Commit 825f980b authored by fpizlo@apple.com's avatar fpizlo@apple.com

It should be possible to create an inheritorID for the global this object without crashing

https://bugs.webkit.org/show_bug.cgi?id=84200
<rdar://problem/11251082>

Reviewed by Oliver Hunt.

Source/JavaScriptCore: 

* runtime/JSGlobalThis.cpp:
(JSC::JSGlobalThis::setUnwrappedObject):
* runtime/JSGlobalThis.h:
(JSC::JSGlobalThis::unwrappedObject):
(JSGlobalThis):
* runtime/JSObject.cpp:
(JSC::JSObject::createInheritorID):
* runtime/JSObject.h:
(JSObject):
(JSC::JSObject::resetInheritorID):

Source/WebCore: 

No new tests, because the circumstances necessary to make this happen are rather hairy.

* bindings/js/JSDOMWindowShell.h:
(WebCore::JSDOMWindowShell::window):
(WebCore::JSDOMWindowShell::setWindow):



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@114457 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 93c71bf1
2012-04-17 Filip Pizlo <fpizlo@apple.com>
It should be possible to create an inheritorID for the global this object without crashing
https://bugs.webkit.org/show_bug.cgi?id=84200
<rdar://problem/11251082>
Reviewed by Oliver Hunt.
* runtime/JSGlobalThis.cpp:
(JSC::JSGlobalThis::setUnwrappedObject):
* runtime/JSGlobalThis.h:
(JSC::JSGlobalThis::unwrappedObject):
(JSGlobalThis):
* runtime/JSObject.cpp:
(JSC::JSObject::createInheritorID):
* runtime/JSObject.h:
(JSObject):
(JSC::JSObject::resetInheritorID):
2012-04-17 Filip Pizlo <fpizlo@apple.com>
 
DFG and LLInt should not clobber the frame pointer on ARMv7
......@@ -48,9 +48,12 @@ void JSGlobalThis::visitChildren(JSCell* cell, SlotVisitor& visitor)
visitor.append(&thisObject->m_unwrappedObject);
}
JSGlobalObject* JSGlobalThis::unwrappedObject()
void JSGlobalThis::setUnwrappedObject(JSGlobalData& globalData, JSGlobalObject* globalObject)
{
return m_unwrappedObject.get();
ASSERT_ARG(globalObject, globalObject);
m_unwrappedObject.set(globalData, this, globalObject);
setPrototype(globalData, globalObject->prototype());
resetInheritorID();
}
} // namespace JSC
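Review bot: The new `setUnwrappedObject` ends with `resetInheritorID();` but nothing records why the reset is needed, and a later reader could drop it as redundant. Since `createInheritorID` (JSObject.cpp hunk) builds the cached structure from the object's global object, a comment above that line would pin the invariant: `// Any cached inheritorID was created for the previous unwrapped object; drop it so createInheritorID() rebuilds it for the new one.` Note also that `ASSERT_ARG(globalObject, globalObject)` compiles away in release builds, so a null argument would be dereferenced at `globalObject->prototype()`; that follows the surrounding code's convention of treating it as a programmer error, but the non-null precondition is worth stating on the declaration in JSGlobalThis.h as well.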
......@@ -48,7 +48,7 @@ public:
static JS_EXPORTDATA const JSC::ClassInfo s_info;
JSGlobalObject* unwrappedObject();
JSGlobalObject* unwrappedObject() const { return m_unwrappedObject.get(); }
protected:
JSGlobalThis(JSGlobalData& globalData, Structure* structure)
......@@ -65,6 +65,9 @@ protected:
JS_EXPORT_PRIVATE static void visitChildren(JSCell*, SlotVisitor&);
JS_EXPORT_PRIVATE void setUnwrappedObject(JSGlobalData&, JSGlobalObject*);
private:
WriteBarrier<JSGlobalObject> m_unwrappedObject;
};
......@@ -541,7 +541,13 @@ NEVER_INLINE void JSObject::fillGetterPropertySlot(PropertySlot& slot, WriteBarr
Structure* JSObject::createInheritorID(JSGlobalData& globalData)
{
m_inheritorID.set(globalData, this, createEmptyObjectStructure(globalData, structure()->globalObject(), this));
JSGlobalObject* globalObject;
if (isGlobalThis())
globalObject = static_cast<JSGlobalThis*>(this)->unwrappedObject();
else
globalObject = structure()->globalObject();
ASSERT(globalObject);
m_inheritorID.set(globalData, this, createEmptyObjectStructure(globalData, globalObject, this));
ASSERT(m_inheritorID->isEmpty());
return m_inheritorID.get();
}
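Review bot: The `static_cast<JSGlobalThis*>(this)` on the new side is guarded only by the preceding `isGlobalThis()` check, whereas the JSDOMWindowShell.h hunk in this same commit uses `JSC::jsCast<>` for the equivalent downcast, which also asserts the target class in debug builds; `globalObject = jsCast<JSGlobalThis*>(this)->unwrappedObject();` would be consistent and self-checking. The branch also deserves a why-comment, because the reader has to infer why `structure()->globalObject()` cannot be used here; if the reason is that the global this object's structure does not carry a usable global object, something like `// For the global this object, read the global object through the wrapper rather than from structure().` would do. `ASSERT(globalObject)` is debug-only, so in release a null global object would still reach `createEmptyObjectStructure`; that is presumably the crash this commit is addressing for the global-this case, and the comment should say so.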
......@@ -264,6 +264,11 @@ namespace JSC {
// To instantiate objects you likely want JSFinalObject, below.
// To create derived types you likely want JSNonFinalObject, below.
JSObject(JSGlobalData&, Structure*, PropertyStorage inlineStorage);
void resetInheritorID()
{
m_inheritorID.clear();
}
private:
friend class LLIntOffsetsExtractor;
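Review bot: `resetInheritorID()` is added without documentation of when callers are required to invoke it, which is the whole point of a cache-invalidation hook. Given that `createInheritorID` (JSObject.cpp hunk) derives the cached structure from the object's global object, a comment such as `// Drops the cached inheritorID structure. Must be called after changing the global object this object is associated with, so createInheritorID() recomputes it.` would make the invariant auditable. It also appears to be declared outside the `private:` block; if `JSGlobalThis::setUnwrappedObject` is the only intended caller, narrowing its visibility or naming the intended callers in the comment would reduce the chance of the cache being cleared or left stale elsewhere.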
2012-04-17 Filip Pizlo <fpizlo@apple.com>
It should be possible to create an inheritorID for the global this object without crashing
https://bugs.webkit.org/show_bug.cgi?id=84200
<rdar://problem/11251082>
Reviewed by Oliver Hunt.
No new tests, because the circumstances necessary to make this happen are rather hairy.
* bindings/js/JSDOMWindowShell.h:
(WebCore::JSDOMWindowShell::window):
(WebCore::JSDOMWindowShell::setWindow):
2012-04-17 Luke Macpherson <macpherson@chromium.org>
 
Make CSSParser::parseValue()'s handling of CSSPropertyCursor more obviously correct.
......@@ -43,12 +43,11 @@ namespace WebCore {
JSDOMWindowShell(PassRefPtr<DOMWindow>, JSC::Structure*, DOMWrapperWorld*);
static void destroy(JSCell*);
JSDOMWindow* window() const { return JSC::jsCast<JSDOMWindow*>(m_unwrappedObject.get()); }
JSDOMWindow* window() const { return JSC::jsCast<JSDOMWindow*>(unwrappedObject()); }
void setWindow(JSC::JSGlobalData& globalData, JSDOMWindow* window)
{
ASSERT_ARG(window, window);
m_unwrappedObject.set(globalData, this, window);
setPrototype(globalData, window->prototype());
setUnwrappedObject(globalData, window);
}
void setWindow(PassRefPtr<DOMWindow>);