Changeset 181806 in webkit

Timestamp:

Mar 20, 2015 11:08:29 AM (9 years ago)

Author:

mark.lam@apple.com

Message:

JSCallbackObject<JSGlobalObject> should not destroy its JSCallbackObjectData before all its finalizers have been called.
<​https://webkit.org/b/142846>

Reviewed by Geoffrey Garen.

Currently, JSCallbackObject<JSGlobalObject> registers weak finalizers via 2 mechanisms:

1. JSCallbackObject<Parent>::init() registers a weak finalizer for all JSClassRef that a JSCallbackObject references.
2. JSCallbackObject<JSGlobalObject>::create() registers a finalizer via vm.heap.addFinalizer() which destroys the JSCallbackObject.

The first finalizer is implemented as a virtual function of a JSCallbackObjectData
instance that will be destructed if the 2nd finalizer is called. Hence, if the
2nd finalizer if called first, the later invocation of the 1st finalizer will
result in a crash.

This patch fixes the issue by eliminating the finalizer registration in init().
Instead, we'll have the JSCallbackObject destructor call all the JSClassRef finalizers
if needed. This ensures that these finalizers are called before the JSCallbackObject
is destructor.

Also added assertions to a few Heap functions because JSCell::classInfo() expects
all objects that are allocated from MarkedBlock::Normal blocks to be derived from
JSDestructibleObject. These assertions will help us catch violations of this
expectation earlier.

• API/JSCallbackObject.cpp:

(JSC::JSCallbackObjectData::finalize): Deleted.

• API/JSCallbackObject.h:

(JSC::JSCallbackObjectData::~JSCallbackObjectData):

• API/JSCallbackObjectFunctions.h:

(JSC::JSCallbackObject<Parent>::~JSCallbackObject):
(JSC::JSCallbackObject<Parent>::init):

• API/tests/GlobalContextWithFinalizerTest.cpp: Added.

(finalize):
(testGlobalContextWithFinalizer):

• API/tests/GlobalContextWithFinalizerTest.h: Added.
• API/tests/testapi.c:

(main):

• JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
• JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters:
• JavaScriptCore.xcodeproj/project.pbxproj:
• heap/HeapInlines.h:

(JSC::Heap::allocateObjectOfType):
(JSC::Heap::subspaceForObjectOfType):
(JSC::Heap::allocatorForObjectOfType):

Location:

trunk/Source/JavaScriptCore

Files:

• API/JSCallbackObject.cpp (modified) (1 diff)
• API/JSCallbackObject.h (modified) (4 diffs)
• API/JSCallbackObjectFunctions.h (modified) (2 diffs)
• API/tests/GlobalContextWithFinalizerTest.cpp (added)
• API/tests/GlobalContextWithFinalizerTest.h (added)
• API/tests/testapi.c (modified) (2 diffs)
• ChangeLog (modified) (1 diff)
• JavaScriptCore.vcxproj/testapi/testapi.vcxproj (modified) (1 diff)
• JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters (modified) (1 diff)
• JavaScriptCore.xcodeproj/project.pbxproj (modified) (4 diffs)
• heap/HeapInlines.h (modified) (4 diffs)

trunk/Source/JavaScriptCore/API/JSCallbackObject.cpp

@@ -62 +62 @@
 }
 
-void JSCallbackObjectData::finalize(Handle<Unknown> handle, void* context)
-{
-    JSClassRef jsClass = static_cast<JSClassRef>(context);
-    JSObjectRef thisRef = toRef(static_cast<JSObject*>(handle.get().asCell()));
-    
-    for (; jsClass; jsClass = jsClass->parentClass)
-        if (JSObjectFinalizeCallback finalize = jsClass->finalize)
-            finalize(thisRef);
-    WeakSet::deallocate(WeakImpl::asWeakImpl(handle.slot()));
-}
-    
 } // namespace JSC

trunk/Source/JavaScriptCore/API/JSCallbackObject.h

@@ -34 +34 @@
 namespace JSC {
 
-struct JSCallbackObjectData : WeakHandleOwner {
+struct JSCallbackObjectData {
     JSCallbackObjectData(void* privateData, JSClassRef jsClass)
         : privateData(privateData)
@@ -42 +42 @@
     }
     
