Changeset 217240 in webkit

Timestamp:

May 22, 2017 12:48:38 PM (7 years ago)

Author:

keith_miller@apple.com

Message:

[Cocoa] An exported Objective C class’s prototype and constructor don't persist across JSContext deallocation
​https://bugs.webkit.org/show_bug.cgi?id=167708

Reviewed by Geoffrey Garen.

This patch moves the Objective C wrapper map to the global object. In order to make this work the JSWrapperMap
class no longer holds a reference to the JSContext. Instead, the context must be provided when getting a wrapper.

Also, this patch fixes a "bug" where we would observe changes to the Object property on the global object when
creating a wrapper for NSObject.

• API/APICast.h:

(toJSGlobalObject):

• API/JSContext.mm:

(-[JSContext ensureWrapperMap]):
(-[JSContext initWithVirtualMachine:]):
(-[JSContext dealloc]):
(-[JSContext wrapperMap]):
(-[JSContext initWithGlobalContextRef:]):
(-[JSContext wrapperForObjCObject:]):
(-[JSContext wrapperForJSObject:]):

• API/JSWrapperMap.h:
• API/JSWrapperMap.mm:

(-[JSObjCClassInfo initForClass:]):
(-[JSObjCClassInfo allocateConstructorAndPrototypeInContext:]):
(-[JSObjCClassInfo wrapperForObject:inContext:]):
(-[JSObjCClassInfo constructorInContext:]):
(-[JSObjCClassInfo prototypeInContext:]):
(-[JSWrapperMap initWithGlobalContextRef:]):
(-[JSWrapperMap classInfoForClass:]):
(-[JSWrapperMap jsWrapperForObject:inContext:]):
(-[JSWrapperMap objcWrapperForJSValueRef:inContext:]):
(-[JSObjCClassInfo initWithContext:forClass:]): Deleted.
(-[JSObjCClassInfo allocateConstructorAndPrototype]): Deleted.
(-[JSObjCClassInfo wrapperForObject:]): Deleted.
(-[JSObjCClassInfo constructor]): Deleted.
(-[JSObjCClassInfo prototype]): Deleted.
(-[JSWrapperMap initWithContext:]): Deleted.
(-[JSWrapperMap jsWrapperForObject:]): Deleted.
(-[JSWrapperMap objcWrapperForJSValueRef:]): Deleted.

• API/tests/JSExportTests.mm:

(wrapperLifetimeIsTiedToGlobalObject):
(runJSExportTests):

• API/tests/testapi.mm:
• runtime/JSGlobalObject.h:

(JSC::JSGlobalObject::wrapperMap):
(JSC::JSGlobalObject::setWrapperMap):

Location:

trunk/Source/JavaScriptCore

Files:

• API/APICast.h (modified) (1 diff)
• API/JSContext.mm (modified) (9 diffs)
• API/JSWrapperMap.h (modified) (1 diff)
• API/JSWrapperMap.mm (modified) (16 diffs)
• API/tests/JSExportTests.mm (modified) (2 diffs)
• API/tests/testapi.mm (modified) (3 diffs)
• ChangeLog (modified) (1 diff)
• runtime/JSGlobalObject.h (modified) (3 diffs)

trunk/Source/JavaScriptCore/API/APICast.h

@@ -59 +59 @@
     ASSERT(c);
     return reinterpret_cast<JSC::ExecState*>(c);
+}
+
+inline JSC::JSGlobalObject* toJSGlobalObject(JSGlobalContextRef context)
+{
+    return toJS(context)->lexicalGlobalObject();
 }
 

trunk/Source/JavaScriptCore/API/JSContext.mm

@@ -44 +44 @@
     JSVirtualMachine *m_virtualMachine;
     JSGlobalContextRef m_context;
-    JSWrapperMap *m_wrapperMap;
     JSC::Strong<JSC::JSObject> m_exception;
 }
@@ -51 +50 @@
 {
     return m_context;
+}
+
+- (void)ensureWrapperMap
+{
+    if (!toJS([self JSGlobalContextRef])->lexicalGlobalObject()->wrapperMap())
+        [[JSWrapperMap alloc] initWithGlobalContextRef:[self JSGlobalContextRef]];
 }
 
