Changeset 212618 in webkit

Timestamp:

Feb 19, 2017, 5:46:04 PM (8 years ago)

Author:

mark.lam@apple.com

Message:

CachedCall should let GC know to keep its arguments alive.
​https://bugs.webkit.org/show_bug.cgi?id=168567
<rdar://problem/30475767>

Reviewed by Saam Barati.

Source/JavaScriptCore:

We fix this by having CachedCall use a MarkedArgumentBuffer to store its
arguments instead of a Vector.

Also declared CachedCall, MarkedArgumentBuffer, and ProtoCallFrame as
WTF_FORBID_HEAP_ALLOCATION because they rely on being stack allocated for
correctness.

• interpreter/CachedCall.h:

(JSC::CachedCall::CachedCall):
(JSC::CachedCall::call):
(JSC::CachedCall::clearArguments):
(JSC::CachedCall::appendArgument):
(JSC::CachedCall::setArgument): Deleted.

• interpreter/CallFrame.h:

(JSC::ExecState::emptyList):

• interpreter/Interpreter.cpp:

(JSC::Interpreter::prepareForRepeatCall):

• interpreter/Interpreter.h:
• interpreter/ProtoCallFrame.h:
• runtime/ArgList.cpp:

(JSC::MarkedArgumentBuffer::expandCapacity):

• runtime/ArgList.h:

(JSC::MarkedArgumentBuffer::ensureCapacity):

• runtime/StringPrototype.cpp:

(JSC::replaceUsingRegExpSearch):

• runtime/VM.cpp:

(JSC::VM::VM):

• runtime/VM.h:

Source/WTF:

Added a WTF_FORBID_HEAP_ALLOCATION that will cause a compilation failure if
a class declared with it is malloced.

While this doesn't prevent that class declared WTF_FORBID_HEAP_ALLOCATION from
being embedded in another class that is heap allocated, it does at minimum
document the intent and gives the users of this class a chance to do the
right thing.

• WTF.xcodeproj/project.pbxproj:
• wtf/ForbidHeapAllocation.h: Added.

Location:

trunk/Source

Files:

• JavaScriptCore/ChangeLog (modified) (1 diff)
• JavaScriptCore/interpreter/CachedCall.h (modified) (5 diffs)
• JavaScriptCore/interpreter/CallFrame.h (modified) (2 diffs)
• JavaScriptCore/interpreter/Interpreter.cpp (modified) (3 diffs)
• JavaScriptCore/interpreter/Interpreter.h (modified) (2 diffs)
• JavaScriptCore/interpreter/ProtoCallFrame.h (modified) (2 diffs)
• JavaScriptCore/runtime/ArgList.cpp (modified) (2 diffs)
• JavaScriptCore/runtime/ArgList.h (modified) (4 diffs)
• JavaScriptCore/runtime/StringPrototype.cpp (modified) (5 diffs)
• JavaScriptCore/runtime/VM.cpp (modified) (1 diff)
• JavaScriptCore/runtime/VM.h (modified) (1 diff)
• WTF/ChangeLog (modified) (1 diff)
• WTF/WTF.xcodeproj/project.pbxproj (modified) (4 diffs)
• WTF/wtf/ForbidHeapAllocation.h (added)

