Add many ensureStillAliveHere scopes for good measure

Source/JavaScriptCore/API/APICallbackFunction.h

@@ -124,7 +124,9 @@ EncodedJSValue APICallbackFunction::constructImpl(JSGlobalObject* globalObject,
         return JSValue::encode(newObject);
     }
 
-    return JSValue::encode(toJS(JSObjectMake(ctx, jsCast<JSCallbackConstructor*>(callee)->classRef(), nullptr)));
+    auto* callbackConstructor = jsCast<JSCallbackConstructor*>(callee);
+    JSC::EnsureStillAliveScope ensureCallbackConstructor(callbackConstructor);
+    return JSValue::encode(toJS(JSObjectMake(ctx, callbackConstructor->classRef(), nullptr)));
 }
 
 } // namespace JSC

Source/JavaScriptCore/API/JSCallbackObjectFunctions.h

@@ -147,10 +147,11 @@ bool JSCallbackObject<Parent>::getOwnPropertySlot(JSObject* object, JSGlobalObje
     auto scope = DECLARE_THROW_SCOPE(vm);
 
     JSCallbackObject* thisObject = jsCast<JSCallbackObject*>(object);
+    JSC::EnsureStillAliveScope ensureThisObject(thisObject);
     JSContextRef ctx = toRef(globalObject);
     JSObjectRef thisRef = toRef(jsCast<JSObject*>(thisObject));
     RefPtr<OpaqueJSString> propertyNameRef;
-    
+
     if (StringImpl* name = propertyName.uid()) {
         unsigned attributes = PropertyAttribute::ReadOnly | PropertyAttribute::DontEnum;
         for (JSClassRef jsClass = thisObject->classRef(); jsClass; jsClass = jsClass->parentClass) {
@@ -267,6 +268,7 @@ bool JSCallbackObject<Parent>::put(JSCell* cell, JSGlobalObject* globalObject, P
     auto scope = DECLARE_THROW_SCOPE(vm);
 
     JSCallbackObject* thisObject = jsCast<JSCallbackObject*>(cell);
+    JSC::EnsureStillAliveScope ensureThisObject(thisObject);
     JSContextRef ctx = toRef(globalObject);
     JSObjectRef thisRef = toRef(jsCast<JSObject*>(thisObject));
     RefPtr<OpaqueJSString> propertyNameRef;
@@ -397,10 +399,11 @@ bool JSCallbackObject<Parent>::deleteProperty(JSCell* cell, JSGlobalObject* glob
     auto scope = DECLARE_THROW_SCOPE(vm);
 
     JSCallbackObject* thisObject = jsCast<JSCallbackObject*>(cell);
+    JSC::EnsureStillAliveScope ensureThisObject(thisObject);
     JSContextRef ctx = toRef(globalObject);
     JSObjectRef thisRef = toRef(jsCast<JSObject*>(thisObject));
     RefPtr<OpaqueJSString> propertyNameRef;
-    
+
     if (StringImpl* name = propertyName.uid()) {
         for (JSClassRef jsClass = thisObject->classRef(); jsClass; jsClass = jsClass->parentClass) {
             if (JSObjectDeletePropertyCallback deleteProperty = jsClass->deleteProperty) {

Source/JavaScriptCore/API/JSObjectRef.cpp

@@ -83,6 +83,7 @@ JSObjectRef JSObjectMake(JSContextRef ctx, JSClassRef jsClass, void* data)
         return nullptr;
     }
     JSGlobalObject* globalObject = toJS(ctx);
+    JSC::EnsureStillAliveScope ensureGlobalObject(globalObject);
     VM& vm = globalObject->vm();
     JSLockHolder locker(vm);
 
@@ -115,6 +116,7 @@ JSObjectRef JSObjectMakeConstructor(JSContextRef ctx, JSClassRef jsClass, JSObje
         return nullptr;
     }
     JSGlobalObject* globalObject = toJS(ctx);
+    JSC::EnsureStillAliveScope ensureGlobalObject(globalObject);
     VM& vm = globalObject->vm();
     JSLockHolder locker(vm);
 

