Fixed memory leaks and crashes related to global TypedArra constructors and prototypes

Author: phoboslab

JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -557,6 +557,10 @@
 		B6D1888C1673751400D1037C /* GlobalDataHelper.h in Headers */ = {isa = PBXBuildFile; fileRef = B6D188881673751400D1037C /* GlobalDataHelper.h */; };
 		B6D1888E167381A400D1037C /* JSFloat32ArrayCustom.cpp in Sources */ = {isa = PBXBuildFile; fileRef = B6D1888D167381A300D1037C /* JSFloat32ArrayCustom.cpp */; };
 		B6D1888F167381A400D1037C /* JSFloat32ArrayCustom.cpp in Sources */ = {isa = PBXBuildFile; fileRef = B6D1888D167381A300D1037C /* JSFloat32ArrayCustom.cpp */; };
+		B6E02BB916D1666300616925 /* TypedArrayHashTableMap.h in Headers */ = {isa = PBXBuildFile; fileRef = B6E02BB616D1666300616925 /* TypedArrayHashTableMap.h */; };
+		B6E02BBA16D1666300616925 /* TypedArrayHashTableMap.h in Headers */ = {isa = PBXBuildFile; fileRef = B6E02BB616D1666300616925 /* TypedArrayHashTableMap.h */; };
+		B6E02BBC16D17CC400616925 /* TypedArrayHashTableMap.cpp in Sources */ = {isa = PBXBuildFile; fileRef = B6E02BBB16D17CC400616925 /* TypedArrayHashTableMap.cpp */; };
+		B6E02BBD16D17CC400616925 /* TypedArrayHashTableMap.cpp in Sources */ = {isa = PBXBuildFile; fileRef = B6E02BBB16D17CC400616925 /* TypedArrayHashTableMap.cpp */; };
 		B6E69991166BD63D005EF4B1 /* AbstractMacroAssembler.h in Headers */ = {isa = PBXBuildFile; fileRef = 860161DF0F3A83C100F84710 /* AbstractMacroAssembler.h */; };
 		B6E69992166BD63D005EF4B1 /* APICast.h in Headers */ = {isa = PBXBuildFile; fileRef = 1482B78A0A4305AB00517CFC /* APICast.h */; settings = {ATTRIBUTES = (Private, ); }; };
 		B6E69993166BD63D005EF4B1 /* APIShims.h in Headers */ = {isa = PBXBuildFile; fileRef = 865F408710E7D56300947361 /* APIShims.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -1886,6 +1890,8 @@
 		B6D1886F1672DFE700D1037C /* JSFloat32Array.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSFloat32Array.h; sourceTree = "<group>"; };
 		B6D188881673751400D1037C /* GlobalDataHelper.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = GlobalDataHelper.h; sourceTree = "<group>"; };
 		B6D1888D167381A300D1037C /* JSFloat32ArrayCustom.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSFloat32ArrayCustom.cpp; sourceTree = "<group>"; };
+		B6E02BB616D1666300616925 /* TypedArrayHashTableMap.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = TypedArrayHashTableMap.h; sourceTree = "<group>"; };
+		B6E02BBB16D17CC400616925 /* TypedArrayHashTableMap.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = TypedArrayHashTableMap.cpp; sourceTree = "<group>"; };
 		B6E69BC4166BD63D005EF4B1 /* libJavaScriptCore.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = libJavaScriptCore.a; sourceTree = BUILT_PRODUCTS_DIR; };
 		B6E69BDB166BD6C1005EF4B1 /* libJSCLLIntOffsetsExtractor.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = libJSCLLIntOffsetsExtractor.a; sourceTree = BUILT_PRODUCTS_DIR; };
 		B6E69BFD166BDCE7005EF4B1 /* libWTF.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libWTF.a; path = ../Build/libWTF.a; sourceTree = "<group>"; };
@@ -2964,6 +2970,8 @@
 			isa = PBXGroup;
 			children = (
 				B6D188881673751400D1037C /* GlobalDataHelper.h */,
+				B6E02BBB16D17CC400616925 /* TypedArrayHashTableMap.cpp */,
+				B6E02BB616D1666300616925 /* TypedArrayHashTableMap.h */,
 				B6D18814166FA73400D1037C /* JSArrayBuffer.cpp */,
 				B6D18815166FA73400D1037C /* JSArrayBuffer.h */,
 				B6D18816166FA73400D1037C /* JSArrayBufferCustom.cpp */,
@@ -3372,6 +3380,7 @@
 				B6F114B91673B116001F1324 /* JSUint16Array.h in Headers */,
 				B6F114BF1673B116001F1324 /* JSUint32Array.h in Headers */,
 				B6F114CA16755F98001F1324 /* JSTypedArray.h in Headers */,
+				B6E02BB916D1666300616925 /* TypedArrayHashTableMap.h in Headers */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
@@ -3731,6 +3740,7 @@
 				B6F114BA1673B116001F1324 /* JSUint16Array.h in Headers */,
 				B6F114C01673B116001F1324 /* JSUint32Array.h in Headers */,
 				B6F114CB16755F98001F1324 /* JSTypedArray.h in Headers */,
+				B6E02BBA16D1666300616925 /* TypedArrayHashTableMap.h in Headers */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
@@ -4498,6 +4508,7 @@
 				B6F114BD1673B116001F1324 /* JSUint32Array.cpp in Sources */,
 				B6F114C11673B116001F1324 /* JSUint32ArrayCustom.cpp in Sources */,
 				B6F114C816755F98001F1324 /* JSTypedArray.cpp in Sources */,
+				B6E02BBC16D17CC400616925 /* TypedArrayHashTableMap.cpp in Sources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
@@ -4744,6 +4755,7 @@
 				B6F114BE1673B116001F1324 /* JSUint32Array.cpp in Sources */,
 				B6F114C21673B116001F1324 /* JSUint32ArrayCustom.cpp in Sources */,
 				B6F114C916755F98001F1324 /* JSTypedArray.cpp in Sources */,
+				B6E02BBD16D17CC400616925 /* TypedArrayHashTableMap.cpp in Sources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};

