Changeset 259009 in webkit
- Timestamp:
- Mar 25, 2020 2:16:13 PM (4 years ago)
- Location:
- trunk
- Files:
-
- 2 added
- 15 edited
trunk/LayoutTests/ChangeLog
r259007 r259009 1 2020-03-25 Chris Dumez <cdumez@apple.com> 2 3 Event listeners registered with 'once' option may get garbage collected too soon 4 https://bugs.webkit.org/show_bug.cgi?id=209504 5 <rdar://problem/60541567> 6 7 Reviewed by Yusuke Suzuki. 8 9 Add layout test coverage. 10 11 * http/tests/inspector/network/har/har-page-aggressive-gc-expected.txt: Added. 12 * http/tests/inspector/network/har/har-page-aggressive-gc.html: Added. 13 * platform/gtk/TestExpectations: 14 * platform/mac-wk1/TestExpectations: 15 * platform/mac-wk2/TestExpectations: 16 * platform/win/TestExpectations: 17 1 18 2020-03-25 Jason Lawrence <lawrence.j@apple.com> 2 19 -
trunk/LayoutTests/platform/gtk/TestExpectations
r258979 r259009 2069 2069 webkit.org/b/191497 http/tests/inspector/network/getSerializedCertificate.html [ Skip ] 2070 2070 webkit.org/b/179173 [ Release ] http/tests/inspector/network/har/har-page.html [ Failure Pass ] 2071 webkit.org/b/179173 [ Release ] http/tests/inspector/network/har/har-page-aggressive-gc.html [ Failure Pass ] 2071 2072 2072 2073 webkit.org/b/186851 imported/w3c/web-platform-tests/xhr/formdata.htm [ Pass Failure ] -
trunk/LayoutTests/platform/mac-wk1/TestExpectations
r259007 r259009 563 563 http/tests/inspector/network/resource-sizes-memory-cache.html [ Failure ] 564 564 http/tests/inspector/network/har/har-page.html [ Failure ] 565 http/tests/inspector/network/har/har-page-aggressive-gc.html [ Failure ] 565 566 566 567 # Local Overrides not available in WebKit1 -
trunk/LayoutTests/platform/mac-wk2/TestExpectations
r258942 r259009 1014 1014 1015 1015 webkit.org/b/207954 http/tests/inspector/network/har/har-page.html [ Pass Failure ] 1016 webkit.org/b/207954 http/tests/inspector/network/har/har-page-aggressive-gc.html [ Pass Failure ] 1016 1017 1017 1018 webkit.org/b/207962 accessibility/mac/aria-menu-item-selected-notification.html [ Slow ] -
trunk/LayoutTests/platform/win/TestExpectations
r258990 r259009 3657 3657 http/tests/inspector/network/resource-request-headers.html [ Skip ] 3658 3658 http/tests/inspector/network/har/har-page.html [ Skip ] 3659 http/tests/inspector/network/har/har-page-aggressive-gc.html [ Skip ] 3659 3660 http/tests/local/blob/send-hybrid-blob-using-open-panel.html [ Skip ] 3660 3661 http/tests/security/contentSecurityPolicy/cross-origin-plugin-document-allowed-in-child-window.html [ Skip ] -
trunk/Source/JavaScriptCore/ChangeLog
r258976 r259009 1 2020-03-25 Chris Dumez <cdumez@apple.com> 2 3 Event listeners registered with 'once' option may get garbage collected too soon 4 https://bugs.webkit.org/show_bug.cgi?id=209504 5 <rdar://problem/60541567> 6 7 Reviewed by Yusuke Suzuki. 8 9 Add EnsureStillAliveScope RAII object for ensureStillAliveHere(). 10 11 * runtime/JSCJSValue.h: 12 (JSC::EnsureStillAliveScope::EnsureStillAliveScope): 13 (JSC::EnsureStillAliveScope::~EnsureStillAliveScope): 14 1 15 2020-03-25 Alexey Shvayka <shvaikalesh@gmail.com> 2 16 -
trunk/Source/JavaScriptCore/runtime/JSCJSValue.h
r258825 r259009 35 35 #include <wtf/MathExtras.h> 36 36 #include <wtf/MediaTime.h> 37 #include <wtf/Nonmovable.h> 37 38 #include <wtf/StdLibExtras.h> 38 39 #include <wtf/TriState.h> … … 651 652 #endif 652 653 654 // Use EnsureStillAliveScope when you have a data structure that includes GC pointers, and you need 655 // to remove it from the DOM and then use it in the same scope. For example, a 'once' event listener 656 // needs to be removed from the DOM and then fired. 657 class EnsureStillAliveScope { 658 WTF_FORBID_HEAP_ALLOCATION; 659 WTF_MAKE_NONCOPYABLE(EnsureStillAliveScope); 660 WTF_MAKE_NONMOVABLE(EnsureStillAliveScope); 661 public: 662 EnsureStillAliveScope(JSValue value) 663 : m_value(value) 664 { 665 } 666 667 ~EnsureStillAliveScope() 668 { 669 ensureStillAliveHere(m_value); 670 } 671 672 private: 673 JSValue m_value; 674 }; 675 653 676 } // namespace JSC -
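Review bot: The single-argument constructor `EnsureStillAliveScope(JSValue value)` at 662 is not `explicit`, so a JSValue converts implicitly into a scope guard, which is surprising for an RAII type whose only effect is in its destructor; `explicit EnsureStillAliveScope(JSValue value)` avoids that. Since the work happens in `~EnsureStillAliveScope`, a guard written as an unnamed temporary (`JSC::EnsureStillAliveScope(value);`) is destroyed at the end of that full-expression and protects nothing, which the class comment at 654-656 could state: `// Must be bound to a named local; a temporary is destroyed immediately and keeps nothing alive.` The constructor also accepts any JSValue, including an empty or non-cell value, which is presumably what callers passing a possibly-null `JSObject*` rely on — worth a sentence in the comment so the null case is clearly intended.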
trunk/Source/WebCore/ChangeLog
r259008 r259009 1 2020-03-25 Chris Dumez <cdumez@apple.com> 2 3 Event listeners registered with 'once' option may get garbage collected too soon 4 https://bugs.webkit.org/show_bug.cgi?id=209504 5 <rdar://problem/60541567> 6 7 Reviewed by Yusuke Suzuki. 8 9 In EventTarget::innerInvokeEventListeners, if the listener we're about to call is a one-time 10 listener (has 'once' flag set), we would first unregister the event listener and then call 11 it, as per the DOM specification. However, once unregistered, the event listener is no longer 12 visited for GC purposes and its internal JS Function may get garbage collected before we get 13 a chance to call it. 14 15 To address the issue, we now make sure the JS Function (and its wrapper) stay alive for the 16 duration of the scope using ensureStillAliveHere(). 17 18 Test: http/tests/inspector/network/har/har-page-aggressive-gc.html 19 20 * bindings/js/JSEventListener.h: 21 * dom/EventListener.h: 22 (WebCore::EventListener::jsFunction const): 23 (WebCore::EventListener::wrapper const): 24 * dom/EventTarget.cpp: 25 (WebCore::EventTarget::innerInvokeEventListeners): 26 1 27 2020-03-25 Wenson Hsieh <wenson_hsieh@apple.com> 2 28 -
trunk/Source/WebCore/bindings/js/JSErrorHandler.cpp
r251425 r259009 68 68 JSLockHolder lock(vm); 69 69 70 JSObject* jsFunction = this-> jsFunction(scriptExecutionContext);70 JSObject* jsFunction = this->ensureJSFunction(scriptExecutionContext); 71 71 if (!jsFunction) 72 72 return; -
trunk/Source/WebCore/bindings/js/JSEventListener.cpp
r258959 r259009 111 111 // exception. 112 112 113 JSObject* jsFunction = this->jsFunction(scriptExecutionContext);113 JSObject* jsFunction = ensureJSFunction(scriptExecutionContext); 114 114 if (!jsFunction) 115 115 return; … … 243 243 return jsNull(); 244 244 245 auto* function = downcast<JSEventListener>(*abstractListener). jsFunction(context);245 auto* function = downcast<JSEventListener>(*abstractListener).ensureJSFunction(context); 246 246 if (!function) 247 247 return jsNull(); -
trunk/Source/WebCore/bindings/js/JSEventListener.h
r258189 r259009 49 49 bool isAttribute() const final { return m_isAttribute; } 50 50 51 JSC::JSObject* jsFunction(ScriptExecutionContext&) const;51 JSC::JSObject* ensureJSFunction(ScriptExecutionContext&) const; 52 52 DOMWrapperWorld& isolatedWorld() const { return m_isolatedWorld; } 53 53 54 JSC::JSObject* wrapper() const { return m_wrapper.get(); } 54 55 JSC::JSObject* jsFunction() const final { return m_jsFunction.get(); } 56 JSC::JSObject* wrapper() const final { return m_wrapper.get(); } 55 57 56 58 virtual String sourceURL() const { return String(); } … … 93 95 void setDocumentEventHandlerAttribute(JSC::JSGlobalObject&, JSC::JSObject&, Document&, const AtomString& eventType, JSC::JSValue); 94 96 95 inline JSC::JSObject* JSEventListener:: jsFunction(ScriptExecutionContext& scriptExecutionContext) const97 inline JSC::JSObject* JSEventListener::ensureJSFunction(ScriptExecutionContext& scriptExecutionContext) const 96 98 { 97 99 // initializeJSFunction can trigger code that deletes this event listener -
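Review bot: The new `jsFunction() const final` and `wrapper() const final` accessors at 55-56 are declared next to `ensureJSFunction(ScriptExecutionContext&)` with nothing saying how they differ, and that distinction is exactly what the EventTarget.cpp callers of these accessors depend on. A comment above 55 would help: `// Plain accessors: they initialize nothing and may return nullptr; call ensureJSFunction() to create the function on demand.` The hunk at 97-99 shows the inline `ensureJSFunction` definition continuing past the end of the hunk, so its own "can trigger code that deletes this event listener" caveat is the natural place to cross-reference from.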
trunk/Source/WebCore/dom/EventListener.h
r254087 r259009 61 61 #endif 62 62 63 virtual JSC::JSObject* jsFunction() const { return nullptr; } 64 virtual JSC::JSObject* wrapper() const { return nullptr; } 65 63 66 protected: 64 67 explicit EventListener(Type type) -
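Review bot: The two new virtuals at 63-64 default to `nullptr` without documenting which listener types override them or that callers must tolerate null. A short comment above 63 would make the contract explicit, e.g. `// Overridden by JS-backed listeners (JSEventListener); every other listener type returns nullptr.` Since the hunk shows only this fragment of the class, the enclosing class body starts and ends outside the hunk.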
trunk/Source/WebCore/dom/EventTarget.cpp
r258159 r259009 305 305 break; 306 306 307 // Make sure the JS wrapper and function stay alive until the end of this scope. Otherwise, 308 // event listeners with 'once' flag may get collected as soon as they get unregistered below, 309 // before we call the js function. 310 JSC::EnsureStillAliveScope wrapperProtector(registeredListener->callback().wrapper()); 311 JSC::EnsureStillAliveScope jsFunctionProtector(registeredListener->callback().jsFunction()); 312 307 313 // Do this before invocation to avoid reentrancy issues. 308 314 if (registeredListener->isOnce()) -
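Review bot: The protectors at 310-311 only cover objects that `wrapper()` and `jsFunction()` already return at this point; if a JS function can still be uninitialized here (the base-class default in EventListener.h returns nullptr, and `ensureJSFunction` exists to create one on demand), the guard is built from an empty value and the later-created function is not covered by it — worth confirming that this case cannot be a once listener, or documenting why it is safe. The guards are deliberately declared at loop-body scope rather than inside the `if (registeredListener->isOnce())` block, because a guard scoped to the `if` would be destroyed before the call; the comment at 307-309 could say so explicitly, e.g. `// Declared at this level on purpose: the protection must outlive the unregistration below and the call that follows.` The enclosing function `innerInvokeEventListeners` starts and ends outside the hunk.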
trunk/Source/WebCore/inspector/CommandLineAPIHost.cpp
r251425 r259009 114 114 continue; 115 115 116 auto* function = jsListener. jsFunction(*scriptExecutionContext);116 auto* function = jsListener.ensureJSFunction(*scriptExecutionContext); 117 117 if (!function) 118 118 continue; -
trunk/Source/WebCore/inspector/agents/InspectorDOMAgent.cpp
r257188 r259009 1771 1771 1772 1772 if (document) { 1773 handlerObject = scriptListener. jsFunction(*document);1773 handlerObject = scriptListener.ensureJSFunction(*document); 1774 1774 exec = execStateFromNode(scriptListener.isolatedWorld(), document); 1775 1775 }