trunk/Source/JavaScriptCore/ChangeLog ¶

@@ +1 @@
+2017-02-19  Mark Lam  <mark.lam@apple.com>
+
+        CachedCall should let GC know to keep its arguments alive.
+        https://bugs.webkit.org/show_bug.cgi?id=168567
+        <rdar://problem/30475767>
+
+        Reviewed by Saam Barati.
+
+        We fix this by having CachedCall use a MarkedArgumentBuffer to store its
+        arguments instead of a Vector.
+
+        Also declared CachedCall, MarkedArgumentBuffer, and ProtoCallFrame as
+        WTF_FORBID_HEAP_ALLOCATION because they rely on being stack allocated for
+        correctness.
+
+        * interpreter/CachedCall.h:
+        (JSC::CachedCall::CachedCall):
+        (JSC::CachedCall::call):
+        (JSC::CachedCall::clearArguments):
+        (JSC::CachedCall::appendArgument):
+        (JSC::CachedCall::setArgument): Deleted.
+        * interpreter/CallFrame.h:
+        (JSC::ExecState::emptyList):
+        * interpreter/Interpreter.cpp:
+        (JSC::Interpreter::prepareForRepeatCall):
+        * interpreter/Interpreter.h:
+        * interpreter/ProtoCallFrame.h:
+        * runtime/ArgList.cpp:
+        (JSC::MarkedArgumentBuffer::expandCapacity):
+        * runtime/ArgList.h:
+        (JSC::MarkedArgumentBuffer::ensureCapacity):
+        * runtime/StringPrototype.cpp:
+        (JSC::replaceUsingRegExpSearch):
+        * runtime/VM.cpp:
+        (JSC::VM::VM):
+        * runtime/VM.h:
+
 2017-02-19  Commit Queue  <commit-queue@webkit.org>
 

trunk/Source/JavaScriptCore/interpreter/CachedCall.h ¶

@@ -1 +1 @@
 /*
- * Copyright (C) 2009, 2013, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2009-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -34 +34 @@
 #include "VMEntryScope.h"
 #include "VMInlines.h"
+#include <wtf/ForbidHeapAllocation.h>
 
 namespace JSC {
     class CachedCall {
-        WTF_MAKE_NONCOPYABLE(CachedCall); WTF_MAKE_FAST_ALLOCATED;
+        WTF_MAKE_NONCOPYABLE(CachedCall);
+        WTF_FORBID_HEAP_ALLOCATION;
     public:
         CachedCall(CallFrame* callFrame, JSFunction* function, int argumentCount)
@@ -50 +52 @@
             ASSERT(!function->isHostFunctionNonInline());
             if (UNLIKELY(vm.isSafeToRecurseSoft())) {
-                m_arguments.resize(argumentCount);
-                m_closure = m_interpreter->prepareForRepeatCall(function->jsExecutable(), callFrame, &m_protoCallFrame, function, argumentCount + 1, function->scope(), m_arguments.data());
+                m_arguments.ensureCapacity(argumentCount);
+                m_closure = m_interpreter->prepareForRepeatCall(function->jsExecutable(), callFrame, &m_protoCallFrame, function, argumentCount + 1, function->scope(), m_arguments);
             } else
                 throwStackOverflowError(callFrame, scope);
@@ -60 +62 @@
         { 
             ASSERT(m_valid);
+            ASSERT(m_arguments.size() == static_cast<size_t>(m_protoCallFrame.argumentCount()));
             return m_interpreter->execute(m_closure);
         }
         void setThis(JSValue v) { m_protoCallFrame.setThisValue(v); }
-        void setArgument(int n, JSValue v) { m_protoCallFrame.setArgument(n, v); }
+
+        void clearArguments() { m_arguments.clear(); }
+        void appendArgument(JSValue v) { m_arguments.append(v); }
 
     private:
@@ -71 +76 @@
         VMEntryScope m_entryScope;
         ProtoCallFrame m_protoCallFrame;
-        Vector<JSValue> m_arguments;
+        MarkedArgumentBuffer m_arguments;
         CallFrameClosure m_closure;
     };

trunk/Source/JavaScriptCore/interpreter/CallFrame.h ¶

@@ -2 +2 @@
  *  Copyright (C) 1999-2001 Harri Porten (porten@kde.org)
  *  Copyright (C) 2001 Peter Kelly (pmk@post.com)
- *  Copyright (C) 2003, 2007-2008, 2011, 2013-2016 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003-2017 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
@@ -120 +120 @@
         AtomicStringTable* atomicStringTable() const { return vm().atomicStringTable(); }
         const CommonIdentifiers& propertyNames() const { return *vm().propertyNames; }
-        const MarkedArgumentBuffer& emptyList() const { return *vm().emptyList; }
+        const ArgList& emptyList() const { return *vm().emptyList; }
         Interpreter* interpreter() { return vm().interpreter; }
         Heap* heap() { return &vm().heap; }

trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp ¶

@@ -1 +1 @@
 /*
- * Copyright (C) 2008-2010, 2012-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2017 Apple Inc. All rights reserved.
  * Copyright (C) 2008 Cameron Zwarich <cwzwarich@uwaterloo.ca>
  *
@@ -1006 +1006 @@
 }
 
