Changeset 86499 in webkit

Timestamp:

May 14, 2011 3:10:01 PM (13 years ago)

Author:

oliver@apple.com

Message:

2011-05-13 Oliver Hunt <​oliver@apple.com>

Reviewed by Geoffrey Garen.

Make GC validation more aggressive
​https://bugs.webkit.org/show_bug.cgi?id=60802

This patch makes the checks performed under GC_VALIDATION
much more aggressive, and adds the checks to more places
in order to allow us to catch GC bugs much closer to the
point of failure.

• JavaScriptCore.exp:
• JavaScriptCore.xcodeproj/project.pbxproj:
• debugger/DebuggerActivation.cpp: (JSC::DebuggerActivation::visitChildren):
• heap/MarkedBlock.cpp: (JSC::MarkedBlock::MarkedBlock):
• heap/MarkedSpace.cpp:
• runtime/Arguments.cpp: (JSC::Arguments::visitChildren):
• runtime/Executable.cpp: (JSC::EvalExecutable::visitChildren): (JSC::ProgramExecutable::visitChildren): (JSC::FunctionExecutable::visitChildren):
• runtime/Executable.h:
• runtime/GetterSetter.cpp: (JSC::GetterSetter::visitChildren):
• runtime/GetterSetter.h:
• runtime/JSAPIValueWrapper.h: (JSC::JSAPIValueWrapper::createStructure): (JSC::JSAPIValueWrapper::JSAPIValueWrapper):
• runtime/JSActivation.cpp: (JSC::JSActivation::visitChildren):
• runtime/JSArray.cpp: (JSC::JSArray::visitChildren):
• runtime/JSCell.cpp: (JSC::slowValidateCell):
• runtime/JSCell.h: (JSC::JSCell::JSCell::unvalidatedStructure): (JSC::JSCell::JSCell::JSCell):
• runtime/JSFunction.cpp: (JSC::JSFunction::visitChildren):
• runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::visitChildren): (JSC::slowValidateCell):
• runtime/JSONObject.h:
• runtime/JSObject.cpp: (JSC::JSObject::visitChildren):
• runtime/JSPropertyNameIterator.cpp: (JSC::JSPropertyNameIterator::visitChildren):
• runtime/JSPropertyNameIterator.h:
• runtime/JSStaticScopeObject.cpp: (JSC::JSStaticScopeObject::visitChildren):
• runtime/JSString.h: (JSC::RopeBuilder::JSString):
• runtime/JSWrapperObject.cpp: (JSC::JSWrapperObject::visitChildren):
• runtime/NativeErrorConstructor.cpp: (JSC::NativeErrorConstructor::visitChildren):
• runtime/PropertyMapHashTable.h: (JSC::PropertyMapEntry::PropertyMapEntry):
• runtime/RegExpObject.cpp: (JSC::RegExpObject::visitChildren):
• runtime/ScopeChain.cpp: (JSC::ScopeChainNode::visitChildren):
• runtime/ScopeChain.h: (JSC::ScopeChainNode::ScopeChainNode):
• runtime/Structure.cpp: (JSC::Structure::Structure): (JSC::Structure::addPropertyTransition): (JSC::Structure::visitChildren):
• runtime/Structure.h: (JSC::JSCell::classInfo):
• runtime/StructureChain.cpp: (JSC::StructureChain::visitChildren):
• runtime/StructureChain.h:
• runtime/WriteBarrier.h: (JSC::validateCell): (JSC::JSCell): (JSC::JSGlobalObject): (JSC::WriteBarrierBase::set): (JSC::WriteBarrierBase::setMayBeNull): (JSC::WriteBarrierBase::setEarlyValue): (JSC::WriteBarrierBase::get): (JSC::WriteBarrierBase::operator*): (JSC::WriteBarrierBase::operator->): (JSC::WriteBarrierBase::unvalidatedGet): (JSC::WriteBarrier::WriteBarrier):
• wtf/Assertions.h:

2011-05-13 Oliver Hunt <​oliver@apple.com>

Reviewed by Geoffrey Garen.

Make GC validation more aggressive
​https://bugs.webkit.org/show_bug.cgi?id=60802

This makes GC_VALIDATION much more aggressive in webcore,
adding logic to every visitChildren method to ensure that
the structure still has correct flags.

Additionally every function generated for the dom bindings
makes use of the new GC_VALIDATION object assertions to further
ensure that the object appears to be sensible.

• bindings/js/JSAttrCustom.cpp: (WebCore::JSAttr::visitChildren):
• bindings/js/JSAudioContextCustom.cpp: (WebCore::JSAudioContext::visitChildren):
• bindings/js/JSCSSRuleCustom.cpp: (WebCore::JSCSSRule::visitChildren):
• bindings/js/JSCSSStyleDeclarationCustom.cpp: (WebCore::JSCSSStyleDeclaration::visitChildren):
• bindings/js/JSCanvasRenderingContextCustom.cpp: (WebCore::JSCanvasRenderingContext::visitChildren):
• bindings/js/JSDOMGlobalObject.cpp: (WebCore::JSDOMGlobalObject::visitChildren): (WebCore::JSDOMGlobalObject::setInjectedScript):
• bindings/js/JSDOMWindowCustom.cpp: (WebCore::JSDOMWindow::visitChildren):
• bindings/js/JSDOMWindowShell.cpp: (WebCore::JSDOMWindowShell::visitChildren):
• bindings/js/JSEventListener.cpp: (WebCore::JSEventListener::JSEventListener):
• bindings/js/JSEventListener.h: (WebCore::JSEventListener::jsFunction):
• bindings/js/JSJavaScriptAudioNodeCustom.cpp: (WebCore::JSJavaScriptAudioNode::visitChildren):
• bindings/js/JSMessageChannelCustom.cpp: (WebCore::JSMessageChannel::visitChildren):
• bindings/js/JSMessagePortCustom.cpp: (WebCore::JSMessagePort::visitChildren):
• bindings/js/JSNamedNodeMapCustom.cpp: (WebCore::JSNamedNodeMap::visitChildren):
• bindings/js/JSNodeCustom.cpp: (WebCore::JSNode::visitChildren):
• bindings/js/JSNodeFilterCustom.cpp: (WebCore::JSNodeFilter::visitChildren):
• bindings/js/JSNodeIteratorCustom.cpp: (WebCore::JSNodeIterator::visitChildren):
• bindings/js/JSSVGElementInstanceCustom.cpp: (WebCore::JSSVGElementInstance::visitChildren):
• bindings/js/JSSharedWorkerCustom.cpp: (WebCore::JSSharedWorker::visitChildren):
• bindings/js/JSStyleSheetCustom.cpp: (WebCore::JSStyleSheet::visitChildren):
• bindings/js/JSTreeWalkerCustom.cpp: (WebCore::JSTreeWalker::visitChildren):
• bindings/js/JSWebGLRenderingContextCustom.cpp: (WebCore::JSWebGLRenderingContext::visitChildren):
• bindings/js/JSWorkerContextCustom.cpp: (WebCore::JSWorkerContext::visitChildren):
• bindings/js/JSXMLHttpRequestCustom.cpp: (WebCore::JSXMLHttpRequest::visitChildren):
• bindings/js/JSXPathResultCustom.cpp: (WebCore::JSXPathResult::visitChildren):
• bindings/scripts/CodeGeneratorJS.pm:

2011-05-13 Oliver Hunt <​oliver@apple.com>

Reviewed by Geoffrey Garen.

Make GC validation more aggressive
​https://bugs.webkit.org/show_bug.cgi?id=60802

Add GC_VALIDATION calls to all the JSNPObject methods.

• WebProcess/Plugins/Netscape/JSNPObject.cpp: (WebKit::JSNPObject::invalidate): (WebKit::JSNPObject::callMethod): (WebKit::JSNPObject::callObject): (WebKit::JSNPObject::callConstructor): (WebKit::JSNPObject::getCallData): (WebKit::JSNPObject::getConstructData): (WebKit::JSNPObject::getOwnPropertySlot): (WebKit::JSNPObject::getOwnPropertyDescriptor): (WebKit::JSNPObject::put): (WebKit::JSNPObject::getOwnPropertyNames): (WebKit::JSNPObject::propertyGetter): (WebKit::JSNPObject::methodGetter):

Location:

trunk/Source

Files:

