</span></span></pre></div>
<a id="branchessafari603branchSourceWebCorebindingsscriptstestJSJSTestSerializationcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestSerialization.cpp (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestSerialization.cpp 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestSerialization.cpp 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -397,7 +397,7 @@
</span><span class="cx">
</span><span class="cx"> void JSTestSerializationOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
</span><span class="cx"> {
</span><del>- auto* jsTestSerialization = jsCast<JSTestSerialization*>(handle.slot()->asCell());
</del><ins>+ auto* jsTestSerialization = static_cast<JSTestSerialization*>(handle.slot()->asCell());
</ins><span class="cx"> auto& world = *static_cast<DOMWrapperWorld*>(context);
</span><span class="cx"> uncacheWrapper(world, &jsTestSerialization->wrapped(), jsTestSerialization);
</span><span class="cx"> }
</span></span></pre></div>
<a id="branchessafari603branchSourceWebCorebindingsscriptstestJSJSTestSerializedScriptValueInterfacecpp"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestSerializedScriptValueInterface.cpp (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestSerializedScriptValueInterface.cpp 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestSerializedScriptValueInterface.cpp 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -365,7 +365,7 @@
</span><span class="cx">
</span><span class="cx"> void JSTestSerializedScriptValueInterfaceOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
</span><span class="cx"> {
</span><del>- auto* jsTestSerializedScriptValueInterface = jsCast<JSTestSerializedScriptValueInterface*>(handle.slot()->asCell());
</del><ins>+ auto* jsTestSerializedScriptValueInterface = static_cast<JSTestSerializedScriptValueInterface*>(handle.slot()->asCell());
</ins><span class="cx"> auto& world = *static_cast<DOMWrapperWorld*>(context);
</span><span class="cx"> uncacheWrapper(world, &jsTestSerializedScriptValueInterface->wrapped(), jsTestSerializedScriptValueInterface);
</span><span class="cx"> }
</span></span></pre></div>
<a id="branchessafari603branchSourceWebCorebindingsscriptstestJSJSTestTypedefscpp"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestTypedefs.cpp (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestTypedefs.cpp 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebCore/bindings/scripts/test/JS/JSTestTypedefs.cpp 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -770,7 +770,7 @@
</span><span class="cx">
</span><span class="cx"> void JSTestTypedefsOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
</span><span class="cx"> {
</span><del>- auto* jsTestTypedefs = jsCast<JSTestTypedefs*>(handle.slot()->asCell());
</del><ins>+ auto* jsTestTypedefs = static_cast<JSTestTypedefs*>(handle.slot()->asCell());
</ins><span class="cx"> auto& world = *static_cast<DOMWrapperWorld*>(context);
</span><span class="cx"> uncacheWrapper(world, &jsTestTypedefs->wrapped(), jsTestTypedefs);
</span><span class="cx"> }
</span></span></pre></div>
<a id="branchessafari603branchSourceWebKit2ChangeLog"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/WebKit2/ChangeLog (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/WebKit2/ChangeLog 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebKit2/ChangeLog 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -1,5 +1,21 @@
</span><span class="cx"> 2017-01-18 Matthew Hanson <matthew_hanson@apple.com>
</span><span class="cx">
</span><ins>+ Merge r210829. rdar://problem/30044439
+
+ 2017-01-17 Filip Pizlo <fpizlo@apple.com>
+
+ JSCell::classInfo() shouldn't have a bunch of mitigations for being called during destruction
+ https://bugs.webkit.org/show_bug.cgi?id=167066
+
+ Reviewed by Keith Miller and Michael Saboff.
+
+ Just remove now-erroneous use of jsCast<>.
+
+ * WebProcess/Plugins/Netscape/NPRuntimeObjectMap.cpp:
+ (WebKit::NPRuntimeObjectMap::finalize):
+
+2017-01-18 Matthew Hanson <matthew_hanson@apple.com>
+
</ins><span class="cx"> Merge r210822. rdar://problem/15607819
</span><span class="cx">
</span><span class="cx"> 2017-01-17 Joseph Pecoraro <pecoraro@apple.com>
</span></span></pre></div>
<a id="branchessafari603branchSourceWebKit2WebProcessPluginsNetscapeNPRuntimeObjectMapcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/WebKit2/WebProcess/Plugins/Netscape/NPRuntimeObjectMap.cpp (210866 => 210867)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/WebKit2/WebProcess/Plugins/Netscape/NPRuntimeObjectMap.cpp 2017-01-18 20:42:24 UTC (rev 210866)
+++ branches/safari-603-branch/Source/WebKit2/WebProcess/Plugins/Netscape/NPRuntimeObjectMap.cpp 2017-01-18 20:42:40 UTC (rev 210867)
</span><span class="lines">@@ -300,7 +300,7 @@
</span><span class="cx">
</span><span class="cx"> void NPRuntimeObjectMap::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
</span><span class="cx"> {
</span><del>- JSNPObject* object = jsCast<JSNPObject*>(handle.get().asCell());
</del><ins>+ JSNPObject* object = static_cast<JSNPObject*>(handle.get().asCell());
</ins><span class="cx"> weakRemove(m_jsNPObjects, static_cast<NPObject*>(context), object);
</span><span class="cx"> addToInvalidationQueue(object->leakNPObject());
</span><span class="cx"> }
</span></span></pre>
</div>
</div>
</body>
</html>