-CallFrameClosure Interpreter::prepareForRepeatCall(FunctionExecutable* functionExecutable, CallFrame* callFrame, ProtoCallFrame* protoCallFrame, JSFunction* function, int argumentCountIncludingThis, JSScope* scope, JSValue* args)
+CallFrameClosure Interpreter::prepareForRepeatCall(FunctionExecutable* functionExecutable, CallFrame* callFrame, ProtoCallFrame* protoCallFrame, JSFunction* function, int argumentCountIncludingThis, JSScope* scope, const ArgList& args)
 {
     VM& vm = *scope->vm();
@@ -1026 +1026 @@
     size_t argsCount = argumentCountIncludingThis;
 
-    protoCallFrame->init(newCodeBlock, function, jsUndefined(), argsCount, args);
+    protoCallFrame->init(newCodeBlock, function, jsUndefined(), argsCount, args.data());
     // Return the successful closure:
     CallFrameClosure result = { callFrame, protoCallFrame, function, functionExecutable, &vm, scope, newCodeBlock->numParameters(), argumentCountIncludingThis };

trunk/Source/JavaScriptCore/interpreter/Interpreter.h ¶

@@ -1 +1 @@
 /*
- * Copyright (C) 2008, 2013, 2015-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2017 Apple Inc. All rights reserved.
  * Copyright (C) 2012 Research In Motion Limited. All rights reserved.
  *
@@ -155 +155 @@
         enum ExecutionFlag { Normal, InitializeAndReturn };
 
-        CallFrameClosure prepareForRepeatCall(FunctionExecutable*, CallFrame*, ProtoCallFrame*, JSFunction*, int argumentCountIncludingThis, JSScope*, JSValue*);
+        CallFrameClosure prepareForRepeatCall(FunctionExecutable*, CallFrame*, ProtoCallFrame*, JSFunction*, int argumentCountIncludingThis, JSScope*, const ArgList&);
 
         JSValue execute(CallFrameClosure&);

trunk/Source/JavaScriptCore/interpreter/ProtoCallFrame.h ¶

@@ -1 +1 @@
 /*
- * Copyright (C) 2013 Apple Inc. All Rights Reserved.
+ * Copyright (C) 2013-2017 Apple Inc. All Rights Reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -27 +27 @@
 
 #include "Register.h"
+#include <wtf/ForbidHeapAllocation.h>
 
 namespace JSC {
 
 struct JS_EXPORT_PRIVATE ProtoCallFrame {
+    WTF_FORBID_HEAP_ALLOCATION;
+public:
     Register codeBlockValue;
     Register calleeValue;

trunk/Source/JavaScriptCore/runtime/ArgList.cpp ¶

@@ -1 +1 @@
 /*
- *  Copyright (C) 2003, 2004, 2005, 2006, 2007, 2009, 2016 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003-2017 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
@@ -64 +64 @@
 }
 
+void MarkedArgumentBuffer::slowEnsureCapacity(size_t requestedCapacity)
+{
+    int newCapacity = Checked<int>(requestedCapacity).unsafeGet();
+    expandCapacity(newCapacity);
+}
+
 void MarkedArgumentBuffer::expandCapacity()
 {
     int newCapacity = (Checked<int>(m_capacity) * 2).unsafeGet();
+    expandCapacity(newCapacity);
+}
+
+void MarkedArgumentBuffer::expandCapacity(int newCapacity)
+{
+    ASSERT(m_capacity < newCapacity);
     size_t size = (Checked<size_t>(newCapacity) * sizeof(EncodedJSValue)).unsafeGet();
     EncodedJSValue* newBuffer = static_cast<EncodedJSValue*>(fastMalloc(size));

trunk/Source/JavaScriptCore/runtime/ArgList.h ¶

@@ -1 +1 @@
 /*
  *  Copyright (C) 1999-2001 Harri Porten (porten@kde.org)
- *  Copyright (C) 2003, 2007, 2008, 2009, 2016 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003-2017 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
@@ -23 +23 @@
 