• JavaScriptCore/ChangeLog (modified) (1 diff)
• JavaScriptCore/JavaScriptCore.exp (modified) (2 diffs)
• JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def (modified) (1 diff)
• JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (modified) (1 diff)
• JavaScriptCore/debugger/DebuggerActivation.cpp (modified) (1 diff)
• JavaScriptCore/heap/MarkedBlock.cpp (modified) (1 diff)
• JavaScriptCore/heap/MarkedSpace.cpp (modified) (1 diff)
• JavaScriptCore/runtime/Arguments.cpp (modified) (1 diff)
• JavaScriptCore/runtime/Executable.cpp (modified) (3 diffs)
• JavaScriptCore/runtime/Executable.h (modified) (7 diffs)
• JavaScriptCore/runtime/GetterSetter.cpp (modified) (1 diff)
• JavaScriptCore/runtime/GetterSetter.h (modified) (1 diff)
• JavaScriptCore/runtime/JSAPIValueWrapper.h (modified) (2 diffs)
• JavaScriptCore/runtime/JSActivation.cpp (modified) (1 diff)
• JavaScriptCore/runtime/JSArray.cpp (modified) (1 diff)
• JavaScriptCore/runtime/JSCell.cpp (modified) (1 diff)
• JavaScriptCore/runtime/JSCell.h (modified) (4 diffs)
• JavaScriptCore/runtime/JSFunction.cpp (modified) (1 diff)
• JavaScriptCore/runtime/JSGlobalObject.cpp (modified) (2 diffs)
• JavaScriptCore/runtime/JSONObject.h (modified) (2 diffs)
• JavaScriptCore/runtime/JSObject.cpp (modified) (1 diff)
• JavaScriptCore/runtime/JSPropertyNameIterator.cpp (modified) (1 diff)
• JavaScriptCore/runtime/JSPropertyNameIterator.h (modified) (1 diff)
• JavaScriptCore/runtime/JSStaticScopeObject.cpp (modified) (1 diff)
• JavaScriptCore/runtime/JSString.h (modified) (2 diffs)
• JavaScriptCore/runtime/JSWrapperObject.cpp (modified) (1 diff)
• JavaScriptCore/runtime/NativeErrorConstructor.cpp (modified) (1 diff)
• JavaScriptCore/runtime/PropertyMapHashTable.h (modified) (1 diff)
• JavaScriptCore/runtime/RegExpObject.cpp (modified) (1 diff)
• JavaScriptCore/runtime/ScopeChain.cpp (modified) (1 diff)
• JavaScriptCore/runtime/ScopeChain.h (modified) (2 diffs)
• JavaScriptCore/runtime/Structure.cpp (modified) (3 diffs)
• JavaScriptCore/runtime/Structure.h (modified) (3 diffs)
• JavaScriptCore/runtime/StructureChain.cpp (modified) (1 diff)
• JavaScriptCore/runtime/StructureChain.h (modified) (2 diffs)
• JavaScriptCore/runtime/WriteBarrier.h (modified) (7 diffs)
• JavaScriptCore/wtf/Assertions.h (modified) (1 diff)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/bindings/js/JSAttrCustom.cpp (modified) (1 diff)
• WebCore/bindings/js/JSAudioContextCustom.cpp (modified) (1 diff)
• WebCore/bindings/js/JSCSSRuleCustom.cpp (modified) (1 diff)
• WebCore/bindings/js/JSCSSStyleDeclarationCustom.cpp (modified) (1 diff)
• WebCore/bindings/js/JSCanvasRenderingContextCustom.cpp (modified) (1 diff)
• WebCore/bindings/js/JSDOMGlobalObject.cpp (modified) (2 diffs)
• WebCore/bindings/js/JSDOMWindowCustom.cpp (modified) (1 diff)
• WebCore/bindings/js/JSDOMWindowShell.cpp (modified) (1 diff)
• WebCore/bindings/js/JSEventListener.cpp (modified) (1 diff)
• WebCore/bindings/js/JSEventListener.h (modified) (1 diff)
• WebCore/bindings/js/JSJavaScriptAudioNodeCustom.cpp (modified) (1 diff)
• WebCore/bindings/js/JSMessageChannelCustom.cpp (modified) (1 diff)
• WebCore/bindings/js/JSMessagePortCustom.cpp (modified) (1 diff)
• WebCore/bindings/js/JSNamedNodeMapCustom.cpp (modified) (1 diff)
• WebCore/bindings/js/JSNodeCustom.cpp (modified) (1 diff)
• WebCore/bindings/js/JSNodeFilterCustom.cpp (modified) (1 diff)
• WebCore/bindings/js/JSNodeIteratorCustom.cpp (modified) (1 diff)
• WebCore/bindings/js/JSSVGElementInstanceCustom.cpp (modified) (1 diff)
• WebCore/bindings/js/JSSharedWorkerCustom.cpp (modified) (1 diff)
• WebCore/bindings/js/JSStyleSheetCustom.cpp (modified) (1 diff)
• WebCore/bindings/js/JSTreeWalkerCustom.cpp (modified) (1 diff)
• WebCore/bindings/js/JSWebGLRenderingContextCustom.cpp (modified) (1 diff)
• WebCore/bindings/js/JSWorkerContextCustom.cpp (modified) (1 diff)
• WebCore/bindings/js/JSXMLHttpRequestCustom.cpp (modified) (1 diff)
• WebCore/bindings/js/JSXPathResultCustom.cpp (modified) (1 diff)
• WebCore/bindings/scripts/CodeGeneratorJS.pm (modified) (10 diffs)
• WebKit2/ChangeLog (modified) (1 diff)
• WebKit2/WebProcess/Plugins/Netscape/JSNPObject.cpp (modified) (12 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2011-05-13  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Geoffrey Garen.
+
+        Make GC validation more aggressive
+        https://bugs.webkit.org/show_bug.cgi?id=60802
+
+        This patch makes the checks performed under GC_VALIDATION
+        much more aggressive, and adds the checks to more places
+        in order to allow us to catch GC bugs much closer to the
+        point of failure.
+
+        * JavaScriptCore.exp:
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * debugger/DebuggerActivation.cpp:
+        (JSC::DebuggerActivation::visitChildren):
+        * heap/MarkedBlock.cpp:
+        (JSC::MarkedBlock::MarkedBlock):
+        * heap/MarkedSpace.cpp:
+        * runtime/Arguments.cpp:
+        (JSC::Arguments::visitChildren):
+        * runtime/Executable.cpp:
+        (JSC::EvalExecutable::visitChildren):
+        (JSC::ProgramExecutable::visitChildren):
+        (JSC::FunctionExecutable::visitChildren):
+        * runtime/Executable.h:
+        * runtime/GetterSetter.cpp:
+        (JSC::GetterSetter::visitChildren):
+        * runtime/GetterSetter.h:
+        * runtime/JSAPIValueWrapper.h:
+        (JSC::JSAPIValueWrapper::createStructure):
+        (JSC::JSAPIValueWrapper::JSAPIValueWrapper):
+        * runtime/JSActivation.cpp:
+        (JSC::JSActivation::visitChildren):
+        * runtime/JSArray.cpp:
+        (JSC::JSArray::visitChildren):
+        * runtime/JSCell.cpp:
+        (JSC::slowValidateCell):
+        * runtime/JSCell.h:
+        (JSC::JSCell::JSCell::unvalidatedStructure):
+        (JSC::JSCell::JSCell::JSCell):
+        * runtime/JSFunction.cpp:
+        (JSC::JSFunction::visitChildren):
+        * runtime/JSGlobalObject.cpp:
+        (JSC::JSGlobalObject::visitChildren):
+        (JSC::slowValidateCell):
+        * runtime/JSONObject.h:
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::visitChildren):
+        * runtime/JSPropertyNameIterator.cpp:
+        (JSC::JSPropertyNameIterator::visitChildren):
+        * runtime/JSPropertyNameIterator.h:
+        * runtime/JSStaticScopeObject.cpp:
+        (JSC::JSStaticScopeObject::visitChildren):
+        * runtime/JSString.h:
+        (JSC::RopeBuilder::JSString):
+        * runtime/JSWrapperObject.cpp:
+        (JSC::JSWrapperObject::visitChildren):
+        * runtime/NativeErrorConstructor.cpp:
+        (JSC::NativeErrorConstructor::visitChildren):
+        * runtime/PropertyMapHashTable.h:
+        (JSC::PropertyMapEntry::PropertyMapEntry):
+        * runtime/RegExpObject.cpp:
+        (JSC::RegExpObject::visitChildren):
+        * runtime/ScopeChain.cpp:
+        (JSC::ScopeChainNode::visitChildren):
+        * runtime/ScopeChain.h:
+        (JSC::ScopeChainNode::ScopeChainNode):
+        * runtime/Structure.cpp:
+        (JSC::Structure::Structure):
+        (JSC::Structure::addPropertyTransition):
+        (JSC::Structure::visitChildren):
+        * runtime/Structure.h:
+        (JSC::JSCell::classInfo):
+        * runtime/StructureChain.cpp:
+        (JSC::StructureChain::visitChildren):
+        * runtime/StructureChain.h:
+        * runtime/WriteBarrier.h:
+        (JSC::validateCell):
+        (JSC::JSCell):
+        (JSC::JSGlobalObject):
+        (JSC::WriteBarrierBase::set):
+        (JSC::WriteBarrierBase::setMayBeNull):
+        (JSC::WriteBarrierBase::setEarlyValue):
+        (JSC::WriteBarrierBase::get):
+        (JSC::WriteBarrierBase::operator*):
+        (JSC::WriteBarrierBase::operator->):
+        (JSC::WriteBarrierBase::unvalidatedGet):
+        (JSC::WriteBarrier::WriteBarrier):
+        * wtf/Assertions.h:
+
+2011-05-13  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Geoffrey Garen.
+
+        Make GC validation more aggressive
+        https://bugs.webkit.org/show_bug.cgi?id=60802
+
+        This patch makes the checks performed under GC_VALIDATION
+        much more aggressive, and adds the checks to more places
+        in order to allow us to catch GC bugs much closer to the
+        point of failure.
+
+        * JavaScriptCore.exp:
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * debugger/DebuggerActivation.cpp:
+        (JSC::DebuggerActivation::visitChildren):
+        * heap/MarkedBlock.cpp:
+        (JSC::MarkedBlock::MarkedBlock):
+        * heap/MarkedSpace.cpp:
+        * runtime/Arguments.cpp:
+        (JSC::Arguments::visitChildren):
+        * runtime/Executable.cpp:
+        (JSC::EvalExecutable::visitChildren):
+        (JSC::ProgramExecutable::visitChildren):
+        (JSC::FunctionExecutable::visitChildren):
+        * runtime/Executable.h:
+        * runtime/GetterSetter.cpp:
+        (JSC::GetterSetter::visitChildren):
+        * runtime/GetterSetter.h:
+        * runtime/JSAPIValueWrapper.h:
+        (JSC::JSAPIValueWrapper::createStructure):
+        (JSC::JSAPIValueWrapper::JSAPIValueWrapper):
+        * runtime/JSActivation.cpp:
+        (JSC::JSActivation::visitChildren):
+        * runtime/JSArray.cpp:
+        (JSC::JSArray::visitChildren):
+        * runtime/JSCell.cpp:
+        (JSC::slowValidateCell):
+        * runtime/JSCell.h:
+        (JSC::JSCell::JSCell::unvalidatedStructure):
+        (JSC::JSCell::JSCell::JSCell):
+        * runtime/JSFunction.cpp:
+        (JSC::JSFunction::visitChildren):
+        * runtime/JSGlobalObject.cpp:
+        (JSC::JSGlobalObject::visitChildren):
+        (JSC::slowValidateCell):
+        * runtime/JSONObject.h:
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::visitChildren):
+        * runtime/JSPropertyNameIterator.cpp:
+        (JSC::JSPropertyNameIterator::visitChildren):
+        * runtime/JSPropertyNameIterator.h:
+        * runtime/JSStaticScopeObject.cpp:
+        (JSC::JSStaticScopeObject::visitChildren):
+        * runtime/JSString.h:
+        (JSC::RopeBuilder::JSString):
+        * runtime/JSWrapperObject.cpp:
+        (JSC::JSWrapperObject::visitChildren):
+        * runtime/NativeErrorConstructor.cpp:
+        (JSC::NativeErrorConstructor::visitChildren):
+        * runtime/PropertyMapHashTable.h:
+        (JSC::PropertyMapEntry::PropertyMapEntry):
+        * runtime/RegExpObject.cpp:
+        (JSC::RegExpObject::visitChildren):
+        * runtime/ScopeChain.cpp:
+        (JSC::ScopeChainNode::visitChildren):
+        * runtime/ScopeChain.h:
+        (JSC::ScopeChainNode::ScopeChainNode):
+        * runtime/Structure.cpp:
+        (JSC::Structure::Structure):
+        (JSC::Structure::addPropertyTransition):
+        (JSC::Structure::visitChildren):
+        * runtime/Structure.h:
+        (JSC::JSCell::classInfo):
+        * runtime/StructureChain.cpp:
+        (JSC::StructureChain::visitChildren):
+        * runtime/StructureChain.h:
+        * runtime/WriteBarrier.h:
+        (JSC::validateCell):
+        (JSC::JSCell):
+        (JSC::JSGlobalObject):
+        (JSC::WriteBarrierBase::set):
+        (JSC::WriteBarrierBase::setMayBeNull):
+        (JSC::WriteBarrierBase::setEarlyValue):
+        (JSC::WriteBarrierBase::get):
+        (JSC::WriteBarrierBase::operator*):
+        (JSC::WriteBarrierBase::operator->):
+        (JSC::WriteBarrierBase::unvalidatedGet):
+        (JSC::WriteBarrier::WriteBarrier):
+        * wtf/Assertions.h:
+
 2011-05-14  Csaba Osztrogonác  <ossy@webkit.org>
 