@@ -66 +71 @@
     m_virtualMachine = [virtualMachine retain];
     m_context = JSGlobalContextCreateInGroup(getGroupFromVirtualMachine(virtualMachine), 0);
-    m_wrapperMap = [[JSWrapperMap alloc] initWithContext:self];
 
     self.exceptionHandler = ^(JSContext *context, JSValue *exceptionValue) {
@@ -72 +76 @@
     };
 
+    [self ensureWrapperMap];
     [m_virtualMachine addContext:self forGlobalContextRef:m_context];
 
@@ -80 +85 @@
 {
     m_exception.clear();
-    [m_wrapperMap release];
     JSGlobalContextRelease(m_context);
     [m_virtualMachine release];
@@ -126 +130 @@
 - (JSWrapperMap *)wrapperMap
 {
-    return m_wrapperMap;
+    return toJS(m_context)->lexicalGlobalObject()->wrapperMap();
 }
 
@@ -259 +263 @@
     ASSERT(m_virtualMachine);
     m_context = JSGlobalContextRetain(context);
-    m_wrapperMap = [[JSWrapperMap alloc] initWithContext:self];
+    [self ensureWrapperMap];
 
     self.exceptionHandler = ^(JSContext *context, JSValue *exceptionValue) {
@@ -310 +314 @@
 {
     JSC::JSLockHolder locker(toJS(m_context));
-    return [m_wrapperMap jsWrapperForObject:object];
+    return [[self wrapperMap] jsWrapperForObject:object inContext:self];
 }
 
@@ -316 +320 @@
 {
     JSC::JSLockHolder locker(toJS(m_context));
-    return [m_wrapperMap objcWrapperForJSValueRef:value];
+    return [[self wrapperMap] objcWrapperForJSValueRef:value inContext:self];
 }
 

trunk/Source/JavaScriptCore/API/JSWrapperMap.h

@@ -32 +32 @@
 @interface JSWrapperMap : NSObject
 
-- (id)initWithContext:(JSContext *)context;
+- (id)initWithGlobalContextRef:(JSGlobalContextRef)context;
 
-- (JSValue *)jsWrapperForObject:(id)object;
+- (JSValue *)jsWrapperForObject:(id)object inContext:(JSContext *)context;
 
-- (JSValue *)objcWrapperForJSValueRef:(JSValueRef)value;
+- (JSValue *)objcWrapperForJSValueRef:(JSValueRef)value inContext:(JSContext *)context;
 
 @end

trunk/Source/JavaScriptCore/API/JSWrapperMap.mm

@@ -36 +36 @@
 #import "ObjCCallbackFunction.h"
 #import "ObjcRuntimeExtras.h"
+#import "ObjectConstructor.h"
 #import "WeakGCMap.h"
 #import "WeakGCMapInlines.h"
@@ -364 +365 @@
 
 @interface JSObjCClassInfo : NSObject {
-    JSContext *m_context;
     Class m_class;
     bool m_block;
@@ -372 +372 @@
 }
 
-- (id)initWithContext:(JSContext *)context forClass:(Class)cls;
-- (JSC::JSObject *)wrapperForObject:(id)object;
-- (JSC::JSObject *)constructor;
-- (JSC::JSObject *)prototype;
+- (id)initForClass:(Class)cls;
+- (JSC::JSObject *)wrapperForObject:(id)object inContext:(JSContext *)context;
+- (JSC::JSObject *)constructorInContext:(JSContext *)context;
+- (JSC::JSObject *)prototypeInContext:(JSContext *)context;
 
 @end
@@ -381 +381 @@
 @implementation JSObjCClassInfo
 
-- (id)initWithContext:(JSContext *)context forClass:(Class)cls
+- (id)initForClass:(Class)cls
 {
     self = [super init];
@@ -388 +388 @@
 
     const char* className = class_getName(cls);
-    m_context = context;
     m_class = cls;
     m_block = [cls isSubclassOfClass:getNSBlockClass()];
@@ -459 +458 @@
 typedef std::pair<JSC::JSObject*, JSC::JSObject*> ConstructorPrototypePair;
 
