Changeset 100307 in webkit

Timestamp:

Nov 15, 2011 12:13:53 PM (13 years ago)

Author:

commit-queue@webkit.org

Message:

Source/WebCore: Event listener for active DOM object that is also DOM node can be garbage collected prematurely.
​https://bugs.webkit.org/show_bug.cgi?id=70421

Patch by Eugene Nalimov <​enal@google.com> on 2011-11-15
Reviewed by Adam Barth.

Problem demonstrated itself when HTMLAudioElement was changed to become active DOM object.
Before that there were no DOM objects that simultaneously were nodes and active objects.
DOM object could be held in one of 3 maps -- node map, active objects map, and all other
objects map, and HTMLAudioElement should be in 2 maps simultaneously. When it was in the
active DOM objects map only, its event listener could be garbage collected, because special
code that groups listeners with wrappers could handle only wrappers for objects in the node
map. If we put HTMLAudioElement into nodes map, it would not be active DOM node, and can be
garbage collected prematurely itself (see ​https://bugs.webkit.org/show_bug.cgi?id=66878).
Fix is to introduce 4th map -- active nodes map, and change the code accordingly.

Test: media/audio-garbage-collect.html

• bindings/scripts/CodeGeneratorV8.pm:

(GenerateNamedConstructorCallback):
(GetDomMapFunction):

• bindings/v8/DOMDataStore.cpp:

(WebCore::DOMDataStore::DOMDataStore):
(WebCore::DOMDataStore::getDOMWrapperMap):
(WebCore::DOMDataStore::weakNodeCallback):

• bindings/v8/DOMDataStore.h:

(WebCore::DOMDataStore::activeDomNodeMap):

• bindings/v8/ScopedDOMDataStore.cpp:

(WebCore::ScopedDOMDataStore::ScopedDOMDataStore):
(WebCore::ScopedDOMDataStore::~ScopedDOMDataStore):

• bindings/v8/StaticDOMDataStore.cpp:

(WebCore::StaticDOMDataStore::StaticDOMDataStore):

• bindings/v8/StaticDOMDataStore.h:
• bindings/v8/V8DOMMap.cpp:

(WebCore::getActiveDOMNodeMap):
(WebCore::removeAllDOMObjects):
(WebCore::visitActiveDOMNodes):

• bindings/v8/V8DOMMap.h:
• bindings/v8/V8DOMWrapper.cpp:

(WebCore::V8DOMWrapper::setJSWrapperForDOMNode):
(WebCore::V8DOMWrapper::getWrapperSlow):

• bindings/v8/V8GCController.cpp:

(WebCore::GCPrologueSpecialCase):
(WebCore::void):
(WebCore::Node):
(WebCore::GCPrologueVisitor::visitDOMWrapper):
(WebCore::V8GCController::gcPrologue):
(WebCore::GCEpilogueHelper::GCEpilogueSpecialCase):
(WebCore::GCEpilogueVisitor::visitDOMWrapper):
(WebCore::V8GCController::gcEpilogue):

• dom/Node.h:

(WebCore::Node::isActiveNode):

• html/HTMLAudioElement.h:

(WebCore::HTMLAudioElement::isActiveNode):

LayoutTests: Event listener for active DOM object that is also DOM node can be garbage collected prematurely.
​https://bugs.webkit.org/show_bug.cgi?id=70421 and ​https://bugs.webkit.org/show_bug.cgi?id=66878

Patch by Eugene Nalimov <​enal@google.com> on 2011-11-15
Reviewed by Adam Barth.