trunk/Source/JavaScriptCore/JavaScriptCore.exp

@@ -168 +168 @@
 __ZN3JSC14SamplingThread4stopEv
 __ZN3JSC14SamplingThread5startEj
+__ZN3JSC14ScopeChainNode6s_infoE
 __ZN3JSC14TimeoutChecker10didTimeOutEPNS_9ExecStateE
 __ZN3JSC14TimeoutChecker5resetEv
@@ -184 +185 @@
 __ZN3JSC16JSVariableObject19getOwnPropertyNamesEPNS_9ExecStateERNS_17PropertyNameArrayENS_15EnumerationModeE
 __ZN3JSC16createRangeErrorEPNS_9ExecStateERKNS_7UStringE
+__ZN3JSC16slowValidateCellEPNS_14JSGlobalObjectE
+__ZN3JSC16slowValidateCellEPNS_6JSCellE
 __ZN3JSC16throwSyntaxErrorEPNS_9ExecStateE
 __ZN3JSC17BytecodeGenerator21setDumpsGeneratedCodeEb

trunk/Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def

@@ -318 +318 @@
     ?size@Heap@JSC@@QBEIXZ
     ?slowAppend@MarkedArgumentBuffer@JSC@@AAEXVJSValue@2@@Z
+    ?slowValidateCell@JSC@@YAXPAVJSCell@1@@Z
+    ?slowValidateCell@JSC@@YAXPAVJSGlobalObject@1@@Z
     ?startProfiling@Profiler@JSC@@QAEXPAVExecState@2@ABVUString@2@@Z
     ?startSampling@JSGlobalData@JSC@@QAEXXZ

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -2701 +2701 @@
                         attributes = {
                                 BuildIndependentTargetsInParallel = YES;
+                                LastUpgradeCheck = 0420;
                         };
                         buildConfigurationList = 149C277108902AFE008A9EFC /* Build configuration list for PBXProject "JavaScriptCore" */;

trunk/Source/JavaScriptCore/debugger/DebuggerActivation.cpp

@@ -41 +41 @@
 void DebuggerActivation::visitChildren(SlotVisitor& visitor)
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
+    COMPILE_ASSERT(StructureFlags & OverridesVisitChildren, OverridesVisitChildrenWithoutSettingFlag);
+    ASSERT(structure()->typeInfo().overridesVisitChildren());
     JSObject::visitChildren(visitor);
 

trunk/Source/JavaScriptCore/heap/MarkedBlock.cpp

@@ -61 +61 @@
     Structure* dummyMarkableCellStructure = globalData->dummyMarkableCellStructure.get();
     for (size_t i = firstAtom(); i < m_endAtom; i += m_atomsPerCell)
-        new (&atoms()[i]) JSCell(*globalData, dummyMarkableCellStructure);
+        new (&atoms()[i]) JSCell(*globalData, dummyMarkableCellStructure, JSCell::CreatingEarlyCell);
 }
 

trunk/Source/JavaScriptCore/heap/MarkedSpace.cpp

@@ -22 +22 @@
 #include "MarkedSpace.h"
 
+#include "JSGlobalObject.h"
 #include "JSCell.h"
 #include "JSGlobalData.h"

trunk/Source/JavaScriptCore/runtime/Arguments.cpp

@@ -46 +46 @@
 void Arguments::visitChildren(SlotVisitor& visitor)
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
+    COMPILE_ASSERT(StructureFlags & OverridesVisitChildren, OverridesVisitChildrenWithoutSettingFlag);
+    ASSERT(structure()->typeInfo().overridesVisitChildren());
     JSObject::visitChildren(visitor);
 

trunk/Source/JavaScriptCore/runtime/Executable.cpp

@@ -146 +146 @@
 void EvalExecutable::visitChildren(SlotVisitor& visitor)
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
+    COMPILE_ASSERT(StructureFlags & OverridesVisitChildren, OverridesVisitChildrenWithoutSettingFlag);
+    ASSERT(structure()->typeInfo().overridesVisitChildren());
     ScriptExecutable::visitChildren(visitor);
     if (m_evalCodeBlock)
@@ -238 +241 @@
 void ProgramExecutable::visitChildren(SlotVisitor& visitor)
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
+    COMPILE_ASSERT(StructureFlags & OverridesVisitChildren, OverridesVisitChildrenWithoutSettingFlag);
+    ASSERT(structure()->typeInfo().overridesVisitChildren());
     ScriptExecutable::visitChildren(visitor);
     if (m_programCodeBlock)
@@ -350 +356 @@
 void FunctionExecutable::visitChildren(SlotVisitor& visitor)
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
+    COMPILE_ASSERT(StructureFlags & OverridesVisitChildren, OverridesVisitChildrenWithoutSettingFlag);
+    ASSERT(structure()->typeInfo().overridesVisitChildren());
     ScriptExecutable::visitChildren(visitor);
     if (m_codeBlockForCall)

trunk/Source/JavaScriptCore/runtime/Executable.h

@@ -67 +67 @@
 
         static Structure* createStructure(JSGlobalData& globalData, JSValue proto) { return Structure::create(globalData, proto, TypeInfo(CompoundType, StructureFlags), AnonymousSlotCount, &s_info); }
+        
+        static const ClassInfo s_info;
 
     protected:
         static const unsigned StructureFlags = 0;
-        static const ClassInfo s_info;
         int m_numParametersForCall;
         int m_numParametersForConstruct;
@@ -118 +119 @@
 
         static Structure* createStructure(JSGlobalData& globalData, JSValue proto) { return Structure::create(globalData, proto, TypeInfo(LeafType, StructureFlags), AnonymousSlotCount, &s_info); }
-
+        
+        static const ClassInfo s_info;
+    
     private:
 #if ENABLE(JIT)
@@ -144 +147 @@
         // trampoline. It may be easier to make NativeFunction be passed 'this' as a part of the ArgList.
         NativeFunction m_constructor;
-        static const ClassInfo s_info;
     };
 
@@ -237 +239 @@
             return Structure::create(globalData, proto, TypeInfo(CompoundType, StructureFlags), AnonymousSlotCount, &s_info);
         }
-
+        
+        static const ClassInfo s_info;
     private:
         static const unsigned StructureFlags = OverridesVisitChildren | ScriptExecutable::StructureFlags;
-        static const ClassInfo s_info;
         EvalExecutable(ExecState*, const SourceCode&, bool);
 
@@ -287 +289 @@
             return Structure::create(globalData, proto, TypeInfo(CompoundType, StructureFlags), AnonymousSlotCount, &s_info);
         }
+        
+        static const ClassInfo s_info;
 
     private:
         static const unsigned StructureFlags = OverridesVisitChildren | ScriptExecutable::StructureFlags;
-        static const ClassInfo s_info;
         ProgramExecutable(ExecState*, const SourceCode&);
 
