Changeset 210829 in webkit

Timestamp:

Jan 17, 2017 3:52:55 PM (7 years ago)

Author:

fpizlo@apple.com

Message:

JSCell::classInfo() shouldn't have a bunch of mitigations for being called during destruction
​https://bugs.webkit.org/show_bug.cgi?id=167066

Reviewed by Keith Miller and Michael Saboff.
Source/JavaScriptCore:

This reduces the size of JSCell::classInfo() by half and removes some checks that
this function previously had to do in case it was called from destructors.

I changed all of the destructors so that they don't call JSCell::classInfo() and I
added an assertion to JSCell::classInfo() to catch cases where someone called it
from a destructor accidentally.

This means that we only have one place in destruction that needs to know the class:
the sweeper's call to the destructor.

One of the trickiest outcomes of this is the need to support inherits() tests in
JSObjectGetPrivate(), when it is called from the destructor callback on the object
being destructed. JSObjectGetPrivate() is undefined behavior anyway if you use it
on any dead-but-not-destructed object other than the one being destructed right
now. The purpose of the inherits() tests is to distinguish between different kinds
of CallbackObjects, which may have different kinds of base classes. I think that
this was always subtly wrong - for example, if the object being destructed is a
JSGlobalObject then it's not a DestructibleObject, is not in a destructor block,
but does not have an immortal Structure - so classInfo() is not valid. This fixes
the issue by having ~JSCallbackObject know its classInfo. It now stashes its
classInfo in VM so that JSObjectGetPrivate can use that classInfo if it detects
that it's being used on a currently-destructing object.

That was the only really weird part of this patch. The rest is mostly removing
illegal uses of jsCast<> in destructors. There were a few other genuine uses of
classInfo() but they were in code that already knew how to get its classInfo()
using other means:

• You can still say structure()->classInfo(), and I use this form in code that knows that its StructureIsImmortal.

• You can use this->classInfo() if it's overridden, like in subclasses of JSDestructibleObject.

Rolling this back in because I think I fixed the crashes.

• API/JSAPIWrapperObject.mm:

(JSAPIWrapperObjectHandleOwner::finalize):

• API/JSCallbackObject.h:
• API/JSCallbackObjectFunctions.h:

(JSC::JSCallbackObject<Parent>::~JSCallbackObject):
(JSC::JSCallbackObject<Parent>::init):

• API/JSObjectRef.cpp:

(classInfoPrivate):
(JSObjectGetPrivate):
(JSObjectSetPrivate):

• bytecode/EvalCodeBlock.cpp:

(JSC::EvalCodeBlock::destroy):

• bytecode/FunctionCodeBlock.cpp:

(JSC::FunctionCodeBlock::destroy):

• bytecode/ModuleProgramCodeBlock.cpp:

(JSC::ModuleProgramCodeBlock::destroy):

• bytecode/ProgramCodeBlock.cpp:

(JSC::ProgramCodeBlock::destroy):

• bytecode/UnlinkedEvalCodeBlock.cpp:

(JSC::UnlinkedEvalCodeBlock::destroy):

• bytecode/UnlinkedFunctionCodeBlock.cpp:

(JSC::UnlinkedFunctionCodeBlock::destroy):

• bytecode/UnlinkedFunctionExecutable.cpp:

(JSC::UnlinkedFunctionExecutable::destroy):

• bytecode/UnlinkedModuleProgramCodeBlock.cpp:

(JSC::UnlinkedModuleProgramCodeBlock::destroy):

• bytecode/UnlinkedProgramCodeBlock.cpp:

(JSC::UnlinkedProgramCodeBlock::destroy):

• heap/CodeBlockSet.cpp:

(JSC::CodeBlockSet::lastChanceToFinalize):
(JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):

• heap/MarkedAllocator.cpp:

(JSC::MarkedAllocator::allocateSlowCaseImpl):

• heap/MarkedBlock.cpp:

(JSC::MarkedBlock::Handle::sweep):

• jit/JITThunks.cpp:

(JSC::JITThunks::finalize):

• runtime/AbstractModuleRecord.cpp:

(JSC::AbstractModuleRecord::destroy):

• runtime/ExecutableBase.cpp:

(JSC::ExecutableBase::clearCode):

• runtime/JSCellInlines.h:

(JSC::JSCell::classInfo):
(JSC::JSCell::callDestructor):

• runtime/JSLock.h:

(JSC::JSLock::ownerThread):

• runtime/JSModuleNamespaceObject.cpp:

(JSC::JSModuleNamespaceObject::destroy):

• runtime/JSModuleRecord.cpp:

(JSC::JSModuleRecord::destroy):

• runtime/JSPropertyNameEnumerator.cpp:

(JSC::JSPropertyNameEnumerator::destroy):

• runtime/JSSegmentedVariableObject.h:
• runtime/SymbolTable.cpp:

(JSC::SymbolTable::destroy):

• runtime/VM.h:
• wasm/js/JSWebAssemblyCallee.cpp:

(JSC::JSWebAssemblyCallee::destroy):

• wasm/js/WebAssemblyModuleRecord.cpp:

(JSC::WebAssemblyModuleRecord::destroy):

• wasm/js/WebAssemblyToJSCallee.cpp:

(JSC::WebAssemblyToJSCallee::WebAssemblyToJSCallee):
(JSC::WebAssemblyToJSCallee::destroy):

Source/WebCore:

No new tests because no new behavior.

It's now necessary to avoid jsCast in destructors and finalizers. This was an easy
rule to introduce because this used to always be the rule.

• bindings/js/JSCSSValueCustom.cpp:

(WebCore::JSDeprecatedCSSOMValueOwner::finalize):

• bindings/js/JSDOMIterator.h:

(WebCore::IteratorTraits>::destroy):

• bindings/scripts/CodeGeneratorJS.pm:

(GenerateImplementation):

Source/WebKit2:

Just remove now-erroneous use of jsCast<>.

• WebProcess/Plugins/Netscape/NPRuntimeObjectMap.cpp:

(WebKit::NPRuntimeObjectMap::finalize):

Location:

trunk/Source

Files:

