Context Navigation

← Previous Changeset
Next Changeset →

Changeset 185277 in webkit

Timestamp:

Jun 5, 2015, 5:33:43 PM (10 years ago)

Author:

mark.lam@apple.com

Message:

Subclasses of JSNonFinalObject with gc'able children need to implement visitChildren().
https://bugs.webkit.org/show_bug.cgi?id=145709

Reviewed by Geoffrey Garen.

jsc.cpp:

(functionSetElementRoot):

The Element class has a member of type Root which extends JSDestructibleObject. It should be stored in a WriteBarrier, and visited by visitChildren().

runtime/ClonedArguments.cpp:

(JSC::ClonedArguments::materializeSpecialsIfNecessary):
(JSC::ClonedArguments::visitChildren):

runtime/ClonedArguments.h:
Add missing visitChildren().

tests/stress/cloned-arguments-should-visit-callee-during-gc.js: Added.

(makeTransientFunction.transientFunc):
(makeTransientFunction):

Location:

trunk/Source/JavaScriptCore

Files:

: 1 added
: 4 edited

ChangeLog (modified) (1 diff)
jsc.cpp (modified) (5 diffs)
runtime/ClonedArguments.cpp (modified) (1 diff)
runtime/ClonedArguments.h (modified) (1 diff)
tests/stress/cloned-arguments-should-visit-callee-during-gc.js (added)

Legend:

: Unmodified
: Added
: Removed

trunk/Source/JavaScriptCore/ChangeLog

-              r185268
+              r185277
+-06-05  Mark Lam  <mark.lam@apple.com>
+        Subclasses of JSNonFinalObject with gc'able children need to implement visitChildren().
+        https://bugs.webkit.org/show_bug.cgi?id=145709
+        Reviewed by Geoffrey Garen.
+        * jsc.cpp:
+        (functionSetElementRoot):
+        - The Element class has a member of type Root which extends JSDestructibleObject.
+          It should be stored in a WriteBarrier, and visited by visitChildren().
+        * runtime/ClonedArguments.cpp:
+        (JSC::ClonedArguments::materializeSpecialsIfNecessary):
+        (JSC::ClonedArguments::visitChildren):
+        * runtime/ClonedArguments.h:
+        - Add missing visitChildren().
+        * tests/stress/cloned-arguments-should-visit-callee-during-gc.js: Added.
+        (makeTransientFunction.transientFunc):
+        (makeTransientFunction):
 -06-05  Geoffrey Garen  <ggaren@apple.com>

trunk/Source/JavaScriptCore/jsc.cpp

-              r185259
+              r185277
 class Element : public JSNonFinalObject {
 public:
     Element(VM& vm, Structure* structure, Root* root)
+    Element(VM& vm, Structure* structure)
         : Base(vm, structure)
-        , m_root(root)
+    {
+    }
 …
     static const bool needsDestruction = false;
     Root* root() const { return m_root; }
     void setRoot(Root* root) { m_root = root; }
+    Root* root() const { return m_root.get(); }
+    void setRoot(VM& vm, Root* root) { m_root.set(vm, this, root); }
     static Element* create(VM& vm, JSGlobalObject* globalObject, Root* root)
+    {
         Structure* structure = createStructure(vm, globalObject, jsNull());
         Element* element = new (NotNull, allocateCell<Element>(vm.heap, sizeof(Element))) Element(vm, structure, root);
         element->finishCreation(vm);
+        Element* element = new (NotNull, allocateCell<Element>(vm.heap, sizeof(Element))) Element(vm, structure);
+        element->finishCreation(vm, root);
         return element;
+    }
+    void finishCreation(VM&);
+    void finishCreation(VM&, Root*);
+    static void visitChildren(JSCell* cell, SlotVisitor& visitor)
+    {
+        Element* thisObject = jsCast<Element*>(cell);
+        ASSERT_GC_OBJECT_INHERITS(thisObject, info());
+        Base::visitChildren(thisObject, visitor);
+        visitor.append(&thisObject->m_root);
+    }
     static ElementHandleOwner* handleOwner();
 …
 private:
     Root* m_root;
+    WriteBarrier<Root> m_root;
 };
 …
+}
 void Element::finishCreation(VM& vm)
+void Element::finishCreation(VM& vm, Root* root)
+{
     Base::finishCreation(vm);
+    setRoot(vm, root);
     m_root->setElement(this);
+}
 …
     Element* element = jsCast<Element*>(exec->argument(0));
     Root* root = jsCast<Root*>(exec->argument(1));
     element->setRoot(root);
+    element->setRoot(exec->vm(), root);
     return JSValue::encode(jsUndefined());
+}

trunk/Source/JavaScriptCore/runtime/ClonedArguments.cpp

-              r182911
+              r185277
+}
+void ClonedArguments::visitChildren(JSCell* cell, SlotVisitor& visitor)
+{
+    ClonedArguments* thisObject = jsCast<ClonedArguments*>(cell);
+    ASSERT_GC_OBJECT_INHERITS(thisObject, info());
+    Base::visitChildren(thisObject, visitor);
+    visitor.append(&thisObject->m_callee);
+}
 } // namespace JSC

trunk/Source/JavaScriptCore/runtime/ClonedArguments.h

r182911	r185277
56	56	static Structure* createStructure(VM&, JSGlobalObject*, JSValue prototype);
57	57
	58	static void visitChildren(JSCell*, SlotVisitor&);
	59
58	60	DECLARE_INFO;
59	61

Note: See TracChangeset for help on using the changeset viewer.