• media/audio-garbage-collect-expected.txt: Added.
• media/audio-garbage-collect.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/media/audio-garbage-collect-expected.txt (added)
• LayoutTests/media/audio-garbage-collect.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/bindings/scripts/CodeGeneratorV8.pm (modified) (2 diffs)
• Source/WebCore/bindings/v8/DOMDataStore.cpp (modified) (3 diffs)
• Source/WebCore/bindings/v8/DOMDataStore.h (modified) (4 diffs)
• Source/WebCore/bindings/v8/ScopedDOMDataStore.cpp (modified) (2 diffs)
• Source/WebCore/bindings/v8/StaticDOMDataStore.cpp (modified) (2 diffs)
• Source/WebCore/bindings/v8/StaticDOMDataStore.h (modified) (1 diff)
• Source/WebCore/bindings/v8/V8DOMMap.cpp (modified) (3 diffs)
• Source/WebCore/bindings/v8/V8DOMMap.h (modified) (1 diff)
• Source/WebCore/bindings/v8/V8DOMWrapper.cpp (modified) (2 diffs)
• Source/WebCore/bindings/v8/V8GCController.cpp (modified) (7 diffs)
• Source/WebCore/dom/Node.h (modified) (1 diff)
• Source/WebCore/html/HTMLAudioElement.h (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2011-11-15  Eugene Nalimov  <enal@google.com>
+
+        Event listener for active DOM object that is also DOM node can be garbage collected prematurely.
+        https://bugs.webkit.org/show_bug.cgi?id=70421 and https://bugs.webkit.org/show_bug.cgi?id=66878
+
+        Reviewed by Adam Barth.
+
+        * media/audio-garbage-collect-expected.txt: Added.
+        * media/audio-garbage-collect.html: Added.
+
 2011-11-15  Robert Hogan  <robert@webkit.org>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2011-11-15  Eugene Nalimov  <enal@google.com>
+
+        Event listener for active DOM object that is also DOM node can be garbage collected prematurely.
+        https://bugs.webkit.org/show_bug.cgi?id=70421 
+
+        Reviewed by Adam Barth.
+
+        Problem demonstrated itself when HTMLAudioElement was changed to become active DOM object.
+        Before that there were no DOM objects that simultaneously were nodes and active objects.
+        DOM object could be held in one of 3 maps -- node map, active objects map, and all other
+        objects map, and HTMLAudioElement should be in 2 maps simultaneously. When it was in the
+        active DOM objects map only, its event listener could be garbage collected, because special
+        code that groups listeners with wrappers could handle only wrappers for objects in the node
+        map. If we put HTMLAudioElement into nodes map, it would not be active DOM node, and can be
+        garbage collected prematurely itself (see https://bugs.webkit.org/show_bug.cgi?id=66878).
+        Fix is to introduce 4th map -- active nodes map, and change the code accordingly.
+
+        Test: media/audio-garbage-collect.html
+
+        * bindings/scripts/CodeGeneratorV8.pm:
+        (GenerateNamedConstructorCallback):
+        (GetDomMapFunction):
+        * bindings/v8/DOMDataStore.cpp:
+        (WebCore::DOMDataStore::DOMDataStore):
+        (WebCore::DOMDataStore::getDOMWrapperMap):
+        (WebCore::DOMDataStore::weakNodeCallback):
+        * bindings/v8/DOMDataStore.h:
+        (WebCore::DOMDataStore::activeDomNodeMap):
+        * bindings/v8/ScopedDOMDataStore.cpp:
+        (WebCore::ScopedDOMDataStore::ScopedDOMDataStore):
+        (WebCore::ScopedDOMDataStore::~ScopedDOMDataStore):
+        * bindings/v8/StaticDOMDataStore.cpp:
+        (WebCore::StaticDOMDataStore::StaticDOMDataStore):
+        * bindings/v8/StaticDOMDataStore.h:
+        * bindings/v8/V8DOMMap.cpp:
+        (WebCore::getActiveDOMNodeMap):
+        (WebCore::removeAllDOMObjects):
+        (WebCore::visitActiveDOMNodes):
+        * bindings/v8/V8DOMMap.h:
+        * bindings/v8/V8DOMWrapper.cpp:
+        (WebCore::V8DOMWrapper::setJSWrapperForDOMNode):
+        (WebCore::V8DOMWrapper::getWrapperSlow):
+        * bindings/v8/V8GCController.cpp:
+        (WebCore::GCPrologueSpecialCase):
+        (WebCore::void):
+        (WebCore::Node):
+        (WebCore::GCPrologueVisitor::visitDOMWrapper):
+        (WebCore::V8GCController::gcPrologue):
+        (WebCore::GCEpilogueHelper::GCEpilogueSpecialCase):
+        (WebCore::GCEpilogueVisitor::visitDOMWrapper):
+        (WebCore::V8GCController::gcEpilogue):
+        * dom/Node.h:
+        (WebCore::Node::isActiveNode):
+        * html/HTMLAudioElement.h:
+        (WebCore::HTMLAudioElement::isActiveNode):
+
 2011-11-15  David Kilzer  <ddkilzer@apple.com>
 