-    virtual ~JSCallbackObjectData()
+    ~JSCallbackObjectData()
     {
         JSClassRelease(jsClass);
@@ -110 +110 @@
     };
     std::unique_ptr<JSPrivatePropertyMap> m_privateProperties;
-    virtual void finalize(Handle<Unknown>, void*) override;
 };
 
@@ -125 +124 @@
 public:
     typedef Parent Base;
+
+    ~JSCallbackObject();
 
     static JSCallbackObject* create(ExecState* exec, JSGlobalObject* globalObject, Structure* structure, JSClassRef classRef, void* data)

trunk/Source/JavaScriptCore/API/JSCallbackObjectFunctions.h

@@ -75 +75 @@
 
 template <class Parent>
+JSCallbackObject<Parent>::~JSCallbackObject()
+{
+    JSObjectRef thisRef = toRef(static_cast<JSObject*>(this));
+    for (JSClassRef jsClass = classRef(); jsClass; jsClass = jsClass->parentClass) {
+        if (JSObjectFinalizeCallback finalize = jsClass->finalize)
+            finalize(thisRef);
+    }
+}
+    
+template <class Parent>
 void JSCallbackObject<Parent>::finishCreation(ExecState* exec)
 {
@@ -109 +119 @@
         JSObjectInitializeCallback initialize = initRoutines[i];
         initialize(toRef(exec), toRef(this));
-    }
-
-    for (JSClassRef jsClassPtr = classRef(); jsClassPtr; jsClassPtr = jsClassPtr->parentClass) {
-        if (jsClassPtr->finalize) {
-            WeakSet::allocate(this, m_callbackObjectData.get(), classRef());
-            break;
-        }
     }
 }

trunk/Source/JavaScriptCore/API/tests/testapi.c

@@ -42 +42 @@
 #include "CompareAndSwapTest.h"
 #include "CustomGlobalObjectClassTest.h"
+#include "GlobalContextWithFinalizerTest.h"
 
 #if OS(DARWIN)
@@ -1857 +1858 @@
     failed = testExecutionTimeLimit(&context) || failed;
 #endif /* OS(DARWIN) */
+    failed = testGlobalContextWithFinalizer() || failed;
 
     // Clear out local variables pointing at JSObjectRefs to allow their values to be collected