@@ -383 +386 @@
             return Structure::create(globalData, proto, TypeInfo(CompoundType, StructureFlags), AnonymousSlotCount, &s_info);
         }
+        
+        static const ClassInfo s_info;
 
     private:
@@ -392 +397 @@
         
         static const unsigned StructureFlags = OverridesVisitChildren | ScriptExecutable::StructureFlags;
-        static const ClassInfo s_info;
         unsigned m_numCapturedVariables : 31;
         bool m_forceUsesArguments : 1;

trunk/Source/JavaScriptCore/runtime/GetterSetter.cpp

@@ -33 +33 @@
 void GetterSetter::visitChildren(SlotVisitor& visitor)
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
+    ASSERT(structure()->typeInfo().overridesVisitChildren());
     JSCell::visitChildren(visitor);
 

trunk/Source/JavaScriptCore/runtime/GetterSetter.h

@@ -53 +53 @@
             return Structure::create(globalData, prototype, TypeInfo(GetterSetterType, OverridesVisitChildren), AnonymousSlotCount, &s_info);
         }
+        
+        static const ClassInfo s_info;
+
     private:
         virtual bool isGetterSetter() const;
-        static const ClassInfo s_info;
 
         WriteBarrier<JSObject> m_getter;

trunk/Source/JavaScriptCore/runtime/JSAPIValueWrapper.h

@@ -41 +41 @@
             return Structure::create(globalData, prototype, TypeInfo(CompoundType, OverridesVisitChildren | OverridesGetPropertyNames), AnonymousSlotCount, &s_info);
         }
+        
+        static const ClassInfo s_info;
 
-        
     private:
         JSAPIValueWrapper(ExecState* exec, JSValue value)
@@ -50 +51 @@
             ASSERT(!value.isCell());
         }
-        static const ClassInfo s_info;
 
         WriteBarrier<Unknown> m_value;

trunk/Source/JavaScriptCore/runtime/JSActivation.cpp

@@ -61 +61 @@
 void JSActivation::visitChildren(SlotVisitor& visitor)
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
+    COMPILE_ASSERT(StructureFlags & OverridesVisitChildren, OverridesVisitChildrenWithoutSettingFlag);
+    ASSERT(structure()->typeInfo().overridesVisitChildren());
     Base::visitChildren(visitor);
 

trunk/Source/JavaScriptCore/runtime/JSArray.cpp

@@ -860 +860 @@
 void JSArray::visitChildren(SlotVisitor& visitor)
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
+    COMPILE_ASSERT(StructureFlags & OverridesVisitChildren, OverridesVisitChildrenWithoutSettingFlag);
+    ASSERT(structure()->typeInfo().overridesVisitChildren());
     visitChildrenDirect(visitor);
 }

trunk/Source/JavaScriptCore/runtime/JSCell.cpp

@@ -222 +222 @@
 }
 
+void slowValidateCell(JSCell* cell)
+{
+    ASSERT_GC_OBJECT_LOOKS_VALID(cell);
+}
+
 } // namespace JSC

trunk/Source/JavaScriptCore/runtime/JSCell.h

@@ -72 +72 @@
         friend class Structure;
         friend class StructureChain;
+        enum CreatingEarlyCellTag { CreatingEarlyCell };
 
     protected:
@@ -79 +80 @@
         explicit JSCell(VPtrStealingHackType) { }
         JSCell(JSGlobalData&, Structure*);
+        JSCell(JSGlobalData&, Structure*, CreatingEarlyCellTag);
         virtual ~JSCell();
         static const ClassInfo s_dummyCellInfo;
@@ -149 +151 @@
         }
 
+#if ENABLE(GC_VALIDATION)
+        Structure* unvalidatedStructure() { return m_structure.unvalidatedGet(); }
+#endif
+        
     protected:
         static const unsigned AnonymousSlotCount = 0;
@@ -163 +169 @@
         : m_structure(globalData, this, structure)
     {
+        ASSERT(m_structure);
+    }
+
+    inline JSCell::JSCell(JSGlobalData& globalData, Structure* structure, CreatingEarlyCellTag)
+    {
+#if ENABLE(GC_VALIDATION)
+        if (structure)
+#endif
+            m_structure.setEarlyValue(globalData, this, structure);
         // Very first set of allocations won't have a real structure.
         ASSERT(m_structure || !globalData.dummyMarkableCellStructure);

trunk/Source/JavaScriptCore/runtime/JSFunction.cpp

@@ -136 +136 @@
 void JSFunction::visitChildren(SlotVisitor& visitor)
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
+    COMPILE_ASSERT(StructureFlags & OverridesVisitChildren, OverridesVisitChildrenWithoutSettingFlag);
+    ASSERT(structure()->typeInfo().overridesVisitChildren());
     Base::visitChildren(visitor);
 

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp

@@ -311 +311 @@
 void JSGlobalObject::visitChildren(SlotVisitor& visitor)
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
+    COMPILE_ASSERT(StructureFlags & OverridesVisitChildren, OverridesVisitChildrenWithoutSettingFlag);
+    ASSERT(structure()->typeInfo().overridesVisitChildren());
     JSVariableObject::visitChildren(visitor);
 
@@ -460 +463 @@
 }
 
+void slowValidateCell(JSGlobalObject* globalObject)
+{
+    if (!globalObject->isGlobalObject())
+        CRASH();
+    ASSERT_GC_OBJECT_INHERITS(globalObject, &JSGlobalObject::s_info);
+}
+
 } // namespace JSC

trunk/Source/JavaScriptCore/runtime/JSONObject.h

@@ -41 +41 @@
             return Structure::create(globalData, prototype, TypeInfo(ObjectType, StructureFlags), AnonymousSlotCount, &s_info);
         }
+        
+        static const ClassInfo s_info;
 
     protected:
@@ -49 +51 @@
         virtual bool getOwnPropertyDescriptor(ExecState*, const Identifier&, PropertyDescriptor&);
 
-        static const ClassInfo s_info;
     };
 

trunk/Source/JavaScriptCore/runtime/JSObject.cpp

@@ -71 +71 @@
 void JSObject::visitChildren(SlotVisitor& visitor)
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
 #ifndef NDEBUG
     bool wasCheckingForDefaultMarkViolation = visitor.m_isCheckingForDefaultMarkViolation;

trunk/Source/JavaScriptCore/runtime/JSPropertyNameIterator.cpp

@@ -98 +98 @@
 void JSPropertyNameIterator::visitChildren(SlotVisitor& visitor)
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
+    ASSERT(structure()->typeInfo().overridesVisitChildren());
     visitor.appendValues(m_jsStrings.get(), m_jsStringsSize, MayContainNullValues);
     if (m_cachedPrototypeChain)

trunk/Source/JavaScriptCore/runtime/JSPropertyNameIterator.h

@@ -76 +76 @@
         void setCachedPrototypeChain(JSGlobalData& globalData, StructureChain* cachedPrototypeChain) { m_cachedPrototypeChain.set(globalData, this, cachedPrototypeChain); }
         StructureChain* cachedPrototypeChain() { return m_cachedPrototypeChain.get(); }
+        
+        static const ClassInfo s_info;
 
     private:
-        static const ClassInfo s_info;
         JSPropertyNameIterator(ExecState*, PropertyNameArrayData* propertyNameArrayData, size_t numCacheableSlot);
 

trunk/Source/JavaScriptCore/runtime/JSStaticScopeObject.cpp

@@ -35 +35 @@
 void JSStaticScopeObject::visitChildren(SlotVisitor& visitor)
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
+    COMPILE_ASSERT(StructureFlags & OverridesVisitChildren, OverridesVisitChildrenWithoutSettingFlag);
+    ASSERT(structure()->typeInfo().overridesVisitChildren());
     JSVariableObject::visitChildren(visitor);
     visitor.append(&m_registerStore);

trunk/Source/JavaScriptCore/runtime/JSString.h

@@ -331 +331 @@
             return Structure::create(globalData, proto, TypeInfo(StringType, OverridesGetOwnPropertySlot | NeedsThisConversion), AnonymousSlotCount, &s_info);
         }
+        
+        static const ClassInfo s_info;
 
     private:
@@ -338 +340 @@
         {
         }
-        static const ClassInfo s_info;
 
         void resolveRope(ExecState*) const;

trunk/Source/JavaScriptCore/runtime/JSWrapperObject.cpp

@@ -29 +29 @@
 void JSWrapperObject::visitChildren(SlotVisitor& visitor) 
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
+    COMPILE_ASSERT(StructureFlags & OverridesVisitChildren, OverridesVisitChildrenWithoutSettingFlag);
+    ASSERT(structure()->typeInfo().overridesVisitChildren());
     JSObject::visitChildren(visitor);
     if (m_internalValue)

trunk/Source/JavaScriptCore/runtime/NativeErrorConstructor.cpp

@@ -49 +49 @@
 void NativeErrorConstructor::visitChildren(SlotVisitor& visitor)
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
+    COMPILE_ASSERT(StructureFlags & OverridesVisitChildren, OverridesVisitChildrenWithoutSettingFlag);
+    ASSERT(structure()->typeInfo().overridesVisitChildren());
     InternalFunction::visitChildren(visitor);
     if (m_errorStructure)

trunk/Source/JavaScriptCore/runtime/PropertyMapHashTable.h

@@ -81 +81 @@
         , offset(offset)
         , attributes(attributes)
-        , specificValue(globalData, owner, specificValue)
+        , specificValue(globalData, owner, specificValue, WriteBarrier<JSCell>::MayBeNull)
     {
     }

trunk/Source/JavaScriptCore/runtime/RegExpObject.cpp

@@ -75 +75 @@
 void RegExpObject::visitChildren(SlotVisitor& visitor)
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
+    COMPILE_ASSERT(StructureFlags & OverridesVisitChildren, OverridesVisitChildrenWithoutSettingFlag);
+    ASSERT(structure()->typeInfo().overridesVisitChildren());
     Base::visitChildren(visitor);
     if (UNLIKELY(!d->lastIndex.get().isInt32()))

