[multivm] Re-split fields for V8 and Dart wrappers.

Source/bindings/common/ScriptWrappable.h

 /*
  * Copyright (C) 2014 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 16 matching lines @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
 #ifndef ScriptWrappable_h
 #define ScriptWrappable_h
 
 #include "bindings/core/v8/WrapperTypeInfo.h"
 #include "platform/ScriptForbiddenScope.h"
 #include "platform/heap/Handle.h"
+#include "wtf/Assertions.h"
 #include <v8.h>
-#include "wtf/Assertions.h"
 
 namespace blink {
 
 // Forward declarations.
 class DartWrapperInfo;
 class DartMultiWrapperInfo;
 struct WrapperTypeInfo;
 
 /**
  * The base class of all wrappable objects.
@@ skipping 48 matching lines @@
     }
 
     void assertWrapperSanity(v8::Local<v8::Object> object)
     {
         RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(object.IsEmpty()
             || object->GetAlignedPointerFromInternalField(v8DOMWrapperObjectIndex) == toScriptWrappableBase());
     }
 };
 
 // An optimization to avoid in the common case the cost of map lookups when
-// finding the V8 or Dart wrapper for a Blink object and to quickly find the
-// most specific V8 or Dart wrapper type for a Blink object.
+// finding the V8 or Dart wrapper for a Blink object.
 class ScriptWrappable : public ScriptWrappableBase {
 public:
     class TaggedPointer {
     private:
         enum {
-            kV8WrapperTag = 0x0,
+            kMultiWrapperTag = 0x0,
             kDartWrapperTag = 0x1,
-            kMultiWrapperTag = 0x3
         };
-        static const intptr_t kWrappableBitMask = 0x3;
+        static const intptr_t kWrappableBitMask = 0x1;
 
         uintptr_t m_ptr;
 
     public:
         TaggedPointer() : m_ptr(0) { }
 
-        explicit TaggedPointer(v8::Object* info) : m_ptr(reinterpret_cast<uintptr_t>(info) | kV8WrapperTag)
-        {
-            // Assert incoming pointer is non-null and 4-byte aligned.
-            ASSERT(info && ((reinterpret_cast<uintptr_t>(info) & kWrappableBitMask) == 0));
-        }
-
         explicit TaggedPointer(DartWrapperInfo* info) : m_ptr(reinterpret_cast<uintptr_t>(info) | kDartWrapperTag)
         {
             // Assert incoming pointer is non-null and 4-byte aligned.
             ASSERT(info && ((reinterpret_cast<uintptr_t>(info) & kWrappableBitMask) == 0));
         }
 
         explicit TaggedPointer(DartMultiWrapperInfo* info) : m_ptr(reinterpret_cast<uintptr_t>(info) | kMultiWrapperTag)
         {
             // Assert incoming pointer is non-null and 4-byte aligned.
             ASSERT(info && ((reinterpret_cast<uintptr_t>(info) & kWrappableBitMask) == 0));
         }
 
         inline bool isEmpty() const
         {
             return !m_ptr;
         }
 
-        inline bool isV8Wrapper() const
-        {
-            return isV8WrapperOrEmpty() && !isEmpty();
-        }
-
-        inline bool isV8WrapperOrEmpty() const
-        {
-            return (m_ptr & 0x1) == 0;
-        }
-
         inline bool isDartWrapperInfo() const
         {
             return (m_ptr & kWrappableBitMask) == kDartWrapperTag;
         }
 
         inline bool isDartMultiWrapperInfo() const
         {
-            return (m_ptr & kWrappableBitMask) == kMultiWrapperTag;
-        }
-
-        inline v8::Object* v8Wrapper() const
-        {
-            return reinterpret_cast<v8::Object*>(m_ptr);
+            return m_ptr && (m_ptr & kWrappableBitMask) == kMultiWrapperTag;
         }
 
         inline DartWrapperInfo* dartWrapperInfo() const
         {
             return reinterpret_cast<DartWrapperInfo*>(m_ptr & ~kWrappableBitMask);
         }
 
         inline DartMultiWrapperInfo* dartMultiWrapperInfo() const
         {
             return reinterpret_cast<DartMultiWrapperInfo*>(m_ptr & ~kWrappableBitMask);
         }
 
         inline void clear()
         {
             m_ptr = 0;
         }
     };
 
     COMPILE_ASSERT(sizeof(TaggedPointer) == sizeof(void*), taggedPointerIsNotOneWord);
 
 public:
-    ScriptWrappable() : m_wrapper() { }
+    ScriptWrappable() : m_v8Wrapper(), m_dartWrapperInfo() { }
 
     inline bool containsV8Wrapper() const;
     inline void setV8Wrapper(v8::Object* wrapper);
     inline v8::Object* getV8Wrapper() const;
     inline void clearV8Wrapper(v8::Local<v8::Object> wrapper, v8::Persistent<v8::Object>* persistent);
 
     inline void setDartWrapper(void* domData, void* wrapper);
     inline void* getDartWrapper(void * domData) const;
     inline void clearDartWrapper(void* wrapper);
 
@@ skipping 23 matching lines @@
     virtual v8::Handle<v8::Object> associateWithWrapper(const WrapperTypeInfo*, v8::Handle<v8::Object> wrapper, v8::Isolate*);
 
     using ScriptWrappableBase::assertWrapperSanity;
 
 #if !ENABLE(OILPAN)
 protected:
     virtual ~ScriptWrappable()
     {
         // We must not get deleted as long as we contain a wrapper. If this happens, we screwed up ref
         // counting somewhere. Crash here instead of crashing during a later gc cycle.
-        RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(m_wrapper.isEmpty());
-        m_wrapper.clear(); // Break UAF attempts to wrap.
+        RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(!containsV8Wrapper());
+        m_v8Wrapper = 0; // Break UAF attempts to wrap.
+
+        RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(m_dartWrapperInfo.isEmpty());
     }
 #endif
     // With Oilpan we don't need a ScriptWrappable destructor.
     //
     // - 'RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(!containsWrapper())' is not needed
     // because Oilpan is not using reference counting at all. If containsWrapper() is true,
     // it means that ScriptWrappable still has a wrapper. In this case, the destructor
     // must not be called since the wrapper has a persistent handle back to this ScriptWrappable object.
     // Assuming that Oilpan's GC is correct (If we cannot assume this, a lot of more things are
     // already broken), we must not hit the RELEASE_ASSERT.
     //
     // - 'm_wrapper = 0' is not needed because Oilpan's GC zeroes out memory when
     // the memory is collected and added to a free list.
 
 private:
-    // A tagged pointer to this object's V8 or Dart peer. It may contain:
-    // -- nothing, transiently during construction/destruction
-    // -- WrapperTypeInfo, if this object has no peers
-    // -- v8::Object, if this object has a V8 peer in the main world and no Dart
-    //    peer
-    // -- DartWrapperInfo, if this object has one Dart peer and possibly a V8
-    //    peer in the main world
-    // -- DartMultiWrapperInfo, if this object has more than one Dart peer and
-    //    possibly a V8 peer in the main world
-    TaggedPointer m_wrapper;
-
-    inline TaggedPointer getV8WrapperOrEmpty() const;
+    v8::Object* m_v8Wrapper;
+    TaggedPointer m_dartWrapperInfo;
 };
 
 } // namespace blink
 
+#include "bindings/core/v8/V8ScriptWrappable.h"
 #include "bindings/dart/DartScriptWrappable.h"
-#include "bindings/core/v8/V8ScriptWrappable.h"
 
 #endif // ScriptWrappable_h