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2015-03-19  Mark Lam  <mark.lam@apple.com>
+
+        JSCallbackObject<JSGlobalObject> should not destroy its JSCallbackObjectData before all its finalizers have been called.
+        <https://webkit.org/b/142846>
+
+        Reviewed by Geoffrey Garen.
+
+        Currently, JSCallbackObject<JSGlobalObject> registers weak finalizers via 2 mechanisms:
+        1. JSCallbackObject<Parent>::init() registers a weak finalizer for all JSClassRef
+           that a JSCallbackObject references.
+        2. JSCallbackObject<JSGlobalObject>::create() registers a finalizer via
+           vm.heap.addFinalizer() which destroys the JSCallbackObject.
+
+        The first finalizer is implemented as a virtual function of a JSCallbackObjectData
+        instance that will be destructed if the 2nd finalizer is called.  Hence, if the
+        2nd finalizer if called first, the later invocation of the 1st finalizer will
+        result in a crash.
+
+        This patch fixes the issue by eliminating the finalizer registration in init().
+        Instead, we'll have the JSCallbackObject destructor call all the JSClassRef finalizers
+        if needed.  This ensures that these finalizers are called before the JSCallbackObject
+        is destructor.
+
+        Also added assertions to a few Heap functions because JSCell::classInfo() expects
+        all objects that are allocated from MarkedBlock::Normal blocks to be derived from
+        JSDestructibleObject.  These assertions will help us catch violations of this
+        expectation earlier.
+
+        * API/JSCallbackObject.cpp:
+        (JSC::JSCallbackObjectData::finalize): Deleted.
+        * API/JSCallbackObject.h:
+        (JSC::JSCallbackObjectData::~JSCallbackObjectData):
+        * API/JSCallbackObjectFunctions.h:
+        (JSC::JSCallbackObject<Parent>::~JSCallbackObject):
+        (JSC::JSCallbackObject<Parent>::init):
+        * API/tests/GlobalContextWithFinalizerTest.cpp: Added.
+        (finalize):
+        (testGlobalContextWithFinalizer):
+        * API/tests/GlobalContextWithFinalizerTest.h: Added.
+        * API/tests/testapi.c:
+        (main):
+        * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
+        * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters:
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * heap/HeapInlines.h:
+        (JSC::Heap::allocateObjectOfType):
+        (JSC::Heap::subspaceForObjectOfType):
+        (JSC::Heap::allocatorForObjectOfType):
+
 2015-03-19  Andreas Kling  <akling@apple.com>
 

trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/testapi/testapi.vcxproj

@@ -297 +297 @@
     <ClCompile Include="..\..\API\tests\CustomGlobalObjectClassTest.c" />
     <ClInclude Include="..\..\API\tests\CustomGlobalObjectClassTest.h" />
+    <ClCompile Include="..\..\API\tests\GlobalContextWithFinalizerTest.cpp" />
+    <ClInclude Include="..\..\API\tests\GlobalContextWithFinalizerTest.h" />
   </ItemGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />

trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters

@@ -13 +13 @@
     <ClCompile Include="..\..\API\tests\CustomGlobalObjectClassTest.c" />
     <ClInclude Include="..\..\API\tests\CustomGlobalObjectClassTest.h" />
+    <ClCompile Include="..\..\API\tests\GlobalContextWithFinalizerTest.cpp" />
+    <ClInclude Include="..\..\API\tests\GlobalContextWithFinalizerTest.h" />
   </ItemGroup>
 </Project>