• JavaScriptCore/API/JSAPIWrapperObject.mm (modified) (1 diff)
• JavaScriptCore/API/JSCallbackObject.h (modified) (1 diff)
• JavaScriptCore/API/JSCallbackObjectFunctions.h (modified) (3 diffs)
• JavaScriptCore/API/JSObjectRef.cpp (modified) (1 diff)
• JavaScriptCore/ChangeLog (modified) (1 diff)
• JavaScriptCore/bytecode/EvalCodeBlock.cpp (modified) (1 diff)
• JavaScriptCore/bytecode/FunctionCodeBlock.cpp (modified) (1 diff)
• JavaScriptCore/bytecode/ModuleProgramCodeBlock.cpp (modified) (1 diff)
• JavaScriptCore/bytecode/ProgramCodeBlock.cpp (modified) (1 diff)
• JavaScriptCore/bytecode/UnlinkedEvalCodeBlock.cpp (modified) (1 diff)
• JavaScriptCore/bytecode/UnlinkedFunctionCodeBlock.cpp (modified) (1 diff)
• JavaScriptCore/bytecode/UnlinkedFunctionExecutable.cpp (modified) (1 diff)
• JavaScriptCore/bytecode/UnlinkedModuleProgramCodeBlock.cpp (modified) (1 diff)
• JavaScriptCore/bytecode/UnlinkedProgramCodeBlock.cpp (modified) (1 diff)
• JavaScriptCore/heap/CodeBlockSet.cpp (modified) (2 diffs)
• JavaScriptCore/heap/MarkedAllocator.cpp (modified) (1 diff)
• JavaScriptCore/heap/MarkedBlock.cpp (modified) (2 diffs)
• JavaScriptCore/jit/JITThunks.cpp (modified) (1 diff)
• JavaScriptCore/runtime/AbstractModuleRecord.cpp (modified) (1 diff)
• JavaScriptCore/runtime/ExecutableBase.cpp (modified) (5 diffs)
• JavaScriptCore/runtime/JSCellInlines.h (modified) (2 diffs)
• JavaScriptCore/runtime/JSLock.h (modified) (1 diff)
• JavaScriptCore/runtime/JSModuleNamespaceObject.cpp (modified) (1 diff)
• JavaScriptCore/runtime/JSModuleRecord.cpp (modified) (1 diff)
• JavaScriptCore/runtime/JSPropertyNameEnumerator.cpp (modified) (1 diff)
• JavaScriptCore/runtime/JSSegmentedVariableObject.h (modified) (1 diff)
• JavaScriptCore/runtime/StructureInlines.h (modified) (1 diff)
• JavaScriptCore/runtime/SymbolTable.cpp (modified) (1 diff)
• JavaScriptCore/runtime/VM.h (modified) (1 diff)
• JavaScriptCore/wasm/js/JSWebAssemblyCallee.cpp (modified) (1 diff)
• JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp (modified) (1 diff)
• JavaScriptCore/wasm/js/WebAssemblyToJSCallee.cpp (modified) (2 diffs)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/bindings/js/JSCSSValueCustom.cpp (modified) (1 diff)
• WebCore/bindings/js/JSDOMIterator.h (modified) (1 diff)
• WebCore/bindings/scripts/CodeGeneratorJS.pm (modified) (1 diff)
• WebCore/bindings/scripts/test/JS/JSInterfaceName.cpp (modified) (1 diff)
• WebCore/bindings/scripts/test/JS/JSTestActiveDOMObject.cpp (modified) (1 diff)
• WebCore/bindings/scripts/test/JS/JSTestCEReactions.cpp (modified) (1 diff)
• WebCore/bindings/scripts/test/JS/JSTestCEReactionsStringifier.cpp (modified) (1 diff)
• WebCore/bindings/scripts/test/JS/JSTestClassWithJSBuiltinConstructor.cpp (modified) (1 diff)
• WebCore/bindings/scripts/test/JS/JSTestCustomConstructorWithNoInterfaceObject.cpp (modified) (1 diff)
• WebCore/bindings/scripts/test/JS/JSTestCustomNamedGetter.cpp (modified) (1 diff)
• WebCore/bindings/scripts/test/JS/JSTestException.cpp (modified) (1 diff)
• WebCore/bindings/scripts/test/JS/JSTestGenerateIsReachable.cpp (modified) (1 diff)
• WebCore/bindings/scripts/test/JS/JSTestGlobalObject.cpp (modified) (1 diff)
• WebCore/bindings/scripts/test/JS/JSTestInterface.cpp (modified) (1 diff)
• WebCore/bindings/scripts/test/JS/JSTestInterfaceLeadingUnderscore.cpp (modified) (1 diff)
• WebCore/bindings/scripts/test/JS/JSTestIterable.cpp (modified) (1 diff)
• WebCore/bindings/scripts/test/JS/JSTestMediaQueryListListener.cpp (modified) (1 diff)
• WebCore/bindings/scripts/test/JS/JSTestNamedConstructor.cpp (modified) (1 diff)
• WebCore/bindings/scripts/test/JS/JSTestObj.cpp (modified) (1 diff)
• WebCore/bindings/scripts/test/JS/JSTestOverloadedConstructors.cpp (modified) (1 diff)
• WebCore/bindings/scripts/test/JS/JSTestOverloadedConstructorsWithSequence.cpp (modified) (1 diff)
• WebCore/bindings/scripts/test/JS/JSTestOverrideBuiltins.cpp (modified) (1 diff)
• WebCore/bindings/scripts/test/JS/JSTestSerialization.cpp (modified) (1 diff)
• WebCore/bindings/scripts/test/JS/JSTestSerializedScriptValueInterface.cpp (modified) (1 diff)
• WebCore/bindings/scripts/test/JS/JSTestTypedefs.cpp (modified) (1 diff)
• WebKit2/ChangeLog (modified) (1 diff)
• WebKit2/WebProcess/Plugins/Netscape/NPRuntimeObjectMap.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/API/JSAPIWrapperObject.mm

@@ -49 +49 @@
 void JSAPIWrapperObjectHandleOwner::finalize(JSC::Handle<JSC::Unknown> handle, void*)
 {
-    JSC::JSAPIWrapperObject* wrapperObject = JSC::jsCast<JSC::JSAPIWrapperObject*>(handle.get().asCell());
+    JSC::JSAPIWrapperObject* wrapperObject = static_cast<JSC::JSAPIWrapperObject*>(handle.get().asCell());
     if (!wrapperObject->wrappedObject())
         return;

trunk/Source/JavaScriptCore/API/JSCallbackObject.h

@@ -233 +233 @@
 
     std::unique_ptr<JSCallbackObjectData> m_callbackObjectData;
+    const ClassInfo* m_classInfo;
 };
 

trunk/Source/JavaScriptCore/API/JSCallbackObjectFunctions.h

@@ -75 +75 @@
 JSCallbackObject<Parent>::~JSCallbackObject()
 {
+    VM* vm = this->HeapCell::vm();
+    vm->currentlyDestructingCallbackObject = this;
+    ASSERT(m_classInfo);
+    vm->currentlyDestructingCallbackObjectClassInfo = m_classInfo;
     JSObjectRef thisRef = toRef(static_cast<JSObject*>(this));
     for (JSClassRef jsClass = classRef(); jsClass; jsClass = jsClass->parentClass) {
@@ -80 +84 @@
             finalize(thisRef);
     }
+    vm->currentlyDestructingCallbackObject = nullptr;
+    vm->currentlyDestructingCallbackObjectClassInfo = nullptr;
 }
     
