3 files changed, 49 insertions, 23 deletions
diff --git a/Source/JavaScriptCore/API/APIShims.h b/Source/JavaScriptCore/API/APIShims.h
index 02495110b..ef5f10466 100644
--- a/Source/JavaScriptCore/API/APIShims.h
+++ b/Source/JavaScriptCore/API/APIShims.h
@@ -28,31 +28,40 @@
 
 #include "CallFrame.h"
 #include "GCActivityCallback.h"
+#include "IncrementalSweeper.h"
 #include "JSLock.h"
 #include <wtf/WTFThreadData.h>
 
 namespace JSC {
 
 class APIEntryShimWithoutLock {
+public:
+    enum RefGlobalDataTag { DontRefGlobalData = 0, RefGlobalData };
+
 protected:
-    APIEntryShimWithoutLock(JSGlobalData* globalData, bool registerThread)
-        : m_globalData(globalData)
+    APIEntryShimWithoutLock(JSGlobalData* globalData, bool registerThread, RefGlobalDataTag shouldRefGlobalData)
+        : m_shouldRefGlobalData(shouldRefGlobalData)
+        , m_globalData(globalData)
         , m_entryIdentifierTable(wtfThreadData().setCurrentIdentifierTable(globalData->identifierTable))
     {
+        if (shouldRefGlobalData)
+            m_globalData->ref();
         UNUSED_PARAM(registerThread);
         if (registerThread)
             globalData->heap.machineThreads().addCurrentThread();
         m_globalData->heap.activityCallback()->synchronize();
-        m_globalData->timeoutChecker.start();
+        m_globalData->heap.sweeper()->synchronize();
     }
 
     ~APIEntryShimWithoutLock()
     {
-        m_globalData->timeoutChecker.stop();
         wtfThreadData().setCurrentIdentifierTable(m_entryIdentifierTable);
+        if (m_shouldRefGlobalData)
+            m_globalData->deref();
     }
 
-private:
+protected:
+    RefGlobalDataTag m_shouldRefGlobalData;
     JSGlobalData* m_globalData;
     IdentifierTable* m_entryIdentifierTable;
 };
@@ -61,20 +70,38 @@ class APIEntryShim : public APIEntryShimWithoutLock {
 public:
     // Normal API entry
     APIEntryShim(ExecState* exec, bool registerThread = true)
-        : APIEntryShimWithoutLock(&exec->globalData(), registerThread)
-        , m_lock(exec)
+        : APIEntryShimWithoutLock(&exec->globalData(), registerThread, RefGlobalData)
+    {
+        init();
+    }
+
+    // This constructor is necessary for HeapTimer to prevent it from accidentally resurrecting 
+    // the ref count of a "dead" JSGlobalData.
+    APIEntryShim(JSGlobalData* globalData, RefGlobalDataTag refGlobalData, bool registerThread = true)
+        : APIEntryShimWithoutLock(globalData, registerThread, refGlobalData)
     {
+        init();
     }
 
     // JSPropertyNameAccumulator only has a globalData.
     APIEntryShim(JSGlobalData* globalData, bool registerThread = true)
-        : APIEntryShimWithoutLock(globalData, registerThread)
-        , m_lock(globalData->isSharedInstance() ? LockForReal : SilenceAssertionsOnly)
+        : APIEntryShimWithoutLock(globalData, registerThread, RefGlobalData)
     {
+        init();
+    }
+
+    ~APIEntryShim()
+    {
+        m_globalData->timeoutChecker.stop();
+        m_globalData->apiLock().unlock();
     }
 
 private:
-    JSLock m_lock;
+    void init()
+    {
+        m_globalData->apiLock().lock();
+        m_globalData->timeoutChecker.start();
+    }
 };
 
 class APICallbackShim {
@@ -88,7 +115,6 @@ public:
 