trunk/Source/WebCore/bindings/scripts/CodeGeneratorV8.pm

@@ -1778 +1778 @@
 
     my $DOMObject = "DOMObject";
-    # A DOMObject that is an ActiveDOMObject and also a DOMNode should be treated as an ActiveDOMObject.
-    if ($dataNode->extendedAttributes->{"ActiveDOMObject"}) {
+    # A DOMObject that is an ActiveDOMObject and also a DOMNode should be treated as an DOMNode here.
+    # setJSWrapperForDOMNode() will look if node is active and choose correct map to add node to.
+    if (IsNodeSubType($dataNode)) {
+        $DOMObject = "DOMNode";
+    } elsif ($dataNode->extendedAttributes->{"ActiveDOMObject"}) {
         $DOMObject = "ActiveDOMObject";
-    } elsif (IsNodeSubType($dataNode)) {
-        $DOMObject = "DOMNode";
     }
     push(@implContent, <<END);
@@ -3106 +3107 @@
     my $type = shift;
     return "getDOMSVGElementInstanceMap()" if $type eq "SVGElementInstance";
+    return "getActiveDOMNodeMap()" if (IsNodeSubType($dataNode) && $dataNode->extendedAttributes->{"ActiveDOMObject"});
     return "getDOMNodeMap()" if (IsNodeSubType($dataNode));
     return "getActiveDOMObjectMap()" if $dataNode->extendedAttributes->{"ActiveDOMObject"};

trunk/Source/WebCore/bindings/v8/DOMDataStore.cpp

@@ -87 +87 @@
 DOMDataStore::DOMDataStore()
     : m_domNodeMap(0)
+    , m_activeDomNodeMap(0)
     , m_domObjectMap(0)
     , m_activeDomObjectMap(0)
@@ -109 +110 @@
     case DOMNodeMap:
         return m_domNodeMap;
+    case ActiveDOMNodeMap:
+        return m_activeDomNodeMap;
     case DOMObjectMap:
         return m_domObjectMap;
@@ -150 +153 @@
     for (size_t i = 0; i < list.size(); ++i) {
         DOMDataStore* store = list[i];
-        if (store->domNodeMap().removeIfPresent(node, v8Object)) {
+        DOMNodeMapping& nodeMap = node->isActiveNode() ? store->activeDomNodeMap() : store->domNodeMap();
+        if (nodeMap.removeIfPresent(node, v8Object)) {
             node->deref(); // Nobody overrides Node::deref so it's safe
             return; // There might be at most one wrapper for the node in world's maps

trunk/Source/WebCore/bindings/v8/DOMDataStore.h

@@ -66 +66 @@
         enum DOMWrapperMapType {
             DOMNodeMap,
+            ActiveDOMNodeMap,
             DOMObjectMap,
             ActiveDOMObjectMap,
@@ -82 +83 @@
 
