Changeset 167579 in webkit

Timestamp:

Apr 20, 2014 9:39:11 PM (10 years ago)

Author:

Darin Adler

Message:

ScriptExecutionContext::stopActiveDOMObjects iterates a hash map that can change during iteration (for multiple reasons, including GC)
​https://bugs.webkit.org/show_bug.cgi?id=52719

Reviewed by Alexey Proskuryakov.

At least two specific ways this can happen:

1) XMLHttpRequest::stop can trigger a JavaScript garbage collection.
2) NotificationCenter::stop can delete the last references to notifications;

those notifications are also active DOM objects.

Besides fixing the iteration in that function, did some other fixes for the
ScriptExecutionContext class, including some coding style changes. Many uses
of nullptr instead of 0, without listing each function separately below.

• Modules/webdatabase/DatabaseContext.cpp:

(WebCore::DatabaseContext::contextDestroyed): Call through to the base class
version of contextDestroyed rather than repeating what it does (with a large
comment that doesn't acknowledge the base class alread does it).

• Modules/webdatabase/DatabaseContext.h: Removed some unneeded includes.

Wrote out "private" explicitly for deriving from ActiveDOMObject. Made the
ActiveDOMObject function overrides private, and marked them override and final.

• dom/ActiveDOMObject.h: Updated comments. Replaced suspendIfNeededCalled with

assertSuspendIfNeededWasCalled, which has an empty inline version in the header.
Renamed m_suspendIfNeededCalled to m_suspendIfNeededWasCalled.

• dom/ActiveDOMObject.cpp:

(WebCore::ActiveDOMObject::ActiveDOMObject): Pass a reference instead of a pointer.
(WebCore::ActiveDOMObject::~ActiveDOMObject): Ditto.
(WebCore::ActiveDOMObject::suspendIfNeeded): Ditto.

• dom/ContextDestructionObserver.cpp:

(WebCore::ContextDestructionObserver::observeContext): Pass a reference instead of a pointer.

• dom/MessagePort.cpp:

(WebCore::MessagePort::MessagePort): Pass a reference instead of a pointer.
(WebCore::MessagePort::~MessagePort): Ditto.
(WebCore::MessagePort::disentangle): Ditto.

• dom/ScriptExecutionContext.cpp:

(WebCore::ScriptExecutionContext::ScriptExecutionContext): Updated flags used
for assertions so they are conditional and updated their names.
(WebCore::takeAny): Added. Helper function that we can consider for HashSet in
the future; makes loop below easier to read.
(WebCore::checkConsistency): Added. Assertions that were done multiple places below,
and should not be written over and over again.
(WebCore::ScriptExecutionContext::~ScriptExecutionContext): Changed to use C++11
for loops and the takeAny function above.
(WebCore::ScriptExecutionContext::dispatchMessagePortEvents): Ditto.
(WebCore::ScriptExecutionContext::createdMessagePort): Changed to take a reference
for clarity and so it doesn't have to do an assert the pointer is non-null.
(WebCore::ScriptExecutionContext::destroyedMessagePort): Ditto.
(WebCore::ScriptExecutionContext::canSuspendActiveDOMObjects): Changed to use
C++11 for loop and reworded comment and redid assertions.
(WebCore::ScriptExecutionContext::suspendActiveDOMObjects): Ditto.
(WebCore::ScriptExecutionContext::resumeActiveDOMObjects): Ditto.
(WebCore::ScriptExecutionContext::stopActiveDOMObjects): Changed to support
removal of an active DOM object during the stop function. Included new comments
to clarify what the rules are.
(WebCore::ScriptExecutionContext::suspendActiveDOMObjectIfNeeded): Changed to take
a reference for clarity and so it doesn't have to assert a pointer is non-null.
(WebCore::ScriptExecutionContext::didCreateActiveDOMObject): Ditto. Also changed to
use RELEASE_ASSERT instead of CRASH.
(WebCore::ScriptExecutionContext::willDestroyActiveDOMObject): Ditto.
(WebCore::ScriptExecutionContext::didCreateDestructionObserver): Ditto.
(WebCore::ScriptExecutionContext::willDestroyDestructionObserver): Ditto.
(WebCore::ScriptExecutionContext::closeMessagePorts): Moved the body of this
function into its one call site, ScriptExecutionContext::stopActiveDOMObjects,
since it's simple enough when written as a C++11 for loop.
(WebCore::ScriptExecutionContext::hasPendingActivity): Added. This function was
already exported for workers, and implementing it outside this class required
exposing the private HashSet members; more sensible to implement it here and
simply make it public in WorkerGlobalScope.

