Changeset 37631 in webkit

Timestamp:

Oct 16, 2008 1:00:53 AM (16 years ago)

Author:

ap@webkit.org

Message:

Reviewed by Darin Adler.

​https://bugs.webkit.org/show_bug.cgi?id=21609
Make MessagePorts protect their peers across heaps

JavaScriptCore:

• JavaScriptCore.exp:
• kjs/JSGlobalObject.cpp: (JSC::JSGlobalObject::markCrossHeapDependentObjects):
• kjs/JSGlobalObject.h:
• kjs/collector.cpp: (JSC::Heap::collect): Before GC sweep phase, a function supplied by global object is now called for all global objects in the heap, making it possible to implement cross-heap dependencies.

WebCore:

• dom/MessagePort.cpp: (WebCore::MessagePort::MessagePort):
• dom/MessagePort.h: (WebCore::MessagePort::setJSWrapperIsKnownToBeInaccessible): (WebCore::MessagePort::jsWrapperIsKnownToBeInaccessible): Track objects whose JS wrappers are no longer reachable in MessagePort. Unfortunately, this means that the implementation object knows about JS bindings - but it is not possible to access JS wrappers from another heap/thread.

• bindings/js/JSDOMBinding.cpp: (WebCore::markCrossHeapDependentObjectsForDocument):
• bindings/js/JSDOMBinding.h:
• bindings/js/JSDOMWindowBase.cpp: (WebCore::JSDOMWindowBase::markCrossHeapDependentObjects):
• bindings/js/JSDOMWindowBase.h: Implement cross-heap dependency tracking for entangled MessagePorts. If a wrapper object hasn't been marked normally, it is marked as inaccessible. It is then marked manually, as long as its entangled port is accessible itself.

Location:

trunk

Files:

• JavaScriptCore/ChangeLog (modified) (1 diff)
• JavaScriptCore/JavaScriptCore.exp (modified) (1 diff)
• JavaScriptCore/kjs/JSGlobalObject.cpp (modified) (1 diff)
• JavaScriptCore/kjs/JSGlobalObject.h (modified) (1 diff)
• JavaScriptCore/kjs/collector.cpp (modified) (1 diff)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/bindings/js/JSDOMBinding.cpp (modified) (1 diff)
• WebCore/bindings/js/JSDOMBinding.h (modified) (1 diff)
• WebCore/bindings/js/JSDOMWindowBase.cpp (modified) (1 diff)
• WebCore/bindings/js/JSDOMWindowBase.h (modified) (1 diff)
• WebCore/dom/MessagePort.cpp (modified) (1 diff)
• WebCore/dom/MessagePort.h (modified) (5 diffs)

trunk/JavaScriptCore/ChangeLog

@@ +1 @@
+2008-10-15  Alexey Proskuryakov  <ap@webkit.org>
+
+        Reviewed by Darin Adler.
+
+        https://bugs.webkit.org/show_bug.cgi?id=21609
+        Make MessagePorts protect their peers across heaps
+
+        * JavaScriptCore.exp:
+        * kjs/JSGlobalObject.cpp:
+        (JSC::JSGlobalObject::markCrossHeapDependentObjects):
+        * kjs/JSGlobalObject.h:
+        * kjs/collector.cpp:
+        (JSC::Heap::collect):
+        Before GC sweep phase, a function supplied by global object is now called for all global
+        objects in the heap, making it possible to implement cross-heap dependencies.
+
 2008-10-15  Alexey Proskuryakov  <ap@webkit.org>
 

trunk/JavaScriptCore/JavaScriptCore.exp

@@ -148 +148 @@
 __ZN3JSC14JSGlobalObject17putWithAttributesEPNS_9ExecStateERKNS_10IdentifierEPNS_7JSValueEj
 __ZN3JSC14JSGlobalObject17startTimeoutCheckEv
+__ZN3JSC14JSGlobalObject29markCrossHeapDependentObjectsEv
 __ZN3JSC14JSGlobalObject3putEPNS_9ExecStateERKNS_10IdentifierEPNS_7JSValueERNS_15PutPropertySlotE
 __ZN3JSC14JSGlobalObject4initEPNS_8JSObjectE

