Changeset 86785 in webkit


Timestamp:
May 18, 2011 1:41:54 PM (13 years ago)
Author:
oliver@apple.com
Message:

2011-05-18 Oliver Hunt <oliver@apple.com>

Reviewed by Sam Weinig.

JSGlobalObject and some others do GC allocation during initialization, which can cause heap corruption
https://bugs.webkit.org/show_bug.cgi?id=61090

Remove the Structure-free JSGlobalObject constructor and instead always
pass the structure into the JSGlobalObject constructor.
Stop DebuggerActivation creating a new structure every time, and simply
use a single shared structure held by the GlobalData.

  • API/JSContextRef.cpp:
  • debugger/DebuggerActivation.cpp: (JSC::DebuggerActivation::DebuggerActivation):
  • jsc.cpp: (GlobalObject::GlobalObject): (functionRun): (jscmain):
  • runtime/JSGlobalData.cpp: (JSC::JSGlobalData::JSGlobalData): (JSC::JSGlobalData::clearBuiltinStructures):
  • runtime/JSGlobalData.h:
  • runtime/JSGlobalObject.h:

2011-05-18 Oliver Hunt <oliver@apple.com>

Reviewed by Sam Weinig.

JSGlobalObject and some others do GC allocation during initialization, which can cause heap corruption
https://bugs.webkit.org/show_bug.cgi?id=61090

Rather than having Constructor objects create their structure
as part of initialisation, we now pass their expected structure
in as an argument. This required fixing the few custom Constructors
and the code generator.

  • bindings/js/JSAudioConstructor.cpp: (WebCore::JSAudioConstructor::JSAudioConstructor):
  • bindings/js/JSAudioConstructor.h:
  • bindings/js/JSDOMGlobalObject.h: (WebCore::getDOMConstructor): Pass the Constructor objects structure in as an argument
  • bindings/js/JSImageConstructor.cpp: (WebCore::JSImageConstructor::JSImageConstructor):
  • bindings/js/JSImageConstructor.h:
  • bindings/js/JSOptionConstructor.cpp: (WebCore::JSOptionConstructor::JSOptionConstructor):
  • bindings/js/JSOptionConstructor.h:
  • bindings/scripts/CodeGeneratorJS.pm:
Location:
trunk/Source
Files:
16 edited

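--- a/trunk/Source/JavaScriptCore/API/JSContextRef.cpp
+++ b/trunk/Source/JavaScriptCore/API/JSContextRef.cpp
@@ -94,5 +94,5 @@
 
     if (!globalObjectClass) {
-        JSGlobalObject* globalObject = new (globalData.get()) JSGlobalObject(*globalData);
+        JSGlobalObject* globalObject = new (globalData.get()) JSGlobalObject(*globalData, JSGlobalObject::createStructure(*globalData, jsNull()));
         return JSGlobalContextRetain(toGlobalRef(globalObject->globalExec()));
     }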
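Review bot: The new line 96 still evaluates `JSGlobalObject::createStructure(*globalData, jsNull())` inside the placement-new expression, and C++ does not guarantee that this argument is evaluated before the allocation function runs (the order is unspecified before C++17, and C++17 sequences the allocation first), so a compiler may obtain the JSGlobalObject cell from the heap and only then perform the Structure allocation that can trigger a collection — the very window this change is meant to close, if the collector can observe a freshly allocated but unconstructed cell. Hoisting the structure into a local removes the dependency on evaluation order: `Structure* structure = JSGlobalObject::createStructure(*globalData, jsNull());` followed by `JSGlobalObject* globalObject = new (globalData.get()) JSGlobalObject(*globalData, structure);`. The same pattern appears in jsc.cpp at functionRun (line 215) and jscmain (line 540) and in JSDOMGlobalObject.h getDOMConstructor (line 91). Whether a local alone keeps the new Structure alive across the allocation depends on the collector scanning the native stack, which is not visible here. The enclosing function begins outside the hunk.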
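--- a/trunk/Source/JavaScriptCore/ChangeLog
+++ b/trunk/Source/JavaScriptCore/ChangeLog
@@ -1,2 +1,27 @@
+2011-05-18  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Sam Weinig.
+
+        JSGlobalObject and some others do GC allocation during initialization, which can cause heap corruption
+        https://bugs.webkit.org/show_bug.cgi?id=61090
+
+        Remove the Structure-free JSGlobalObject constructor and instead always
+        pass the structure into the JSGlobalObject constructor.
+        Stop DebuggerActivation creating a new structure every time, and simply
+        use a single shared structure held by the GlobalData.
+
+        * API/JSContextRef.cpp:
+        * debugger/DebuggerActivation.cpp:
+        (JSC::DebuggerActivation::DebuggerActivation):
+        * jsc.cpp:
+        (GlobalObject::GlobalObject):
+        (functionRun):
+        (jscmain):
+        * runtime/JSGlobalData.cpp:
+        (JSC::JSGlobalData::JSGlobalData):
+        (JSC::JSGlobalData::clearBuiltinStructures):
+        * runtime/JSGlobalData.h:
+        * runtime/JSGlobalObject.h:
+
 2011-05-18  Oliver Hunt  <oliver@apple.com>
 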
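--- a/trunk/Source/JavaScriptCore/debugger/DebuggerActivation.cpp
+++ b/trunk/Source/JavaScriptCore/debugger/DebuggerActivation.cpp
@@ -32,5 +32,5 @@
 
 DebuggerActivation::DebuggerActivation(JSGlobalData& globalData, JSObject* activation)
-    : JSNonFinalObject(globalData, DebuggerActivation::createStructure(globalData, jsNull()))
+    : JSNonFinalObject(globalData, globalData.debuggerActivationStructure.get())
 {
     ASSERT(activation);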
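Review bot: Line 34 now hands `globalData.debuggerActivationStructure.get()` to the base constructor with no check that the shared structure exists, so a DebuggerActivation built before JSGlobalData's constructor has reached the `set` call, or after clearBuiltinStructures() has reset it, would silently carry a null structure instead of failing where the mistake is made. An `ASSERT(globalData.debuggerActivationStructure.get());` next to the existing `ASSERT(activation);` on line 36, or a comment on line 34 noting that the structure is owned by JSGlobalData and released by clearBuiltinStructures(), would make that precondition explicit. The constructor body continues outside the hunk.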
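--- a/trunk/Source/JavaScriptCore/jsc.cpp
+++ b/trunk/Source/JavaScriptCore/jsc.cpp
@@ -142,5 +142,5 @@
 class GlobalObject : public JSGlobalObject {
 public:
-    GlobalObject(JSGlobalData&, const Vector<UString>& arguments);
+    GlobalObject(JSGlobalData&, Structure*, const Vector<UString>& arguments);
     virtual UString className() const { return "global"; }
 };
@@ -148,6 +148,6 @@
 ASSERT_CLASS_FITS_IN_CELL(GlobalObject);
 
-GlobalObject::GlobalObject(JSGlobalData& globalData, const Vector<UString>& arguments)
-    : JSGlobalObject(globalData)
+GlobalObject::GlobalObject(JSGlobalData& globalData, Structure* structure, const Vector<UString>& arguments)
+    : JSGlobalObject(globalData, structure)
 {
     putDirectFunction(globalExec(), new (globalExec()) JSFunction(globalExec(), this, functionStructure(), 1, Identifier(globalExec(), "debug"), functionDebug));
@@ -213,5 +213,5 @@
         return JSValue::encode(throwError(exec, createError(exec, "Could not open file.")));
 
-    GlobalObject* globalObject = new (&exec->globalData()) GlobalObject(exec->globalData(), Vector<UString>());
+    GlobalObject* globalObject = new (&exec->globalData()) GlobalObject(exec->globalData(), GlobalObject::createStructure(exec->globalData(), jsNull()), Vector<UString>());
 
     StopWatch stopWatch;
@@ -538,5 +538,5 @@
     parseArguments(argc, argv, options, globalData);
 
-    GlobalObject* globalObject = new (globalData) GlobalObject(*globalData, options.arguments);
+    GlobalObject* globalObject = new (globalData) GlobalObject(*globalData, GlobalObject::createStructure(*globalData, jsNull()), options.arguments);
     bool success = runWithScripts(globalObject, options.scripts, options.dump);
     if (options.interactive && success)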
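--- a/trunk/Source/JavaScriptCore/runtime/JSGlobalData.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/JSGlobalData.cpp
@@ -33,4 +33,5 @@
 #include "Heap.h"
 #include "CommonIdentifiers.h"
+#include "DebuggerActivation.h"
 #include "FunctionConstructor.h"
 #include "GetterSetter.h"
@@ -201,4 +202,5 @@
     JSLock lock(SilenceAssertionsOnly);
     structureStructure.set(*this, Structure::createStructure(*this));
+    debuggerActivationStructure.set(*this, DebuggerActivation::createStructure(*this, jsNull()));
     activationStructure.set(*this, JSActivation::createStructure(*this, jsNull()));
     interruptedExecutionErrorStructure.set(*this, JSNonFinalObject::createStructure(*this, jsNull()));
@@ -260,4 +262,5 @@
 {
     structureStructure.clear();
+    debuggerActivationStructure.clear();
     activationStructure.clear();
     interruptedExecutionErrorStructure.clear();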
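Review bot: Line 35 makes runtime/JSGlobalData.cpp include debugger/DebuggerActivation.h so that line 204 can call `DebuggerActivation::createStructure`, which appears to invert the usual direction of dependency between the debugger and runtime directories; if the project intends to keep that layering, a comment on line 204 such as `// Shared by every DebuggerActivation so the debugger never allocates a Structure during construction.` would at least record why runtime reaches into debugger. The `set` on line 204 and the `clear` on line 264 are paired consistently with the neighbouring builtin structures. Both enclosing functions begin and end outside the hunks.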
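--- a/trunk/Source/JavaScriptCore/runtime/JSGlobalData.h
+++ b/trunk/Source/JavaScriptCore/runtime/JSGlobalData.h
@@ -157,4 +157,5 @@
        
         Strong<Structure> structureStructure;
+        Strong<Structure> debuggerActivationStructure;
         Strong<Structure> activationStructure;
         Strong<Structure> interruptedExecutionErrorStructure;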
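--- a/trunk/Source/JavaScriptCore/runtime/JSGlobalObject.h
+++ b/trunk/Source/JavaScriptCore/runtime/JSGlobalObject.h
@@ -124,17 +124,5 @@
     public:
         void* operator new(size_t, JSGlobalData*);
-       
-        explicit JSGlobalObject(JSGlobalData& globalData)
-            : JSVariableObject(globalData, JSGlobalObject::createStructure(globalData, jsNull()), &m_symbolTable, 0)
-            , m_registerArraySize(0)
-            , m_globalScopeChain()
-            , m_weakRandom(static_cast<unsigned>(randomNumber() * (std::numeric_limits<unsigned>::max() + 1.0)))
-            , m_isEvalEnabled(true)
-        {
-            COMPILE_ASSERT(JSGlobalObject::AnonymousSlotCount == 1, JSGlobalObject_has_only_a_single_slot);
-            putThisToAnonymousValue(0);
-            init(this);
-        }
-       
+
         explicit JSGlobalObject(JSGlobalData& globalData, Structure* structure)
             : JSVariableObject(globalData, structure, &m_symbolTable, 0)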
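--- a/trunk/Source/WebCore/ChangeLog
+++ b/trunk/Source/WebCore/ChangeLog
@@ -1,2 +1,28 @@
+2011-05-18  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Sam Weinig.
+
+        JSGlobalObject and some others do GC allocation during initialization, which can cause heap corruption
+        https://bugs.webkit.org/show_bug.cgi?id=61090
+
+        Rather than having Constructor objects create their structure
+        as part of initialisation, we now pass their expected structure
+        in as an argument.  This required fixing the few custom Constructors
+        and the code generator.
+
+        * bindings/js/JSAudioConstructor.cpp:
+        (WebCore::JSAudioConstructor::JSAudioConstructor):
+        * bindings/js/JSAudioConstructor.h:
+        * bindings/js/JSDOMGlobalObject.h:
+        (WebCore::getDOMConstructor):
+          Pass the Constructor objects structure in as an argument
+        * bindings/js/JSImageConstructor.cpp:
+        (WebCore::JSImageConstructor::JSImageConstructor):
+        * bindings/js/JSImageConstructor.h:
+        * bindings/js/JSOptionConstructor.cpp:
+        (WebCore::JSOptionConstructor::JSOptionConstructor):
+        * bindings/js/JSOptionConstructor.h:
+        * bindings/scripts/CodeGeneratorJS.pm:
+
 2011-05-18  Abhishek Arya  <inferno@chromium.org>
 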
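--- a/trunk/Source/WebCore/bindings/js/JSAudioConstructor.cpp
+++ b/trunk/Source/WebCore/bindings/js/JSAudioConstructor.cpp
@@ -40,6 +40,6 @@
 const ClassInfo JSAudioConstructor::s_info = { "AudioConstructor", &DOMConstructorWithDocument::s_info, 0, 0 };
 
-JSAudioConstructor::JSAudioConstructor(ExecState* exec, JSDOMGlobalObject* globalObject)
-    : DOMConstructorWithDocument(JSAudioConstructor::createStructure(globalObject->globalData(), globalObject->objectPrototype()), globalObject)
+JSAudioConstructor::JSAudioConstructor(ExecState* exec, Structure* structure, JSDOMGlobalObject* globalObject)
+    : DOMConstructorWithDocument(structure, globalObject)
 {
     ASSERT(inherits(&s_info));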
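--- a/trunk/Source/WebCore/bindings/js/JSAudioConstructor.h
+++ b/trunk/Source/WebCore/bindings/js/JSAudioConstructor.h
@@ -37,5 +37,5 @@
     class JSAudioConstructor : public DOMConstructorWithDocument {
     public:
-        JSAudioConstructor(JSC::ExecState*, JSDOMGlobalObject*);
+        JSAudioConstructor(JSC::ExecState*, JSC::Structure*, JSDOMGlobalObject*);
 
         static JSC::Structure* createStructure(JSC::JSGlobalData& globalData, JSC::JSValue prototype)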
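Review bot: The new three-argument declaration on line 39 gives no hint about which Structure the caller must supply, and since the constructor no longer builds it itself, a structure carrying the wrong class info would only be caught by the debug-only `ASSERT(inherits(&s_info))` in the .cpp, while a structure built with the wrong prototype would, as far as these hunks show, not be caught at all. A comment on the declaration such as `// structure must be createStructure(globalData, globalObject->objectPrototype()); getDOMConstructor supplies it` would document the contract the caller now carries. The same applies to JSImageConstructor.h (line 30), JSOptionConstructor.h (line 31) and the declaration emitted by CodeGeneratorJS.pm (line 2977).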
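--- a/trunk/Source/WebCore/bindings/js/JSDOMGlobalObject.h
+++ b/trunk/Source/WebCore/bindings/js/JSDOMGlobalObject.h
@@ -89,5 +89,5 @@
         if (JSC::JSObject* constructor = const_cast<JSDOMGlobalObject*>(globalObject)->constructors().get(&ConstructorClass::s_info).get())
             return constructor;
-        JSC::JSObject* constructor = new (exec) ConstructorClass(exec, const_cast<JSDOMGlobalObject*>(globalObject));
+        JSC::JSObject* constructor = new (exec) ConstructorClass(exec, ConstructorClass::createStructure(exec->globalData(), globalObject->objectPrototype()), const_cast<JSDOMGlobalObject*>(globalObject));
         ASSERT(!const_cast<JSDOMGlobalObject*>(globalObject)->constructors().contains(&ConstructorClass::s_info));
         JSC::WriteBarrier<JSC::JSObject> temp;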
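--- a/trunk/Source/WebCore/bindings/js/JSImageConstructor.cpp
+++ b/trunk/Source/WebCore/bindings/js/JSImageConstructor.cpp
@@ -35,6 +35,6 @@
 const ClassInfo JSImageConstructor::s_info = { "ImageConstructor", &DOMConstructorWithDocument::s_info, 0, 0 };
 
-JSImageConstructor::JSImageConstructor(ExecState* exec, JSDOMGlobalObject* globalObject)
-    : DOMConstructorWithDocument(JSImageConstructor::createStructure(globalObject->globalData(), globalObject->objectPrototype()), globalObject)
+JSImageConstructor::JSImageConstructor(ExecState* exec, Structure* structure, JSDOMGlobalObject* globalObject)
+    : DOMConstructorWithDocument(structure, globalObject)
 {
     ASSERT(inherits(&s_info));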
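--- a/trunk/Source/WebCore/bindings/js/JSImageConstructor.h
+++ b/trunk/Source/WebCore/bindings/js/JSImageConstructor.h
@@ -28,5 +28,5 @@
     class JSImageConstructor : public DOMConstructorWithDocument {
     public:
-        JSImageConstructor(JSC::ExecState*, JSDOMGlobalObject*);
+        JSImageConstructor(JSC::ExecState*, JSC::Structure*, JSDOMGlobalObject*);
 
         static JSC::Structure* createStructure(JSC::JSGlobalData& globalData, JSC::JSValue prototype)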
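--- a/trunk/Source/WebCore/bindings/js/JSOptionConstructor.cpp
+++ b/trunk/Source/WebCore/bindings/js/JSOptionConstructor.cpp
@@ -36,6 +36,6 @@
 const ClassInfo JSOptionConstructor::s_info = { "OptionConstructor", &DOMConstructorWithDocument::s_info, 0, 0 };
 
-JSOptionConstructor::JSOptionConstructor(ExecState* exec, JSDOMGlobalObject* globalObject)
-    : DOMConstructorWithDocument(JSOptionConstructor::createStructure(globalObject->globalData(), globalObject->objectPrototype()), globalObject)
+JSOptionConstructor::JSOptionConstructor(ExecState* exec, Structure* structure, JSDOMGlobalObject* globalObject)
+    : DOMConstructorWithDocument(structure, globalObject)
 {
     ASSERT(inherits(&s_info));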
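--- a/trunk/Source/WebCore/bindings/js/JSOptionConstructor.h
+++ b/trunk/Source/WebCore/bindings/js/JSOptionConstructor.h
@@ -29,5 +29,5 @@
     class JSOptionConstructor : public DOMConstructorWithDocument {
     public:
-        JSOptionConstructor(JSC::ExecState*, JSDOMGlobalObject*);
+        JSOptionConstructor(JSC::ExecState*, JSC::Structure*, JSDOMGlobalObject*);
 
         static JSC::Structure* createStructure(JSC::JSGlobalData& globalData, JSC::JSValue prototype)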
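--- a/trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm
+++ b/trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm
@@ -2975,5 +2975,5 @@
     push(@$outputArray, "class ${constructorClassName} : public DOMConstructorObject {\n");
     push(@$outputArray, "public:\n");
-    push(@$outputArray, "    ${constructorClassName}(JSC::ExecState*, JSDOMGlobalObject*);\n\n");
+    push(@$outputArray, "    ${constructorClassName}(JSC::ExecState*, JSC::Structure*, JSDOMGlobalObject*);\n\n");
 
     push(@$outputArray, "    virtual bool getOwnPropertySlot(JSC::ExecState*, const JSC::Identifier&, JSC::PropertySlot&);\n");
@@ -3014,6 +3014,6 @@
     push(@$outputArray, "const ClassInfo ${constructorClassName}::s_info = { \"${visibleClassName}Constructor\", &DOMConstructorObject::s_info, &${constructorClassName}Table, 0 };\n\n");
 
-    push(@$outputArray, "${constructorClassName}::${constructorClassName}(ExecState* exec, JSDOMGlobalObject* globalObject)\n");
-    push(@$outputArray, "    : DOMConstructorObject(${constructorClassName}::createStructure(globalObject->globalData(), globalObject->objectPrototype()), globalObject)\n");
+    push(@$outputArray, "${constructorClassName}::${constructorClassName}(ExecState* exec, Structure* structure, JSDOMGlobalObject* globalObject)\n");
+    push(@$outputArray, "    : DOMConstructorObject(structure, globalObject)\n");
     push(@$outputArray, "{\n");
     push(@$outputArray, "    ASSERT(inherits(&s_info));\n");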