• dom/ScriptExecutionContext.h: Removed unnecessary includes and forward declarations.

Removed a long-ago-fixed FIXME. Changed various functions to take references instead of
pointers. Added a protected hasPendingActivity function, deleted the closeMessagePorts
function, deleted the ActiveDOMObjectsSet typedef, made the assertion flags be
!ASSERT_DISABLED only, and deleted the messagePorts and activeDOMObjects functions.

• workers/WorkerGlobalScope.cpp:

(WebCore::WorkerGlobalScope::hasPendingActivity): Deleted. This is now implemented
in the base class.

• workers/WorkerGlobalScope.h: Make hasPendingActivity function from the base class

public instead of declaring it in this class.

Location:

trunk/Source/WebCore

Files:

• ChangeLog (modified) (1 diff)
• Modules/webdatabase/DatabaseContext.cpp (modified) (6 diffs)
• Modules/webdatabase/DatabaseContext.h (modified) (3 diffs)
• dom/ActiveDOMObject.cpp (modified) (5 diffs)
• dom/ActiveDOMObject.h (modified) (4 diffs)
• dom/ContextDestructionObserver.cpp (modified) (5 diffs)
• dom/MessagePort.cpp (modified) (3 diffs)
• dom/ScriptExecutionContext.cpp (modified) (7 diffs)
• dom/ScriptExecutionContext.h (modified) (6 diffs)
• workers/WorkerGlobalScope.cpp (modified) (1 diff)
• workers/WorkerGlobalScope.h (modified) (1 diff)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2014-04-20  Darin Adler  <darin@apple.com>
+
+        ScriptExecutionContext::stopActiveDOMObjects iterates a hash map that can change during iteration (for multiple reasons, including GC)
+        https://bugs.webkit.org/show_bug.cgi?id=52719
+
+        Reviewed by Alexey Proskuryakov.
+
+        At least two specific ways this can happen:
+
+        1) XMLHttpRequest::stop can trigger a JavaScript garbage collection.
+        2) NotificationCenter::stop can delete the last references to notifications;
+           those notifications are also active DOM objects.
+
+        Besides fixing the iteration in that function, did some other fixes for the
+        ScriptExecutionContext class, including some coding style changes. Many uses
+        of nullptr instead of 0, without listing each function separately below.
+
+        * Modules/webdatabase/DatabaseContext.cpp:
+        (WebCore::DatabaseContext::contextDestroyed): Call through to the base class
+        version of contextDestroyed rather than repeating what it does (with a large
+        comment that doesn't acknowledge the base class alread does it).
+        * Modules/webdatabase/DatabaseContext.h: Removed some unneeded includes.
+        Wrote out "private" explicitly for deriving from ActiveDOMObject. Made the
+        ActiveDOMObject function overrides private, and marked them override and final.
+
+        * dom/ActiveDOMObject.h: Updated comments. Replaced suspendIfNeededCalled with
+        assertSuspendIfNeededWasCalled, which has an empty inline version in the header.
+        Renamed m_suspendIfNeededCalled to m_suspendIfNeededWasCalled.
+
+        * dom/ActiveDOMObject.cpp:
+        (WebCore::ActiveDOMObject::ActiveDOMObject): Pass a reference instead of a pointer.
+        (WebCore::ActiveDOMObject::~ActiveDOMObject): Ditto.
+        (WebCore::ActiveDOMObject::suspendIfNeeded): Ditto.
+
+        * dom/ContextDestructionObserver.cpp:
+        (WebCore::ContextDestructionObserver::observeContext): Pass a reference instead of a pointer.
+
+        * dom/MessagePort.cpp:
+        (WebCore::MessagePort::MessagePort): Pass a reference instead of a pointer.
+        (WebCore::MessagePort::~MessagePort): Ditto.
+        (WebCore::MessagePort::disentangle): Ditto.
+
+        * dom/ScriptExecutionContext.cpp:
