Commit b6b94a90 authored by oliver@apple.com

Add some hardening to methodTable()

https://bugs.webkit.org/show_bug.cgi?id=108253

Reviewed by Mark Hahnenberg.

When accessing methodTable() we now always make sure that our
structure _could_ be valid.  Added a separate method to get a
class's methodTable during destruction as it's not possible to
validate the structure at that point.  This separation might
also make it possible to improve the performance of methodTable
access more generally in future.

* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::callDestructor):
* runtime/JSCell.h:
(JSCell):
* runtime/JSCellInlines.h:
(JSC::JSCell::methodTableForDestruction):
(JSC):
(JSC::JSCell::methodTable):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@141190 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 02eb3abb
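As an added illustration of the invariant the new check enforces (a stand-alone mock written for this page, not WebKit code: the type names mirror the patch, but their fields, the nullptr return in place of RELEASE_ASSERT, and the treatment of a null m_structure are assumptions):

```cpp
#include <cstdio>

struct JSCell;

// Minimal stand-ins for the WebKit types named in the patch (assumed shapes,
// not WebKit's real definitions).
struct MethodTable {
    void (*destroy)(JSCell*);
};

struct ClassInfo {
    const char* className;
    MethodTable methodTable;
};

// Every Structure is itself described by a Structure. The root Structure is
// the one that is its own Structure; that is the property methodTable() checks.
struct Structure {
    Structure* m_structure;
    const ClassInfo* m_classInfo;
    Structure* structure() const { return m_structure; }
    const ClassInfo* classInfo() const { return m_classInfo; }
};

struct JSCell {
    Structure* m_structure;

    const ClassInfo* classInfo() const { return m_structure->classInfo(); }

    // Same shape as the patched JSCell::methodTable(), except that a failed
    // check returns nullptr instead of RELEASE_ASSERT-crashing, so the
    // behaviour can be asserted on. A null m_structure is treated as corrupt
    // here (assumption); the real code would dereference it.
    const MethodTable* methodTable() const {
        if (!m_structure)
            return nullptr;
        if (Structure* rootStructure = m_structure->structure()) {
            if (rootStructure != rootStructure->structure())
                return nullptr;
        }
        return &classInfo()->methodTable;
    }

    // Same as the patched methodTableForDestruction(): no validation at all.
    const MethodTable* methodTableForDestruction() const {
        return &classInfo()->methodTable;
    }
};

static void destroyNoop(JSCell*) {}
static const ClassInfo kStructureInfo = { "Structure", { destroyNoop } };
static const ClassInfo kObjectInfo    = { "Object",    { destroyNoop } };

// Well-formed: cell -> Structure -> root Structure -> itself.
bool wellFormedCellPasses() {
    Structure root = { &root, &kStructureInfo };
    Structure objectStructure = { &root, &kObjectInfo };
    JSCell cell = { &objectStructure };
    return cell.methodTable() == &kObjectInfo.methodTable;
}

// Corrupt: the cell's Structure points at a Structure that is not the root
// (what a dangling or overwritten m_structure can look like). The check
// fires because rootStructure->structure() != rootStructure.
bool corruptStructureChainFails() {
    Structure root = { &root, &kStructureInfo };
    Structure notRoot = { &root, &kObjectInfo };
    Structure objectStructure = { &notRoot, &kObjectInfo };
    JSCell cell = { &objectStructure };
    return cell.methodTable() == nullptr;
}

// Gap: the patched check is conditional on a non-null structure-of-structure,
// so a Structure whose own m_structure is null passes unchecked.
bool nullStructureOfStructureIsNotCaught() {
    Structure orphan = { nullptr, &kObjectInfo };
    JSCell cell = { &orphan };
    return cell.methodTable() == &kObjectInfo.methodTable;
}

// Destruction path: no validation, so the same corrupt chain is never inspected.
bool destructionPathSkipsCheck() {
    Structure root = { &root, &kStructureInfo };
    Structure notRoot = { &root, &kObjectInfo };
    Structure objectStructure = { &notRoot, &kObjectInfo };
    JSCell cell = { &objectStructure };
    return cell.methodTableForDestruction() == &kObjectInfo.methodTable;
}

int main() {
    std::printf("well-formed passes:         %d\n", wellFormedCellPasses());
    std::printf("corrupt chain rejected:     %d\n", corruptStructureChainFails());
    std::printf("null root not caught:       %d\n", nullStructureOfStructureIsNotCaught());
    std::printf("destruction path unchecked: %d\n", destructionPathSkipsCheck());
    return 0;
}
```

The third case is the one to keep in mind when reading the hunk below: the check only runs when the structure's own structure pointer is non-null, so the mock passes an orphaned Structure through unchanged.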
2013-01-29 Oliver Hunt <oliver@apple.com>
Add some hardening to methodTable()
https://bugs.webkit.org/show_bug.cgi?id=108253
Reviewed by Mark Hahnenberg.
When accessing methodTable() we now always make sure that our
structure _could_ be valid. Added a separate method to get a
classes methodTable during destruction as it's not possible to
validate the structure at that point. This separation might
also make it possible to improve the performance of methodTable
access more generally in future.
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::callDestructor):
* runtime/JSCell.h:
(JSCell):
* runtime/JSCellInlines.h:
(JSC::JSCell::methodTableForDestruction):
(JSC):
(JSC::JSCell::methodTable):
2013-01-29 Filip Pizlo <fpizlo@apple.com>
 
offlineasm BaseIndex handling is broken on ARM due to MIPS changes
......
......@@ -62,7 +62,7 @@ inline void MarkedBlock::callDestructor(JSCell* cell)
m_heap->m_destroyedTypeCounts.countVPtr(vptr);
#endif
cell->methodTable()->destroy(cell);
cell->methodTableForDestruction()->destroy(cell);
cell->zap();
}
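Review bot: the call-site switch to methodTableForDestruction() in callDestructor needs a one-line comment saying why validation is skipped here; the commit message says the structure cannot be validated at that point, but the next reader of this function will only see a caller deliberately bypassing the new check and have no way to tell whether that is safe. Something like `// Structure may already be swept; cannot validate it here.` above the call would do, and it would also document that cell->zap() runs only after destroy() has used the unvalidated table.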
......
......@@ -105,6 +105,7 @@ public:
// Object operations, with the toObject operation included.
const ClassInfo* classInfo() const;
const MethodTable* methodTable() const;
const MethodTable* methodTableForDestruction() const;
static void put(JSCell*, ExecState*, PropertyName, JSValue, PutPropertySlot&);
static void putByIndex(JSCell*, ExecState*, unsigned propertyName, JSValue, bool shouldThrow);
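Review bot: methodTableForDestruction() is declared public right next to methodTable(), so any caller can use it to sidestep the validation this patch adds. Since its only legitimate caller is MarkedBlock::callDestructor, consider making it private with MarkedBlock as a friend, or at least add a header comment stating that it skips structure validation and must only be used from the sweeper.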
......
......@@ -137,8 +137,16 @@ inline void JSCell::setStructure(JSGlobalData& globalData, Structure* structure)
m_structure.set(globalData, this, structure);
}
inline const MethodTable* JSCell::methodTableForDestruction() const
{
return &classInfo()->methodTable;
}
inline const MethodTable* JSCell::methodTable() const
{
if (Structure* rootStructure = m_structure->structure())
RELEASE_ASSERT(rootStructure == rootStructure->structure());
return &classInfo()->methodTable;
}
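Review bot: the check in methodTable() is skipped whenever m_structure->structure() is null, and a null m_structure crashes on the dereference before the RELEASE_ASSERT runs, so the ChangeLog's "always make sure that our structure _could_ be valid" only holds when the structure-of-structure is non-null. If a live cell's Structure must always have a root Structure, assert that too: `RELEASE_ASSERT(rootStructure && rootStructure == rootStructure->structure())`; if null is legitimate in some window (for example while the Structure is being constructed), a comment saying so would explain the conditional. Also, both functions now end with the identical `return &classInfo()->methodTable;`; having methodTable() `return methodTableForDestruction();` after the assert keeps the two from drifting apart.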
......