JavaScriptCore/runtime/JSGlobalData.h

@@ -55,6 +55,8 @@
 #include <wtf/ListHashSet.h>
 #endif
 
+#include "TypedArrayHashTableMap.h"
+
 struct OpaqueJSClass;
 struct OpaqueJSClassContextData;
 
@@ -405,6 +407,9 @@ namespace JSC {
         registerTypedArrayFunction(float32, Float32);
         registerTypedArrayFunction(float64, Float64);
 #undef registerTypedArrayFunction
+		
+		WebCore::TypedArrayHashTableMap typedArrayHashTableMap;
+
 
         JSLock& apiLock() { return m_apiLock; }
 

JavaScriptCore/runtime/JSGlobalObject.h

@@ -34,6 +34,8 @@
 #include <wtf/OwnPtr.h>
 #include <wtf/RandomNumber.h>
 
+#include "WriteBarrier.h"
+
 namespace JSC {
 
     class ArrayPrototype;
@@ -167,6 +169,9 @@ namespace JSC {
         }
 
         static JS_EXPORTDATA const ClassInfo s_info;
+				
+		HashMap<const JSC::ClassInfo*, JSC::WriteBarrier<JSC::JSObject> > typedArrayConstructorMap;
+		HashMap<const JSC::ClassInfo*, JSC::WriteBarrier<JSC::JSObject> > typedArrayPrototypeMap;
 
     protected:
         explicit JSGlobalObject(JSGlobalData& globalData, Structure* structure, const GlobalObjectMethodTable* globalObjectMethodTable = 0)

JavaScriptCore/runtime/TypedArrays/GlobalDataHelper.h

@@ -23,37 +23,38 @@ enum ParameterDefaultPolicy {
 #define MAYBE_MISSING_PARAMETER(exec, index, policy) (((policy) == DefaultIsNullString && (index) >= (exec)->argumentCount()) ? (JSValue()) : ((exec)->argument(index)))
 
 static inline const JSC::HashTable* getHashTableForGlobalData(JSC::JSGlobalData& globalData, const JSC::HashTable* staticTable) {
-	ASSERT_UNUSED(&globalData, &globalData);
-	// PL FIXME: this should return a copy per globalData. I think.
-	return staticTable;
+	return globalData.typedArrayHashTableMap.get(staticTable);
 }
 