Source/JavaScriptCore/API/JSValueRef.cpp

@@ -285,6 +285,7 @@ bool JSValueIsInstanceOfConstructor(JSContextRef ctx, JSValueRef value, JSObject
     JSValue jsValue = toJS(globalObject, value);
 
     JSObject* jsConstructor = toJS(constructor);
+    JSC::EnsureStillAliveScope ensureJsConstructor(jsConstructor);
     if (!jsConstructor->structure()->typeInfo().implementsHasInstance())
         return false;
     bool result = jsConstructor->hasInstance(globalObject, jsValue); // false if an exception is thrown

Source/JavaScriptCore/API/glib/JSCWrapperMap.cpp

@@ -80,6 +80,7 @@ JSObject* WrapperMap::createJSWrapper(JSGlobalContextRef jsContext, JSClassRef j
 {
     ASSERT(toJSGlobalObject(jsContext)->wrapperMap() == this);
     JSGlobalObject* globalObject = toJS(jsContext);
+    JSC::EnsureStillAliveScope ensureGlobalObject(globalObject);
     VM& vm = globalObject->vm();
     JSLockHolder locker(vm);
     auto* object = JSC::JSCallbackObject<JSC::JSAPIWrapperObject>::create(globalObject, globalObject->glibWrapperObjectStructure(), jsClass, nullptr);
@@ -99,6 +100,7 @@ JSGlobalContextRef WrapperMap::createContextWithJSWrapper(JSContextGroupRef jsGr
     Ref<VM> vm(*toJS(jsGroup));
     JSLockHolder locker(vm.ptr());
     auto* globalObject = JSCallbackObject<JSAPIWrapperGlobalObject>::create(vm.get(), jsClass, JSCallbackObject<JSAPIWrapperGlobalObject>::createStructure(vm.get(), nullptr, jsNull()));
+    JSC::EnsureStillAliveScope ensureGlobalObject(globalObject);
     if (wrappedObject) {
         globalObject->setWrappedObject(new JSC::JSCGLibWrapperObject(wrappedObject, destroyFunction));
         m_cachedJSWrappers->set(wrappedObject, globalObject);

Source/JavaScriptCore/bytecode/ObjectPropertyConditionSet.cpp

@@ -301,6 +301,7 @@ ObjectPropertyConditionSet generateConditions(JSGlobalObject* globalObject, Stru
         }
 
         JSObject* object = jsCast<JSObject*>(value);
+        JSC::EnsureStillAliveScope ensureObject(object);
         structure = object->structure();
 
         if (structure->isDictionary()) {

Source/JavaScriptCore/bytecode/Repatch.cpp

@@ -500,6 +500,7 @@ static InlineCacheAction tryCacheGetBy(JSGlobalObject* globalObject, CodeBlock*
             JSFunction* getter = nullptr;
             if (slot.isCacheableGetter())
                 getter = jsDynamicCast<JSFunction*>(slot.getterSetter()->getter());
+            JSC::EnsureStillAliveScope ensureGetter(getter);
 
             std::optional<DOMAttributeAnnotation> domAttribute;
             if (slot.isCacheableCustom() && slot.domAttribute())

Source/JavaScriptCore/debugger/DebuggerScope.cpp

@@ -74,6 +74,7 @@ bool DebuggerScope::getOwnPropertySlot(JSObject* object, JSGlobalObject* globalO
     if (!scope->isValid())
         return false;
     JSObject* thisObject = JSScope::objectAtScope(scope->jsScope());
+    JSC::EnsureStillAliveScope ensureThisObject(thisObject);
     slot.setThisValue(JSValue(thisObject));
 