+        (WebCore::ScriptExecutionContext::ScriptExecutionContext): Updated flags used
+        for assertions so they are conditional and updated their names.
+        (WebCore::takeAny): Added. Helper function that we can consider for HashSet in
+        the future; makes loop below easier to read.
+        (WebCore::checkConsistency): Added. Assertions that were done multiple places below,
+        and should not be written over and over again.
+        (WebCore::ScriptExecutionContext::~ScriptExecutionContext): Changed to use C++11
+        for loops and the takeAny function above.
+        (WebCore::ScriptExecutionContext::dispatchMessagePortEvents): Ditto.
+        (WebCore::ScriptExecutionContext::createdMessagePort): Changed to take a reference
+        for clarity and so it doesn't have to do an assert the pointer is non-null.
+        (WebCore::ScriptExecutionContext::destroyedMessagePort): Ditto.
+        (WebCore::ScriptExecutionContext::canSuspendActiveDOMObjects): Changed to use
+        C++11 for loop and reworded comment and redid assertions.
+        (WebCore::ScriptExecutionContext::suspendActiveDOMObjects): Ditto.
+        (WebCore::ScriptExecutionContext::resumeActiveDOMObjects): Ditto.
+        (WebCore::ScriptExecutionContext::stopActiveDOMObjects): Changed to support
+        removal of an active DOM object during the stop function. Included new comments
+        to clarify what the rules are.
+        (WebCore::ScriptExecutionContext::suspendActiveDOMObjectIfNeeded): Changed to take
+        a reference for clarity and so it doesn't have to assert a pointer is non-null.
+        (WebCore::ScriptExecutionContext::didCreateActiveDOMObject): Ditto. Also changed to
+        use RELEASE_ASSERT instead of CRASH.
+        (WebCore::ScriptExecutionContext::willDestroyActiveDOMObject): Ditto.
+        (WebCore::ScriptExecutionContext::didCreateDestructionObserver): Ditto.
+        (WebCore::ScriptExecutionContext::willDestroyDestructionObserver): Ditto.
+        (WebCore::ScriptExecutionContext::closeMessagePorts): Moved the body of this
+        function into its one call site, ScriptExecutionContext::stopActiveDOMObjects,
+        since it's simple enough when written as a C++11 for loop.
+        (WebCore::ScriptExecutionContext::hasPendingActivity): Added. This function was
+        already exported for workers, and implementing it outside this class required
+        exposing the private HashSet members; more sensible to implement it here and
+        simply make it public in WorkerGlobalScope.
+
+        * dom/ScriptExecutionContext.h: Removed unnecessary includes and forward declarations.
+        Removed a long-ago-fixed FIXME. Changed various functions to take references instead of
+        pointers. Added a protected hasPendingActivity function, deleted the closeMessagePorts
+        function, deleted the ActiveDOMObjectsSet typedef, made the assertion flags be
+        !ASSERT_DISABLED only, and deleted the messagePorts and activeDOMObjects functions.
+
+        * workers/WorkerGlobalScope.cpp:
+        (WebCore::WorkerGlobalScope::hasPendingActivity): Deleted. This is now implemented
+        in the base class.
+
+        * workers/WorkerGlobalScope.h: Make hasPendingActivity function from the base class
+        public instead of declaring it in this class.
+
 2014-04-20  Brent Fulgham  <bfulgham@apple.com>
 

trunk/Source/WebCore/Modules/webdatabase/DatabaseContext.cpp

@@ -105 +105 @@
 #if PLATFORM(IOS)
     , m_paused(false)
-#endif //PLATFORM(IOS)
+#endif
 {
     // ActiveDOMObject expects this to be called to set internal flags.
@@ -129 +129 @@
 }
 