trunk/Source/JavaScriptCore/runtime/ScopeChain.cpp

@@ -70 +70 @@
 void ScopeChainNode::visitChildren(SlotVisitor& visitor)
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
+    COMPILE_ASSERT(StructureFlags & OverridesVisitChildren, OverridesVisitChildrenWithoutSettingFlag);
+    ASSERT(structure()->typeInfo().overridesVisitChildren());
     if (next)
         visitor.append(&next);

trunk/Source/JavaScriptCore/runtime/ScopeChain.h

@@ -40 +40 @@
             : JSCell(*globalData, globalData->scopeChainNodeStructure.get())
             , globalData(globalData)
-            , next(*globalData, this, next)
+            , next(*globalData, this, next, WriteBarrier<ScopeChainNode>::MayBeNull)
             , object(*globalData, this, object)
             , globalObject(*globalData, this, globalObject)
@@ -69 +69 @@
         static Structure* createStructure(JSGlobalData& globalData, JSValue proto) { return Structure::create(globalData, proto, TypeInfo(CompoundType, StructureFlags), AnonymousSlotCount, &s_info); }
         virtual void visitChildren(SlotVisitor&);
+        static JS_EXPORTDATA const ClassInfo s_info;
+
     private:
         static const unsigned StructureFlags = OverridesVisitChildren;
-        static const ClassInfo s_info;
     };
 

trunk/Source/JavaScriptCore/runtime/Structure.cpp

@@ -207 +207 @@
 
 Structure::Structure(JSGlobalData& globalData)
-    : JSCell(globalData, this)
+    : JSCell(globalData, this, CreatingEarlyCell)
     , m_typeInfo(CompoundType, OverridesVisitChildren)
     , m_prototype(globalData, this, jsNull())
@@ -359 +359 @@
     Structure* transition = create(globalData, structure);
 
-    transition->m_cachedPrototypeChain.set(globalData, transition, structure->m_cachedPrototypeChain.get());
+    transition->m_cachedPrototypeChain.setMayBeNull(globalData, transition, structure->m_cachedPrototypeChain.get());
     transition->m_previous.set(globalData, transition, structure);
     transition->m_nameInPrevious = propertyName.impl();
     transition->m_attributesInPrevious = attributes;
-    transition->m_specificValueInPrevious.set(globalData, transition, specificValue);
+    transition->m_specificValueInPrevious.setMayBeNull(globalData, transition, specificValue);
 
     if (structure->m_propertyTable) {
@@ -780 +780 @@
 void Structure::visitChildren(SlotVisitor& visitor)
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
+    ASSERT(structure()->typeInfo().overridesVisitChildren());
     JSCell::visitChildren(visitor);
     if (m_prototype)

trunk/Source/JavaScriptCore/runtime/Structure.h

@@ -161 +161 @@
             return new (&globalData) Structure(globalData);
         }
+        
+        static JS_EXPORTDATA const ClassInfo s_info;
 
     private:
@@ -173 +175 @@
         }
         
-        static JS_EXPORTDATA const ClassInfo s_info;
-
         typedef enum { 
             NoneDictionaryKind = 0,
@@ -279 +279 @@
     inline const ClassInfo* JSCell::classInfo() const
     {
+#if ENABLE(GC_VALIDATION)
+        return m_structure.unvalidatedGet()->classInfo();
+#else
         return m_structure->classInfo();
+#endif
     }
 

trunk/Source/JavaScriptCore/runtime/StructureChain.cpp

@@ -56 +56 @@
 void StructureChain::visitChildren(SlotVisitor& visitor)
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
+    ASSERT(structure()->typeInfo().overridesVisitChildren());
     size_t i = 0;
     while (m_vector[i])

trunk/Source/JavaScriptCore/runtime/StructureChain.h

@@ -48 +48 @@
 
         static Structure* createStructure(JSGlobalData& globalData, JSValue prototype) { return Structure::create(globalData, prototype, TypeInfo(CompoundType, OverridesVisitChildren), 0, &s_info); }
+        
+        static ClassInfo s_info;
 
     private:
@@ -53 +55 @@
         ~StructureChain();
         OwnArrayPtr<WriteBarrier<Structure> > m_vector;
-        static ClassInfo s_info;
     };
 

trunk/Source/JavaScriptCore/runtime/WriteBarrier.h

@@ -29 +29 @@
 #include "HandleTypes.h"
 #include "Heap.h"
+#include "TypeTraits.h"
 
 namespace JSC {
@@ -34 +35 @@
 class JSCell;
 class JSGlobalData;
+class JSGlobalObject;
 
 template<class T> class WriteBarrierBase;
 template<> class WriteBarrierBase<JSValue>;
 
+void slowValidateCell(JSCell*);
+void slowValidateCell(JSGlobalObject*);
+    
+#if ENABLE(GC_VALIDATION)
+template<class T> inline void validateCell(T cell)
+{
+    ASSERT_GC_OBJECT_INHERITS(cell, &WTF::RemovePointer<T>::Type::s_info);
+}
+
+template<> inline void validateCell<JSCell*>(JSCell* cell)
+{
+    slowValidateCell(cell);
+}
+
+template<> inline void validateCell<JSGlobalObject*>(JSGlobalObject* globalObject)
+{
+    slowValidateCell(globalObject);
+}
+#else
+template<class T> inline void validateCell(T)
+{
+}
+#endif
+
 // We have a separate base class with no constructors for use in Unions.
 template <typename T> class WriteBarrierBase {
 public:
-    void set(JSGlobalData&, const JSCell* owner, T* value)
+    void set(JSGlobalData& globalData, const JSCell* owner, T* value)
+    {
+        ASSERT(value);
+        validateCell(value);
+        setEarlyValue(globalData, owner, value);
+    }
+
+    void setMayBeNull(JSGlobalData& globalData, const JSCell* owner, T* value)
+    {
+        if (value)
+            validateCell(value);
+        setEarlyValue(globalData, owner, value);
+    }
+
+    // Should only be used by JSCell during early initialisation
+    // when some basic types aren't yet completely instantiated
+    void setEarlyValue(JSGlobalData&, const JSCell* owner, T* value)
     {
         this->m_cell = reinterpret_cast<JSCell*>(value);
@@ -53 +95 @@
     T* get() const
     {
+        if (m_cell)
+            validateCell(m_cell);
         return reinterpret_cast<T*>(m_cell);
     }
@@ -62 +106 @@
         ASSERT(!isZombie(m_cell));
 #endif
+        validateCell<T>(static_cast<T*>(m_cell));
         return static_cast<T*>(m_cell);
     }
@@ -68 +113 @@
     {
         ASSERT(m_cell);
+        validateCell(static_cast<T*>(m_cell));
         return static_cast<T*>(m_cell);
     }
@@ -87 +133 @@
 #endif
     }
+
+#if ENABLE(GC_VALIDATION)
+    T* unvalidatedGet() const { return reinterpret_cast<T*>(m_cell); }
+#endif
 
 private:
@@ -152 +202 @@
         this->set(globalData, owner, value);
     }
+
+    enum MayBeNullTag { MayBeNull };
+    WriteBarrier(JSGlobalData& globalData, const JSCell* owner, T* value, MayBeNullTag)
+    {
+        this->setMayBeNull(globalData, owner, value);
+    }
 };
 

trunk/Source/JavaScriptCore/wtf/Assertions.h

@@ -380 +380 @@
 #endif
 
+#if ENABLE(GC_VALIDATION)
+#define ASSERT_GC_OBJECT_LOOKS_VALID(cell) do { \
+    if (!(cell))\
+        CRASH();\
+    if (cell->unvalidatedStructure()->unvalidatedStructure() != cell->unvalidatedStructure()->unvalidatedStructure()->unvalidatedStructure())\
+        CRASH();\
+} while (0)
+
+#define ASSERT_GC_OBJECT_INHERITS(object, classInfo) do {\
+    ASSERT_GC_OBJECT_LOOKS_VALID(object); \
+    if (!object->inherits(classInfo)) \
+        CRASH();\
+} while (0)
+
+#else
+#define ASSERT_GC_OBJECT_LOOKS_VALID(cell) do { (void)cell; } while (0)
+#define ASSERT_GC_OBJECT_INHERITS(object, classInfo) do { (void)object; (void)classInfo; } while (0)
+#endif
+
 #endif /* WTF_Assertions_h */