 #include "CallFrame.h"
+#include <wtf/ForbidHeapAllocation.h>
 #include <wtf/HashSet.h>
 
@@ -29 +30 @@
 class MarkedArgumentBuffer {
     WTF_MAKE_NONCOPYABLE(MarkedArgumentBuffer);
+    WTF_FORBID_HEAP_ALLOCATION;
     friend class VM;
     friend class ArgList;
@@ -95 +97 @@
     static void markLists(SlotVisitor&, ListSet&);
 
+    void ensureCapacity(size_t requestedCapacity)
+    {
+        if (requestedCapacity > static_cast<size_t>(m_capacity))
+            slowEnsureCapacity(requestedCapacity);
+    }
+
 private:
     void expandCapacity();
+    void expandCapacity(int newCapacity);
+    void slowEnsureCapacity(size_t requestedCapacity);
 
     void addMarkSet(JSValue);

trunk/Source/JavaScriptCore/runtime/StringPrototype.cpp ¶

@@ -1 +1 @@
 /*
  *  Copyright (C) 1999-2001 Harri Porten (porten@kde.org)
- *  Copyright (C) 2004-2008, 2013, 2016 Apple Inc. All rights reserved.
+ *  Copyright (C) 2004-2017 Apple Inc. All rights reserved.
  *  Copyright (C) 2009 Torch Mobile, Inc.
  *  Copyright (C) 2015 Jordan Harband (ljharb@gmail.com)
@@ -540 +540 @@
 
                 unsigned i = 0;
+                cachedCall.clearArguments();
                 for (; i < regExp->numSubpatterns() + 1; ++i) {
                     int matchStart = ovector[i * 2];
@@ -545 +546 @@
 
                     if (matchStart < 0)
-                        cachedCall.setArgument(i, jsUndefined());
+                        cachedCall.appendArgument(jsUndefined());
                     else
-                        cachedCall.setArgument(i, jsSubstring(&vm, source, matchStart, matchLen));
+                        cachedCall.appendArgument(jsSubstring(&vm, source, matchStart, matchLen));
                 }
 
-                cachedCall.setArgument(i++, jsNumber(result.start));
-                cachedCall.setArgument(i++, string);
+                cachedCall.appendArgument(jsNumber(result.start));
+                cachedCall.appendArgument(string);
 
                 cachedCall.setThis(jsUndefined());
@@ -579 +580 @@
 
                 unsigned i = 0;
+                cachedCall.clearArguments();
                 for (; i < regExp->numSubpatterns() + 1; ++i) {
                     int matchStart = ovector[i * 2];
@@ -584 +586 @@
 
                     if (matchStart < 0)
-                        cachedCall.setArgument(i, jsUndefined());
+                        cachedCall.appendArgument(jsUndefined());
                     else
-                        cachedCall.setArgument(i, jsSubstring(&vm, source, matchStart, matchLen));
+                        cachedCall.appendArgument(jsSubstring(&vm, source, matchStart, matchLen));
                 }
 
-                cachedCall.setArgument(i++, jsNumber(result.start));
-                cachedCall.setArgument(i++, string);
+                cachedCall.appendArgument(jsNumber(result.start));
+                cachedCall.appendArgument(string);
 
                 cachedCall.setThis(jsUndefined());

trunk/Source/JavaScriptCore/runtime/VM.cpp ¶

@@ -181 +181 @@
     , m_atomicStringTable(vmType == Default ? wtfThreadData().atomicStringTable() : new AtomicStringTable)
     , propertyNames(nullptr)
-    , emptyList(new MarkedArgumentBuffer)
+    , emptyList(new ArgList)
     , machineCodeBytesPerBytecodeWordForBaselineJIT(std::make_unique<SimpleStats>())
     , customGetterSetterFunctionMap(*this)