-
 template<class ConstructorClass>
-static inline JSC::JSObject* getDOMConstructor(JSC::ExecState* exec, JSC::JSGlobalObject* globalObject)
+inline JSC::JSObject* getDOMConstructor(JSC::ExecState* exec, JSC::JSGlobalObject* globalObject)
 {
-	static ConstructorClass * globalConstructor;
-	if( !globalConstructor ) {
-		globalConstructor = ConstructorClass::create(exec, ConstructorClass::createStructure(exec->globalData(), globalObject, globalObject->objectPrototype()), globalObject);
-	}
-	return (JSC::JSObject *)globalConstructor;
+	if (JSC::JSObject* constructor = globalObject->typedArrayConstructorMap.get(&ConstructorClass::s_info).get())
+		return constructor;
+		
+	JSC::JSObject* constructor = ConstructorClass::create(exec, ConstructorClass::createStructure(exec->globalData(), globalObject, globalObject->objectPrototype()), globalObject);
+	
+	ASSERT(!globalObject->typedArrayConstructorMap.contains(&ConstructorClass::s_info));
+	JSC::WriteBarrier<JSC::JSObject> temp;
+	globalObject->typedArrayConstructorMap.add(&ConstructorClass::s_info, temp).iterator->second.set(exec->globalData(), globalObject, constructor);
+	return constructor;
 }
 
-
 template<class PrototypeClass>
-static inline JSC::JSObject* getDOMPrototype(JSC::ExecState* exec, JSC::JSGlobalObject* globalObject)
+inline JSC::JSObject* getDOMPrototype(JSC::ExecState* exec, JSC::JSGlobalObject* globalObject)
 {
-	static PrototypeClass * globalPrototype;
-	if( !globalPrototype ) {
-		JSC::JSGlobalData &data = exec->globalData();
+	if (JSC::JSObject* prototype = globalObject->typedArrayPrototypeMap.get(&PrototypeClass::s_info).get())
+		return prototype;
 
-		globalPrototype = PrototypeClass::create(data, globalObject,
-			PrototypeClass::createStructure(data, globalObject, globalObject->objectPrototype()));
-	}
-	return (JSC::JSObject *)globalPrototype;
+	JSC::JSObject* prototype = PrototypeClass::create(exec->globalData(), globalObject,
+		PrototypeClass::createStructure(exec->globalData(), globalObject, globalObject->objectPrototype()));
+	
+	ASSERT(!globalObject->typedArrayPrototypeMap.contains(&PrototypeClass::s_info));
+	JSC::WriteBarrier<JSC::JSObject> temp;
+	globalObject->typedArrayPrototypeMap.add(&PrototypeClass::s_info, temp).iterator->second.set(exec->globalData(), globalObject, prototype);
+	return prototype;
 }
 
-
 }
 
 #endif /* defined(__JavaScriptCore__GlobalDataHelper__) */

JavaScriptCore/runtime/TypedArrays/JSArrayBuffer.cpp

@@ -96,20 +96,15 @@ static const HashTableValue JSArrayBufferPrototypeTableValues[] =
 static const HashTable JSArrayBufferPrototypeTable = { 2, 1, JSArrayBufferPrototypeTableValues, 0 };
 static const HashTable* getJSArrayBufferPrototypeTable(ExecState* exec)
 {
-	ASSERT_UNUSED(exec, exec);
-	return &JSArrayBufferPrototypeTable; // PL FIXME: should be one instance per global data, not super global
+	return getHashTableForGlobalData(exec->globalData(), &JSArrayBufferPrototypeTable);
 }
 
 const ClassInfo JSArrayBufferPrototype::s_info = { "ArrayBufferPrototype", &Base::s_info, 0, getJSArrayBufferPrototypeTable, CREATE_METHOD_TABLE(JSArrayBufferPrototype) };
 
 static JSObject * globalProto = NULL;
 JSObject* JSArrayBufferPrototype::self(ExecState* exec, JSGlobalObject* globalObject)
 {
-	// PL FIXME: dirty hack to provide one global prototype
-	if( !globalProto ) {
-		globalProto = JSArrayBuffer::createPrototype(exec, globalObject);
-	}
-	return globalProto;
+	return getDOMPrototype<JSArrayBufferPrototype>(exec, globalObject);
 }
 
 bool JSArrayBufferPrototype::getOwnPropertySlot(JSCell* cell, ExecState* exec, const Identifier& propertyName, PropertySlot& slot)