-- (ConstructorPrototypePair)allocateConstructorAndPrototype
-{
-    JSObjCClassInfo* superClassInfo = [m_context.wrapperMap classInfoForClass:class_getSuperclass(m_class)];
+- (ConstructorPrototypePair)allocateConstructorAndPrototypeInContext:(JSContext *)context
+{
+    JSObjCClassInfo* superClassInfo = [context.wrapperMap classInfoForClass:class_getSuperclass(m_class)];
 
     ASSERT(!m_constructor || !m_prototype);
@@ -470 +469 @@
 
     if (!superClassInfo) {
-        JSContextRef cContext = [m_context JSGlobalContextRef];
-        JSValue *constructor = m_context[@"Object"];
+        JSC::JSGlobalObject* globalObject = toJSGlobalObject([context JSGlobalContextRef]);
         if (!jsConstructor)
-            jsConstructor = toJS(JSValueToObject(cContext, valueInternalValue(constructor), 0));
-
-        if (!jsPrototype) {
-            JSValue *prototype = constructor[@"prototype"];
-            jsPrototype = toJS(JSValueToObject(cContext, valueInternalValue(prototype), 0));
-        }
+            jsConstructor = globalObject->objectConstructor();
+
+        if (!jsPrototype)
+            jsPrototype = globalObject->objectPrototype();
     } else {
         const char* className = class_getName(m_class);
@@ -484 +480 @@
         // Create or grab the prototype/constructor pair.
         if (!jsPrototype)
-            jsPrototype = objectWithCustomBrand(m_context, [NSString stringWithFormat:@"%sPrototype", className]);
+            jsPrototype = objectWithCustomBrand(context, [NSString stringWithFormat:@"%sPrototype", className]);
 
         if (!jsConstructor)
-            jsConstructor = allocateConstructorForCustomClass(m_context, className, m_class);
-
-        JSValue* prototype = [JSValue valueWithJSValueRef:toRef(jsPrototype) inContext:m_context];
-        JSValue* constructor = [JSValue valueWithJSValueRef:toRef(jsConstructor) inContext:m_context];
+            jsConstructor = allocateConstructorForCustomClass(context, className, m_class);
+
+        JSValue* prototype = [JSValue valueWithJSValueRef:toRef(jsPrototype) inContext:context];
+        JSValue* constructor = [JSValue valueWithJSValueRef:toRef(jsConstructor) inContext:context];
         putNonEnumerable(prototype, @"constructor", constructor);
         putNonEnumerable(constructor, @"prototype", prototype);
@@ -496 +492 @@
         Protocol *exportProtocol = getJSExportProtocol();
         forEachProtocolImplementingProtocol(m_class, exportProtocol, ^(Protocol *protocol){
-            copyPrototypeProperties(m_context, m_class, protocol, prototype);
-            copyMethodsToObject(m_context, m_class, protocol, NO, constructor);
+            copyPrototypeProperties(context, m_class, protocol, prototype);
+            copyMethodsToObject(context, m_class, protocol, NO, constructor);
         });
 
         // Set [Prototype].
-        JSC::JSObject* superClassPrototype = [superClassInfo prototype];
-        JSObjectSetPrototype([m_context JSGlobalContextRef], toRef(jsPrototype), toRef(superClassPrototype));
+        JSC::JSObject* superClassPrototype = [superClassInfo prototypeInContext:context];
+        JSObjectSetPrototype([context JSGlobalContextRef], toRef(jsPrototype), toRef(superClassPrototype));
     }
 