@@ -118 +124 @@
         initialize(toRef(exec), toRef(this));
     }
+    
+    m_classInfo = this->classInfo();
 }
 

trunk/Source/JavaScriptCore/API/JSObjectRef.cpp

@@ -381 +381 @@
 }
 
+// API objects have private properties, which may get accessed during destruction. This
+// helper lets us get the ClassInfo of an API object from a function that may get called
+// during destruction.
+static const ClassInfo* classInfoPrivate(JSObject* jsObject)
+{
+    VM* vm = jsObject->vm();
+    
+    if (vm->currentlyDestructingCallbackObject != jsObject)
+        return jsObject->classInfo();
+
+    return vm->currentlyDestructingCallbackObjectClassInfo;
+}
+
 void* JSObjectGetPrivate(JSObjectRef object)
 {
     JSObject* jsObject = uncheckedToJS(object);
 
+    const ClassInfo* classInfo = classInfoPrivate(jsObject);
+    
     // Get wrapped object if proxied
-    if (jsObject->inherits(JSProxy::info()))
+    if (classInfo->isSubClassOf(JSProxy::info())) {
+        jsObject = static_cast<JSProxy*>(jsObject)->target();
+        classInfo = jsObject->classInfo();
+    }
+
+    if (classInfo->isSubClassOf(JSCallbackObject<JSGlobalObject>::info()))
+        return static_cast<JSCallbackObject<JSGlobalObject>*>(jsObject)->getPrivate();
+    if (classInfo->isSubClassOf(JSCallbackObject<JSDestructibleObject>::info()))
+        return static_cast<JSCallbackObject<JSDestructibleObject>*>(jsObject)->getPrivate();
+#if JSC_OBJC_API_ENABLED
+    if (classInfo->isSubClassOf(JSCallbackObject<JSAPIWrapperObject>::info()))
+        return static_cast<JSCallbackObject<JSAPIWrapperObject>*>(jsObject)->getPrivate();
+#endif
+    
+    return 0;
+}
+
+bool JSObjectSetPrivate(JSObjectRef object, void* data)
+{
+    JSObject* jsObject = uncheckedToJS(object);
+
+    const ClassInfo* classInfo = classInfoPrivate(jsObject);
+    
+    // Get wrapped object if proxied
+    if (classInfo->isSubClassOf(JSProxy::info())) {
         jsObject = jsCast<JSProxy*>(jsObject)->target();
-
-    if (jsObject->inherits(JSCallbackObject<JSGlobalObject>::info()))
-        return jsCast<JSCallbackObject<JSGlobalObject>*>(jsObject)->getPrivate();
-    if (jsObject->inherits(JSCallbackObject<JSDestructibleObject>::info()))
-        return jsCast<JSCallbackObject<JSDestructibleObject>*>(jsObject)->getPrivate();
+        classInfo = jsObject->classInfo();
+    }
+
+    if (classInfo->isSubClassOf(JSCallbackObject<JSGlobalObject>::info())) {
+        jsCast<JSCallbackObject<JSGlobalObject>*>(jsObject)->setPrivate(data);
+        return true;
+    }
+    if (classInfo->isSubClassOf(JSCallbackObject<JSDestructibleObject>::info())) {
+        jsCast<JSCallbackObject<JSDestructibleObject>*>(jsObject)->setPrivate(data);
+        return true;
+    }
 #if JSC_OBJC_API_ENABLED
-    if (jsObject->inherits(JSCallbackObject<JSAPIWrapperObject>::info()))
-        return jsCast<JSCallbackObject<JSAPIWrapperObject>*>(jsObject)->getPrivate();
-#endif
-    
-    return 0;
-}
-
-bool JSObjectSetPrivate(JSObjectRef object, void* data)
-{
-    JSObject* jsObject = uncheckedToJS(object);
-
-    // Get wrapped object if proxied
-    if (jsObject->inherits(JSProxy::info()))
-        jsObject = jsCast<JSProxy*>(jsObject)->target();
-
-    if (jsObject->inherits(JSCallbackObject<JSGlobalObject>::info())) {
-        jsCast<JSCallbackObject<JSGlobalObject>*>(jsObject)->setPrivate(data);
-        return true;
-    }
-    if (jsObject->inherits(JSCallbackObject<JSDestructibleObject>::info())) {
-        jsCast<JSCallbackObject<JSDestructibleObject>*>(jsObject)->setPrivate(data);
-        return true;
-    }
-#if JSC_OBJC_API_ENABLED
-    if (jsObject->inherits(JSCallbackObject<JSAPIWrapperObject>::info())) {
+    if (classInfo->isSubClassOf(JSCallbackObject<JSAPIWrapperObject>::info())) {
         jsCast<JSCallbackObject<JSAPIWrapperObject>*>(jsObject)->setPrivate(data);
         return true;

