2011-05-18 Oliver Hunt <oliver@apple.com>
author    Oliver Hunt <oliver@apple.com>
          Wed, 18 May 2011 20:41:54 +0000 (20:41 +0000)
committer Ademar de Souza Reis Jr <ademar.reis@openbossa.org>
          Thu, 19 May 2011 20:09:22 +0000 (17:09 -0300)
commit    203ddbc04fc0377e3aeeb6b060ed91ed1c18d5c9
tree      b1afc566c8f434ffd72c35ab0213c548cd40c714
parent    cace979a8c301b95d9ecd1c6a0eced1feb7fd516
2011-05-18  Oliver Hunt  <oliver@apple.com>

        Reviewed by Sam Weinig.

        JSGlobalObject and some others do GC allocation during initialization, which can cause heap corruption
        https://bugs.webkit.org/show_bug.cgi?id=61090

        Remove the Structure-free JSGlobalObject constructor and instead always
        pass the structure into the JSGlobalObject constructor.
        Stop DebuggerActivation creating a new structure every time, and simply
        use a single shared structure held by the GlobalData.

        * API/JSContextRef.cpp:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::DebuggerActivation):
        * jsc.cpp:
        (GlobalObject::GlobalObject):
        (functionRun):
        (jscmain):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::clearBuiltinStructures):
        * runtime/JSGlobalData.h:
        * runtime/JSGlobalObject.h:
2011-05-18  Oliver Hunt  <oliver@apple.com>

        Reviewed by Sam Weinig.

        JSGlobalObject and some others do GC allocation during initialization, which can cause heap corruption
        https://bugs.webkit.org/show_bug.cgi?id=61090

        Rather than having Constructor objects create their structure
        as part of initialisation, we now pass their expected structure
        in as an argument.  This required fixing the few custom Constructors
        and the code generator.

        * bindings/js/JSAudioConstructor.cpp:
        (WebCore::JSAudioConstructor::JSAudioConstructor):
        * bindings/js/JSAudioConstructor.h:
        * bindings/js/JSDOMGlobalObject.h:
        (WebCore::getDOMConstructor):
          Pass the Constructor object's structure in as an argument
        * bindings/js/JSImageConstructor.cpp:
        (WebCore::JSImageConstructor::JSImageConstructor):
        * bindings/js/JSImageConstructor.h:
        * bindings/js/JSOptionConstructor.cpp:
        (WebCore::JSOptionConstructor::JSOptionConstructor):
        * bindings/js/JSOptionConstructor.h:
        * bindings/scripts/CodeGeneratorJS.pm:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@86785 268f45cc-cd09-0410-ab3c-d52691b4dbfc
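The hazard both ChangeLog entries describe, as an added illustration that is not WebKit's code: a toy mark-phase collector with a hypothetical heap that collects on every allocation (the way a stress-GC build would). A cell that allocates its own Structure inside its constructor is already visible to the collector while its fields are still unwritten, so the marker follows a pointer that was never set; allocating the Structure first and passing it into the constructor removes that window. All names here (Heap, Cell, Structure, BuggyGlobalObject, FixedGlobalObject, kUninitialized) are assumptions of the example, not JSC identifiers.

```cpp
#include <algorithm>
#include <cassert>
#include <cstdint>
#include <utility>
#include <vector>

struct Heap;

// A GC-managed cell. Registering with the heap in the base constructor mimics an
// allocator whose block is visible to marking before the derived constructor has
// finished filling it in.
struct Cell {
    explicit Cell(Heap& heap);
    virtual ~Cell() = default;
    virtual void markChildren(std::vector<Cell*>& worklist) = 0;
    bool marked = false;
};

// Stand-in for the bytes a fresh block holds before a constructor writes them.
// Real uninitialized memory is arbitrary; a fixed poison value keeps the example
// deterministic, and the marker below never dereferences it.
static Cell* const kUninitialized =
    reinterpret_cast<Cell*>(static_cast<std::uintptr_t>(0xdeadbeef));

struct Heap {
    std::vector<Cell*> cells;  // every cell handed out, in allocation order
    int wildPointers = 0;      // marker reached a pointer that is not a known cell
    bool collectOnEveryAllocation = true;  // hypothetical stress-GC mode

    ~Heap() { for (Cell* c : cells) delete c; }

    // Allocation entry point: like a real collector, a GC may run here.
    template <typename T, typename... Args>
    T* allocate(Args&&... args) {
        if (collectOnEveryAllocation) collect();
        return new T(*this, std::forward<Args>(args)...);  // Cell(Heap&) registers it
    }

    bool isCell(Cell* p) const {
        return std::find(cells.begin(), cells.end(), p) != cells.end();
    }

    // Mark phase; for simplicity every registered cell is treated as a root.
    void collect() {
        for (Cell* c : cells) c->marked = false;
        std::vector<Cell*> worklist(cells.begin(), cells.end());
        while (!worklist.empty()) {
            Cell* c = worklist.back();
            worklist.pop_back();
            if (!isCell(c)) { ++wildPointers; continue; }  // a real marker would dereference here
            if (c->marked) continue;
            c->marked = true;
            c->markChildren(worklist);
        }
    }
};

inline Cell::Cell(Heap& heap) { heap.cells.push_back(this); }

// Hypothetical stand-in for JSC's Structure: a cell with no children of its own.
struct Structure : Cell {
    explicit Structure(Heap& heap) : Cell(heap) {}
    void markChildren(std::vector<Cell*>&) override {}
};

// Before: the object creates its Structure while it is itself being constructed.
struct BuggyGlobalObject : Cell {
    Cell* m_structure = kUninitialized;  // not yet written when the body starts
    explicit BuggyGlobalObject(Heap& heap) : Cell(heap) {
        // This allocation can run the collector, which marks *this* (already
        // registered) and follows m_structure before it has been assigned.
        m_structure = heap.allocate<Structure>();
    }
    void markChildren(std::vector<Cell*>& worklist) override { worklist.push_back(m_structure); }
};

// After: the Structure is allocated first and passed in, so every GC-visible
// field is set before any further allocation can trigger a collection.
struct FixedGlobalObject : Cell {
    Cell* m_structure;
    FixedGlobalObject(Heap& heap, Structure* structure) : Cell(heap), m_structure(structure) {}
    void markChildren(std::vector<Cell*>& worklist) override { worklist.push_back(m_structure); }
};

// Returns how many unset pointers the marker followed during construction.
int wildPointersBuggy() {
    Heap heap;
    heap.allocate<BuggyGlobalObject>();
    return heap.wildPointers;  // 1
}

int wildPointersFixed() {
    Heap heap;
    Structure* structure = heap.allocate<Structure>();
    heap.allocate<FixedGlobalObject>(structure);
    heap.collect();  // a later collection is clean as well
    return heap.wildPointers;  // 0
}

int main() {
    assert(wildPointersBuggy() == 1);
    assert(wildPointersFixed() == 0);
    return 0;
}
```

The `wildPointers` counter is the toy's stand-in for the heap corruption named in the bug title: a real marker has no way to tell an unset field from a valid cell pointer and simply dereferences it. That is why the fix is structural (no GC allocation until every field the marker can see is written) rather than a check in the collector.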
16 files changed:
Source/JavaScriptCore/API/JSContextRef.cpp
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/debugger/DebuggerActivation.cpp
Source/JavaScriptCore/jsc.cpp
Source/JavaScriptCore/runtime/JSGlobalData.cpp
Source/JavaScriptCore/runtime/JSGlobalData.h
Source/JavaScriptCore/runtime/JSGlobalObject.h
Source/WebCore/ChangeLog
Source/WebCore/bindings/js/JSAudioConstructor.cpp
Source/WebCore/bindings/js/JSAudioConstructor.h
Source/WebCore/bindings/js/JSDOMGlobalObject.h
Source/WebCore/bindings/js/JSImageConstructor.cpp
Source/WebCore/bindings/js/JSImageConstructor.h
Source/WebCore/bindings/js/JSOptionConstructor.cpp
Source/WebCore/bindings/js/JSOptionConstructor.h
Source/WebCore/bindings/scripts/CodeGeneratorJS.pm