@@ -510 +506 @@
 }
 
-- (JSC::JSObject*)wrapperForObject:(id)object
+- (JSC::JSObject*)wrapperForObject:(id)object inContext:(JSContext *)context
 {
     ASSERT([object isKindOfClass:m_class]);
     ASSERT(m_block == [object isKindOfClass:getNSBlockClass()]);
     if (m_block) {
-        if (JSObjectRef method = objCCallbackFunctionForBlock(m_context, object)) {
-            JSValue *constructor = [JSValue valueWithJSValueRef:method inContext:m_context];
-            JSValue *prototype = [JSValue valueWithNewObjectInContext:m_context];
+        if (JSObjectRef method = objCCallbackFunctionForBlock(context, object)) {
+            JSValue *constructor = [JSValue valueWithJSValueRef:method inContext:context];
+            JSValue *prototype = [JSValue valueWithNewObjectInContext:context];
             putNonEnumerable(constructor, @"prototype", prototype);
             putNonEnumerable(prototype, @"constructor", constructor);
@@ -524 +520 @@
     }
 
-    JSC::JSObject* prototype = [self prototype];
-
-    JSC::JSObject* wrapper = makeWrapper([m_context JSGlobalContextRef], m_classRef, object);
-    JSObjectSetPrototype([m_context JSGlobalContextRef], toRef(wrapper), toRef(prototype));
+    JSC::JSObject* prototype = [self prototypeInContext:context];
+
+    JSC::JSObject* wrapper = makeWrapper([context JSGlobalContextRef], m_classRef, object);
+    JSObjectSetPrototype([context JSGlobalContextRef], toRef(wrapper), toRef(prototype));
     return wrapper;
 }
 
-- (JSC::JSObject*)constructor
+- (JSC::JSObject*)constructorInContext:(JSContext *)context
 {
     JSC::JSObject* constructor = m_constructor.get();
     if (!constructor)
-        constructor = [self allocateConstructorAndPrototype].first;
+        constructor = [self allocateConstructorAndPrototypeInContext:context].first;
     ASSERT(!!constructor);
     return constructor;
 }
 
-- (JSC::JSObject*)prototype
+- (JSC::JSObject*)prototypeInContext:(JSContext *)context
 {
     JSC::JSObject* prototype = m_prototype.get();
     if (!prototype)
-        prototype = [self allocateConstructorAndPrototype].second;
+        prototype = [self allocateConstructorAndPrototypeInContext:context].second;
     ASSERT(!!prototype);
     return prototype;
@@ -552 +548 @@
 
 @implementation JSWrapperMap {
-    JSContext *m_context;
     NSMutableDictionary *m_classMap;
     std::unique_ptr<JSC::WeakGCMap<id, JSC::JSObject>> m_cachedJSWrappers;
@@ -558 +553 @@
 }
 
-- (id)initWithContext:(JSContext *)context
+- (id)initWithGlobalContextRef:(JSGlobalContextRef)context
 {
     self = [super init];
@@ -568 +563 @@
     m_cachedObjCWrappers = [[NSMapTable alloc] initWithKeyOptions:keyOptions valueOptions:valueOptions capacity:0];
 
-    m_cachedJSWrappers = std::make_unique<JSC::WeakGCMap<id, JSC::JSObject>>(toJS([context JSGlobalContextRef])->vm());
-
-    m_context = context;
+    m_cachedJSWrappers = std::make_unique<JSC::WeakGCMap<id, JSC::JSObject>>(toJS(context)->vm());
+
+    ASSERT(!toJSGlobalObject(context)->wrapperMap());
+    toJSGlobalObject(context)->setWrapperMap(self);
     m_classMap = [[NSMutableDictionary alloc] init];
     return self;
@@ -595 +591 @@
         return m_classMap[cls] = [self classInfoForClass:class_getSuperclass(cls)];
 
