Commit 60de6041 authored by oliver@apple.com's avatar oliver@apple.com

2011-05-11 Oliver Hunt <oliver@apple.com>

        Reviewed by Darin Adler.

        Protect JSC from WebCore executing JS during JS wrapper finalization
        https://bugs.webkit.org/show_bug.cgi?id=60672
        <rdar://problem/9350997>

        Detect when we're trying to execute JS during GC and prevent the
        execution from happening.  We also assert that this isn't happening
        as it implies incorrect behaviour of an object's destructor.

        * JavaScriptCore.exp:
        * heap/Heap.cpp:
        * heap/Heap.h:
        (JSC::Heap::isBusy):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        * runtime/JSGlobalData.h:
        (JSC::JSGlobalData::isCollectorBusy):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@86300 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 818c82f1
2011-05-11 Oliver Hunt <oliver@apple.com>
Reviewed by Darin Adler.
Protect JSC from WebCore executing JS during JS wrapper finalization
https://bugs.webkit.org/show_bug.cgi?id=60672
<rdar://problem/9350997>
Detect when we're trying to execute JS during GC and prevent the
execution from happening. We also assert that this isn't happening
as it implies incorrect behaviour of an object's destructor.
* JavaScriptCore.exp:
* heap/Heap.cpp:
* heap/Heap.h:
(JSC::Heap::isBusy):
* interpreter/Interpreter.cpp:
(JSC::Interpreter::execute):
(JSC::Interpreter::executeCall):
(JSC::Interpreter::executeConstruct):
* runtime/JSGlobalData.h:
(JSC::JSGlobalData::isCollectorBusy):
2011-05-11 Oliver Hunt <oliver@apple.com>
Reviewed by Gavin Barraclough.
......
......@@ -226,7 +226,6 @@ __ZN3JSC4Heap20protectedObjectCountEv
__ZN3JSC4Heap25protectedObjectTypeCountsEv
__ZN3JSC4Heap26protectedGlobalObjectCountEv
__ZN3JSC4Heap29reportExtraMemoryCostSlowCaseEm
__ZN3JSC4Heap6isBusyEv
__ZN3JSC4Heap7destroyEv
__ZN3JSC4Heap7protectENS_7JSValueE
__ZN3JSC4Heap9unprotectENS_7JSValueE
......
......@@ -376,11 +376,6 @@ PassOwnPtr<TypeCountSet> Heap::objectTypeCounts()
return typeCounter.take();
}
bool Heap::isBusy()
{
return m_operationInProgress != NoOperation;
}
void Heap::collectAllGarbage()
{
reset(DoSweep);
......
......@@ -76,7 +76,9 @@ namespace JSC {
GCActivityCallback* activityCallback();
void setActivityCallback(PassOwnPtr<GCActivityCallback>);
bool isBusy(); // true if an allocation or collection is in progress
// true if an allocation or collection is in progress
inline bool isBusy();
void* allocate(size_t);
void collectAllGarbage();
......@@ -146,6 +148,11 @@ namespace JSC {
size_t m_extraCost;
};
bool Heap::isBusy()
{
return m_operationInProgress != NoOperation;
}
inline bool Heap::isMarked(const JSCell* cell)
{
return MarkedSpace::isMarked(cell);
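Review bot: The out-of-class definition `bool Heap::isBusy()` carries no `inline` keyword, while `inline bool Heap::isMarked(const JSCell* cell)` directly below it does; the `inline` on the in-class declaration makes the definition legal, but the file's convention is to repeat it on the definition, so `inline bool Heap::isBusy()` would match. The comment moved onto its own line, `// true if an allocation or collection is in progress`, is wider than the name suggests, so it is worth keeping it next to the declaration as the hunk does; the predicate's meaning is otherwise fully determined by `m_operationInProgress != NoOperation`, whose enumerators are outside this hunk.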
......
......@@ -728,6 +728,9 @@ static inline JSObject* checkedReturn(JSObject* returnValue)
JSValue Interpreter::execute(ProgramExecutable* program, CallFrame* callFrame, ScopeChainNode* scopeChain, JSObject* thisObj)
{
ASSERT(!scopeChain->globalData->exception);
ASSERT(!callFrame->globalData().isCollectorBusy());
if (callFrame->globalData().isCollectorBusy())
return jsNull();
if (m_reentryDepth >= MaxSmallThreadReentryDepth && m_reentryDepth >= callFrame->globalData().maxReentryDepth)
return checkedReturn(throwStackOverflowError(callFrame));
......@@ -786,6 +789,9 @@ JSValue Interpreter::execute(ProgramExecutable* program, CallFrame* callFrame, S
JSValue Interpreter::executeCall(CallFrame* callFrame, JSObject* function, CallType callType, const CallData& callData, JSValue thisValue, const ArgList& args)
{
ASSERT(!callFrame->hadException());
ASSERT(!callFrame->globalData().isCollectorBusy());
if (callFrame->globalData().isCollectorBusy())
return jsNull();
if (m_reentryDepth >= MaxSmallThreadReentryDepth && m_reentryDepth >= callFrame->globalData().maxReentryDepth)
return checkedReturn(throwStackOverflowError(callFrame));
......@@ -876,6 +882,11 @@ JSValue Interpreter::executeCall(CallFrame* callFrame, JSObject* function, CallT
JSObject* Interpreter::executeConstruct(CallFrame* callFrame, JSObject* constructor, ConstructType constructType, const ConstructData& constructData, const ArgList& args)
{
ASSERT(!callFrame->hadException());
ASSERT(!callFrame->globalData().isCollectorBusy());
// We throw in this case because we have to return something "valid" but we're
// already in an invalid state.
if (callFrame->globalData().isCollectorBusy())
return checkedReturn(throwStackOverflowError(callFrame));
if (m_reentryDepth >= MaxSmallThreadReentryDepth && m_reentryDepth >= callFrame->globalData().maxReentryDepth)
return checkedReturn(throwStackOverflowError(callFrame));
......@@ -1014,6 +1025,9 @@ CallFrameClosure Interpreter::prepareForRepeatCall(FunctionExecutable* FunctionE
JSValue Interpreter::execute(CallFrameClosure& closure)
{
ASSERT(!closure.oldCallFrame->globalData().isCollectorBusy());
if (closure.oldCallFrame->globalData().isCollectorBusy())
return jsNull();
closure.resetCallFrame();
Profiler** profiler = Profiler::enabledProfilerReference();
if (*profiler)
......@@ -1060,6 +1074,9 @@ JSValue Interpreter::execute(EvalExecutable* eval, CallFrame* callFrame, JSObjec
JSValue Interpreter::execute(EvalExecutable* eval, CallFrame* callFrame, JSObject* thisObj, int globalRegisterOffset, ScopeChainNode* scopeChain)
{
ASSERT(!scopeChain->globalData->exception);
ASSERT(!callFrame->globalData().isCollectorBusy());
if (callFrame->globalData().isCollectorBusy())
return jsNull();
DynamicGlobalObjectScope globalObjectScope(*scopeChain->globalData, scopeChain->globalObject.get());
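Review bot: The release-build fallback in `Interpreter::executeConstruct`, `return checkedReturn(throwStackOverflowError(callFrame));`, most likely allocates a fresh Error object on the very heap that `isCollectorBusy()` has just reported as mid-operation, which is the same hazard the guard exists to prevent, and the resulting message misreports the cause as a stack overflow. Since the preceding `ASSERT(!callFrame->globalData().isCollectorBusy())` already treats the condition as a programming error, a release path that fails fast, or returns an already-existing object without allocating, would be safer than constructing a new exception here; at minimum the comment should state that the thrown error is a stand-in and that allocating it in this state is itself suspect. The other four entry points in this file return `jsNull()` silently, so a caller cannot distinguish a suppressed execution from a legitimate null result; the explanatory comment from executeConstruct should be repeated at those sites, starting with `Interpreter::execute(ProgramExecutable*, ...)`. The bodies of all these functions continue past their hunks.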
......
......@@ -269,6 +269,8 @@ namespace JSC {
HandleSlot allocateLocalHandle() { return heap.allocateLocalHandle(); }
void clearBuiltinStructures();
bool isCollectorBusy() { return heap.isBusy(); }
private:
JSGlobalData(GlobalDataType, ThreadStackType);
static JSGlobalData*& sharedInstanceInternal();
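Review bot: `isCollectorBusy()` is undocumented and its name is narrower than what it reports: it forwards to `Heap::isBusy()`, which this commit's header comment describes as true when an allocation or a collection is in progress. A one-line comment such as `// true while the heap is allocating or collecting; JS must not be entered then` would tell Interpreter's callers why every entry point checks it before running code. The enclosing class continues outside the hunk.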
......