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2017-01-16  Filip Pizlo  <fpizlo@apple.com>
+
+        JSCell::classInfo() shouldn't have a bunch of mitigations for being called during destruction
+        https://bugs.webkit.org/show_bug.cgi?id=167066
+
+        Reviewed by Keith Miller and Michael Saboff.
+        
+        This reduces the size of JSCell::classInfo() by half and removes some checks that
+        this function previously had to do in case it was called from destructors.
+        
+        I changed all of the destructors so that they don't call JSCell::classInfo() and I
+        added an assertion to JSCell::classInfo() to catch cases where someone called it
+        from a destructor accidentally.
+        
+        This means that we only have one place in destruction that needs to know the class:
+        the sweeper's call to the destructor.
+        
+        One of the trickiest outcomes of this is the need to support inherits() tests in
+        JSObjectGetPrivate(), when it is called from the destructor callback on the object
+        being destructed. JSObjectGetPrivate() is undefined behavior anyway if you use it
+        on any dead-but-not-destructed object other than the one being destructed right
+        now. The purpose of the inherits() tests is to distinguish between different kinds
+        of CallbackObjects, which may have different kinds of base classes. I think that
+        this was always subtly wrong - for example, if the object being destructed is a
+        JSGlobalObject then it's not a DestructibleObject, is not in a destructor block,
+        but does not have an immortal Structure - so classInfo() is not valid. This fixes
+        the issue by having ~JSCallbackObject know its classInfo. It now stashes its
+        classInfo in VM so that JSObjectGetPrivate can use that classInfo if it detects
+        that it's being used on a currently-destructing object.
+        
+        That was the only really weird part of this patch. The rest is mostly removing
+        illegal uses of jsCast<> in destructors. There were a few other genuine uses of
+        classInfo() but they were in code that already knew how to get its classInfo()
+        using other means:
+        
+        - You can still say structure()->classInfo(), and I use this form in code that
+          knows that its StructureIsImmortal.
+        
+        - You can use this->classInfo() if it's overridden, like in subclasses of
+          JSDestructibleObject.
+        
+        Rolling this back in because I think I fixed the crashes.
+
+        * API/JSAPIWrapperObject.mm:
+        (JSAPIWrapperObjectHandleOwner::finalize):
+        * API/JSCallbackObject.h:
+        * API/JSCallbackObjectFunctions.h:
+        (JSC::JSCallbackObject<Parent>::~JSCallbackObject):
+        (JSC::JSCallbackObject<Parent>::init):
+        * API/JSObjectRef.cpp:
+        (classInfoPrivate):
+        (JSObjectGetPrivate):
+        (JSObjectSetPrivate):
+        * bytecode/EvalCodeBlock.cpp:
+        (JSC::EvalCodeBlock::destroy):
+        * bytecode/FunctionCodeBlock.cpp:
+        (JSC::FunctionCodeBlock::destroy):
+        * bytecode/ModuleProgramCodeBlock.cpp:
+        (JSC::ModuleProgramCodeBlock::destroy):
+        * bytecode/ProgramCodeBlock.cpp:
+        (JSC::ProgramCodeBlock::destroy):
+        * bytecode/UnlinkedEvalCodeBlock.cpp:
+        (JSC::UnlinkedEvalCodeBlock::destroy):
+        * bytecode/UnlinkedFunctionCodeBlock.cpp:
+        (JSC::UnlinkedFunctionCodeBlock::destroy):
+        * bytecode/UnlinkedFunctionExecutable.cpp:
+        (JSC::UnlinkedFunctionExecutable::destroy):
+        * bytecode/UnlinkedModuleProgramCodeBlock.cpp:
+        (JSC::UnlinkedModuleProgramCodeBlock::destroy):
+        * bytecode/UnlinkedProgramCodeBlock.cpp:
+        (JSC::UnlinkedProgramCodeBlock::destroy):
+        * heap/CodeBlockSet.cpp:
+        (JSC::CodeBlockSet::lastChanceToFinalize):
+        (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
+        * heap/MarkedAllocator.cpp:
+        (JSC::MarkedAllocator::allocateSlowCaseImpl):
+        * heap/MarkedBlock.cpp:
+        (JSC::MarkedBlock::Handle::sweep):
+        * jit/JITThunks.cpp:
+        (JSC::JITThunks::finalize):
+        * runtime/AbstractModuleRecord.cpp:
+        (JSC::AbstractModuleRecord::destroy):
+        * runtime/ExecutableBase.cpp:
+        (JSC::ExecutableBase::clearCode):
+        * runtime/JSCellInlines.h:
+        (JSC::JSCell::classInfo):
+        (JSC::JSCell::callDestructor):
+        * runtime/JSLock.h:
+        (JSC::JSLock::ownerThread):
+        * runtime/JSModuleNamespaceObject.cpp:
+        (JSC::JSModuleNamespaceObject::destroy):
+        * runtime/JSModuleRecord.cpp:
+        (JSC::JSModuleRecord::destroy):
+        * runtime/JSPropertyNameEnumerator.cpp:
+        (JSC::JSPropertyNameEnumerator::destroy):
+        * runtime/JSSegmentedVariableObject.h:
+        * runtime/SymbolTable.cpp:
+        (JSC::SymbolTable::destroy):
+        * runtime/VM.h:
+        * wasm/js/JSWebAssemblyCallee.cpp:
+        (JSC::JSWebAssemblyCallee::destroy):
+        * wasm/js/WebAssemblyModuleRecord.cpp:
+        (JSC::WebAssemblyModuleRecord::destroy):
+        * wasm/js/WebAssemblyToJSCallee.cpp:
+        (JSC::WebAssemblyToJSCallee::WebAssemblyToJSCallee):
+        (JSC::WebAssemblyToJSCallee::destroy):
+
 2017-01-17  Filip Pizlo  <fpizlo@apple.com>
 

trunk/Source/JavaScriptCore/bytecode/EvalCodeBlock.cpp

@@ -40 +40 @@
 void EvalCodeBlock::destroy(JSCell* cell)
 {
-    jsCast<EvalCodeBlock*>(cell)->~EvalCodeBlock();
+    static_cast<EvalCodeBlock*>(cell)->~EvalCodeBlock();
 }
 

trunk/Source/JavaScriptCore/bytecode/FunctionCodeBlock.cpp

@@ -40 +40 @@
 void FunctionCodeBlock::destroy(JSCell* cell)
 {
-    jsCast<FunctionCodeBlock*>(cell)->~FunctionCodeBlock();
+    static_cast<FunctionCodeBlock*>(cell)->~FunctionCodeBlock();
 }
 

trunk/Source/JavaScriptCore/bytecode/ModuleProgramCodeBlock.cpp

@@ -40 +40 @@
 void ModuleProgramCodeBlock::destroy(JSCell* cell)
 {
-    jsCast<ModuleProgramCodeBlock*>(cell)->~ModuleProgramCodeBlock();
+    static_cast<ModuleProgramCodeBlock*>(cell)->~ModuleProgramCodeBlock();
 }
 

trunk/Source/JavaScriptCore/bytecode/ProgramCodeBlock.cpp

@@ -40 +40 @@
 void ProgramCodeBlock::destroy(JSCell* cell)
 {
-    jsCast<ProgramCodeBlock*>(cell)->~ProgramCodeBlock();
+    static_cast<ProgramCodeBlock*>(cell)->~ProgramCodeBlock();
 }
 

trunk/Source/JavaScriptCore/bytecode/UnlinkedEvalCodeBlock.cpp

@@ -35 +35 @@
 void UnlinkedEvalCodeBlock::destroy(JSCell* cell)
 {
-    jsCast<UnlinkedEvalCodeBlock*>(cell)->~UnlinkedEvalCodeBlock();
+    static_cast<UnlinkedEvalCodeBlock*>(cell)->~UnlinkedEvalCodeBlock();
 }
 

trunk/Source/JavaScriptCore/bytecode/UnlinkedFunctionCodeBlock.cpp

@@ -35 +35 @@
 void UnlinkedFunctionCodeBlock::destroy(JSCell* cell)
 {
-    jsCast<UnlinkedFunctionCodeBlock*>(cell)->~UnlinkedFunctionCodeBlock();
+    static_cast<UnlinkedFunctionCodeBlock*>(cell)->~UnlinkedFunctionCodeBlock();
 }
 

trunk/Source/JavaScriptCore/bytecode/UnlinkedFunctionExecutable.cpp

@@ -120 +120 @@
 void UnlinkedFunctionExecutable::destroy(JSCell* cell)
 {
-    jsCast<UnlinkedFunctionExecutable*>(cell)->~UnlinkedFunctionExecutable();
+    static_cast<UnlinkedFunctionExecutable*>(cell)->~UnlinkedFunctionExecutable();
 }
 

trunk/Source/JavaScriptCore/bytecode/UnlinkedModuleProgramCodeBlock.cpp

@@ -43 +43 @@
 void UnlinkedModuleProgramCodeBlock::destroy(JSCell* cell)
 {
-    jsCast<UnlinkedModuleProgramCodeBlock*>(cell)->~UnlinkedModuleProgramCodeBlock();
+    static_cast<UnlinkedModuleProgramCodeBlock*>(cell)->~UnlinkedModuleProgramCodeBlock();
 }
 