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2011-05-13  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Geoffrey Garen.
+
+        Make GC validation more aggressive
+        https://bugs.webkit.org/show_bug.cgi?id=60802
+
+        This makes GC_VALIDATION much more aggressive in webcore,
+        adding logic to every visitChildren method to ensure that
+        the structure still has correct flags.
+
+        Additionally every function generated for the dom bindings
+        makes use of the new GC_VALIDATION object assertions to further
+        ensure that the object appears to be sensible.
+
+        * bindings/js/JSAttrCustom.cpp:
+        (WebCore::JSAttr::visitChildren):
+        * bindings/js/JSAudioContextCustom.cpp:
+        (WebCore::JSAudioContext::visitChildren):
+        * bindings/js/JSCSSRuleCustom.cpp:
+        (WebCore::JSCSSRule::visitChildren):
+        * bindings/js/JSCSSStyleDeclarationCustom.cpp:
+        (WebCore::JSCSSStyleDeclaration::visitChildren):
+        * bindings/js/JSCanvasRenderingContextCustom.cpp:
+        (WebCore::JSCanvasRenderingContext::visitChildren):
+        * bindings/js/JSDOMGlobalObject.cpp:
+        (WebCore::JSDOMGlobalObject::visitChildren):
+        (WebCore::JSDOMGlobalObject::setInjectedScript):
+        * bindings/js/JSDOMWindowCustom.cpp:
+        (WebCore::JSDOMWindow::visitChildren):
+        * bindings/js/JSDOMWindowShell.cpp:
+        (WebCore::JSDOMWindowShell::visitChildren):
+        * bindings/js/JSEventListener.cpp:
+        (WebCore::JSEventListener::JSEventListener):
+        * bindings/js/JSEventListener.h:
+        (WebCore::JSEventListener::jsFunction):
+        * bindings/js/JSJavaScriptAudioNodeCustom.cpp:
+        (WebCore::JSJavaScriptAudioNode::visitChildren):
+        * bindings/js/JSMessageChannelCustom.cpp:
+        (WebCore::JSMessageChannel::visitChildren):
+        * bindings/js/JSMessagePortCustom.cpp:
+        (WebCore::JSMessagePort::visitChildren):
+        * bindings/js/JSNamedNodeMapCustom.cpp:
+        (WebCore::JSNamedNodeMap::visitChildren):
+        * bindings/js/JSNodeCustom.cpp:
+        (WebCore::JSNode::visitChildren):
+        * bindings/js/JSNodeFilterCustom.cpp:
+        (WebCore::JSNodeFilter::visitChildren):
+        * bindings/js/JSNodeIteratorCustom.cpp:
+        (WebCore::JSNodeIterator::visitChildren):
+        * bindings/js/JSSVGElementInstanceCustom.cpp:
+        (WebCore::JSSVGElementInstance::visitChildren):
+        * bindings/js/JSSharedWorkerCustom.cpp:
+        (WebCore::JSSharedWorker::visitChildren):
+        * bindings/js/JSStyleSheetCustom.cpp:
+        (WebCore::JSStyleSheet::visitChildren):
+        * bindings/js/JSTreeWalkerCustom.cpp:
+        (WebCore::JSTreeWalker::visitChildren):
+        * bindings/js/JSWebGLRenderingContextCustom.cpp:
+        (WebCore::JSWebGLRenderingContext::visitChildren):
+        * bindings/js/JSWorkerContextCustom.cpp:
+        (WebCore::JSWorkerContext::visitChildren):
+        * bindings/js/JSXMLHttpRequestCustom.cpp:
+        (WebCore::JSXMLHttpRequest::visitChildren):
+        * bindings/js/JSXPathResultCustom.cpp:
+        (WebCore::JSXPathResult::visitChildren):
+        * bindings/scripts/CodeGeneratorJS.pm:
+
+2011-05-13  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Geoffrey Garen.
+
+        Make GC validation more aggressive
+        https://bugs.webkit.org/show_bug.cgi?id=60802
+
+        This makes GC_VALIDATION much more aggressive in webcore,
+        adding logic to every visitChildren method to ensure that
+        the structure still has correct flags.
+
+        Additionally every function generated for the dom bindings
+        makes use of the new GC_VALIDATION object assertions to further
+        ensure that the object appears to be sensible.
+
+        * bindings/js/JSAttrCustom.cpp:
+        (WebCore::JSAttr::visitChildren):
+        * bindings/js/JSAudioContextCustom.cpp:
+        (WebCore::JSAudioContext::visitChildren):
+        * bindings/js/JSCSSRuleCustom.cpp:
+        (WebCore::JSCSSRule::visitChildren):
+        * bindings/js/JSCSSStyleDeclarationCustom.cpp:
+        (WebCore::JSCSSStyleDeclaration::visitChildren):
+        * bindings/js/JSCanvasRenderingContextCustom.cpp:
+        (WebCore::JSCanvasRenderingContext::visitChildren):
+        * bindings/js/JSDOMGlobalObject.cpp:
+        (WebCore::JSDOMGlobalObject::visitChildren):
+        (WebCore::JSDOMGlobalObject::setInjectedScript):
+        * bindings/js/JSDOMWindowCustom.cpp:
+        (WebCore::JSDOMWindow::visitChildren):
+        * bindings/js/JSDOMWindowShell.cpp:
+        (WebCore::JSDOMWindowShell::visitChildren):
+        * bindings/js/JSEventListener.cpp:
+        (WebCore::JSEventListener::JSEventListener):
+        * bindings/js/JSEventListener.h:
+        (WebCore::JSEventListener::jsFunction):
+        * bindings/js/JSJavaScriptAudioNodeCustom.cpp:
+        (WebCore::JSJavaScriptAudioNode::visitChildren):
+        * bindings/js/JSMessageChannelCustom.cpp:
+        (WebCore::JSMessageChannel::visitChildren):
+        * bindings/js/JSMessagePortCustom.cpp:
+        (WebCore::JSMessagePort::visitChildren):
+        * bindings/js/JSNamedNodeMapCustom.cpp:
+        (WebCore::JSNamedNodeMap::visitChildren):
+        * bindings/js/JSNodeCustom.cpp:
+        (WebCore::JSNode::visitChildren):
+        * bindings/js/JSNodeFilterCustom.cpp:
+        (WebCore::JSNodeFilter::visitChildren):
+        * bindings/js/JSNodeIteratorCustom.cpp:
+        (WebCore::JSNodeIterator::visitChildren):
+        * bindings/js/JSSVGElementInstanceCustom.cpp:
+        (WebCore::JSSVGElementInstance::visitChildren):
+        * bindings/js/JSSharedWorkerCustom.cpp:
+        (WebCore::JSSharedWorker::visitChildren):
+        * bindings/js/JSStyleSheetCustom.cpp:
+        (WebCore::JSStyleSheet::visitChildren):
+        * bindings/js/JSTreeWalkerCustom.cpp:
+        (WebCore::JSTreeWalker::visitChildren):
+        * bindings/js/JSWebGLRenderingContextCustom.cpp:
+        (WebCore::JSWebGLRenderingContext::visitChildren):
+        * bindings/js/JSWorkerContextCustom.cpp:
+        (WebCore::JSWorkerContext::visitChildren):
+        * bindings/js/JSXMLHttpRequestCustom.cpp:
+        (WebCore::JSXMLHttpRequest::visitChildren):
+        * bindings/js/JSXPathResultCustom.cpp:
+        (WebCore::JSXPathResult::visitChildren):
+        * bindings/scripts/CodeGeneratorJS.pm:
+
 2011-05-14  Oliver Hunt  <oliver@apple.com>
 

trunk/Source/WebCore/bindings/js/JSAttrCustom.cpp

@@ -42 +42 @@
 void JSAttr::visitChildren(SlotVisitor& visitor)
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
+    COMPILE_ASSERT(StructureFlags & OverridesVisitChildren, OverridesVisitChildrenWithoutSettingFlag);
+    ASSERT(structure()->typeInfo().overridesVisitChildren());
     Base::visitChildren(visitor);
 

trunk/Source/WebCore/bindings/js/JSAudioContextCustom.cpp

@@ -42 +42 @@
 void JSAudioContext::visitChildren(SlotVisitor& visitor)
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
+    COMPILE_ASSERT(StructureFlags & OverridesVisitChildren, OverridesVisitChildrenWithoutSettingFlag);
+    ASSERT(structure()->typeInfo().overridesVisitChildren());
     Base::visitChildren(visitor);
     m_impl->visitJSEventListeners(visitor);

trunk/Source/WebCore/bindings/js/JSCSSRuleCustom.cpp

@@ -51 +51 @@
 void JSCSSRule::visitChildren(SlotVisitor& visitor)
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
+    COMPILE_ASSERT(StructureFlags & OverridesVisitChildren, OverridesVisitChildrenWithoutSettingFlag);
+    ASSERT(structure()->typeInfo().overridesVisitChildren());
     Base::visitChildren(visitor);
     visitor.addOpaqueRoot(root(impl()));

trunk/Source/WebCore/bindings/js/JSCSSStyleDeclarationCustom.cpp

@@ -47 +47 @@
 void JSCSSStyleDeclaration::visitChildren(SlotVisitor& visitor)
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
+    COMPILE_ASSERT(StructureFlags & OverridesVisitChildren, OverridesVisitChildrenWithoutSettingFlag);
+    ASSERT(structure()->typeInfo().overridesVisitChildren());
     Base::visitChildren(visitor);
     visitor.addOpaqueRoot(root(impl()));

trunk/Source/WebCore/bindings/js/JSCanvasRenderingContextCustom.cpp

@@ -42 +42 @@
 void JSCanvasRenderingContext::visitChildren(SlotVisitor& visitor)
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
+    COMPILE_ASSERT(StructureFlags & OverridesVisitChildren, OverridesVisitChildrenWithoutSettingFlag);
+    ASSERT(structure()->typeInfo().overridesVisitChildren());
     Base::visitChildren(visitor);
 

trunk/Source/WebCore/bindings/js/JSDOMGlobalObject.cpp

@@ -53 +53 @@
 void JSDOMGlobalObject::visitChildren(SlotVisitor& visitor)
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
+    COMPILE_ASSERT(StructureFlags & OverridesVisitChildren, OverridesVisitChildrenWithoutSettingFlag);
+    ASSERT(structure()->typeInfo().overridesVisitChildren());
     Base::visitChildren(visitor);
 
