WebKit should be lazy-finalization-safe (esp. the DOM) v2
https://bugs.webkit.org/show_bug.cgi?id=87581

Reviewed by Oliver Hunt.

../JavaScriptCore: 

* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::callDestructor):
* heap/WeakBlock.h:
* heap/WeakSetInlines.h:
(JSC::WeakBlock::finalize): Since we don't guarantee destruction order,
it's not valid to access GC pointers like the Structure pointer during
finalization. We NULL out the structure pointer in debug builds to try
to make this programming mistake more obvious.

* API/JSCallbackConstructor.cpp:
(JSC::JSCallbackConstructor::destroy):
* API/JSCallbackObject.cpp:
(JSC::::destroy):
(JSC::JSCallbackObjectData::finalize):
* runtime/Arguments.cpp:
(JSC::Arguments::destroy):
* runtime/DateInstance.cpp:
(JSC::DateInstance::destroy):
* runtime/Error.cpp:
(JSC::StrictModeTypeErrorFunction::destroy):
* runtime/Executable.cpp:
(JSC::ExecutableBase::destroy):
(JSC::NativeExecutable::destroy):
(JSC::ScriptExecutable::destroy):
(JSC::EvalExecutable::destroy):
(JSC::ProgramExecutable::destroy):
(JSC::FunctionExecutable::destroy):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::destroy):
* runtime/JSPropertyNameIterator.cpp:
(JSC::JSPropertyNameIterator::destroy):
* runtime/JSStaticScopeObject.cpp:
(JSC::JSStaticScopeObject::destroy):
* runtime/JSString.cpp:
(JSC::JSString::destroy):
* runtime/JSVariableObject.cpp:
(JSC::JSVariableObject::destroy):
* runtime/NameInstance.cpp:
(JSC::NameInstance::destroy):
* runtime/RegExp.cpp:
(JSC::RegExp::destroy):
* runtime/RegExpConstructor.cpp:
(JSC::RegExpConstructor::destroy):
* runtime/Structure.cpp:
(JSC::Structure::destroy):
* runtime/StructureChain.cpp:
(JSC::StructureChain::destroy): Use static_cast instead of jsCast because
jsCast does Structure-based validation, and our Structure is not guaranteed
to be alive when we get finalized.

../WebCore: 

* bindings/js/JSDOMGlobalObject.cpp:
(WebCore::JSDOMGlobalObject::destroy):
* bindings/js/JSDOMWindowBase.cpp:
(WebCore::JSDOMWindowBase::destroy):
* bindings/js/JSDOMWindowShell.cpp:
(WebCore::JSDOMWindowShell::destroy):
* bindings/js/JSNodeCustom.cpp:
(WebCore::JSNodeOwner::finalize):
* bindings/js/JSWorkerContextBase.cpp:
(WebCore::JSWorkerContextBase::destroy):
* bindings/scripts/CodeGeneratorJS.pm:
(GenerateImplementation):
* bindings/scripts/test/JS/JSTestActiveDOMObject.cpp:
(WebCore::JSTestActiveDOMObject::destroy):
(WebCore::JSTestActiveDOMObjectOwner::finalize):
* bindings/scripts/test/JS/JSTestCustomNamedGetter.cpp:
(WebCore::JSTestCustomNamedGetter::destroy):
(WebCore::JSTestCustomNamedGetterOwner::finalize):
* bindings/scripts/test/JS/JSTestEventConstructor.cpp:
(WebCore::JSTestEventConstructor::destroy):
(WebCore::JSTestEventConstructorOwner::finalize):
* bindings/scripts/test/JS/JSTestEventTarget.cpp:
(WebCore::JSTestEventTarget::destroy):
(WebCore::JSTestEventTargetOwner::finalize):
* bindings/scripts/test/JS/JSTestException.cpp:
(WebCore::JSTestException::destroy):
(WebCore::JSTestExceptionOwner::finalize):
* bindings/scripts/test/JS/JSTestInterface.cpp:
(WebCore::JSTestInterface::destroy):
(WebCore::JSTestInterfaceOwner::finalize):
* bindings/scripts/test/JS/JSTestMediaQueryListListener.cpp:
(WebCore::JSTestMediaQueryListListener::destroy):
(WebCore::JSTestMediaQueryListListenerOwner::finalize):
* bindings/scripts/test/JS/JSTestNamedConstructor.cpp:
(WebCore::JSTestNamedConstructor::destroy):
(WebCore::JSTestNamedConstructorOwner::finalize):
* bindings/scripts/test/JS/JSTestObj.cpp:
(WebCore::JSTestObj::destroy):
(WebCore::JSTestObjOwner::finalize):
* bindings/scripts/test/JS/JSTestSerializedScriptValueInterface.cpp:
(WebCore::JSTestSerializedScriptValueInterface::destroy):
(WebCore::JSTestSerializedScriptValueInterfaceOwner::finalize):
* bridge/objc/objc_runtime.mm:
(JSC::Bindings::ObjcFallbackObjectImp::destroy):
* bridge/qt/qt_runtime.cpp:
(JSC::Bindings::QtRuntimeMethod::destroy):
* bridge/qt/qt_runtime_qt4.cpp:
(JSC::Bindings::QtRuntimeMethod::destroy):
* bridge/runtime_array.cpp:
(JSC::RuntimeArray::destroy):
* bridge/runtime_method.cpp:
(JSC::RuntimeMethod::destroy):
* bridge/runtime_object.cpp:
(JSC::Bindings::RuntimeObject::destroy):
* bridge/runtime_root.cpp:
(JSC::Bindings::RootObject::finalize): Use static_cast instead of jsCast because
jsCast does Structure-based validation, and our Structure is not guaranteed
to be alive when we get finalized.

../WebKit2: 

* WebProcess/Plugins/Netscape/JSNPObject.cpp:
(WebKit::JSNPObject::destroy):
(WebKit::JSNPObject::leakNPObject):
* WebProcess/Plugins/Netscape/NPRuntimeObjectMap.cpp:
(WebKit::NPRuntimeObjectMap::finalize): Use static_cast instead of jsCast because
jsCast does Structure-based validation, and our Structure is not guaranteed
to be alive when we get finalized.


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@118616 268f45cc-cd09-0410-ab3c-d52691b4dbfc
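The rule this commit enforces (a finalizer must not reach through GC pointers such as the Structure pointer, because destruction order is not guaranteed) reduced to a toy model, as an added example that is not part of the commit or of WebKit. Every name in it (Structure, Cell, checkedCast, uncheckedCast, sweep, SweepStats) is a hypothetical stand-in for the JavaScriptCore types the commit touches, and a `finalized` flag stands in for freed memory so nothing is actually freed. It sweeps in the order that bites (the Structure dies first) and compares a jsCast-style validating cast with a static_cast-style one, with and without the debug-build null-out the ChangeLog describes.

```cpp
#include <cassert>
#include <vector>

// Hypothetical stand-in for JSC::Structure: the type descriptor a validating
// cast would read. "finalized" models memory that has already been reclaimed.
struct Structure {
    int typeTag;
    bool finalized;
};

// Hypothetical stand-in for a GC cell. "structure" is a GC pointer that may
// already be dead, or nulled, by the time this cell's own finalizer runs.
struct Cell {
    Structure* structure;
    bool finalized;
};

enum class CastOutcome {
    Ok,                // the cast dereferenced nothing that was dead
    ReadDeadStructure, // validation read a finalized Structure (a real heap: use-after-free)
    CaughtNull         // the debug-build null-out turned the mistake into a visible failure
};

// jsCast-style cast: validates the cell through its Structure. Fine while the
// Structure is guaranteed alive, wrong inside a finalizer.
CastOutcome checkedCast(const Cell& cell, int expectedTag) {
    if (!cell.structure)
        return CastOutcome::CaughtNull;
    if (cell.structure->finalized)
        return CastOutcome::ReadDeadStructure;
    assert(cell.structure->typeTag == expectedTag);
    return CastOutcome::Ok;
}

// static_cast-style cast: reinterprets the pointer and dereferences nothing,
// so it is safe regardless of what has already been finalized.
CastOutcome uncheckedCast(const Cell&, int) { return CastOutcome::Ok; }

struct SweepStats {
    int ok = 0, readDead = 0, caughtNull = 0;
};

// Finalizes one Structure and the cells built on it. Because lazy finalization
// guarantees no order, this sweep deliberately finalizes the Structure first.
// validateInFinalizer: finalizers use the jsCast-style cast (the bug pattern).
// debugNullStructure: clear each cell's Structure pointer before its finalizer
// runs, which is what the commit does in debug builds to expose the mistake.
SweepStats sweep(int cellCount, bool validateInFinalizer, bool debugNullStructure) {
    const int kObjectTag = 7; // constructed sample type tag
    Structure structure{kObjectTag, false};
    std::vector<Cell> cells(cellCount, Cell{&structure, false});

    structure.finalized = true; // the Structure is reclaimed before its users

    SweepStats stats;
    for (Cell& cell : cells) {
        if (debugNullStructure)
            cell.structure = nullptr;
        CastOutcome outcome = validateInFinalizer
            ? checkedCast(cell, kObjectTag)
            : uncheckedCast(cell, kObjectTag);
        switch (outcome) {
        case CastOutcome::Ok: ++stats.ok; break;
        case CastOutcome::ReadDeadStructure: ++stats.readDead; break;
        case CastOutcome::CaughtNull: ++stats.caughtNull; break;
        }
        cell.finalized = true;
    }
    return stats;
}

int main() {
    // Release-style build, validating finalizers: silent use-after-free on every cell.
    assert(sweep(4, true, false).readDead == 4);
    // Debug-style build with the null-out: the same mistake is caught deterministically.
    assert(sweep(4, true, true).caughtNull == 4);
    // Finalizers that only static_cast are correct in either build.
    assert(sweep(4, false, false).ok == 4);
    assert(sweep(4, false, true).ok == 4);
    return 0;
}
```

The point the model makes is that the null-out is a diagnostic, not the fix: it only changes a quiet read of reclaimed memory into a guaranteed, visible failure, while the static_cast change is what removes the dereference from the finalizer.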
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index e007920..c80a458 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,60 @@
+2012-05-26  Geoffrey Garen  <ggaren@apple.com>
+
+        WebKit should be lazy-finalization-safe (esp. the DOM) v2
+        https://bugs.webkit.org/show_bug.cgi?id=87581
+
+        Reviewed by Oliver Hunt.
+
+        * heap/MarkedBlock.cpp:
+        (JSC::MarkedBlock::callDestructor):
+        * heap/WeakBlock.h:
+        * heap/WeakSetInlines.h:
+        (JSC::WeakBlock::finalize): Since we don't guarantee destruction order,
+        it's not valid to access GC pointers like the Structure pointer during
+        finalization. We NULL out the structure pointer in debug builds to try
+        to make this programming mistake more obvious.
+
+        * API/JSCallbackConstructor.cpp:
+        (JSC::JSCallbackConstructor::destroy):
+        * API/JSCallbackObject.cpp:
+        (JSC::::destroy):
+        (JSC::JSCallbackObjectData::finalize):
+        * runtime/Arguments.cpp:
+        (JSC::Arguments::destroy):
+        * runtime/DateInstance.cpp:
+        (JSC::DateInstance::destroy):
+        * runtime/Error.cpp:
+        (JSC::StrictModeTypeErrorFunction::destroy):
+        * runtime/Executable.cpp:
+        (JSC::ExecutableBase::destroy):
+        (JSC::NativeExecutable::destroy):
+        (JSC::ScriptExecutable::destroy):
+        (JSC::EvalExecutable::destroy):
+        (JSC::ProgramExecutable::destroy):
+        (JSC::FunctionExecutable::destroy):
+        * runtime/JSGlobalObject.cpp:
+        (JSC::JSGlobalObject::destroy):
+        * runtime/JSPropertyNameIterator.cpp:
+        (JSC::JSPropertyNameIterator::destroy):
+        * runtime/JSStaticScopeObject.cpp:
+        (JSC::JSStaticScopeObject::destroy):
+        * runtime/JSString.cpp:
+        (JSC::JSString::destroy):
+        * runtime/JSVariableObject.cpp:
+        (JSC::JSVariableObject::destroy):
+        * runtime/NameInstance.cpp:
+        (JSC::NameInstance::destroy):
+        * runtime/RegExp.cpp:
+        (JSC::RegExp::destroy):
+        * runtime/RegExpConstructor.cpp:
+        (JSC::RegExpConstructor::destroy):
+        * runtime/Structure.cpp:
+        (JSC::Structure::destroy):
+        * runtime/StructureChain.cpp:
+        (JSC::StructureChain::destroy): Use static_cast instead of jsCast because
+        jsCast does Structure-based validation, and our Structure is not guaranteed
+        to be alive when we get finalized.
+
 2012-05-22  Filip Pizlo  <fpizlo@apple.com>
 
         DFG CSE should eliminate redundant WeakJSConstants
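Review bot: the entry `(JSC::::destroy):` under API/JSCallbackObject.cpp has an empty class name; spell out the template class it belongs to (JSCallbackObject) so the entry names the function it describes and stays searchable. Two smaller documentation points: the jsCast-to-static_cast rationale is stated only at the end of the list, under StructureChain::destroy, although it applies to every destroy() entry above it, so stating it once before the first destroy() entry would let a reader of any single entry see why Structure-based validation is unsafe in a finalizer; and since the Structure pointer is NULLed out only in debug builds, the entry should say plainly that release builds are protected by the static_cast changes alone and that the null-out is a diagnostic, not the fix.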