trunk/Source/JavaScriptCore/bytecode/UnlinkedProgramCodeBlock.cpp

@@ -43 +43 @@
 void UnlinkedProgramCodeBlock::destroy(JSCell* cell)
 {
-    jsCast<UnlinkedProgramCodeBlock*>(cell)->~UnlinkedProgramCodeBlock();
+    static_cast<UnlinkedProgramCodeBlock*>(cell)->~UnlinkedProgramCodeBlock();
 }
 

trunk/Source/JavaScriptCore/heap/CodeBlockSet.cpp

@@ -66 +66 @@
     LockHolder locker(&m_lock);
     for (CodeBlock* codeBlock : m_newCodeBlocks)
-        codeBlock->classInfo()->methodTable.destroy(codeBlock);
+        codeBlock->structure()->classInfo()->methodTable.destroy(codeBlock);
 
     for (CodeBlock* codeBlock : m_oldCodeBlocks)
-        codeBlock->classInfo()->methodTable.destroy(codeBlock);
+        codeBlock->structure()->classInfo()->methodTable.destroy(codeBlock);
 }
 
@@ -84 +84 @@
         }
         for (CodeBlock* codeBlock : unmarked) {
-            codeBlock->classInfo()->methodTable.destroy(codeBlock);
+            codeBlock->structure()->classInfo()->methodTable.destroy(codeBlock);
             set.remove(codeBlock);
         }

trunk/Source/JavaScriptCore/heap/MarkedAllocator.cpp

@@ -212 +212 @@
     didConsumeFreeList();
     
-    AllocatingScope healpingHeap(*m_heap);
+    AllocatingScope helpingHeap(*m_heap);
 
     m_heap->collectIfNecessaryOrDefer(deferralContext);

trunk/Source/JavaScriptCore/heap/MarkedBlock.cpp

@@ -27 +27 @@
 #include "MarkedBlock.h"
 
+#include "HelpingGCScope.h"
 #include "JSCell.h"
 #include "JSDestructibleObject.h"
@@ -196 +197 @@
 FreeList MarkedBlock::Handle::sweep(SweepMode sweepMode)
 {
+    // FIXME: Maybe HelpingGCScope should just be called SweepScope?
+    HelpingGCScope helpingGCScope(*heap());
+    
     m_allocator->setIsUnswept(NoLockingNecessary, this, false);
     

trunk/Source/JavaScriptCore/jit/JITThunks.cpp

@@ -85 +85 @@
 void JITThunks::finalize(Handle<Unknown> handle, void*)
 {
-    auto* nativeExecutable = jsCast<NativeExecutable*>(handle.get().asCell());
+    auto* nativeExecutable = static_cast<NativeExecutable*>(handle.get().asCell());
     weakRemove(*m_hostFunctionStubMap, std::make_tuple(nativeExecutable->function(), nativeExecutable->constructor(), nativeExecutable->name()), nativeExecutable);
 }

trunk/Source/JavaScriptCore/runtime/AbstractModuleRecord.cpp

@@ -47 +47 @@
 void AbstractModuleRecord::destroy(JSCell* cell)
 {
-    AbstractModuleRecord* thisObject = jsCast<AbstractModuleRecord*>(cell);
+    AbstractModuleRecord* thisObject = static_cast<AbstractModuleRecord*>(cell);
     thisObject->AbstractModuleRecord::~AbstractModuleRecord();
 }

trunk/Source/JavaScriptCore/runtime/ExecutableBase.cpp

@@ -61 +61 @@
     m_numParametersForConstruct = NUM_PARAMETERS_NOT_COMPILED;
 
-    if (classInfo() == FunctionExecutable::info()) {
-        FunctionExecutable* executable = jsCast<FunctionExecutable*>(this);
+    if (structure()->classInfo() == FunctionExecutable::info()) {
+        FunctionExecutable* executable = static_cast<FunctionExecutable*>(this);
         executable->m_codeBlockForCall.clear();
         executable->m_codeBlockForConstruct.clear();
@@ -68 +68 @@
     }
 
-    if (classInfo() == EvalExecutable::info()) {
-        EvalExecutable* executable = jsCast<EvalExecutable*>(this);
+    if (structure()->classInfo() == EvalExecutable::info()) {
+        EvalExecutable* executable = static_cast<EvalExecutable*>(this);
         executable->m_evalCodeBlock.clear();
         executable->m_unlinkedEvalCodeBlock.clear();
@@ -75 +75 @@
     }
     
-    if (classInfo() == ProgramExecutable::info()) {
-        ProgramExecutable* executable = jsCast<ProgramExecutable*>(this);
+    if (structure()->classInfo() == ProgramExecutable::info()) {
+        ProgramExecutable* executable = static_cast<ProgramExecutable*>(this);
         executable->m_programCodeBlock.clear();
         executable->m_unlinkedProgramCodeBlock.clear();
@@ -82 +82 @@
     }
 
-    if (classInfo() == ModuleProgramExecutable::info()) {
-        ModuleProgramExecutable* executable = jsCast<ModuleProgramExecutable*>(this);
+    if (structure()->classInfo() == ModuleProgramExecutable::info()) {
+        ModuleProgramExecutable* executable = static_cast<ModuleProgramExecutable*>(this);
         executable->m_moduleProgramCodeBlock.clear();
         executable->m_unlinkedModuleProgramCodeBlock.clear();
@@ -90 +90 @@
     }
     
-    ASSERT(classInfo() == NativeExecutable::info());
+    ASSERT(structure()->classInfo() == NativeExecutable::info());
 }
 

trunk/Source/JavaScriptCore/runtime/JSCellInlines.h

@@ -268 +268 @@
 ALWAYS_INLINE const ClassInfo* JSCell::classInfo() const
 {
-    if (isLargeAllocation()) {
-        LargeAllocation& allocation = largeAllocation();
-        if (allocation.attributes().destruction == NeedsDestruction
-            && !(inlineTypeFlags() & StructureIsImmortal))
-            return static_cast<const JSDestructibleObject*>(this)->classInfo();
-        return structure(*allocation.vm())->classInfo();
-    }
-    MarkedBlock& block = markedBlock();
-    if (block.needsDestruction() && !(inlineTypeFlags() & StructureIsImmortal))
-        return static_cast<const JSDestructibleObject*>(this)->classInfo();
-    return structure(*block.vm())->classInfo();
+    VM* vm;
+    if (isLargeAllocation())
+        vm = largeAllocation().vm();
+    else
+        vm = markedBlock().vm();
+    ASSERT(vm->heap.mutatorState() == MutatorState::Running || vm->apiLock().ownerThread() != std::this_thread::get_id());
+    return structure(*vm)->classInfo();
 }
 