-    return m_classMap[cls] = [[[JSObjCClassInfo alloc] initWithContext:m_context forClass:cls] autorelease];
-}
-
-- (JSValue *)jsWrapperForObject:(id)object
-{
+    return m_classMap[cls] = [[[JSObjCClassInfo alloc] initForClass:cls] autorelease];
+}
+
+- (JSValue *)jsWrapperForObject:(id)object inContext:(JSContext *)context
+{
+    ASSERT(toJSGlobalObject([context JSGlobalContextRef])->wrapperMap() == self);
     JSC::JSObject* jsWrapper = m_cachedJSWrappers->get(object);
     if (jsWrapper)
-        return [JSValue valueWithJSValueRef:toRef(jsWrapper) inContext:m_context];
+        return [JSValue valueWithJSValueRef:toRef(jsWrapper) inContext:context];
 
     if (class_isMetaClass(object_getClass(object)))
-        jsWrapper = [[self classInfoForClass:(Class)object] constructor];
+        jsWrapper = [[self classInfoForClass:(Class)object] constructorInContext:context];
     else {
         JSObjCClassInfo* classInfo = [self classInfoForClass:[object class]];
-        jsWrapper = [classInfo wrapperForObject:object];
+        jsWrapper = [classInfo wrapperForObject:object inContext:context];
     }
 
@@ -617 +614 @@
     //     but still, would probably nicer if we made it so that only one associated object was required, broadcasting object dealloc.
     m_cachedJSWrappers->set(object, jsWrapper);
-    return [JSValue valueWithJSValueRef:toRef(jsWrapper) inContext:m_context];
-}
-
-- (JSValue *)objcWrapperForJSValueRef:(JSValueRef)value
-{
+    return [JSValue valueWithJSValueRef:toRef(jsWrapper) inContext:context];
+}
+
+- (JSValue *)objcWrapperForJSValueRef:(JSValueRef)value inContext:context
+{
+    ASSERT(toJSGlobalObject([context JSGlobalContextRef])->wrapperMap() == self);
     JSValue *wrapper = static_cast<JSValue *>(NSMapGet(m_cachedObjCWrappers, value));
     if (!wrapper) {
-        wrapper = [[[JSValue alloc] initWithValue:value inContext:m_context] autorelease];
+        wrapper = [[[JSValue alloc] initWithValue:value inContext:context] autorelease];
         NSMapInsert(m_cachedObjCWrappers, value, wrapper);
     }

trunk/Source/JavaScriptCore/API/tests/JSExportTests.mm

@@ -126 +126 @@
 @end
 
+@protocol AJSExport <JSExport>
+- (instancetype)init;
+@end
+
+@interface A : NSObject <AJSExport>
+@end
+
+@implementation A
+@end
+
+static void wrapperLifetimeIsTiedToGlobalObject()
+{
+    JSGlobalContextRef contextRef;
+    @autoreleasepool {
+        JSContext *context = [[JSContext alloc] init];
+        contextRef = JSGlobalContextRetain(context.JSGlobalContextRef);
+        context[@"A"] = A.class;
+        checkResult(@"Initial wrapper's constructor is itself", [[context evaluateScript:@"new A().constructor === A"] toBool]);
+    }
+
+    @autoreleasepool {
+        JSContext *context = [JSContext contextWithJSGlobalContextRef:contextRef];
+        checkResult(@"New context's wrapper's constructor is itself", [[context evaluateScript:@"new A().constructor === A"] toBool]);
+    }
+
+    JSGlobalContextRelease(contextRef);
+}
+
+static void wrapperForNSObjectisObject()
+{
+    @autoreleasepool {
+        JSContext *context = [[JSContext alloc] init];
+        context[@"Object"] = [[NSNull alloc] init];
+        context.exception = nil;
+
+        context[@"A"] = NSObject.class;
+        NSLog(@"here: %@", [context exception]);
+    }
+}
+
 void runJSExportTests()
 {
@@ -133 +173 @@
         [JSExportTests exportDynamicallyGeneratedProtocolTest];
     }
+    wrapperLifetimeIsTiedToGlobalObject();
+    wrapperForNSObjectisObject();
 }
 

trunk/Source/JavaScriptCore/API/tests/testapi.mm

@@ -513 +513 @@
 static void testObjectiveCAPIMain()
 {
+    runJSExportTests();
+
     @autoreleasepool {
         JSVirtualMachine* vm = [[JSVirtualMachine alloc] init];
@@ -1469 +1471 @@
         checkResult(@"Ran code in five concurrent VMs that GC'd", ok);
     }
-    
+
     currentThisInsideBlockGetterTest();
     runDateTests();
@@ -1508 +1510 @@
 }
 
