-dealloc callbacks from wrapped Objective-C objects can happen at bad times
https://bugs.webkit.org/show_bug.cgi?id=123821
Reviewed by Darin Adler.
Currently with the JSC Obj-C API, JS wrappers for client Obj-C objects retain their associated Obj-C
object. When they are swept, they release their Obj-C objects which can trigger a call to that
object's -dealloc method. These -dealloc methods can then call back into the same VM, which is not
allowed during sweeping or VM shutdown.
We can handle this case by creating our own pool of Obj-C objects to be released when it is safe to do so.
This is accomplished by using DelayedReleaseScope, an RAII-style object that will retain all objects
that are unsafe to release until the end of the DelayedReleaseScope.
* API/APIShims.h:
(JSC::APICallbackShim::APICallbackShim):
(JSC::APICallbackShim::vmForDropAllLocks):
(JSC::APICallbackShim::execForDropAllLocks):
* API/JSAPIWrapperObject.mm:
(JSAPIWrapperObjectHandleOwner::finalize):
* API/ObjCCallbackFunction.mm:
(JSC::ObjCCallbackFunctionImpl::destroy):
(JSC::ObjCCallbackFunction::destroy):
* API/tests/testapi.mm:
(-[TinyDOMNode initWithVirtualMachine:]):
(-[TinyDOMNode dealloc]):
(-[TinyDOMNode appendChild:]):
(-[TinyDOMNode removeChildAtIndex:]):
(-[EvilAllocationObject initWithContext:]):
(-[EvilAllocationObject dealloc]):
(-[EvilAllocationObject doEvilThingsWithContext:]):
* JavaScriptCore.xcodeproj/project.pbxproj:
* heap/DelayedReleaseScope.h: Added.
(JSC::DelayedReleaseScope::DelayedReleaseScope):
(JSC::DelayedReleaseScope::~DelayedReleaseScope):
(JSC::DelayedReleaseScope::releaseSoon):
(JSC::MarkedSpace::releaseSoon):
* heap/Heap.cpp:
(JSC::Heap::collectAllGarbage):
* heap/Heap.h:
(JSC::Heap::releaseSoon):
* heap/MarkedAllocator.cpp:
(JSC::MarkedAllocator::allocateSlowCase):
* heap/MarkedSpace.cpp:
(JSC::MarkedSpace::MarkedSpace):
(JSC::MarkedSpace::lastChanceToFinalize):
(JSC::MarkedSpace::sweep):
* heap/MarkedSpace.h:
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@159351 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/JavaScriptCore/heap/Heap.cpp b/Source/JavaScriptCore/heap/Heap.cpp
index 07572ee..18f79c1 100644
--- a/Source/JavaScriptCore/heap/Heap.cpp
+++ b/Source/JavaScriptCore/heap/Heap.cpp
@@ -27,6 +27,7 @@
#include "CopiedSpaceInlines.h"
#include "CopyVisitorInlines.h"
#include "DFGWorklist.h"
+#include "DelayedReleaseScope.h"
#include "GCActivityCallback.h"
#include "GCIncomingRefCountedSetInlines.h"
#include "HeapIterationScope.h"
@@ -729,6 +730,7 @@
if (!m_isSafeToCollect)
return;
+ DelayedReleaseScope delayedReleaseScope(m_objectSpace);
collect(DoSweep);
}
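Review bot: the placement of `DelayedReleaseScope delayedReleaseScope(m_objectSpace);` means the deferred Obj-C releases run in the scope's destructor at the closing brace of collectAllGarbage, i.e. after `collect(DoSweep)` has fully returned but while the caller of collectAllGarbage still holds whatever VM lock it entered with; since the commit message says those -dealloc methods call back into the same VM, it is worth a one-line comment on the declaration stating that the pool is drained here, after the sweep, so the re-entry is intentional and happens with the lock held rather than during sweeping. Also note that this hunk only covers the explicit full-collection path; the ChangeLog lists MarkedAllocator::allocateSlowCase and MarkedSpace::sweep / lastChanceToFinalize as modified too, so the collection triggered from the allocation slow path and VM shutdown should get the same scope, and a reviewer should confirm those hunks exist in the rest of the patch.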