         DOMNodeMapping& domNodeMap() { return *m_domNodeMap; }
+        DOMNodeMapping& activeDomNodeMap() { return *m_activeDomNodeMap; }
         DOMWrapperMap<void>& domObjectMap() { return *m_domObjectMap; }
         DOMWrapperMap<void>& activeDomObjectMap() { return *m_activeDomObjectMap; }
@@ -90 +92 @@
         // Need by V8GCController.
         static void weakActiveDOMObjectCallback(v8::Persistent<v8::Value> v8Object, void* domObject);
+        static void weakNodeCallback(v8::Persistent<v8::Value> v8Object, void* domObject);
 
     protected:
-        static void weakNodeCallback(v8::Persistent<v8::Value> v8Object, void* domObject);
         static void weakDOMObjectCallback(v8::Persistent<v8::Value> v8Object, void* domObject);
 #if ENABLE(SVG)
@@ -99 +101 @@
         
         DOMNodeMapping* m_domNodeMap;
+        DOMNodeMapping* m_activeDomNodeMap;
         DOMWrapperMap<void>* m_domObjectMap;
         DOMWrapperMap<void>* m_activeDomObjectMap;

trunk/Source/WebCore/bindings/v8/ScopedDOMDataStore.cpp

@@ -38 +38 @@
 {
     m_domNodeMap = new DOMWrapperMap<Node>(&DOMDataStore::weakNodeCallback);
+    m_activeDomNodeMap = new DOMWrapperMap<Node>(&DOMDataStore::weakNodeCallback);
     m_domObjectMap = new DOMWrapperMap<void>(&DOMDataStore::weakDOMObjectCallback);
     m_activeDomObjectMap = new DOMWrapperMap<void>(&DOMDataStore::weakActiveDOMObjectCallback);
@@ -48 +49 @@
 {
     delete m_domNodeMap;
+    delete m_activeDomNodeMap;
     delete m_domObjectMap;
     delete m_activeDomObjectMap;

trunk/Source/WebCore/bindings/v8/StaticDOMDataStore.cpp

@@ -38 +38 @@
     : DOMDataStore()
     , m_staticDomNodeMap(&DOMDataStore::weakNodeCallback)
+    , m_staticActiveDomNodeMap(&DOMDataStore::weakNodeCallback)
     , m_staticDomObjectMap(&DOMDataStore::weakDOMObjectCallback)
     , m_staticActiveDomObjectMap(&DOMDataStore::weakActiveDOMObjectCallback)
@@ -45 +46 @@
 {
     m_domNodeMap = &m_staticDomNodeMap;
+    m_activeDomNodeMap = &m_staticActiveDomNodeMap;
     m_domObjectMap = &m_staticDomObjectMap;
     m_activeDomObjectMap = &m_staticActiveDomObjectMap;

trunk/Source/WebCore/bindings/v8/StaticDOMDataStore.h

@@ -52 +52 @@
 private:
     IntrusiveDOMWrapperMap m_staticDomNodeMap;
+    IntrusiveDOMWrapperMap m_staticActiveDomNodeMap;
     DOMWrapperMap<void> m_staticDomObjectMap;
     DOMWrapperMap<void> m_staticActiveDomObjectMap;

trunk/Source/WebCore/bindings/v8/V8DOMMap.cpp

@@ -65 +65 @@
 }
 
+DOMNodeMapping& getActiveDOMNodeMap()
+{
+    return getDOMDataStore().activeDomNodeMap();
+}
+
 DOMWrapperMap<void>& getDOMObjectMap()
 {
@@ -95 +100 @@
         DOMData::removeObjectsFromWrapperMap<Node>(&store, store.domNodeMap());
 
+        // Remove all active DOM nodes.
+        DOMData::removeObjectsFromWrapperMap<Node>(&store, store.activeDomNodeMap());
+
 #if ENABLE(SVG)
         // Remove all SVG element instances in the wrapper map.
@@ -117 +125 @@
 
         store->domNodeMap().visit(store, visitor);
+    }
+}
+
+void visitActiveDOMNodes(DOMWrapperMap<Node>::Visitor* visitor)
+{
+    v8::HandleScope scope;
+
+    DOMDataList& list = DOMDataStore::allStores();
+    for (size_t i = 0; i < list.size(); ++i) {
+        DOMDataStore* store = list[i];
+
+        store->activeDomNodeMap().visit(store, visitor);
     }
 }

trunk/Source/WebCore/bindings/v8/V8DOMMap.h

@@ -159 +159 @@
     // A map from DOM node to its JS wrapper.
     DOMNodeMapping& getDOMNodeMap();
+    DOMNodeMapping& getActiveDOMNodeMap();
     void visitDOMNodes(DOMWrapperMap<Node>::Visitor*);
+    void visitActiveDOMNodes(DOMWrapperMap<Node>::Visitor*);
 