@@ -308 +304 @@
         destroy(this);
     } else
-        jsCast<JSDestructibleObject*>(this)->classInfo()->methodTable.destroy(this);
+        static_cast<JSDestructibleObject*>(this)->classInfo()->methodTable.destroy(this);
     zap();
 }

trunk/Source/JavaScriptCore/runtime/JSLock.h

@@ -100 +100 @@
         return m_ownerThreadID;
     }
+    std::thread::id ownerThread() const { return m_ownerThreadID; }
     JS_EXPORT_PRIVATE void setExclusiveThread(std::thread::id);
     JS_EXPORT_PRIVATE bool currentThreadIsHoldingLock();

trunk/Source/JavaScriptCore/runtime/JSModuleNamespaceObject.cpp

@@ -84 +84 @@
 void JSModuleNamespaceObject::destroy(JSCell* cell)
 {
-    JSModuleNamespaceObject* thisObject = jsCast<JSModuleNamespaceObject*>(cell);
+    JSModuleNamespaceObject* thisObject = static_cast<JSModuleNamespaceObject*>(cell);
     thisObject->JSModuleNamespaceObject::~JSModuleNamespaceObject();
 }

trunk/Source/JavaScriptCore/runtime/JSModuleRecord.cpp

@@ -60 +60 @@
 void JSModuleRecord::destroy(JSCell* cell)
 {
-    JSModuleRecord* thisObject = jsCast<JSModuleRecord*>(cell);
+    JSModuleRecord* thisObject = static_cast<JSModuleRecord*>(cell);
     thisObject->JSModuleRecord::~JSModuleRecord();
 }

trunk/Source/JavaScriptCore/runtime/JSPropertyNameEnumerator.cpp

@@ -84 +84 @@
 void JSPropertyNameEnumerator::destroy(JSCell* cell)
 {
-    jsCast<JSPropertyNameEnumerator*>(cell)->JSPropertyNameEnumerator::~JSPropertyNameEnumerator();
+    static_cast<JSPropertyNameEnumerator*>(cell)->JSPropertyNameEnumerator::~JSPropertyNameEnumerator();
 }
 

trunk/Source/JavaScriptCore/runtime/JSSegmentedVariableObject.h

@@ -47 +47 @@
 // JSSegmentedVariableObject has its own GC tracing functionality, since it knows the
 // exact dimensions of the variables array at all times.
+
+// Except for JSGlobalObject, subclasses of this don't call the destructor and leak memory.
 
 class JSSegmentedVariableObject : public JSSymbolTableObject {

trunk/Source/JavaScriptCore/runtime/StructureInlines.h

@@ -260 +260 @@
         return true;
     
-    RELEASE_ASSERT(numberOfSlotsForLastOffset(m_offset, m_inlineCapacity) == propertyTable->propertyStorageSize());
     unsigned totalSize = propertyTable->propertyStorageSize();
-    RELEASE_ASSERT((totalSize < inlineCapacity() ? 0 : totalSize - inlineCapacity()) == numberOfOutOfLineSlotsForLastOffset(m_offset));
+    unsigned inlineOverflowAccordingToTotalSize = totalSize < m_inlineCapacity ? 0 : totalSize - m_inlineCapacity;
+
+    auto fail = [&] (const char* description) {
+        dataLog("Detected offset inconsistency: ", description, "!\n");
+        dataLog("this = ", RawPointer(this), "\n");
+        dataLog("m_offset = ", m_offset, "\n");
+        dataLog("m_inlineCapacity = ", m_inlineCapacity, "\n");
+        dataLog("propertyTable = ", RawPointer(propertyTable), "\n");
+        dataLog("numberOfSlotsForLastOffset = ", numberOfSlotsForLastOffset(m_offset, m_inlineCapacity), "\n");
+        dataLog("totalSize = ", totalSize, "\n");
+        dataLog("inlineOverflowAccordingToTotalSize = ", inlineOverflowAccordingToTotalSize, "\n");
+        dataLog("numberOfOutOfLineSlotsForLastOffset = ", numberOfOutOfLineSlotsForLastOffset(m_offset), "\n");
+        UNREACHABLE_FOR_PLATFORM();
+    };
+    
+    if (numberOfSlotsForLastOffset(m_offset, m_inlineCapacity) != totalSize)
+        fail("numberOfSlotsForLastOffset doesn't match totalSize");
+    if (inlineOverflowAccordingToTotalSize != numberOfOutOfLineSlotsForLastOffset(m_offset))
+        fail("inlineOverflowAccordingToTotalSize doesn't match numberOfOutOfLineSlotsForLastOffset");
 
     return true;

trunk/Source/JavaScriptCore/runtime/SymbolTable.cpp

@@ -50 +50 @@
 void SymbolTable::destroy(JSCell* cell)
 {
-    SymbolTable* thisObject = jsCast<SymbolTable*>(cell);
+    SymbolTable* thisObject = static_cast<SymbolTable*>(cell);
     thisObject->SymbolTable::~SymbolTable();
 }

trunk/Source/JavaScriptCore/runtime/VM.h

@@ -364 +364 @@
     std::unique_ptr<Wasm::SignatureInformation> m_wasmSignatureInformation;
 #endif
+    
+    JSCell* currentlyDestructingCallbackObject;
+    const ClassInfo* currentlyDestructingCallbackObjectClassInfo;
 
     AtomicStringTable* m_atomicStringTable;

trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyCallee.cpp

@@ -48 +48 @@
 void JSWebAssemblyCallee::destroy(JSCell* cell)
 {
-    JSWebAssemblyCallee* thisObject = jsCast<JSWebAssemblyCallee*>(cell);
+    JSWebAssemblyCallee* thisObject = static_cast<JSWebAssemblyCallee*>(cell);
     thisObject->JSWebAssemblyCallee::~JSWebAssemblyCallee();
 }

trunk/Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp

@@ -65 +65 @@
 void WebAssemblyModuleRecord::destroy(JSCell* cell)
 {
-    WebAssemblyModuleRecord* thisObject = jsCast<WebAssemblyModuleRecord*>(cell);
+    WebAssemblyModuleRecord* thisObject = static_cast<WebAssemblyModuleRecord*>(cell);
     thisObject->WebAssemblyModuleRecord::~WebAssemblyModuleRecord();
 }

trunk/Source/JavaScriptCore/wasm/js/WebAssemblyToJSCallee.cpp

@@ -49 +49 @@
 WebAssemblyToJSCallee::WebAssemblyToJSCallee(VM& vm, Structure* structure)
     : Base(vm, structure)
-{ }
+{
+}
 
 void WebAssemblyToJSCallee::finishCreation(VM& vm)
@@ -58 +59 @@
 void WebAssemblyToJSCallee::destroy(JSCell* cell)
 {
-    WebAssemblyToJSCallee* thisObject = jsCast<WebAssemblyToJSCallee*>(cell);
+    WebAssemblyToJSCallee* thisObject = static_cast<WebAssemblyToJSCallee*>(cell);
     thisObject->WebAssemblyToJSCallee::~WebAssemblyToJSCallee();
 }