     // By default, JSObject::getPropertySlot() will look in the DebuggerScope's prototype
@@ -105,6 +106,7 @@ bool DebuggerScope::put(JSCell* cell, JSGlobalObject* globalObject, PropertyName
     if (!scope->isValid())
         return false;
     JSObject* thisObject = JSScope::objectAtScope(scope->jsScope());
+    JSC::EnsureStillAliveScope ensureThisObject(thisObject);
     slot.setThisValue(JSValue(thisObject));
     return thisObject->methodTable()->put(thisObject, globalObject, propertyName, value, slot);
 }
@@ -116,6 +118,7 @@ bool DebuggerScope::deleteProperty(JSCell* cell, JSGlobalObject* globalObject, P
     if (!scope->isValid())
         return false;
     JSObject* thisObject = JSScope::objectAtScope(scope->jsScope());
+    JSC::EnsureStillAliveScope ensureThisObject(thisObject);
     return thisObject->methodTable()->deleteProperty(thisObject, globalObject, propertyName, slot);
 }
 
@@ -126,6 +129,7 @@ void DebuggerScope::getOwnPropertyNames(JSObject* object, JSGlobalObject* global
     if (!scope->isValid())
         return;
     JSObject* thisObject = JSScope::objectAtScope(scope->jsScope());
+    JSC::EnsureStillAliveScope ensureThisObject(thisObject);
     thisObject->getPropertyNames(globalObject, propertyNames, mode);
 }
 
@@ -136,6 +140,7 @@ bool DebuggerScope::defineOwnProperty(JSObject* object, JSGlobalObject* globalOb
     if (!scope->isValid())
         return false;
     JSObject* thisObject = JSScope::objectAtScope(scope->jsScope());
+    JSC::EnsureStillAliveScope ensureThisObject(thisObject);
     return thisObject->methodTable()->defineOwnProperty(thisObject, globalObject, propertyName, descriptor, shouldThrow);
 }
 
@@ -233,6 +238,7 @@ JSValue DebuggerScope::caughtValue(JSGlobalObject* globalObject) const
 {
     ASSERT(isCatchScope());
     JSLexicalEnvironment* catchEnvironment = jsCast<JSLexicalEnvironment*>(m_scope.get());
+    JSC::EnsureStillAliveScope ensureCatchEnvironment(catchEnvironment);
     SymbolTable* catchSymbolTable = catchEnvironment->symbolTable();
     RELEASE_ASSERT(catchSymbolTable->size() == 1);
     PropertyName errorName(catchSymbolTable->begin(catchSymbolTable->m_lock)->key.get());

Source/JavaScriptCore/inspector/JSInjectedScriptHost.cpp

@@ -547,14 +547,18 @@ static JSObject* cloneArrayIteratorObject(JSGlobalObject* globalObject, VM& vm,
 
 static JSObject* cloneMapIteratorObject(JSGlobalObject* globalObject, VM& vm, JSMapIterator* iteratorObject)
 {
-    JSMapIterator* clone = JSMapIterator::create(vm, globalObject->mapIteratorStructure(), jsCast<JSMap*>(iteratorObject->iteratedObject()), iteratorObject->kind());
+    JSMap* iteratedMap = jsCast<JSMap*>(iteratorObject->iteratedObject());
+    JSC::EnsureStillAliveScope ensureIteratedMap(iteratedMap);
+    JSMapIterator* clone = JSMapIterator::create(vm, globalObject->mapIteratorStructure(), iteratedMap, iteratorObject->kind());
     clone->internalField(JSMapIterator::Field::MapBucket).set(vm, clone, iteratorObject->internalField(JSMapIterator::Field::MapBucket).get());
     return clone;
 }
 