+
 void testObjectiveCAPI()
 {

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2017-05-22  Keith Miller  <keith_miller@apple.com>
+
+        [Cocoa] An exported Objective C class’s prototype and constructor don't persist across JSContext deallocation
+        https://bugs.webkit.org/show_bug.cgi?id=167708
+
+        Reviewed by Geoffrey Garen.
+
+        This patch moves the Objective C wrapper map to the global object. In order to make this work the JSWrapperMap
+        class no longer holds a reference to the JSContext. Instead, the context must be provided when getting a wrapper.
+
+        Also, this patch fixes a "bug" where we would observe changes to the Object property on the global object when
+        creating a wrapper for NSObject.
+
+        * API/APICast.h:
+        (toJSGlobalObject):
+        * API/JSContext.mm:
+        (-[JSContext ensureWrapperMap]):
+        (-[JSContext initWithVirtualMachine:]):
+        (-[JSContext dealloc]):
+        (-[JSContext wrapperMap]):
+        (-[JSContext initWithGlobalContextRef:]):
+        (-[JSContext wrapperForObjCObject:]):
+        (-[JSContext wrapperForJSObject:]):
+        * API/JSWrapperMap.h:
+        * API/JSWrapperMap.mm:
+        (-[JSObjCClassInfo initForClass:]):
+        (-[JSObjCClassInfo allocateConstructorAndPrototypeInContext:]):
+        (-[JSObjCClassInfo wrapperForObject:inContext:]):
+        (-[JSObjCClassInfo constructorInContext:]):
+        (-[JSObjCClassInfo prototypeInContext:]):
+        (-[JSWrapperMap initWithGlobalContextRef:]):
+        (-[JSWrapperMap classInfoForClass:]):
+        (-[JSWrapperMap jsWrapperForObject:inContext:]):
+        (-[JSWrapperMap objcWrapperForJSValueRef:inContext:]):
+        (-[JSObjCClassInfo initWithContext:forClass:]): Deleted.
+        (-[JSObjCClassInfo allocateConstructorAndPrototype]): Deleted.
+        (-[JSObjCClassInfo wrapperForObject:]): Deleted.
+        (-[JSObjCClassInfo constructor]): Deleted.
+        (-[JSObjCClassInfo prototype]): Deleted.
+        (-[JSWrapperMap initWithContext:]): Deleted.
+        (-[JSWrapperMap jsWrapperForObject:]): Deleted.
+        (-[JSWrapperMap objcWrapperForJSValueRef:]): Deleted.
+        * API/tests/JSExportTests.mm:
+        (wrapperLifetimeIsTiedToGlobalObject):
+        (runJSExportTests):
+        * API/tests/testapi.mm:
+        * runtime/JSGlobalObject.h:
+        (JSC::JSGlobalObject::wrapperMap):
+        (JSC::JSGlobalObject::setWrapperMap):
+
 2017-05-22  Filip Pizlo  <fpizlo@apple.com>
 

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.h

@@ -46 +46 @@
 #include <array>
 #include <wtf/HashSet.h>
+#include <wtf/RetainPtr.h>
 
 struct OpaqueJSClass;
 struct OpaqueJSClassContextData;
+OBJC_CLASS JSWrapperMap;
 
 namespace Inspector {
@@ -830 +832 @@
     bool needsSiteSpecificQuirks() const { return m_needsSiteSpecificQuirks; }
 
+#if JSC_OBJC_API_ENABLED
+    JSWrapperMap* wrapperMap() const { return m_wrapperMap.get(); }
+    void setWrapperMap(JSWrapperMap* map) { m_wrapperMap = map; }
+#endif
+
 protected:
     struct GlobalPropertyInfo {
@@ -859 +866 @@
 
     bool m_needsSiteSpecificQuirks { false };
+#if JSC_OBJC_API_ENABLED
+    RetainPtr<JSWrapperMap> m_wrapperMap;
+#endif
 };