Changeset 171564 in webkit

Timestamp:

Jul 24, 2014, 5:59:10 PM (11 years ago)

Author:

mark.lam@apple.com

Message:

JSWrapperMap's jsWrapperForObject() needs to keep weak prototype and constructors from being GCed.
<​https://webkit.org/b/135258>

Reviewed by Mark Hahnenberg.

Where needed, we cache the prototype object pointer in a stack local var.
This allows it to be scanned by the GC, and hence be kept alive until
we use it. The constructor object will in turn be kept alive by the
prototype object.

Also added some comments to warn against future code additions that could
regress this issue.

• API/JSWrapperMap.mm:

(-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
(-[JSObjCClassInfo reallocateConstructorAndOrPrototype]):
(-[JSObjCClassInfo wrapperForObject:]):
(-[JSObjCClassInfo constructor]):

Location:

trunk/Source/JavaScriptCore

Files:

• API/JSWrapperMap.mm (modified) (5 diffs)
• ChangeLog (modified) (1 diff)

trunk/Source/JavaScriptCore/API/JSWrapperMap.mm

@@ -465 +465 @@
         }
     } else {
+        // We need to hold a reference to the superclass prototype here on the stack
+        // to that it won't get GC'ed while we do allocations between now and when we
+        // set it in this class' prototype below.
+        JSC::JSObject* superClassPrototype = superClassInfo->m_prototype.get();
+
         const char* className = class_getName(m_class);
 
@@ -494 +499 @@
 
         // Set [Prototype].
-        JSObjectSetPrototype([m_context JSGlobalContextRef], toRef(m_prototype.get()), toRef(superClassInfo->m_prototype.get()));
+        JSObjectSetPrototype([m_context JSGlobalContextRef], toRef(m_prototype.get()), toRef(superClassPrototype));
     }
 }
@@ -501 +506 @@
 {
     [self allocateConstructorAndPrototypeWithSuperClassInfo:[m_context.wrapperMap classInfoForClass:class_getSuperclass(m_class)]];
+    // We should not add any code here that can trigger a GC or the prototype and
+    // constructor that we just created may be collected before they can be used.
 }
 
@@ -520 +527 @@
         [self reallocateConstructorAndOrPrototype];
     ASSERT(!!m_prototype);
+    // We need to hold a reference to the prototype here on the stack to that it won't
+    // get GC'ed while we create the wrapper below.
+    JSC::JSObject* prototype = m_prototype.get();
 
     JSObjectRef wrapper = makeWrapper([m_context JSGlobalContextRef], m_classRef, object);
-    JSObjectSetPrototype([m_context JSGlobalContextRef], wrapper, toRef(m_prototype.get()));
+    JSObjectSetPrototype([m_context JSGlobalContextRef], wrapper, toRef(prototype));
     return [JSValue valueWithJSValueRef:wrapper inContext:m_context];
 }
@@ -531 +541 @@
         [self reallocateConstructorAndOrPrototype];
     ASSERT(!!m_constructor);
+    // If we need to add any code here in the future that can trigger a GC, we should
+    // cache the constructor pointer in a stack local var first so that it is protected
+    // from the GC until it gets used below.
     return [JSValue valueWithJSValueRef:toRef(m_constructor.get()) inContext:m_context];
 }

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2014-07-24  Mark Lam  <mark.lam@apple.com>
+
+        JSWrapperMap's jsWrapperForObject() needs to keep weak prototype and constructors from being GCed.
+        <https://webkit.org/b/135258>
+
+        Reviewed by Mark Hahnenberg.
+
+        Where needed, we cache the prototype object pointer in a stack local var.
+        This allows it to be scanned by the GC, and hence be kept alive until
+        we use it.  The constructor object will in turn be kept alive by the
+        prototype object.
+
+        Also added some comments to warn against future code additions that could
+        regress this issue.
+
+        * API/JSWrapperMap.mm:
+        (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
+        (-[JSObjCClassInfo reallocateConstructorAndOrPrototype]):
+        (-[JSObjCClassInfo wrapperForObject:]):
+        (-[JSObjCClassInfo constructor]):
+
 2014-07-24  Joseph Pecoraro  <pecoraro@apple.com>