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -1613 +1613 @@
                 E49DC16D12EF295300184A1F /* SourceProviderCacheItem.h in Headers */ = {isa = PBXBuildFile; fileRef = E49DC14912EF261A00184A1F /* SourceProviderCacheItem.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 FE0D4A061AB8DD0A002F54BF /* ExecutionTimeLimitTest.cpp in Sources */ = {isa = PBXBuildFile; fileRef = FE0D4A041AB8DD0A002F54BF /* ExecutionTimeLimitTest.cpp */; };
+                FE0D4A091ABA2437002F54BF /* GlobalContextWithFinalizerTest.cpp in Sources */ = {isa = PBXBuildFile; fileRef = FE0D4A071ABA2437002F54BF /* GlobalContextWithFinalizerTest.cpp */; };
                 FE20CE9D15F04A9500DF3430 /* LLIntCLoop.cpp in Sources */ = {isa = PBXBuildFile; fileRef = FE20CE9B15F04A9500DF3430 /* LLIntCLoop.cpp */; };
                 FE20CE9E15F04A9500DF3430 /* LLIntCLoop.h in Headers */ = {isa = PBXBuildFile; fileRef = FE20CE9C15F04A9500DF3430 /* LLIntCLoop.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -3361 +3362 @@
                 FE0D4A041AB8DD0A002F54BF /* ExecutionTimeLimitTest.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = ExecutionTimeLimitTest.cpp; path = API/tests/ExecutionTimeLimitTest.cpp; sourceTree = "<group>"; };
                 FE0D4A051AB8DD0A002F54BF /* ExecutionTimeLimitTest.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = ExecutionTimeLimitTest.h; path = API/tests/ExecutionTimeLimitTest.h; sourceTree = "<group>"; };
+                FE0D4A071ABA2437002F54BF /* GlobalContextWithFinalizerTest.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = GlobalContextWithFinalizerTest.cpp; path = API/tests/GlobalContextWithFinalizerTest.cpp; sourceTree = "<group>"; };
+                FE0D4A081ABA2437002F54BF /* GlobalContextWithFinalizerTest.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = GlobalContextWithFinalizerTest.h; path = API/tests/GlobalContextWithFinalizerTest.h; sourceTree = "<group>"; };
                 FE20CE9B15F04A9500DF3430 /* LLIntCLoop.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = LLIntCLoop.cpp; path = llint/LLIntCLoop.cpp; sourceTree = "<group>"; };
                 FE20CE9C15F04A9500DF3430 /* LLIntCLoop.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = LLIntCLoop.h; path = llint/LLIntCLoop.h; sourceTree = "<group>"; };
@@ -3748 +3751 @@
                                 FE0D4A041AB8DD0A002F54BF /* ExecutionTimeLimitTest.cpp */,
                                 FE0D4A051AB8DD0A002F54BF /* ExecutionTimeLimitTest.h */,
+                                FE0D4A071ABA2437002F54BF /* GlobalContextWithFinalizerTest.cpp */,
+                                FE0D4A081ABA2437002F54BF /* GlobalContextWithFinalizerTest.h */,
                                 C2181FC018A948FB0025A235 /* JSExportTests.h */,
                                 C2181FC118A948FB0025A235 /* JSExportTests.mm */,
@@ -6788 +6793 @@
                         buildActionMask = 2147483647;
                         files = (
+                                FE0D4A091ABA2437002F54BF /* GlobalContextWithFinalizerTest.cpp in Sources */,
                                 65570F5A1AA4C3EA009B3C23 /* Regress141275.mm in Sources */,
                                 C29ECB031804D0ED00D2CBB4 /* CurrentThisInsideBlockGetterTest.mm in Sources */,

trunk/Source/JavaScriptCore/heap/HeapInlines.h

@@ -30 +30 @@
 #include "JSCell.h"
 #include "Structure.h"
+#include <type_traits>
+#include <wtf/Assertions.h>
 
 namespace JSC {
@@ -238 +240 @@
 void* Heap::allocateObjectOfType(size_t bytes)
 {
+    // JSCell::classInfo() expects objects allocated with normal destructor to derive from JSDestructibleObject.
+    ASSERT((!ClassType::needsDestruction || ClassType::hasImmortalStructure || std::is_convertible<ClassType, JSDestructibleObject>::value));
+
     if (ClassType::needsDestruction && ClassType::hasImmortalStructure)
         return allocateWithImmortalStructureDestructor(bytes);
@@ -248 +253 @@
 MarkedSpace::Subspace& Heap::subspaceForObjectOfType()
 {
+    // JSCell::classInfo() expects objects allocated with normal destructor to derive from JSDestructibleObject.
+    ASSERT((!ClassType::needsDestruction || ClassType::hasImmortalStructure || std::is_convertible<ClassType, JSDestructibleObject>::value));
+    
     if (ClassType::needsDestruction && ClassType::hasImmortalStructure)
         return subspaceForObjectsWithImmortalStructure();
@@ -258 +266 @@
 MarkedAllocator& Heap::allocatorForObjectOfType(size_t bytes)
 {
+    // JSCell::classInfo() expects objects allocated with normal destructor to derive from JSDestructibleObject.
+    ASSERT((!ClassType::needsDestruction || ClassType::hasImmortalStructure || std::is_convertible<ClassType, JSDestructibleObject>::value));
+    
     if (ClassType::needsDestruction && ClassType::hasImmortalStructure)
         return allocatorForObjectWithImmortalStructureDestructor(bytes);