 static JSObject* cloneSetIteratorObject(JSGlobalObject* globalObject, VM& vm, JSSetIterator* iteratorObject)
 {
-    JSSetIterator* clone = JSSetIterator::create(vm, globalObject->setIteratorStructure(), jsCast<JSSet*>(iteratorObject->iteratedObject()), iteratorObject->kind());
+    JSSet* iteratedSet = jsCast<JSSet*>(iteratorObject->iteratedObject());
+    JSC::EnsureStillAliveScope ensureIteratedSet(iteratedSet);
+    JSSetIterator* clone = JSSetIterator::create(vm, globalObject->setIteratorStructure(), iteratedSet, iteratorObject->kind());
     clone->internalField(JSSetIterator::Field::SetBucket).set(vm, clone, iteratorObject->internalField(JSSetIterator::Field::SetBucket).get());
     return clone;
 }
@@ -584,10 +588,14 @@ JSValue JSInjectedScriptHost::iteratorEntries(JSGlobalObject* globalObject, Call
                     iterator = cloneArrayIteratorObject(globalObject, vm, arrayIterator);
             }
         } else if (auto* mapIterator = jsDynamicCast<JSMapIterator*>(iteratorObject)) {
-            if (jsCast<JSMap*>(mapIterator->iteratedObject())->isIteratorProtocolFastAndNonObservable())
+            JSMap* iteratedMap = jsCast<JSMap*>(mapIterator->iteratedObject());
+            JSC::EnsureStillAliveScope ensureIteratedMap(iteratedMap);
+            if (iteratedMap->isIteratorProtocolFastAndNonObservable())
                 iterator = cloneMapIteratorObject(globalObject, vm, mapIterator);
         } else if (auto* setIterator = jsDynamicCast<JSSetIterator*>(iteratorObject)) {
-            if (jsCast<JSSet*>(setIterator->iteratedObject())->isIteratorProtocolFastAndNonObservable())
+            JSSet* iteratedSet = jsCast<JSSet*>(setIterator->iteratedObject());
+            JSC::EnsureStillAliveScope ensureIteratedSet(iteratedSet);
+            if (iteratedSet->isIteratorProtocolFastAndNonObservable())
                 iterator = cloneSetIteratorObject(globalObject, vm, setIterator);
         }
     }

Source/JavaScriptCore/interpreter/Interpreter.cpp

@@ -189,6 +189,7 @@ unsigned sizeOfVarargs(JSGlobalObject* globalObject, JSValue arguments, uint32_t
     }
 
     JSCell* cell = arguments.asCell();
+    JSC::EnsureStillAliveScope ensureCell(cell);
     unsigned length;
     switch (cell->type()) {
     case DirectArgumentsType:
@@ -260,6 +261,7 @@ void loadVarargs(JSGlobalObject* globalObject, JSValue* firstElementDest, JSValu
     VM& vm = globalObject->vm();
     auto scope = DECLARE_THROW_SCOPE(vm);
     JSCell* cell = arguments.asCell();
+    JSC::EnsureStillAliveScope ensureCell(cell);
 
     switch (cell->type()) {
     case DirectArgumentsType:

Source/JavaScriptCore/jit/JITOperations.cpp

@@ -734,11 +734,12 @@ JSC_DEFINE_JIT_OPERATION(operationPutByIdStrict, void, (JSGlobalObject* globalOb
     stubInfo->tookSlowPath = true;
 
     JSValue baseValue = JSValue::decode(encodedBase);
+    JSC::EnsureStillAliveScope ensureBase(baseValue);
     CacheableIdentifier identifier = CacheableIdentifier::createFromRawBits(rawCacheableIdentifier);
     Identifier ident = Identifier::fromUid(vm, identifier.uid());
     PutPropertySlot slot(baseValue, true, callFrame->codeBlock()->putByIdContext());
     baseValue.putInline(globalObject, ident, JSValue::decode(encodedValue), slot);
-    
+
     LOG_IC((ICEvent::OperationPutByIdStrict, baseValue.classInfoOrNull(), ident, slot.base() == baseValue));
 }
 
@@ -753,6 +754,7 @@ JSC_DEFINE_JIT_OPERATION(operationPutByIdNonStrict, void, (JSGlobalObject* globa
     stubInfo->tookSlowPath = true;
 