@@ -79 +82 @@
 void JSDOMGlobalObject::setInjectedScript(JSObject* injectedScript)
 {
-    m_injectedScript.set(globalData(), this, injectedScript);
+    m_injectedScript.setMayBeNull(globalData(), this, injectedScript);
 }
 

trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp

@@ -75 +75 @@
 void JSDOMWindow::visitChildren(SlotVisitor& visitor)
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
+    COMPILE_ASSERT(StructureFlags & OverridesVisitChildren, OverridesVisitChildrenWithoutSettingFlag);
+    ASSERT(structure()->typeInfo().overridesVisitChildren());
     Base::visitChildren(visitor);
 

trunk/Source/WebCore/bindings/js/JSDOMWindowShell.cpp

@@ -76 +76 @@
 void JSDOMWindowShell::visitChildren(SlotVisitor& visitor)
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
+    COMPILE_ASSERT(StructureFlags & OverridesVisitChildren, OverridesVisitChildrenWithoutSettingFlag);
+    ASSERT(structure()->typeInfo().overridesVisitChildren());
     Base::visitChildren(visitor);
     if (m_window)

trunk/Source/WebCore/bindings/js/JSEventListener.cpp

@@ -41 +41 @@
 {
     if (wrapper)
-        m_jsFunction.set(*m_isolatedWorld->globalData(), wrapper, function);
+        m_jsFunction.setMayBeNull(*m_isolatedWorld->globalData(), wrapper, function);
     else
         ASSERT(!function);

trunk/Source/WebCore/bindings/js/JSEventListener.h

@@ -76 +76 @@
     {
         if (!m_jsFunction)
-            m_jsFunction.set(*scriptExecutionContext->globalData(), m_wrapper.get(), initializeJSFunction(scriptExecutionContext));
+            m_jsFunction.setMayBeNull(*scriptExecutionContext->globalData(), m_wrapper.get(), initializeJSFunction(scriptExecutionContext));
 
         // Verify that we have a valid wrapper protecting our function from

trunk/Source/WebCore/bindings/js/JSJavaScriptAudioNodeCustom.cpp

@@ -37 +37 @@
 void JSJavaScriptAudioNode::visitChildren(SlotVisitor& visitor)
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
+    COMPILE_ASSERT(StructureFlags & OverridesVisitChildren, OverridesVisitChildrenWithoutSettingFlag);
+    ASSERT(structure()->typeInfo().overridesVisitChildren());
     Base::visitChildren(visitor);
     static_cast<JavaScriptAudioNode*>(impl())->visitJSEventListeners(visitor);

trunk/Source/WebCore/bindings/js/JSMessageChannelCustom.cpp

@@ -36 +36 @@
 void JSMessageChannel::visitChildren(SlotVisitor& visitor)
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
+    COMPILE_ASSERT(StructureFlags & OverridesVisitChildren, OverridesVisitChildrenWithoutSettingFlag);
+    ASSERT(structure()->typeInfo().overridesVisitChildren());
     Base::visitChildren(visitor);
 

trunk/Source/WebCore/bindings/js/JSMessagePortCustom.cpp

@@ -44 +44 @@
 void JSMessagePort::visitChildren(SlotVisitor& visitor)
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
+    COMPILE_ASSERT(StructureFlags & OverridesVisitChildren, OverridesVisitChildrenWithoutSettingFlag);
+    ASSERT(structure()->typeInfo().overridesVisitChildren());
     Base::visitChildren(visitor);
 

trunk/Source/WebCore/bindings/js/JSNamedNodeMapCustom.cpp

@@ -49 +49 @@
 void JSNamedNodeMap::visitChildren(SlotVisitor& visitor)
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
+    COMPILE_ASSERT(StructureFlags & OverridesVisitChildren, OverridesVisitChildrenWithoutSettingFlag);
+    ASSERT(structure()->typeInfo().overridesVisitChildren());
     Base::visitChildren(visitor);
 

trunk/Source/WebCore/bindings/js/JSNodeCustom.cpp

@@ -195 +195 @@
 void JSNode::visitChildren(SlotVisitor& visitor)
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
+    COMPILE_ASSERT(StructureFlags & OverridesVisitChildren, OverridesVisitChildrenWithoutSettingFlag);
+    ASSERT(structure()->typeInfo().overridesVisitChildren());
     Base::visitChildren(visitor);
 

trunk/Source/WebCore/bindings/js/JSNodeFilterCustom.cpp

@@ -39 +39 @@
 void JSNodeFilter::visitChildren(SlotVisitor& visitor)
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
+    COMPILE_ASSERT(StructureFlags & OverridesVisitChildren, OverridesVisitChildrenWithoutSettingFlag);
+    ASSERT(structure()->typeInfo().overridesVisitChildren());
     Base::visitChildren(visitor);
     visitor.addOpaqueRoot(impl());

trunk/Source/WebCore/bindings/js/JSNodeIteratorCustom.cpp

@@ -32 +32 @@
 void JSNodeIterator::visitChildren(SlotVisitor& visitor)
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
+    COMPILE_ASSERT(StructureFlags & OverridesVisitChildren, OverridesVisitChildrenWithoutSettingFlag);
+    ASSERT(structure()->typeInfo().overridesVisitChildren());
     Base::visitChildren(visitor);
 

trunk/Source/WebCore/bindings/js/JSSVGElementInstanceCustom.cpp

@@ -36 +36 @@
 void JSSVGElementInstance::visitChildren(JSC::SlotVisitor& visitor)
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
+    COMPILE_ASSERT(StructureFlags & JSC::OverridesVisitChildren, OverridesVisitChildrenWithoutSettingFlag);
+    ASSERT(structure()->typeInfo().overridesVisitChildren());
     Base::visitChildren(visitor);
     visitor.addOpaqueRoot(root(impl()->correspondingElement()));

trunk/Source/WebCore/bindings/js/JSSharedWorkerCustom.cpp

@@ -46 +46 @@
 void JSSharedWorker::visitChildren(SlotVisitor& visitor)
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
+    COMPILE_ASSERT(StructureFlags & OverridesVisitChildren, OverridesVisitChildrenWithoutSettingFlag);
+    ASSERT(structure()->typeInfo().overridesVisitChildren());
     Base::visitChildren(visitor);
 

trunk/Source/WebCore/bindings/js/JSStyleSheetCustom.cpp

@@ -38 +38 @@
 void JSStyleSheet::visitChildren(SlotVisitor& visitor)
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
+    COMPILE_ASSERT(StructureFlags & OverridesVisitChildren, OverridesVisitChildrenWithoutSettingFlag);
+    ASSERT(structure()->typeInfo().overridesVisitChildren());
     Base::visitChildren(visitor);
     visitor.addOpaqueRoot(root(impl()));

trunk/Source/WebCore/bindings/js/JSTreeWalkerCustom.cpp

@@ -32 +32 @@
 void JSTreeWalker::visitChildren(SlotVisitor& visitor)
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
+    COMPILE_ASSERT(StructureFlags & OverridesVisitChildren, OverridesVisitChildrenWithoutSettingFlag);
+    ASSERT(structure()->typeInfo().overridesVisitChildren());
     Base::visitChildren(visitor);
 

trunk/Source/WebCore/bindings/js/JSWebGLRenderingContextCustom.cpp

@@ -195 +195 @@
 void JSWebGLRenderingContext::visitChildren(SlotVisitor& visitor)
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
+    COMPILE_ASSERT(StructureFlags & OverridesVisitChildren, OverridesVisitChildrenWithoutSettingFlag);
+    ASSERT(structure()->typeInfo().overridesVisitChildren());
     Base::visitChildren(visitor);
     visitor.addOpaqueRoot(impl());

trunk/Source/WebCore/bindings/js/JSWorkerContextCustom.cpp

@@ -56 +56 @@
 void JSWorkerContext::visitChildren(SlotVisitor& visitor)
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
+    COMPILE_ASSERT(StructureFlags & OverridesVisitChildren, OverridesVisitChildrenWithoutSettingFlag);
+    ASSERT(structure()->typeInfo().overridesVisitChildren());
     Base::visitChildren(visitor);
 

trunk/Source/WebCore/bindings/js/JSXMLHttpRequestCustom.cpp

@@ -57 +57 @@
 void JSXMLHttpRequest::visitChildren(SlotVisitor& visitor)
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
+    COMPILE_ASSERT(StructureFlags & OverridesVisitChildren, OverridesVisitChildrenWithoutSettingFlag);
+    ASSERT(structure()->typeInfo().overridesVisitChildren());
     Base::visitChildren(visitor);
 

trunk/Source/WebCore/bindings/js/JSXPathResultCustom.cpp

@@ -39 +39 @@
 void JSXPathResult::visitChildren(SlotVisitor& visitor)
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
+    COMPILE_ASSERT(StructureFlags & OverridesVisitChildren, OverridesVisitChildrenWithoutSettingFlag);
+    ASSERT(structure()->typeInfo().overridesVisitChildren());
     Base::visitChildren(visitor);
 

trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm

@@ -908 +908 @@
         push(@headerContent, "ALWAYS_INLINE bool ${className}::getOwnPropertySlot(JSC::ExecState* exec, const JSC::Identifier& propertyName, JSC::PropertySlot& slot)\n");
         push(@headerContent, "{\n");
+        push(@headerContent, "    ASSERT_GC_OBJECT_INHERITS(this, &s_info);\n");
         push(@headerContent, GenerateGetOwnPropertySlotBody($dataNode, $interfaceName, $className, $implClassName, $numAttributes > 0, 1));
         push(@headerContent, "}\n\n");
         push(@headerContent, "ALWAYS_INLINE bool ${className}::getOwnPropertyDescriptor(JSC::ExecState* exec, const JSC::Identifier& propertyName, JSC::PropertyDescriptor& descriptor)\n");
         push(@headerContent, "{\n");
+        push(@headerContent, "    ASSERT_GC_OBJECT_INHERITS(this, &s_info);\n");
         push(@headerContent, GenerateGetOwnPropertyDescriptorBody($dataNode, $interfaceName, $className, $implClassName, $numAttributes > 0, 1));
         push(@headerContent, "}\n\n");
@@ -1453 +1455 @@
         push(@implContent, "void ${className}::visitChildren(SlotVisitor& visitor)\n");
         push(@implContent, "{\n");
+        push(@implContent, "    ASSERT_GC_OBJECT_INHERITS(this, &s_info);\n");
+        push(@implContent, "    COMPILE_ASSERT(StructureFlags & OverridesVisitChildren, OverridesVisitChildrenWithoutSettingFlag);\n");
+        push(@implContent, "    ASSERT(structure()->typeInfo().overridesVisitChildren());\n");
         push(@implContent, "    Base::visitChildren(visitor);\n");
         push(@implContent, "    impl()->visitJSEventListeners(visitor);\n");
@@ -1485 +1490 @@
             push(@implContent, "bool ${className}::getOwnPropertySlot(ExecState* exec, const Identifier& propertyName, PropertySlot& slot)\n");
             push(@implContent, "{\n");
+            push(@implContent, "    ASSERT_GC_OBJECT_INHERITS(this, &s_info);\n");
             push(@implContent, GenerateGetOwnPropertySlotBody($dataNode, $interfaceName, $className, $implClassName, $numAttributes > 0, 0));
             push(@implContent, "}\n\n");
             push(@implContent, "bool ${className}::getOwnPropertyDescriptor(ExecState* exec, const Identifier& propertyName, PropertyDescriptor& descriptor)\n");
             push(@implContent, "{\n");
+            push(@implContent, "    ASSERT_GC_OBJECT_INHERITS(this, &s_info);\n");
             push(@implContent, GenerateGetOwnPropertyDescriptorBody($dataNode, $interfaceName, $className, $implClassName, $numAttributes > 0, 0));
             push(@implContent, "}\n\n");
@@ -1497 +1504 @@
             push(@implContent, "bool ${className}::getOwnPropertySlot(ExecState* exec, unsigned propertyName, PropertySlot& slot)\n");
             push(@implContent, "{\n");
+            push(@implContent, "    ASSERT_GC_OBJECT_INHERITS(this, &s_info);\n");
             push(@implContent, "    if (propertyName < static_cast<$implClassName*>(impl())->length()) {\n");
             if ($dataNode->extendedAttributes->{"HasCustomIndexGetter"} || $dataNode->extendedAttributes->{"HasNumericIndexGetter"}) {
@@ -1648 +1656 @@
                 push(@implContent, "void ${className}::put(ExecState* exec, const Identifier& propertyName, JSValue value, PutPropertySlot& slot)\n");
                 push(@implContent, "{\n");
+                push(@implContent, "    ASSERT_GC_OBJECT_INHERITS(this, &s_info);\n");
                 if ($dataNode->extendedAttributes->{"HasCustomIndexSetter"}) {
                     push(@implContent, "    bool ok;\n");
@@ -1672 +1681 @@
                 push(@implContent, "void ${className}::put(ExecState* exec, unsigned propertyName, JSValue value)\n");
                 push(@implContent, "{\n");
+                push(@implContent, "    ASSERT_GC_OBJECT_INHERITS(this, &s_info);\n");
                 push(@implContent, "    indexSetter(exec, propertyName, value);\n");
                 push(@implContent, "    return;\n");
@@ -1826 +1836 @@
         push(@implContent, "void ${className}::getOwnPropertyNames(ExecState* exec, PropertyNameArray& propertyNames, EnumerationMode mode)\n");
         push(@implContent, "{\n");
+        push(@implContent, "    ASSERT_GC_OBJECT_INHERITS(this, &s_info);\n");
         if ($dataNode->extendedAttributes->{"HasIndexGetter"} || $dataNode->extendedAttributes->{"HasCustomIndexGetter"} || $dataNode->extendedAttributes->{"HasNumericIndexGetter"}) {
             push(@implContent, "    for (unsigned i = 0; i < static_cast<${implClassName}*>(impl())->length(); ++i)\n");
@@ -1876 +1887 @@
                 push(@implContent, "    $className* castedThis = static_cast<$className*>(asObject(thisValue));\n");
             }
+            push(@implContent, "    ASSERT_GC_OBJECT_INHERITS(castedThis, &${className}::s_info);\n");
 
             if ($dataNode->extendedAttributes->{"CheckDomainSecurity"} && 
@@ -2107 +2119 @@
         push(@implContent, "{\n");
         push(@implContent, "    ${className}* thisObj = static_cast<$className*>(asObject(slotBase));\n");
+        push(@implContent, "    ASSERT_GC_OBJECT_INHERITS(thisObj, &s_info);\n");
         if (IndexGetterReturnsStrings($implClassName)) {
             $implIncludes{"KURL.h"} = 1;
@@ -2123 +2136 @@
         push(@implContent, "\nJSValue ${className}::getByIndex(ExecState*, unsigned index)\n");
         push(@implContent, "{\n");
+        push(@implContent, "    ASSERT_GC_OBJECT_INHERITS(this, &s_info);\n");
         push(@implContent, "    return jsNumber(static_cast<$implClassName*>(impl())->item(index));\n");
         push(@implContent, "}\n\n");

trunk/Source/WebKit2/ChangeLog

@@ +1 @@
+2011-05-13  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Geoffrey Garen.
+
+        Make GC validation more aggressive
+        https://bugs.webkit.org/show_bug.cgi?id=60802
+
+        Add GC_VALIDATION calls to all the JSNPObject methods.
+
+        * WebProcess/Plugins/Netscape/JSNPObject.cpp:
+        (WebKit::JSNPObject::invalidate):
+        (WebKit::JSNPObject::callMethod):
+        (WebKit::JSNPObject::callObject):
+        (WebKit::JSNPObject::callConstructor):
+        (WebKit::JSNPObject::getCallData):
+        (WebKit::JSNPObject::getConstructData):
+        (WebKit::JSNPObject::getOwnPropertySlot):
+        (WebKit::JSNPObject::getOwnPropertyDescriptor):
+        (WebKit::JSNPObject::put):
+        (WebKit::JSNPObject::getOwnPropertyNames):
+        (WebKit::JSNPObject::propertyGetter):
+        (WebKit::JSNPObject::methodGetter):
+
+2011-05-13  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Geoffrey Garen.
+
+        Make GC validation more aggressive
+        https://bugs.webkit.org/show_bug.cgi?id=60802
+
+        Add GC_VALIDATION calls to all the JSNPObject methods.
+
+        * WebProcess/Plugins/Netscape/JSNPObject.cpp:
+        (WebKit::JSNPObject::invalidate):
+        (WebKit::JSNPObject::callMethod):
+        (WebKit::JSNPObject::callObject):
+        (WebKit::JSNPObject::callConstructor):
+        (WebKit::JSNPObject::getCallData):
+        (WebKit::JSNPObject::getConstructData):
+        (WebKit::JSNPObject::getOwnPropertySlot):
+        (WebKit::JSNPObject::getOwnPropertyDescriptor):
+        (WebKit::JSNPObject::put):
+        (WebKit::JSNPObject::getOwnPropertyNames):
+        (WebKit::JSNPObject::propertyGetter):
+        (WebKit::JSNPObject::methodGetter):
+
 2011-05-14  Alexey Proskuryakov  <ap@apple.com>
 

trunk/Source/WebKit2/WebProcess/Plugins/Netscape/JSNPObject.cpp

@@ -73 +73 @@
 {
     ASSERT(m_npObject);
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
 
     releaseNPObject(m_npObject);
@@ -80 +81 @@
 JSValue JSNPObject::callMethod(ExecState* exec, NPIdentifier methodName)
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
     if (!m_npObject)
         return throwInvalidAccessError(exec);
@@ -119 +121 @@
 JSC::JSValue JSNPObject::callObject(JSC::ExecState* exec)
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
     if (!m_npObject)
         return throwInvalidAccessError(exec);
@@ -158 +161 @@
 JSValue JSNPObject::callConstructor(ExecState* exec)
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
     if (!m_npObject)
         return throwInvalidAccessError(exec);
@@ -201 +205 @@
 JSC::CallType JSNPObject::getCallData(JSC::CallData& callData)
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
     if (!m_npObject || !m_npObject->_class->invokeDefault)
         return CallTypeNone;
@@ -218 +223 @@
 ConstructType JSNPObject::getConstructData(ConstructData& constructData)
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
     if (!m_npObject || !m_npObject->_class->construct)
         return ConstructTypeNone;
@@ -227 +233 @@
 bool JSNPObject::getOwnPropertySlot(ExecState* exec, const Identifier& propertyName, PropertySlot& slot)
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
     if (!m_npObject) {
         throwInvalidAccessError(exec);
@@ -251 +258 @@
 bool JSNPObject::getOwnPropertyDescriptor(ExecState* exec, const Identifier& propertyName, PropertyDescriptor& descriptor)
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
     if (!m_npObject) {
         throwInvalidAccessError(exec);
@@ -279 +287 @@
 void JSNPObject::put(ExecState* exec, const Identifier& propertyName, JSValue value, PutPropertySlot&)
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
     if (!m_npObject) {
         throwInvalidAccessError(exec);
@@ -316 +325 @@
 void JSNPObject::getOwnPropertyNames(ExecState* exec, PropertyNameArray& propertyNameArray, EnumerationMode mode)
 {
+    ASSERT_GC_OBJECT_INHERITS(this, &s_info);
     if (!m_npObject) {
         throwInvalidAccessError(exec);
@@ -363 +373 @@
 {
     JSNPObject* thisObj = static_cast<JSNPObject*>(asObject(slotBase));
-
+    ASSERT_GC_OBJECT_INHERITS(thisObj, &s_info);
+    
     if (!thisObj->m_npObject)
         return throwInvalidAccessError(exec);
@@ -398 +409 @@
 {
     JSNPObject* thisObj = static_cast<JSNPObject*>(asObject(slotBase));
+    ASSERT_GC_OBJECT_INHERITS(thisObj, &s_info);
     
     if (!thisObj->m_npObject)