     // A map from a DOM object (non-node) to its JS wrapper. This map does not contain the DOM objects which can have pending activity (active dom objects).

trunk/Source/WebCore/bindings/v8/V8DOMWrapper.cpp

@@ -93 +93 @@
 {
     ASSERT(V8DOMWrapper::maybeDOMWrapper(wrapper));
-    getDOMNodeMap().set(node, wrapper);
+    if (node->isActiveNode())
+        getActiveDOMNodeMap().set(node, wrapper);
+    else
+        getDOMNodeMap().set(node, wrapper);
 }
 
@@ -296 +299 @@
         return *wrapper;
     }
-    DOMNodeMapping& domNodeMap = context->world()->domDataStore()->domNodeMap();
+    DOMDataStore* store = context->world()->domDataStore();
+    DOMNodeMapping& domNodeMap = node->isActiveNode() ? store->activeDomNodeMap() : store->domNodeMap();
     return domNodeMap.get(node);
 }

trunk/Source/WebCore/bindings/v8/V8GCController.cpp

@@ -144 +144 @@
 #endif // NDEBUG
 
-class GCPrologueVisitor : public DOMWrapperMap<void>::Visitor {
-public:
-    void visitDOMWrapper(DOMDataStore* store, void* object, v8::Persistent<v8::Object> wrapper)
-    {
-        WrapperTypeInfo* typeInfo = V8DOMWrapper::domWrapperType(wrapper);  
-
+class SpecialCasePrologueObjectHandler {
+public:
+    static bool process(void* object, v8::Persistent<v8::Object> wrapper, WrapperTypeInfo* typeInfo)
+    {
         // Additional handling of message port ensuring that entangled ports also
         // have their wrappers entangled. This should ideally be handled when the
@@ -162 +160 @@
             if (port1->isEntangled() || port1->hasPendingActivity())
                 wrapper.ClearWeak();
-        } else {
+            return true;
+        }
+        return false;
+    }
+};
+
+class SpecialCasePrologueNodeHandler {
+public:
+    static bool process(Node* object, v8::Persistent<v8::Object> wrapper, WrapperTypeInfo* typeInfo)
+    {
+        UNUSED_PARAM(object);
+        UNUSED_PARAM(wrapper);
+        UNUSED_PARAM(typeInfo);
+        return false;
+    }
+};
+
+template<typename T, typename S>
+class GCPrologueVisitor : public DOMWrapperMap<T>::Visitor {
+public:
+    void visitDOMWrapper(DOMDataStore* store, T* object, v8::Persistent<v8::Object> wrapper)
+    {
+        WrapperTypeInfo* typeInfo = V8DOMWrapper::domWrapperType(wrapper);  
+
+        if (!S::process(object, wrapper, typeInfo)) {
             ActiveDOMObject* activeDOMObject = typeInfo->toActiveDOMObject(wrapper);
             if (activeDOMObject && activeDOMObject->hasPendingActivity())
@@ -374 +396 @@
     // Run through all objects with possible pending activity making their
     // wrappers non weak if there is pending activity.
-    GCPrologueVisitor prologueVisitor;
-    visitActiveDOMObjects(&prologueVisitor);
+    GCPrologueVisitor<void, SpecialCasePrologueObjectHandler> prologueObjectVisitor;
+    visitActiveDOMObjects(&prologueObjectVisitor);
+    GCPrologueVisitor<Node, SpecialCasePrologueNodeHandler> prologueNodeVisitor;
+    visitActiveDOMNodes(&prologueNodeVisitor);
 