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2017-01-16  Filip Pizlo  <fpizlo@apple.com>
+
+        JSCell::classInfo() shouldn't have a bunch of mitigations for being called during destruction
+        https://bugs.webkit.org/show_bug.cgi?id=167066
+
+        Reviewed by Keith Miller and Michael Saboff.
+
+        No new tests because no new behavior.
+        
+        It's now necessary to avoid jsCast in destructors and finalizers. This was an easy
+        rule to introduce because this used to always be the rule.
+
+        * bindings/js/JSCSSValueCustom.cpp:
+        (WebCore::JSDeprecatedCSSOMValueOwner::finalize):
+        * bindings/js/JSDOMIterator.h:
+        (WebCore::IteratorTraits>::destroy):
+        * bindings/scripts/CodeGeneratorJS.pm:
+        (GenerateImplementation):
+
 2017-01-17  Joseph Pecoraro  <pecoraro@apple.com>
 

trunk/Source/WebCore/bindings/js/JSCSSValueCustom.cpp

@@ -51 +51 @@
 void JSDeprecatedCSSOMValueOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
 {
-    JSDeprecatedCSSOMValue* jsCSSValue = jsCast<JSDeprecatedCSSOMValue*>(handle.slot()->asCell());
+    JSDeprecatedCSSOMValue* jsCSSValue = static_cast<JSDeprecatedCSSOMValue*>(handle.slot()->asCell());
     DOMWrapperWorld& world = *static_cast<DOMWrapperWorld*>(context);
     world.m_deprecatedCSSOMValueRoots.remove(&jsCSSValue->wrapped());

trunk/Source/WebCore/bindings/js/JSDOMIterator.h

@@ -226 +226 @@
 void JSDOMIterator<JSWrapper, IteratorTraits>::destroy(JSCell* cell)
 {
-    JSDOMIterator<JSWrapper, IteratorTraits>* thisObject = JSC::jsCast<JSDOMIterator<JSWrapper, IteratorTraits>*>(cell);
+    JSDOMIterator<JSWrapper, IteratorTraits>* thisObject = static_cast<JSDOMIterator<JSWrapper, IteratorTraits>*>(cell);
     thisObject->JSDOMIterator<JSWrapper, IteratorTraits>::~JSDOMIterator();
 }

trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm

@@ -4244 +4244 @@
         push(@implContent, "void JS${interfaceName}Owner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)\n");
         push(@implContent, "{\n");
-        push(@implContent, "    auto* js${interfaceName} = jsCast<JS${interfaceName}*>(handle.slot()->asCell());\n");
+        push(@implContent, "    auto* js${interfaceName} = static_cast<JS${interfaceName}*>(handle.slot()->asCell());\n");
         push(@implContent, "    auto& world = *static_cast<DOMWrapperWorld*>(context);\n");
         push(@implContent, "    uncacheWrapper(world, &js${interfaceName}->wrapped(), js${interfaceName});\n");

trunk/Source/WebCore/bindings/scripts/test/JS/JSInterfaceName.cpp

@@ -175 +175 @@
 void JSInterfaceNameOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
 {
-    auto* jsInterfaceName = jsCast<JSInterfaceName*>(handle.slot()->asCell());
+    auto* jsInterfaceName = static_cast<JSInterfaceName*>(handle.slot()->asCell());
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsInterfaceName->wrapped(), jsInterfaceName);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestActiveDOMObject.cpp

@@ -256 +256 @@
 void JSTestActiveDOMObjectOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
 {
-    auto* jsTestActiveDOMObject = jsCast<JSTestActiveDOMObject*>(handle.slot()->asCell());
+    auto* jsTestActiveDOMObject = static_cast<JSTestActiveDOMObject*>(handle.slot()->asCell());
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestActiveDOMObject->wrapped(), jsTestActiveDOMObject);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCEReactions.cpp

@@ -316 +316 @@
 void JSTestCEReactionsOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
 {
-    auto* jsTestCEReactions = jsCast<JSTestCEReactions*>(handle.slot()->asCell());
+    auto* jsTestCEReactions = static_cast<JSTestCEReactions*>(handle.slot()->asCell());
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestCEReactions->wrapped(), jsTestCEReactions);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCEReactionsStringifier.cpp

@@ -233 +233 @@
 void JSTestCEReactionsStringifierOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
 {
-    auto* jsTestCEReactionsStringifier = jsCast<JSTestCEReactionsStringifier*>(handle.slot()->asCell());
+    auto* jsTestCEReactionsStringifier = static_cast<JSTestCEReactionsStringifier*>(handle.slot()->asCell());
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestCEReactionsStringifier->wrapped(), jsTestCEReactionsStringifier);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestClassWithJSBuiltinConstructor.cpp

@@ -174 +174 @@
 void JSTestClassWithJSBuiltinConstructorOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
 {
-    auto* jsTestClassWithJSBuiltinConstructor = jsCast<JSTestClassWithJSBuiltinConstructor*>(handle.slot()->asCell());
+    auto* jsTestClassWithJSBuiltinConstructor = static_cast<JSTestClassWithJSBuiltinConstructor*>(handle.slot()->asCell());
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestClassWithJSBuiltinConstructor->wrapped(), jsTestClassWithJSBuiltinConstructor);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCustomConstructorWithNoInterfaceObject.cpp

@@ -165 +165 @@
 void JSTestCustomConstructorWithNoInterfaceObjectOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
 {
-    auto* jsTestCustomConstructorWithNoInterfaceObject = jsCast<JSTestCustomConstructorWithNoInterfaceObject*>(handle.slot()->asCell());
+    auto* jsTestCustomConstructorWithNoInterfaceObject = static_cast<JSTestCustomConstructorWithNoInterfaceObject*>(handle.slot()->asCell());
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestCustomConstructorWithNoInterfaceObject->wrapped(), jsTestCustomConstructorWithNoInterfaceObject);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCustomNamedGetter.cpp

@@ -228 +228 @@
 void JSTestCustomNamedGetterOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
 {
-    auto* jsTestCustomNamedGetter = jsCast<JSTestCustomNamedGetter*>(handle.slot()->asCell());
+    auto* jsTestCustomNamedGetter = static_cast<JSTestCustomNamedGetter*>(handle.slot()->asCell());
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestCustomNamedGetter->wrapped(), jsTestCustomNamedGetter);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestException.cpp

@@ -198 +198 @@
 void JSTestExceptionOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
 {
-    auto* jsTestException = jsCast<JSTestException*>(handle.slot()->asCell());
+    auto* jsTestException = static_cast<JSTestException*>(handle.slot()->asCell());
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestException->wrapped(), jsTestException);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestGenerateIsReachable.cpp

@@ -161 +161 @@
 void JSTestGenerateIsReachableOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
 {
-    auto* jsTestGenerateIsReachable = jsCast<JSTestGenerateIsReachable*>(handle.slot()->asCell());
+    auto* jsTestGenerateIsReachable = static_cast<JSTestGenerateIsReachable*>(handle.slot()->asCell());
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestGenerateIsReachable->wrapped(), jsTestGenerateIsReachable);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestGlobalObject.cpp