JavaScriptCore/runtime/TypedArrays/JSArrayBufferView.cpp

@@ -55,8 +55,7 @@ static const HashTableValue JSArrayBufferViewPrototypeTableValues[] =
 static const HashTable JSArrayBufferViewPrototypeTable = { 1, 0, JSArrayBufferViewPrototypeTableValues, 0 };
 static const HashTable* getJSArrayBufferViewPrototypeTable(ExecState* exec)
 {
-	ASSERT_UNUSED(exec, exec);
-	return &JSArrayBufferViewPrototypeTable; // PL FIXME: should be one instance per global data, not super global
+	return getHashTableForGlobalData(exec->globalData(), &JSArrayBufferViewPrototypeTable);
 }
 
 const ClassInfo JSArrayBufferViewPrototype::s_info = { "ArrayBufferViewPrototype", &Base::s_info, 0, getJSArrayBufferViewPrototypeTable, CREATE_METHOD_TABLE(JSArrayBufferViewPrototype) };

JavaScriptCore/runtime/TypedArrays/TypedArrayHashTableMap.cpp

@@ -0,0 +1,41 @@
+/*
+ *  Copyright (C) 1999-2001 Harri Porten ([email protected])
+ *  Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009 Apple Inc. All rights reserved.
+ *  Copyright (C) 2007 Samuel Weinig <[email protected]>
+ *
+ *  This library is free software; you can redistribute it and/or
+ *  modify it under the terms of the GNU Lesser General Public
+ *  License as published by the Free Software Foundation; either
+ *  version 2 of the License, or (at your option) any later version.
+ *
+ *  This library is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ *  Lesser General Public License for more details.
+ *
+ *  You should have received a copy of the GNU Lesser General Public
+ *  License along with this library; if not, write to the Free Software
+ *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ */
+
+#include "config.h"
+#include "TypedArrayHashTableMap.h"
+#include "Lookup.h"
+
+namespace WebCore{
+
+TypedArrayHashTableMap::~TypedArrayHashTableMap()
+{
+	for (HashMap<const JSC::HashTable*, JSC::HashTable>::iterator iter = m_map.begin(); iter != m_map.end(); ++iter)
+		iter->second.deleteTable();
+}
+
+const JSC::HashTable* TypedArrayHashTableMap::get(const JSC::HashTable* staticTable)
+{
+	HashMap<const JSC::HashTable*, JSC::HashTable>::iterator iter = m_map.find(staticTable);
+	if (iter != m_map.end())
+		return &iter->second;
+	return &m_map.set(staticTable, JSC::HashTable(*staticTable)).iterator->second;
+}
+
+} // namespace WebCore

JavaScriptCore/runtime/TypedArrays/TypedArrayHashTableMap.h

@@ -0,0 +1,46 @@
+/*
+ *  Copyright (C) 1999-2001 Harri Porten ([email protected])
+ *  Copyright (C) 2003, 2004, 2005, 2006, 2008, 2009 Apple Inc. All rights reserved.
+ *  Copyright (C) 2007 Samuel Weinig <[email protected]>
+ *  Copyright (C) 2009 Google, Inc. All rights reserved.
+ *
+ *  This library is free software; you can redistribute it and/or
+ *  modify it under the terms of the GNU Lesser General Public
+ *  License as published by the Free Software Foundation; either
+ *  version 2 of the License, or (at your option) any later version.
+ *
+ *  This library is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ *  Lesser General Public License for more details.
+ *
+ *  You should have received a copy of the GNU Lesser General Public
+ *  License along with this library; if not, write to the Free Software
+ *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ */
+
+#ifndef TypedArrayHashTableMap_h
+#define TypedArrayHashTableMap_h
+
+#include <wtf/HashMap.h>
+
+
+namespace JSC {
+class JSGlobalData;
+struct HashTable;
+}
+
+namespace WebCore {
+
+// Map from static HashTable instances to per-GlobalData ones.
+class TypedArrayHashTableMap {
+public:
+    ~TypedArrayHashTableMap();
+    const JSC::HashTable* get(const JSC::HashTable* staticTable);
+private:
+    HashMap<const JSC::HashTable*, JSC::HashTable> m_map;
+};
+
+} // namespace JSC
+
+#endif // TypedArrayHashTableMap_h