trunk/JavaScriptCore/kjs/JSGlobalObject.cpp

@@ -400 +400 @@
 }
 
+void JSGlobalObject::markCrossHeapDependentObjects()
+{
+    // Overridden by subclasses.
+}
+
 JSGlobalObject* JSGlobalObject::toGlobalObject(ExecState*) const
 {

trunk/JavaScriptCore/kjs/JSGlobalObject.h

@@ -159 +159 @@
 
         virtual void mark();
+        virtual void markCrossHeapDependentObjects();
 
         virtual bool getOwnPropertySlot(ExecState*, const Identifier&, PropertySlot&);

trunk/JavaScriptCore/kjs/collector.cpp

@@ -970 +970 @@
     m_globalData->smallStrings.mark();
 
+    JSGlobalObject* globalObject = m_globalData->head;
+    do {
+        globalObject->markCrossHeapDependentObjects();
+        globalObject = globalObject->next();
+    } while (globalObject != m_globalData->head);
+
     JAVASCRIPTCORE_GC_MARKED();
 

trunk/WebCore/ChangeLog

@@ +1 @@
+2008-10-15  Alexey Proskuryakov  <ap@webkit.org>
+
+        Reviewed by Darin Adler.
+
+        https://bugs.webkit.org/show_bug.cgi?id=21609
+        Make MessagePorts protect their peers across heaps
+
+        * dom/MessagePort.cpp:
+        (WebCore::MessagePort::MessagePort):
+        * dom/MessagePort.h:
+        (WebCore::MessagePort::setJSWrapperIsKnownToBeInaccessible):
+        (WebCore::MessagePort::jsWrapperIsKnownToBeInaccessible):
+        Track objects whose JS wrappers are no longer reachable in MessagePort. Unfortunately, this
+        means that the implementation object knows about JS bindings - but it is not possible to
+        access JS wrappers from another heap/thread.
+
+        * bindings/js/JSDOMBinding.cpp:
+        (WebCore::markCrossHeapDependentObjectsForDocument):
+        * bindings/js/JSDOMBinding.h:
+        * bindings/js/JSDOMWindowBase.cpp:
+        (WebCore::JSDOMWindowBase::markCrossHeapDependentObjects):
+        * bindings/js/JSDOMWindowBase.h:
+        Implement cross-heap dependency tracking for entangled MessagePorts. If a wrapper object
+        hasn't been marked normally, it is marked as inaccessible. It is then marked manually,
+        as long as its entangled port is accessible itself.
+
 2008-10-15  Jon Honeycutt  <jhoneycutt@apple.com>
 

trunk/WebCore/bindings/js/JSDOMBinding.cpp

@@ -269 +269 @@
 }
 
+void markCrossHeapDependentObjectsForDocument(JSGlobalData& globalData, Document* document)
+{
+    const HashSet<MessagePort*>& messagePorts = document->messagePorts();
+    HashSet<MessagePort*>::const_iterator portsEnd = messagePorts.end();
+    for (HashSet<MessagePort*>::const_iterator iter = messagePorts.begin(); iter != portsEnd; ++iter) {
+        MessagePort* port = *iter;
+        RefPtr<MessagePort> entangledPort = port->entangledPort();
+        if (entangledPort) {
+            // No wrapper, or wrapper is already marked - no need to examine cross-heap dependencies.
+            DOMObject* wrapper = getCachedDOMObjectWrapper(globalData, port);
+            if (!wrapper || wrapper->marked())
+                continue;
+
+            // If the wrapper hasn't been marked during the mark phase of GC, then the port shouldn't protect its entangled one.
+            // It's important not to call this when there is no wrapper. E.g., if GC is triggered after a MessageChannel is created, but before its ports are used from JS,
+            // irreversibly telling the object that its (not yet existing) wrapper is inaccessible would be wrong. Similarly, ports posted via postMessage() may not
+            // have wrappers until delivered.
+            port->setJSWrapperIsInaccessible();
+
+            // If the port is protected by its entangled one, mark it.
+            // This is an atomic read of a boolean value, no synchronization between threads is required (at least on platforms that guarantee cache coherency).
+            if (!entangledPort->jsWrapperIsInaccessible())
+                wrapper->mark();
+        }
+    }
+}
+
 void updateDOMNodeDocument(Node* node, Document* oldDocument, Document* newDocument)
 {

