Changeset 180452 in webkit

Timestamp:

Feb 20, 2015 1:51:37 PM (9 years ago)

Author:

mark.lam@apple.com

Message:

[JSObjCClassInfo reallocateConstructorAndOrPrototype] should also reallocate super class prototype chain.
<​https://webkit.org/b/141809>

Reviewed by Geoffrey Garen.

A ObjC class that implement the JSExport protocol will have a JS prototype
chain and constructor automatically synthesized for its JS wrapper object.
However, if there are no more instances of that ObjC class reachable by a
JS GC root scan, then its synthesized prototype chain and constructors may
be released by the GC. If a new instance of that ObjC class is subsequently
instantiated, then [JSObjCClassInfo reallocateConstructorAndOrPrototype]
should re-construct the prototype chain and constructor (if they were
previously released). However, the current implementation only
re-constructs the immediate prototype, but not every other prototype
object upstream in the prototype chain.

To fix this, we do the following:

1. We no longer allocate the JSObjCClassInfo's prototype and constructor eagerly. Hence, -initWithContext:forClass: will no longer call -allocateConstructorAndPrototypeWithSuperClassInfo:.
2. Instead, we'll always access the prototype and constructor thru accessor methods. The accessor methods will call -allocateConstructorAndPrototype: if needed.
3. -allocateConstructorAndPrototype: will fetch the needed superClassInfo from the JSWrapperMap itself. This makes it so that we no longer need to pass the superClassInfo all over.
4. -allocateConstructorAndPrototype: will get the super class prototype by invoking -prototype: on the superClassInfo, thereby allowing the super class to allocate its prototype and constructor if needed and fixing the issue in this bug.

5. Also removed the GC warning comments, and ensured that needed JS objects are kept alive by having a local var pointing to it from the stack (which makes a GC root).

• API/JSWrapperMap.mm:

(-[JSObjCClassInfo initWithContext:forClass:]):
(-[JSObjCClassInfo allocateConstructorAndPrototype]):
(-[JSObjCClassInfo wrapperForObject:]):
(-[JSObjCClassInfo constructor]):
(-[JSObjCClassInfo prototype]):
(-[JSWrapperMap classInfoForClass:]):
(-[JSObjCClassInfo initWithContext:forClass:superClassInfo:]): Deleted.
(-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]): Deleted.
(-[JSObjCClassInfo reallocateConstructorAndOrPrototype]): Deleted.

• API/tests/Regress141809.h: Added.
• API/tests/Regress141809.mm: Added.

(-[TestClassB name]):
(-[TestClassC name]):
(runRegress141809):

• API/tests/testapi.mm:
• JavaScriptCore.xcodeproj/project.pbxproj:

Location:

trunk/Source/JavaScriptCore

Files:

• API/JSWrapperMap.mm (modified) (10 diffs)
• API/tests/Regress141809.h (added)
• API/tests/Regress141809.mm (added)
• API/tests/testapi.mm (modified) (3 diffs)
• ChangeLog (modified) (1 diff)
• JavaScriptCore.xcodeproj/project.pbxproj (modified) (4 diffs)

trunk/Source/JavaScriptCore/API/JSWrapperMap.mm

@@ -1 +1 @@
 /*
- * Copyright (C) 2013 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2015 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -365 +365 @@
 }
 
-- (id)initWithContext:(JSContext *)context forClass:(Class)cls superClassInfo:(JSObjCClassInfo*)superClassInfo;
+- (id)initWithContext:(JSContext *)context forClass:(Class)cls;
 - (JSValue *)wrapperForObject:(id)object;
 - (JSValue *)constructor;
+- (JSC::JSObject *)prototype;
 
 @end
@@ -373 +374 @@
 @implementation JSObjCClassInfo
 
-- (id)initWithContext:(JSContext *)context forClass:(Class)cls superClassInfo:(JSObjCClassInfo*)superClassInfo
+- (id)initWithContext:(JSContext *)context forClass:(Class)cls
 {
     self = [super init];
@@ -387 +388 @@
     definition.className = className;
     m_classRef = JSClassCreate(&definition);
-
-    [self allocateConstructorAndPrototypeWithSuperClassInfo:superClassInfo];
 
     return self;
@@ -451 +450 @@
 }
 
-- (void)allocateConstructorAndPrototypeWithSuperClassInfo:(JSObjCClassInfo*)superClassInfo
-{
+typedef std::pair<JSC::JSObject*, JSC::JSObject*> ConstructorPrototypePair;
+
+- (ConstructorPrototypePair)allocateConstructorAndPrototype
+{
+    JSObjCClassInfo* superClassInfo = [m_context.wrapperMap classInfoForClass:class_getSuperclass(m_class)];
+
     ASSERT(!m_constructor || !m_prototype);
     ASSERT((m_class == [NSObject class]) == !superClassInfo);
@@ -466 +469 @@
         }
     } else {
-        // We need to hold a reference to the superclass prototype here on the stack
-        // to that it won't get GC'ed while we do allocations between now and when we
-        // set it in this class' prototype below.
-        JSC::JSObject* superClassPrototype = superClassInfo->m_prototype.get();
-
         const char* className = class_getName(m_class);
 