trunk/Source/JavaScriptCore/runtime/VM.h ¶

@@ -386 +386 @@
     TemplateRegistryKeyTable m_templateRegistryKeytable;
     CommonIdentifiers* propertyNames;
-    const MarkedArgumentBuffer* emptyList; // Lists are supposed to be allocated on the stack to have their elements properly marked, which is not the case here - but this list has nothing to mark.
+    const ArgList* emptyList;
     SmallStrings smallStrings;
     NumericStrings numericStrings;

trunk/Source/WTF/ChangeLog ¶

@@ +1 @@
+2017-02-19  Mark Lam  <mark.lam@apple.com>
+
+        CachedCall should let GC know to keep its arguments alive.
+        https://bugs.webkit.org/show_bug.cgi?id=168567
+        <rdar://problem/30475767>
+
+        Reviewed by Saam Barati.
+
+        Added a WTF_FORBID_HEAP_ALLOCATION that will cause a compilation failure if
+        a class declared with it is malloced.
+
+        While this doesn't prevent that class declared WTF_FORBID_HEAP_ALLOCATION from
+        being embedded in another class that is heap allocated, it does at minimum
+        document the intent and gives the users of this class a chance to do the
+        right thing.
+
+        * WTF.xcodeproj/project.pbxproj:
+        * wtf/ForbidHeapAllocation.h: Added.
+
 2017-02-19  Commit Queue  <commit-queue@webkit.org>
 

trunk/Source/WTF/WTF.xcodeproj/project.pbxproj ¶

@@ -369 +369 @@
                 EB95E1F0161A72410089A2F5 /* ByteOrder.h in Headers */ = {isa = PBXBuildFile; fileRef = EB95E1EF161A72410089A2F5 /* ByteOrder.h */; };
                 FE8225311B2A1E5B00BA68FD /* NakedPtr.h in Headers */ = {isa = PBXBuildFile; fileRef = FE8225301B2A1E5B00BA68FD /* NakedPtr.h */; };
+                FE86A8751E59440200111BBF /* ForbidHeapAllocation.h in Headers */ = {isa = PBXBuildFile; fileRef = FE86A8741E59440200111BBF /* ForbidHeapAllocation.h */; };
                 FE8925B01D00DAEC0046907E /* Indenter.h in Headers */ = {isa = PBXBuildFile; fileRef = FE8925AF1D00DAEC0046907E /* Indenter.h */; };
                 FEDACD3D1630F83F00C69634 /* StackStats.cpp in Sources */ = {isa = PBXBuildFile; fileRef = FEDACD3B1630F83F00C69634 /* StackStats.cpp */; };
@@ -752 +753 @@
                 F72BBDB107FA424886178B9E /* SymbolImpl.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = SymbolImpl.cpp; sourceTree = "<group>"; };
                 FE8225301B2A1E5B00BA68FD /* NakedPtr.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = NakedPtr.h; sourceTree = "<group>"; };
+                FE86A8741E59440200111BBF /* ForbidHeapAllocation.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ForbidHeapAllocation.h; sourceTree = "<group>"; };
                 FE8925AF1D00DAEC0046907E /* Indenter.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = Indenter.h; sourceTree = "<group>"; };
                 FEDACD3B1630F83F00C69634 /* StackStats.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = StackStats.cpp; sourceTree = "<group>"; };
@@ -963 +965 @@
                                 0F9D335C165DBA73005AD387 /* FilePrintStream.h */,
                                 0F2B66A517B6B4F700A7AE3F /* FlipBytes.h */,
+                                FE86A8741E59440200111BBF /* ForbidHeapAllocation.h */,
                                 A8A472A6151A825A004123FF /* Forward.h */,
                                 83F2BADE1CF9524E003E99C3 /* Function.h */,
@@ -1419 +1422 @@
                                 1A1D8B9C173186CE00141DA4 /* FunctionDispatcher.h in Headers */,
                                 A8A473CA151A825B004123FF /* GetPtr.h in Headers */,
+                                FE86A8751E59440200111BBF /* ForbidHeapAllocation.h in Headers */,
                                 0FEC84AF1BD825310080FF74 /* GraphNodeWorklist.h in Headers */,
                                 2C05385415BC819000F21B96 /* GregorianDateTime.h in Headers */,