trunk/WebCore/bindings/js/JSDOMBinding.h

@@ -70 +70 @@
     void markDOMNodesForDocument(Document*);
     void markActiveObjectsForDocument(JSC::JSGlobalData&, Document*);
+    void markCrossHeapDependentObjectsForDocument(JSC::JSGlobalData&, Document*);
 
     JSC::StructureID* getCachedDOMStructure(JSC::ExecState*, const JSC::ClassInfo*);

trunk/WebCore/bindings/js/JSDOMWindowBase.cpp

@@ -508 +508 @@
 }
 
+void JSDOMWindowBase::markCrossHeapDependentObjects()
+{
+    Document* document = impl()->document();
+    if (!document)
+        return;
+
+    markCrossHeapDependentObjectsForDocument(*globalData(), document);
+}
+
 bool JSDOMWindowBase::getOwnPropertySlot(ExecState* exec, const Identifier& propertyName, PropertySlot& slot)
 {

trunk/WebCore/bindings/js/JSDOMWindowBase.h

@@ -64 +64 @@
 
         void disconnectFrame();
+
+        virtual void markCrossHeapDependentObjects();
 
         virtual bool getOwnPropertySlot(JSC::ExecState*, const JSC::Identifier&, JSC::PropertySlot&);

trunk/WebCore/dom/MessagePort.cpp

@@ -69 +69 @@
     , m_document(document)
     , m_pendingActivity(0)
+    , m_jsWrapperIsInaccessible(false)
 {
     document->createdMessagePort(this);

trunk/WebCore/dom/MessagePort.h

@@ -34 +34 @@
 #include <wtf/MessageQueue.h>
 #include <wtf/PassRefPtr.h>
-#include <wtf/RefCounted.h>
 #include <wtf/RefPtr.h>
+#include <wtf/Threading.h>
 #include <wtf/Vector.h>
 
@@ -46 +46 @@
     class String;
 
-    class MessagePort : public RefCounted<MessagePort>, public EventTarget {
+    class MessagePort : public ThreadSafeShared<MessagePort>, public EventTarget {
     public:
         static PassRefPtr<MessagePort> create(Document* document) { return adoptRef(new MessagePort(document)); }
@@ -84 +84 @@
         EventListenersMap& eventListeners() { return m_eventListeners; }
 
-        using RefCounted<MessagePort>::ref;
-        using RefCounted<MessagePort>::deref;
+        using ThreadSafeShared<MessagePort>::ref;
+        using ThreadSafeShared<MessagePort>::deref;
 
         bool hasPendingActivity() { return m_pendingActivity; }
@@ -94 +94 @@
         void setOnclose(PassRefPtr<EventListener> eventListener) { m_onCloseListener = eventListener; }
         EventListener* onclose() const { return m_onCloseListener.get(); }
+
+        void setJSWrapperIsInaccessible() { m_jsWrapperIsInaccessible = true; }
+        bool jsWrapperIsInaccessible() const { return m_jsWrapperIsInaccessible; }
 
     private:
@@ -120 +123 @@
 
         unsigned m_pendingActivity;
+        bool m_jsWrapperIsInaccessible;
     };