     JSValue baseValue = JSValue::decode(encodedBase);
+    JSC::EnsureStillAliveScope ensureBase(baseValue);
     CacheableIdentifier identifier = CacheableIdentifier::createFromRawBits(rawCacheableIdentifier);
     Identifier ident = Identifier::fromUid(vm, identifier.uid());
     PutPropertySlot slot(baseValue, false, callFrame->codeBlock()->putByIdContext());
@@ -772,10 +774,12 @@ JSC_DEFINE_JIT_OPERATION(operationPutByIdDirectStrict, void, (JSGlobalObject* gl
     stubInfo->tookSlowPath = true;
 
     JSValue baseValue = JSValue::decode(encodedBase);
+    JSObject* baseObject = asObject(baseValue);
+    JSC::EnsureStillAliveScope ensureBase(baseObject);
     CacheableIdentifier identifier = CacheableIdentifier::createFromRawBits(rawCacheableIdentifier);
     Identifier ident = Identifier::fromUid(vm, identifier.uid());
     PutPropertySlot slot(baseValue, true, callFrame->codeBlock()->putByIdContext());
-    CommonSlowPaths::putDirectWithReify(vm, globalObject, asObject(baseValue), ident, JSValue::decode(encodedValue), slot);
+    CommonSlowPaths::putDirectWithReify(vm, globalObject, baseObject, ident, JSValue::decode(encodedValue), slot);
 
     LOG_IC((ICEvent::OperationPutByIdDirectStrict, baseValue.classInfoOrNull(), ident, slot.base() == baseValue));
 }
@@ -791,10 +795,12 @@ JSC_DEFINE_JIT_OPERATION(operationPutByIdDirectNonStrict, void, (JSGlobalObject*
     stubInfo->tookSlowPath = true;
 
     JSValue baseValue = JSValue::decode(encodedBase);
+    JSObject* baseObject = asObject(baseValue);
+    JSC::EnsureStillAliveScope ensureBase(baseObject);
     CacheableIdentifier identifier = CacheableIdentifier::createFromRawBits(rawCacheableIdentifier);
     Identifier ident = Identifier::fromUid(vm, identifier.uid());
     PutPropertySlot slot(baseValue, false, callFrame->codeBlock()->putByIdContext());
-    CommonSlowPaths::putDirectWithReify(vm, globalObject, asObject(baseValue), ident, JSValue::decode(encodedValue), slot);
+    CommonSlowPaths::putDirectWithReify(vm, globalObject, baseObject, ident, JSValue::decode(encodedValue), slot);
 
     LOG_IC((ICEvent::OperationPutByIdDirectNonStrict, baseValue.classInfoOrNull(), ident, slot.base() == baseValue));
 }
@@ -814,6 +820,7 @@ JSC_DEFINE_JIT_OPERATION(operationPutByIdStrictOptimize, void, (JSGlobalObject*
 
     JSValue value = JSValue::decode(encodedValue);
     JSValue baseValue = JSValue::decode(encodedBase);
+    JSC::EnsureStillAliveScope ensureBase(baseValue);
     CodeBlock* codeBlock = callFrame->codeBlock();
     PutPropertySlot slot(baseValue, true, codeBlock->putByIdContext());
 
@@ -846,6 +853,7 @@ JSC_DEFINE_JIT_OPERATION(operationPutByIdNonStrictOptimize, void, (JSGlobalObjec
 
     JSValue value = JSValue::decode(encodedValue);
     JSValue baseValue = JSValue::decode(encodedBase);
+    JSC::EnsureStillAliveScope ensureBase(baseValue);
     CodeBlock* codeBlock = callFrame->codeBlock();
     PutPropertySlot slot(baseValue, false, codeBlock->putByIdContext());
 
@@ -878,6 +886,7 @@ JSC_DEFINE_JIT_OPERATION(operationPutByIdDirectStrictOptimize, void, (JSGlobalOb
 
