| Index: Source/bindings/common/ScriptWrappable.h
|
| diff --git a/Source/bindings/common/ScriptWrappable.h b/Source/bindings/common/ScriptWrappable.h
|
| index 414a6cd0cbdc928ede6298050fe37b8b2fd50910..b207dfaa98479bd35f2aaac75e7a3dfe7e20244f 100644
|
| --- a/Source/bindings/common/ScriptWrappable.h
|
| +++ b/Source/bindings/common/ScriptWrappable.h
|
| @@ -34,8 +34,8 @@
|
| #include "bindings/core/v8/WrapperTypeInfo.h"
|
| #include "platform/ScriptForbiddenScope.h"
|
| #include "platform/heap/Handle.h"
|
| -#include <v8.h>
|
| #include "wtf/Assertions.h"
|
| +#include <v8.h>
|
|
|
| namespace blink {
|
|
|
| @@ -104,30 +104,22 @@ public:
|
| };
|
|
|
| // An optimization to avoid in the common case the cost of map lookups when
|
| -// finding the V8 or Dart wrapper for a Blink object and to quickly find the
|
| -// most specific V8 or Dart wrapper type for a Blink object.
|
| +// finding the V8 or Dart wrapper for a Blink object.
|
| class ScriptWrappable : public ScriptWrappableBase {
|
| public:
|
| class TaggedPointer {
|
| private:
|
| enum {
|
| - kV8WrapperTag = 0x0,
|
| + kMultiWrapperTag = 0x0,
|
| kDartWrapperTag = 0x1,
|
| - kMultiWrapperTag = 0x3
|
| };
|
| - static const intptr_t kWrappableBitMask = 0x3;
|
| + static const intptr_t kWrappableBitMask = 0x1;
|
|
|
| uintptr_t m_ptr;
|
|
|
| public:
|
| TaggedPointer() : m_ptr(0) { }
|
|
|
| - explicit TaggedPointer(v8::Object* info) : m_ptr(reinterpret_cast<uintptr_t>(info) | kV8WrapperTag)
|
| - {
|
| - // Assert incoming pointer is non-null and 4-byte aligned.
|
| - ASSERT(info && ((reinterpret_cast<uintptr_t>(info) & kWrappableBitMask) == 0));
|
| - }
|
| -
|
| explicit TaggedPointer(DartWrapperInfo* info) : m_ptr(reinterpret_cast<uintptr_t>(info) | kDartWrapperTag)
|
| {
|
| // Assert incoming pointer is non-null and 4-byte aligned.
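Review bot: The comment `// Assert incoming pointer is non-null and 4-byte aligned.` kept as the last context line of this hunk no longer matches the check, because kWrappableBitMask shrinks from 0x3 to 0x1 and the ASSERT on the following line (outside the hunk) now only verifies that the low bit is clear, i.e. 2-byte alignment. Either reword it to `// Assert incoming pointer is non-null and has its low (tag) bit clear.` or keep masking the assertion with 0x3 if 4-byte alignment is still a requirement for DartWrapperInfo. The enum would also benefit from a line recording that kMultiWrapperTag is now 0x0 and therefore cannot be told apart from the empty value by tag bits alone, e.g. `// 0x0 is also the empty value; callers must check m_ptr != 0 before trusting this tag.` The TaggedPointer constructor body continues past the end of the hunk.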
|
| @@ -145,16 +137,6 @@ public:
|
| return !m_ptr;
|
| }
|
|
|
| - inline bool isV8Wrapper() const
|
| - {
|
| - return isV8WrapperOrEmpty() && !isEmpty();
|
| - }
|
| -
|
| - inline bool isV8WrapperOrEmpty() const
|
| - {
|
| - return (m_ptr & 0x1) == 0;
|
| - }
|
| -
|
| inline bool isDartWrapperInfo() const
|
| {
|
| return (m_ptr & kWrappableBitMask) == kDartWrapperTag;
|
| @@ -162,12 +144,7 @@ public:
|
|
|
| inline bool isDartMultiWrapperInfo() const
|
| {
|
| - return (m_ptr & kWrappableBitMask) == kMultiWrapperTag;
|
| - }
|
| -
|
| - inline v8::Object* v8Wrapper() const
|
| - {
|
| - return reinterpret_cast<v8::Object*>(m_ptr);
|
| + return m_ptr && (m_ptr & kWrappableBitMask) == kMultiWrapperTag;
|
| }
|
|
|
| inline DartWrapperInfo* dartWrapperInfo() const
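Review bot: The new `m_ptr &&` guard in isDartMultiWrapperInfo is load-bearing but unexplained: kMultiWrapperTag is 0x0, so an empty TaggedPointer would otherwise satisfy the tag comparison and report itself as a multi-wrapper. A one-line comment above the return, such as `// kMultiWrapperTag is 0x0, which the empty value also carries, so exclude the null pointer explicitly.`, would stop a later cleanup from dropping the null check as redundant. isDartWrapperInfo in the previous hunk does not need the same guard because kDartWrapperTag is non-zero, and stating that asymmetry next to the enum would make the invariant easier to keep.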
|
| @@ -189,7 +166,7 @@ public:
|
| COMPILE_ASSERT(sizeof(TaggedPointer) == sizeof(void*), taggedPointerIsNotOneWord);
|
|
|
| public:
|
| - ScriptWrappable() : m_wrapper() { }
|
| + ScriptWrappable() : m_v8Wrapper(), m_dartWrapperInfo() { }
|
|
|
| inline bool containsV8Wrapper() const;
|
| inline void setV8Wrapper(v8::Object* wrapper);
|
| @@ -233,8 +210,10 @@ protected:
|
| {
|
| // We must not get deleted as long as we contain a wrapper. If this happens, we screwed up ref
|
| // counting somewhere. Crash here instead of crashing during a later gc cycle.
|
| - RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(m_wrapper.isEmpty());
|
| - m_wrapper.clear(); // Break UAF attempts to wrap.
|
| + RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(!containsV8Wrapper());
|
| + m_v8Wrapper = 0; // Break UAF attempts to wrap.
|
| +
|
| + RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(m_dartWrapperInfo.isEmpty());
|
| }
|
| #endif
|
| // With Oilpan we don't need a ScriptWrappable destructor.
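Review bot: The Dart side loses the defensive clear the old code had: the removed `m_wrapper.clear(); // Break UAF attempts to wrap.` reset whatever the tagged pointer held, while the new code nulls only m_v8Wrapper and leaves m_dartWrapperInfo untouched after its RELEASE_ASSERT_WITH_SECURITY_IMPLICATION. Adding `m_dartWrapperInfo.clear(); // Break UAF attempts to wrap.` after the second assertion keeps the same use-after-free hardening for the Dart peer pointer that the V8 pointer still gets. The destructor's signature and the preprocessor condition that guards it are outside the hunk, so this assumes the two asserts are its only statements.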
|
| @@ -250,23 +229,13 @@ protected:
|
| // the memory is collected and added to a free list.
|
|
|
| private:
|
| - // A tagged pointer to this object's V8 or Dart peer. It may contain:
|
| - // -- nothing, transiently during construction/destruction
|
| - // -- WrapperTypeInfo, if this object has no peers
|
| - // -- v8::Object, if this object has a V8 peer in the main world and no Dart
|
| - // peer
|
| - // -- DartWrapperInfo, if this object has one Dart peer and possibly a V8
|
| - // peer in the main world
|
| - // -- DartMultiWrapperInfo, if this object has more than one Dart peer and
|
| - // possibly a V8 peer in the main world
|
| - TaggedPointer m_wrapper;
|
| -
|
| - inline TaggedPointer getV8WrapperOrEmpty() const;
|
| + v8::Object* m_v8Wrapper;
|
| + TaggedPointer m_dartWrapperInfo;
|
| };
|
|
|
| } // namespace blink
|
|
|
| -#include "bindings/dart/DartScriptWrappable.h"
|
| #include "bindings/core/v8/V8ScriptWrappable.h"
|
| +#include "bindings/dart/DartScriptWrappable.h"
|
|
|
| #endif // ScriptWrappable_h
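Review bot: The two new members `m_v8Wrapper` and `m_dartWrapperInfo` replace a documented field with undocumented ones; the removed comment block listed every state the tagged pointer could be in, and none of that survives the split. Suggest a comment above m_v8Wrapper such as `// Pointer to this object's V8 peer in the main world, or 0 if it has none.` and above m_dartWrapperInfo one adapted from the removed text, stating that it is empty, a DartWrapperInfo when the object has one Dart peer, or a DartMultiWrapperInfo when it has more than one. Splitting the field also appears to add one pointer-sized word to every ScriptWrappable instance, since the COMPILE_ASSERT only constrains TaggedPointer; if that memory trade-off was considered it is worth recording in the commit description.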
|
|
|