@@ -500 +498 @@
 
         // Set [Prototype].
+        JSC::JSObject* superClassPrototype = [superClassInfo prototype];
         JSObjectSetPrototype([m_context JSGlobalContextRef], toRef(m_prototype.get()), toRef(superClassPrototype));
     }
-}
-
-- (void)reallocateConstructorAndOrPrototype
-{
-    [self allocateConstructorAndPrototypeWithSuperClassInfo:[m_context.wrapperMap classInfoForClass:class_getSuperclass(m_class)]];
-    // We should not add any code here that can trigger a GC or the prototype and
-    // constructor that we just created may be collected before they can be used.
+    return ConstructorPrototypePair(m_constructor.get(), m_prototype.get());
 }
 
@@ -525 +518 @@
     }
 
-    if (!m_prototype)
-        [self reallocateConstructorAndOrPrototype];
-    ASSERT(!!m_prototype);
-    // We need to hold a reference to the prototype here on the stack to that it won't
-    // get GC'ed while we create the wrapper below.
-    JSC::JSObject* prototype = m_prototype.get();
+    JSC::JSObject* prototype = [self prototype];
 
     JSObjectRef wrapper = makeWrapper([m_context JSGlobalContextRef], m_classRef, object);
@@ -539 +527 @@
 - (JSValue *)constructor
 {
-    if (!m_constructor)
-        [self reallocateConstructorAndOrPrototype];
-    ASSERT(!!m_constructor);
-    // If we need to add any code here in the future that can trigger a GC, we should
-    // cache the constructor pointer in a stack local var first so that it is protected
-    // from the GC until it gets used below.
-    return [JSValue valueWithJSValueRef:toRef(m_constructor.get()) inContext:m_context];
+    JSC::JSObject* constructor = m_constructor.get();
+    if (!constructor)
+        constructor = [self allocateConstructorAndPrototype].first;
+    ASSERT(!!constructor);
+    return [JSValue valueWithJSValueRef:toRef(constructor) inContext:m_context];
+}
+
+- (JSC::JSObject*)prototype
+{
+    JSC::JSObject* prototype = m_prototype.get();
+    if (!prototype)
+        prototype = [self allocateConstructorAndPrototype].second;
+    ASSERT(!!prototype);
+    return prototype;
 }
 
@@ -592 +587 @@
         return m_classMap[cls] = [self classInfoForClass:class_getSuperclass(cls)];
 
-    return m_classMap[cls] = [[[JSObjCClassInfo alloc] initWithContext:m_context forClass:cls superClassInfo:[self classInfoForClass:class_getSuperclass(cls)]] autorelease];
+    return m_classMap[cls] = [[[JSObjCClassInfo alloc] initWithContext:m_context forClass:cls] autorelease];
 }
 

trunk/Source/JavaScriptCore/API/tests/testapi.mm

@@ -1 +1 @@
 /*
- * Copyright (C) 2013 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2015 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -29 +29 @@
 #import "DateTests.h"
 #import "JSExportTests.h"
+#import "Regress141809.h"
 
