Changeset 135878 in webkit


Timestamp:
Nov 27, 2012, 10:36:16 AM (12 years ago)
Author:
Lucas Forschler
Message:

Merge 134495 & 134666 for <rdar://problem/12696290> & <rdar://problem/12704510>

Location:
branches/safari-536.28-branch/Source/WebCore
Files:
3 edited

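--- a/branches/safari-536.28-branch/Source/WebCore/ChangeLog
+++ b/branches/safari-536.28-branch/Source/WebCore/ChangeLog
@@ -1,2 +1,69 @@
+2012-11-27  Lucas Forschler  <lforschler@apple.com>
+
+        <rdar://problem/12704510>
+        Merge r134666
+
+    2012-11-14  Mark Lam  <mark.lam@apple.com>
+
+            Fixed regressions due to adding JSEventListener::m_wrapper null checks.
+            https://bugs.webkit.org/show_bug.cgi?id=102183.
+
+            Reviewed by Geoffrey Garen.
+
+            Fixed JSEventListener::operator==() to work within the contract that
+            when m_wrapper is 0, m_jsFunction is also expected to be 0. Also fixed
+            some typos in comments.
+
+            No new tests.
+
+            * bindings/js/JSEventListener.cpp:
+            (WebCore::JSEventListener::visitJSFunction):
+            (WebCore::JSEventListener::operator==):
+            * bindings/js/JSEventListener.h:
+            (WebCore::JSEventListener::jsFunction):
+
+2012-11-27  Lucas Forschler  <lforschler@apple.com>
+
+        <rdar://problem/12696290>
+        Merge r134495
+
+    2012-11-13  Mark Lam  <mark.lam@apple.com>
+
+            JSEventListener should not access m_jsFunction when its wrapper is gone.
+            https://bugs.webkit.org/show_bug.cgi?id=101985.
+
+            Reviewed by Geoffrey Garen.
+
+            Added a few null checks for m_wrapper before we do anything with m_jsFunction.
+
+            No new tests.
+
+            * bindings/js/JSEventListener.cpp:
+            (WebCore::JSEventListener::initializeJSFunction):
+            - Removed a now invalid assertion. m_wrapper is expected to have a
+              valid non-zero value when jsFunction is valid. However, in the case
+              of JSLazyEventListener (which extends JSEventListener), m_wrapper is
+              initially 0 when m_jsFunction has not been realized yet. When
+              JSLazyEventListener::initializeJSFunction() realizes m_jsFunction,
+              it will set m_wrapper to an appropriate wrapper object.
+
+              For this reason, JSEventListener::jsFunction() cannot do the null
+              check on m_wrapper until after the call to initializeJSFunction.
+
+              This, in turns, means that in the case of the non-lazy
+              JSEventListener, initializeJSFunction() will also be called, and
+              if the GC has collected the m_wrapper but the JSEventListener has
+              not been removed yet, it is possible to see a null m_wrapper while
+              m_jsFunction contains a non-zero stale value.
+
+              Hence, this assertion of (m_wrapper || !m_jsFunction) in
+              JSEventListener::initializeJSFunction() is not always true and
+              should be removed.
+
+            (WebCore::JSEventListener::visitJSFunction):
+            (WebCore::JSEventListener::operator==):
+            * bindings/js/JSEventListener.h:
+            (WebCore::JSEventListener::jsFunction):
+
 2012-11-26  Simon Fraser  <simon.fraser@apple.com>
 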
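--- a/branches/safari-536.28-branch/Source/WebCore/bindings/js/JSEventListener.cpp
+++ b/branches/safari-536.28-branch/Source/WebCore/bindings/js/JSEventListener.cpp
@@ -60,5 +60,4 @@
 JSObject* JSEventListener::initializeJSFunction(ScriptExecutionContext*) const
 {
-    ASSERT_NOT_REACHED();
     return 0;
 }
@@ -66,4 +65,8 @@
 void JSEventListener::visitJSFunction(SlotVisitor& visitor)
 {
+    // If m_wrapper is 0, then m_jsFunction is zombied, and should never be accessed.
+    if (!m_wrapper)
+        return;
+
     if (m_jsFunction)
         visitor.append(&m_jsFunction);
@@ -167,6 +170,12 @@
 bool JSEventListener::operator==(const EventListener& listener)
 {
-    if (const JSEventListener* jsEventListener = JSEventListener::cast(&listener))
-        return m_jsFunction == jsEventListener->m_jsFunction && m_isAttribute == jsEventListener->m_isAttribute;
+    if (const JSEventListener* jsEventListener = JSEventListener::cast(&listener)) {
+        // If m_wrapper is 0, then m_jsFunction is zombied, and should never be
+        // accessed. m_jsFunction should effectively be 0 in that case.
+        JSC::JSObject* jsFunction = m_wrapper ? m_jsFunction.get() : 0;
+        JSC::JSObject* otherJSFunction = jsEventListener->m_wrapper ?
+            jsEventListener->m_jsFunction.get() : 0;
+        return jsFunction == otherJSFunction && m_isAttribute == jsEventListener->m_isAttribute;
+    }
     return false;
 }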
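Review bot: In the rewritten operator== (new lines 172-179), a listener whose m_wrapper is 0 now compares equal to any other listener whose function also collapses to 0, because both sides become `0 == 0` and only m_isAttribute decides. The ChangeLog in this same changeset says a JSLazyEventListener also has m_wrapper 0 until its function is realized, so two zombied listeners, or a zombied listener and an unrealized lazy one, now compare equal; if a caller relies on this equality to find a listener to remove, it can match the wrong object. A narrower rule is to let a wrapper-less listener equal only itself, e.g. `if (!m_wrapper || !jsEventListener->m_wrapper) return this == jsEventListener;` placed before the comparison. That assumes no caller depends on two wrapper-less listeners being equal, which the visible code neither shows nor rules out — note that before this change two unrealized lazy listeners already compared equal through their null m_jsFunction, so that case needs checking.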
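--- a/branches/safari-536.28-branch/Source/WebCore/bindings/js/JSEventListener.h
+++ b/branches/safari-536.28-branch/Source/WebCore/bindings/js/JSEventListener.h
@@ -86,9 +86,11 @@
         }
 
+        // If m_wrapper is 0, then m_jsFunction is zombied, and should never be accessed.
+        if (!m_wrapper)
+            return 0;
+
         // Verify that we have a valid wrapper protecting our function from
         // garbage collection.
         ASSERT(m_wrapper || !m_jsFunction);
-        if (!m_wrapper)
-            return 0;
 
         // Try to verify that m_jsFunction wasn't recycled. (Not exact, since an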
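Review bot: `ASSERT(m_wrapper || !m_jsFunction);` on new line 94 is now vacuous: the guard added on lines 89-90 returns before it whenever m_wrapper is 0, so the assertion only ever runs with m_wrapper non-null and can never fire. The comment above it ("Verify that we have a valid wrapper protecting our function from garbage collection") now describes work the early return does, not the line that follows it. The ChangeLog explains that a null m_wrapper with a stale m_jsFunction is an expected state after the wrapper is collected, so the consistent fix is to drop the assertion and fold its comment into the new guard's comment rather than move the assertion above the guard. jsFunction() begins before and continues past this hunk.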