Changeset 134495 in webkit
- Timestamp:
- Nov 13, 2012 3:21:38 PM (11 years ago)
- Location:
- trunk/Source/WebCore
- Files:
-
- 3 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/Source/WebCore/ChangeLog
r134489 r134495 1 2012-11-13 Mark Lam <mark.lam@apple.com> 2 3 JSEventListener should not access m_jsFunction when its wrapper is gone. 4 https://bugs.webkit.org/show_bug.cgi?id=101985. 5 6 Reviewed by Geoffrey Garen. 7 8 Added a few null checks for m_wrapper before we do anything with m_jsFunction. 9 10 No new tests. 11 12 * bindings/js/JSEventListener.cpp: 13 (WebCore::JSEventListener::initializeJSFunction): 14 - Removed a now invalid assertion. m_wrapper is expected to have a 15 valid non-zero value when jsFunction is valid. However, in the case 16 of JSLazyEventListener (which extends JSEventListener), m_wrapper is 17 initially 0 when m_jsFunction has not been realized yet. When 18 JSLazyEventListener::initializeJSFunction() realizes m_jsFunction, 19 it will set m_wrapper to an appropriate wrapper object. 20 21 For this reason, JSEventListener::jsFunction() cannot do the null 22 check on m_wrapper until after the call to initializeJSFunction. 23 24 This, in turns, means that in the case of the non-lazy 25 JSEventListener, initializeJSFunction() will also be called, and 26 if the GC has collected the m_wrapper but the JSEventListener has 27 not been removed yet, it is possible to see a null m_wrapper while 28 m_jsFunction contains a non-zero stale value. 29 30 Hence, this assertion of (m_wrapper || !m_jsFunction) in 31 JSEventListener::initializeJSFunction() is not always true and 32 should be removed. 33 34 (WebCore::JSEventListener::visitJSFunction): 35 (WebCore::JSEventListener::operator==): 36 * bindings/js/JSEventListener.h: 37 (WebCore::JSEventListener::jsFunction): 38 1 39 2012-11-13 Adam Barth <abarth@webkit.org> 2 40 -
trunk/Source/WebCore/bindings/js/JSEventListener.cpp
r127191 r134495 60 60 JSObject* JSEventListener::initializeJSFunction(ScriptExecutionContext*) const 61 61 { 62 ASSERT_NOT_REACHED();63 62 return 0; 64 63 } … … 66 65 void JSEventListener::visitJSFunction(SlotVisitor& visitor) 67 66 { 67 // If m_wrapper is 0, then jsFunction is zombied, and should never be accessed. 68 if (!m_wrapper) 69 return; 70 68 71 if (m_jsFunction) 69 72 visitor.append(&m_jsFunction); … … 161 164 bool JSEventListener::operator==(const EventListener& listener) 162 165 { 166 // If m_wrapper is 0, then jsFunction is zombied, and should never be accessed. 167 if (!m_wrapper) 168 return false; 169 163 170 if (const JSEventListener* jsEventListener = JSEventListener::cast(&listener)) 164 171 return m_jsFunction == jsEventListener->m_jsFunction && m_isAttribute == jsEventListener->m_isAttribute; -
trunk/Source/WebCore/bindings/js/JSEventListener.h
r116194 r134495 86 86 } 87 87 88 // If m_wrapper is 0, then jsFunction is zombied, and should never be accessed. 89 if (!m_wrapper) 90 return 0; 91 88 92 // Verify that we have a valid wrapper protecting our function from 89 93 // garbage collection. 90 94 ASSERT(m_wrapper || !m_jsFunction); 91 if (!m_wrapper)92 return 0;93 95 94 96 // Try to verify that m_jsFunction wasn't recycled. (Not exact, since an
Note: See TracChangeset
for help on using the changeset viewer.