     // Create object groups.
     GrouperVisitor grouperVisitor;
     visitDOMNodes(&grouperVisitor);
+    visitActiveDOMNodes(&grouperVisitor);
     visitDOMObjects(&grouperVisitor);
     grouperVisitor.applyGrouping();
@@ -388 +413 @@
 }
 
-class GCEpilogueVisitor : public DOMWrapperMap<void>::Visitor {
-public:
-    void visitDOMWrapper(DOMDataStore* store, void* object, v8::Persistent<v8::Object> wrapper)
-    {
-        WrapperTypeInfo* typeInfo = V8DOMWrapper::domWrapperType(wrapper);
+class SpecialCaseEpilogueObjectHandler {
+public:
+    static bool process(void* object, v8::Persistent<v8::Object> wrapper, WrapperTypeInfo* typeInfo)
+    {
         if (V8MessagePort::info.equals(typeInfo)) {
             MessagePort* port1 = static_cast<MessagePort*>(object);
@@ -400 +424 @@
             if ((!wrapper.IsWeak() && !wrapper.IsNearDeath()) || port1->hasPendingActivity())
                 wrapper.MakeWeak(port1, &DOMDataStore::weakActiveDOMObjectCallback);
-        } else {
+            return true;
+        }
+        return false;
+    }
+};
+
+class SpecialCaseEpilogueNodeHandler {
+public:
+    static bool process(Node* object, v8::Persistent<v8::Object> wrapper, WrapperTypeInfo* typeInfo)
+    {
+        UNUSED_PARAM(object);
+        UNUSED_PARAM(wrapper);
+        UNUSED_PARAM(typeInfo);
+        return false;
+    }
+};
+
+template<typename T, typename S, v8::WeakReferenceCallback callback>
+class GCEpilogueVisitor : public DOMWrapperMap<T>::Visitor {
+public:
+    void visitDOMWrapper(DOMDataStore* store, T* object, v8::Persistent<v8::Object> wrapper)
+    {
+        WrapperTypeInfo* typeInfo = V8DOMWrapper::domWrapperType(wrapper);
+        if (!S::process(object, wrapper, typeInfo)) {
             ActiveDOMObject* activeDOMObject = typeInfo->toActiveDOMObject(wrapper);
             if (activeDOMObject && activeDOMObject->hasPendingActivity()) {
@@ -409 +456 @@
                 // the main base class of the object's class) and pointer
                 // identity is required by DOM map functions.
-                wrapper.MakeWeak(object, &DOMDataStore::weakActiveDOMObjectCallback);
+                wrapper.MakeWeak(object, callback);
             }
         }
@@ -445 +492 @@
     // Run through all objects with pending activity making their wrappers weak
     // again.
-    GCEpilogueVisitor epilogueVisitor;
-    visitActiveDOMObjects(&epilogueVisitor);
+    GCEpilogueVisitor<void, SpecialCaseEpilogueObjectHandler, &DOMDataStore::weakActiveDOMObjectCallback> epilogueObjectVisitor;
+    visitActiveDOMObjects(&epilogueObjectVisitor);
+    GCEpilogueVisitor<Node, SpecialCaseEpilogueNodeHandler, &DOMDataStore::weakNodeCallback> epilogueNodeVisitor;
+    visitActiveDOMNodes(&epilogueNodeVisitor);
 
     workingSetEstimateMB = getActualMemoryUsageInMB();

trunk/Source/WebCore/dom/Node.h

@@ -191 +191 @@
     Node* lastDescendant() const;
     Node* firstDescendant() const;
+
+    virtual bool isActiveNode() const { return false; }
     
     // Other methods (not part of DOM)

trunk/Source/WebCore/html/HTMLAudioElement.h

@@ -43 +43 @@
     virtual bool hasPendingActivity() const { return isPlaying() || HTMLMediaElement::hasPendingActivity(); }
 
+    virtual bool isActiveNode() const { return true; }
+
 private:
     HTMLAudioElement(const QualifiedName&, Document*);