 #import <pthread.h>
@@ -1432 +1433 @@
     runDateTests();
     runJSExportTests();
+    runRegress141809();
 }
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2015-02-20  Mark Lam  <mark.lam@apple.com>
+
+        [JSObjCClassInfo reallocateConstructorAndOrPrototype] should also reallocate super class prototype chain.
+        <https://webkit.org/b/141809>
+
+        Reviewed by Geoffrey Garen.
+
+        A ObjC class that implement the JSExport protocol will have a JS prototype
+        chain and constructor automatically synthesized for its JS wrapper object.
+        However, if there are no more instances of that ObjC class reachable by a
+        JS GC root scan, then its synthesized prototype chain and constructors may
+        be released by the GC.  If a new instance of that ObjC class is subsequently
+        instantiated, then [JSObjCClassInfo reallocateConstructorAndOrPrototype]
+        should re-construct the prototype chain and constructor (if they were
+        previously released).  However, the current implementation only
+        re-constructs the immediate prototype, but not every other prototype
+        object upstream in the prototype chain.
+
+        To fix this, we do the following:
+        1. We no longer allocate the JSObjCClassInfo's prototype and constructor
+           eagerly.  Hence, -initWithContext:forClass: will no longer call
+           -allocateConstructorAndPrototypeWithSuperClassInfo:.
+        2. Instead, we'll always access the prototype and constructor thru
+           accessor methods.  The accessor methods will call
+           -allocateConstructorAndPrototype: if needed.
+        3. -allocateConstructorAndPrototype: will fetch the needed superClassInfo
+           from the JSWrapperMap itself.  This makes it so that we no longer
+           need to pass the superClassInfo all over.
+        4. -allocateConstructorAndPrototype: will get the super class prototype
+           by invoking -prototype: on the superClassInfo, thereby allowing the
+           super class to allocate its prototype and constructor if needed and
+           fixing the issue in this bug.
+
+        5. Also removed the GC warning comments, and ensured that needed JS
+           objects are kept alive by having a local var pointing to it from the
+           stack (which makes a GC root).
+
+        * API/JSWrapperMap.mm:
+        (-[JSObjCClassInfo initWithContext:forClass:]):
+        (-[JSObjCClassInfo allocateConstructorAndPrototype]):
+        (-[JSObjCClassInfo wrapperForObject:]):
+        (-[JSObjCClassInfo constructor]):
+        (-[JSObjCClassInfo prototype]):
+        (-[JSWrapperMap classInfoForClass:]):
+        (-[JSObjCClassInfo initWithContext:forClass:superClassInfo:]): Deleted.
+        (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]): Deleted.
+        (-[JSObjCClassInfo reallocateConstructorAndOrPrototype]): Deleted.
+        * API/tests/Regress141809.h: Added.
+        * API/tests/Regress141809.mm: Added.
+        (-[TestClassB name]):
+        (-[TestClassC name]):
+        (runRegress141809):
+        * API/tests/testapi.mm:
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+
 2015-02-20  Alexey Proskuryakov  <ap@apple.com>
 

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -1613 +1613 @@
                 FEA08620182B7A0400F6D851 /* Breakpoint.h in Headers */ = {isa = PBXBuildFile; fileRef = FEA0861E182B7A0400F6D851 /* Breakpoint.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 FEA08621182B7A0400F6D851 /* DebuggerPrimitives.h in Headers */ = {isa = PBXBuildFile; fileRef = FEA0861F182B7A0400F6D851 /* DebuggerPrimitives.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                FEB51F6C1A97B688001F921C /* Regress141809.mm in Sources */ = {isa = PBXBuildFile; fileRef = FEB51F6B1A97B688001F921C /* Regress141809.mm */; };
                 FEB58C14187B8B160098EF0B /* ErrorHandlingScope.cpp in Sources */ = {isa = PBXBuildFile; fileRef = FEB58C12187B8B160098EF0B /* ErrorHandlingScope.cpp */; };
                 FEB58C15187B8B160098EF0B /* ErrorHandlingScope.h in Headers */ = {isa = PBXBuildFile; fileRef = FEB58C13187B8B160098EF0B /* ErrorHandlingScope.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -3346 +3347 @@
                 FEA0861E182B7A0400F6D851 /* Breakpoint.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = Breakpoint.h; sourceTree = "<group>"; };
                 FEA0861F182B7A0400F6D851 /* DebuggerPrimitives.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = DebuggerPrimitives.h; sourceTree = "<group>"; };
+                FEB51F6A1A97B688001F921C /* Regress141809.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = Regress141809.h; path = API/tests/Regress141809.h; sourceTree = "<group>"; };
+                FEB51F6B1A97B688001F921C /* Regress141809.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; name = Regress141809.mm; path = API/tests/Regress141809.mm; sourceTree = "<group>"; };
                 FEB58C12187B8B160098EF0B /* ErrorHandlingScope.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ErrorHandlingScope.cpp; sourceTree = "<group>"; };
                 FEB58C13187B8B160098EF0B /* ErrorHandlingScope.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ErrorHandlingScope.h; sourceTree = "<group>"; };
@@ -3716 +3719 @@
                                 C2181FC018A948FB0025A235 /* JSExportTests.h */,
                                 C2181FC118A948FB0025A235 /* JSExportTests.mm */,
+                                FEB51F6A1A97B688001F921C /* Regress141809.h */,
+                                FEB51F6B1A97B688001F921C /* Regress141809.mm */,
                                 144005170A531CB50005F061 /* minidom */,
                                 14BD5A2D0A3E91F600BAF59C /* testapi.c */,
@@ -6736 +6741 @@
                         files = (
                                 C29ECB031804D0ED00D2CBB4 /* CurrentThisInsideBlockGetterTest.mm in Sources */,
+                                FEB51F6C1A97B688001F921C /* Regress141809.mm in Sources */,
                                 C20328201981979D0088B499 /* CustomGlobalObjectClassTest.c in Sources */,
                                 C288B2DE18A54D3E007BE40B /* DateTests.mm in Sources */,