     JSValue value = JSValue::decode(encodedValue);
     JSObject* baseObject = asObject(JSValue::decode(encodedBase));
+    JSC::EnsureStillAliveScope ensureBase(baseObject);
     CodeBlock* codeBlock = callFrame->codeBlock();
     PutPropertySlot slot(baseObject, true, codeBlock->putByIdContext());
     Structure* structure = nullptr;
@@ -909,6 +918,7 @@ JSC_DEFINE_JIT_OPERATION(operationPutByIdDirectNonStrictOptimize, void, (JSGloba
 
     JSValue value = JSValue::decode(encodedValue);
     JSObject* baseObject = asObject(JSValue::decode(encodedBase));
+    JSC::EnsureStillAliveScope ensureBase(baseObject);
     CodeBlock* codeBlock = callFrame->codeBlock();
     PutPropertySlot slot(baseObject, false, codeBlock->putByIdContext());
     Structure* structure = nullptr;
@@ -1073,6 +1083,7 @@ static void putByVal(JSGlobalObject* globalObject, JSValue baseValue, JSValue su
 
     scope.release();
     PutPropertySlot slot(baseValue, ecmaMode.isStrict());
+    JSC::EnsureStillAliveScope ensureBase(baseValue);
     baseValue.putInline(globalObject, property, value, slot);
 }
 
@@ -1201,6 +1212,7 @@ static ALWAYS_INLINE void directPutByValOptimize(JSGlobalObject* globalObject, C
 
     RELEASE_ASSERT(baseValue.isObject());
     JSObject* baseObject = asObject(baseValue);
+    JSC::EnsureStillAliveScope ensureBase(baseObject);
 
     if (!isCopyOnWrite(baseObject->indexingMode()) && subscript.isInt32()) {
         Structure* structure = baseObject->structure();
@@ -1302,13 +1314,15 @@ JSC_DEFINE_JIT_OPERATION(operationDirectPutByValStrictGeneric, void, (JSGlobalOb
     JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
 
     JSValue baseValue = JSValue::decode(encodedBaseValue);
+    JSObject* baseObject = asObject(baseValue);
+    JSC::EnsureStillAliveScope ensureBase(baseObject);
     JSValue subscript = JSValue::decode(encodedSubscript);
     JSValue value = JSValue::decode(encodedValue);
     RELEASE_ASSERT(baseValue.isObject());
 
     stubInfo->tookSlowPath = true;
 
-    directPutByVal(globalObject, asObject(baseValue), subscript, value, profile, ECMAMode::strict());
+    directPutByVal(globalObject, baseObject, subscript, value, profile, ECMAMode::strict());
 }
 
 JSC_DEFINE_JIT_OPERATION(operationDirectPutByValNonStrictGeneric, void, (JSGlobalObject* globalObject, EncodedJSValue encodedBaseValue, EncodedJSValue encodedSubscript, EncodedJSValue encodedValue, StructureStubInfo* stubInfo, ArrayProfile* profile))
@@ -1318,13 +1332,15 @@ JSC_DEFINE_JIT_OPERATION(operationDirectPutByValNonStrictGeneric, void, (JSGloba
     JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
 
     JSValue baseValue = JSValue::decode(encodedBaseValue);
+    JSObject* baseObject = asObject(baseValue);
+    JSC::EnsureStillAliveScope ensureBase(baseObject);
     JSValue subscript = JSValue::decode(encodedSubscript);
     JSValue value = JSValue::decode(encodedValue);
     RELEASE_ASSERT(baseValue.isObject());
 
     stubInfo->tookSlowPath = true;
 
-    directPutByVal(globalObject, asObject(baseValue), subscript, value, profile, ECMAMode::sloppy());
+    directPutByVal(globalObject, baseObject, subscript, value, profile, ECMAMode::sloppy());
 }
 
 JSC_DEFINE_JIT_OPERATION(operationSetPrivateBrandOptimize, void, (JSGlobalObject* globalObject, StructureStubInfo* stubInfo, EncodedJSValue encodedBaseValue, EncodedJSValue encodedBrand))