     ~APICallbackShim()
     {
-        m_globalData->heap.activityCallback()->synchronize();
         wtfThreadData().setCurrentIdentifierTable(m_globalData->identifierTable);
     }
 
diff --git a/Source/JavaScriptCore/API/JSContextRef.cpp b/Source/JavaScriptCore/API/JSContextRef.cpp
index 92e03a671..7a57287de 100644
--- a/Source/JavaScriptCore/API/JSContextRef.cpp
+++ b/Source/JavaScriptCore/API/JSContextRef.cpp
@@ -78,7 +78,6 @@ JSGlobalContextRef JSGlobalContextCreate(JSClassRef globalObjectClass)
     // If the application was linked before JSGlobalContextCreate was changed to use a unique JSGlobalData,
     // we use a shared one for backwards compatibility.
     if (NSVersionOfLinkTimeLibrary("JavaScriptCore") <= webkitFirstVersionWithConcurrentGlobalContexts) {
-        JSLock lock(LockForReal);
         return JSGlobalContextCreateInGroup(toRef(&JSGlobalData::sharedInstance()), globalObjectClass);
     }
 #endif // OS(DARWIN)
@@ -90,11 +89,9 @@ JSGlobalContextRef JSGlobalContextCreateInGroup(JSContextGroupRef group, JSClass
 {
     initializeThreading();
 
-    JSLock lock(LockForReal);
     RefPtr<JSGlobalData> globalData = group ? PassRefPtr<JSGlobalData>(toJS(group)) : JSGlobalData::createContextGroup(ThreadStackTypeSmall);
 
     APIEntryShim entryShim(globalData.get(), false);
-
     globalData->makeUsableFromMultipleThreads();
 
     if (!globalObjectClass) {
@@ -124,18 +121,19 @@ JSGlobalContextRef JSGlobalContextRetain(JSGlobalContextRef ctx)
 
 void JSGlobalContextRelease(JSGlobalContextRef ctx)
 {
+    IdentifierTable* savedIdentifierTable;
     ExecState* exec = toJS(ctx);
-    JSLock lock(exec);
+    {
+        JSLockHolder lock(exec);
 
-    JSGlobalData& globalData = exec->globalData();
-    IdentifierTable* savedIdentifierTable = wtfThreadData().setCurrentIdentifierTable(globalData.identifierTable);
+        JSGlobalData& globalData = exec->globalData();
+        savedIdentifierTable = wtfThreadData().setCurrentIdentifierTable(globalData.identifierTable);
 
-    bool protectCountIsZero = Heap::heap(exec->dynamicGlobalObject())->unprotect(exec->dynamicGlobalObject());
-    if (protectCountIsZero) {
-        globalData.heap.activityCallback()->synchronize();
-        globalData.heap.reportAbandonedObjectGraph();
+        bool protectCountIsZero = Heap::heap(exec->dynamicGlobalObject())->unprotect(exec->dynamicGlobalObject());
+        if (protectCountIsZero)
+            globalData.heap.reportAbandonedObjectGraph();
+        globalData.deref();
     }
-    globalData.deref();
 
     wtfThreadData().setCurrentIdentifierTable(savedIdentifierTable);
 }
@@ -166,7 +164,7 @@ JSGlobalContextRef JSContextGetGlobalContext(JSContextRef ctx)
 JSStringRef JSContextCreateBacktrace(JSContextRef ctx, unsigned maxStackSize)
 {
     ExecState* exec = toJS(ctx);
-    JSLock lock(exec);
+    JSLockHolder lock(exec);
 
     unsigned count = 0;
     UStringBuilder builder;
diff --git a/Source/JavaScriptCore/API/JSObjectRef.cpp b/Source/JavaScriptCore/API/JSObjectRef.cpp
index 91aa3c6bd..e6c0c528a 100644
--- a/Source/JavaScriptCore/API/JSObjectRef.cpp
+++ b/Source/JavaScriptCore/API/JSObjectRef.cpp
@@ -428,6 +428,8 @@ JSValueRef JSObjectCallAsFunction(JSContextRef ctx, JSObjectRef object, JSObject
     if (!jsThisObject)
         jsThisObject = exec->globalThisValue();
 
+    jsThisObject = jsThisObject->methodTable()->toThisObject(jsThisObject, exec);
+    
     MarkedArgumentBuffer argList;
     for (size_t i = 0; i < argumentCount; i++)
         argList.append(toJS(exec, arguments[i]));