@@ -503 +503 @@
 void JSTestGlobalObjectOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
 {
-    auto* jsTestGlobalObject = jsCast<JSTestGlobalObject*>(handle.slot()->asCell());
+    auto* jsTestGlobalObject = static_cast<JSTestGlobalObject*>(handle.slot()->asCell());
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestGlobalObject->wrapped(), jsTestGlobalObject);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestInterface.cpp

@@ -991 +991 @@
 void JSTestInterfaceOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
 {
-    auto* jsTestInterface = jsCast<JSTestInterface*>(handle.slot()->asCell());
+    auto* jsTestInterface = static_cast<JSTestInterface*>(handle.slot()->asCell());
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestInterface->wrapped(), jsTestInterface);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestInterfaceLeadingUnderscore.cpp

@@ -185 +185 @@
 void JSTestInterfaceLeadingUnderscoreOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
 {
-    auto* jsTestInterfaceLeadingUnderscore = jsCast<JSTestInterfaceLeadingUnderscore*>(handle.slot()->asCell());
+    auto* jsTestInterfaceLeadingUnderscore = static_cast<JSTestInterfaceLeadingUnderscore*>(handle.slot()->asCell());
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestInterfaceLeadingUnderscore->wrapped(), jsTestInterfaceLeadingUnderscore);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestIterable.cpp

@@ -245 +245 @@
 void JSTestIterableOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
 {
-    auto* jsTestIterable = jsCast<JSTestIterable*>(handle.slot()->asCell());
+    auto* jsTestIterable = static_cast<JSTestIterable*>(handle.slot()->asCell());
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestIterable->wrapped(), jsTestIterable);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestMediaQueryListListener.cpp

@@ -194 +194 @@
 void JSTestMediaQueryListListenerOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
 {
-    auto* jsTestMediaQueryListListener = jsCast<JSTestMediaQueryListListener*>(handle.slot()->asCell());
+    auto* jsTestMediaQueryListListener = static_cast<JSTestMediaQueryListListener*>(handle.slot()->asCell());
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestMediaQueryListListener->wrapped(), jsTestMediaQueryListListener);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedConstructor.cpp

@@ -205 +205 @@
 void JSTestNamedConstructorOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
 {
-    auto* jsTestNamedConstructor = jsCast<JSTestNamedConstructor*>(handle.slot()->asCell());
+    auto* jsTestNamedConstructor = static_cast<JSTestNamedConstructor*>(handle.slot()->asCell());
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestNamedConstructor->wrapped(), jsTestNamedConstructor);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestObj.cpp

@@ -8618 +8618 @@
 void JSTestObjOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
 {
-    auto* jsTestObj = jsCast<JSTestObj*>(handle.slot()->asCell());
+    auto* jsTestObj = static_cast<JSTestObj*>(handle.slot()->asCell());
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestObj->wrapped(), jsTestObj);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestOverloadedConstructors.cpp

@@ -261 +261 @@
 void JSTestOverloadedConstructorsOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
 {
-    auto* jsTestOverloadedConstructors = jsCast<JSTestOverloadedConstructors*>(handle.slot()->asCell());
+    auto* jsTestOverloadedConstructors = static_cast<JSTestOverloadedConstructors*>(handle.slot()->asCell());
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestOverloadedConstructors->wrapped(), jsTestOverloadedConstructors);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestOverloadedConstructorsWithSequence.cpp

@@ -212 +212 @@
 void JSTestOverloadedConstructorsWithSequenceOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
 {
-    auto* jsTestOverloadedConstructorsWithSequence = jsCast<JSTestOverloadedConstructorsWithSequence*>(handle.slot()->asCell());
+    auto* jsTestOverloadedConstructorsWithSequence = static_cast<JSTestOverloadedConstructorsWithSequence*>(handle.slot()->asCell());
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestOverloadedConstructorsWithSequence->wrapped(), jsTestOverloadedConstructorsWithSequence);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestOverrideBuiltins.cpp

@@ -233 +233 @@
 void JSTestOverrideBuiltinsOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
 {
-    auto* jsTestOverrideBuiltins = jsCast<JSTestOverrideBuiltins*>(handle.slot()->asCell());
+    auto* jsTestOverrideBuiltins = static_cast<JSTestOverrideBuiltins*>(handle.slot()->asCell());
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestOverrideBuiltins->wrapped(), jsTestOverrideBuiltins);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestSerialization.cpp

@@ -398 +398 @@
 void JSTestSerializationOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
 {
-    auto* jsTestSerialization = jsCast<JSTestSerialization*>(handle.slot()->asCell());
+    auto* jsTestSerialization = static_cast<JSTestSerialization*>(handle.slot()->asCell());
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestSerialization->wrapped(), jsTestSerialization);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestSerializedScriptValueInterface.cpp

@@ -366 +366 @@
 void JSTestSerializedScriptValueInterfaceOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
 {
-    auto* jsTestSerializedScriptValueInterface = jsCast<JSTestSerializedScriptValueInterface*>(handle.slot()->asCell());
+    auto* jsTestSerializedScriptValueInterface = static_cast<JSTestSerializedScriptValueInterface*>(handle.slot()->asCell());
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestSerializedScriptValueInterface->wrapped(), jsTestSerializedScriptValueInterface);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestTypedefs.cpp

@@ -771 +771 @@
 void JSTestTypedefsOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
 {
-    auto* jsTestTypedefs = jsCast<JSTestTypedefs*>(handle.slot()->asCell());
+    auto* jsTestTypedefs = static_cast<JSTestTypedefs*>(handle.slot()->asCell());
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestTypedefs->wrapped(), jsTestTypedefs);

trunk/Source/WebKit2/ChangeLog

@@ +1 @@
+2017-01-17  Filip Pizlo  <fpizlo@apple.com>
+
+        JSCell::classInfo() shouldn't have a bunch of mitigations for being called during destruction
+        https://bugs.webkit.org/show_bug.cgi?id=167066
+
+        Reviewed by Keith Miller and Michael Saboff.
+        
+        Just remove now-erroneous use of jsCast<>.
+
+        * WebProcess/Plugins/Netscape/NPRuntimeObjectMap.cpp:
+        (WebKit::NPRuntimeObjectMap::finalize):
+
 2017-01-17  Joseph Pecoraro  <pecoraro@apple.com>
 

trunk/Source/WebKit2/WebProcess/Plugins/Netscape/NPRuntimeObjectMap.cpp

@@ -300 +300 @@
 void NPRuntimeObjectMap::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
 {
-    JSNPObject* object = jsCast<JSNPObject*>(handle.get().asCell());
+    JSNPObject* object = static_cast<JSNPObject*>(handle.get().asCell());
     weakRemove(m_jsNPObjects, static_cast<NPObject*>(context), object);
     addToInvalidationQueue(object->leakNPObject());