-// This is called if the associated ScriptExecutionContext is destructing while
+// This is called if the associated ScriptExecutionContext is destroyed while
 // we're still associated with it. That's our cue to disassociate and shutdown.
-// To do this, we stop the database and let everything shutdown naturally
-// because the database closing process may still make use of this context.
+// To do this, we stop the database and let everything shut down naturally
+// because the database closing process might still make use of this context.
 // It is not safe to just delete the context here.
 void DatabaseContext::contextDestroyed()
 {
     stopDatabases();
-
-    // Normally, willDestroyActiveDOMObject() is called in ~ActiveDOMObject().
-    // However, we're here because the destructor hasn't been called, and the
-    // ScriptExecutionContext we're associated with is about to be destructed.
-    // So, go ahead an unregister self from the ActiveDOMObject list, and
-    // set m_scriptExecutionContext to 0 so that ~ActiveDOMObject() doesn't
-    // try to do so again.
-    m_scriptExecutionContext->willDestroyActiveDOMObject(this);
-    m_scriptExecutionContext = 0;
+    ActiveDOMObject::contextDestroyed();
 }
 
@@ -167 +159 @@
 #if PLATFORM(IOS)
         MutexLocker lock(m_databaseThreadMutex);
-#endif //PLATFORM(IOS)
+#endif
         // It's OK to ask for the m_databaseThread after we've requested
         // termination because we're still using it to execute the closing
@@ -178 +170 @@
         m_databaseThread = DatabaseThread::create();
         if (!m_databaseThread->start())
-            m_databaseThread = 0;
+            m_databaseThread = nullptr;
+
 #if PLATFORM(IOS)
         if (m_databaseThread)
             m_databaseThread->setPaused(m_paused);
-#endif //PLATFORM(IOS)
+#endif
     }
 
@@ -199 +192 @@
 #endif // PLATFORM(IOS)
 
-bool DatabaseContext::stopDatabases(DatabaseTaskSynchronizer* cleanupSync)
+bool DatabaseContext::stopDatabases(DatabaseTaskSynchronizer* synchronizer)
 {
     if (m_isRegistered) {
@@ -217 +210 @@
 
     if (m_databaseThread && !m_hasRequestedTermination) {
-        m_databaseThread->requestTermination(cleanupSync);
+        m_databaseThread->requestTermination(synchronizer);
         m_hasRequestedTermination = true;
         return true;

trunk/Source/WebCore/Modules/webdatabase/DatabaseContext.h

@@ -32 +32 @@
 
 #include "ActiveDOMObject.h"
-#include "DatabaseDetails.h"
-#include <wtf/Assertions.h>
+#include <wtf/RefPtr.h>
 #include <wtf/ThreadSafeRefCounted.h>
 
 #if PLATFORM(IOS)
 #include <wtf/Threading.h>
-#endif // PLATFORM(IOS)
+#endif
 
 namespace WebCore {
 
 class Database;
+class DatabaseDetails;
 class DatabaseBackendContext;
 class DatabaseTaskSynchronizer;
 class DatabaseThread;
-class ScriptExecutionContext;
 
-class DatabaseContext : public ThreadSafeRefCounted<DatabaseContext>, ActiveDOMObject {
+class DatabaseContext : public ThreadSafeRefCounted<DatabaseContext>, private ActiveDOMObject {
 public:
     virtual ~DatabaseContext();
 
-    // For life-cycle management (inherited from ActiveDOMObject):
-    virtual void contextDestroyed();
-    virtual void stop();
-
     PassRefPtr<DatabaseBackendContext> backend();
     DatabaseThread* databaseThread();
+
 #if PLATFORM(IOS)
     void setPaused(bool);
-#endif // PLATFORM(IOS)
+#endif
 
     void setHasOpenDatabases() { m_hasOpenDatabases = true; }
     bool hasOpenDatabases() { return m_hasOpenDatabases; }
 
-    // When the database cleanup is done, cleanupSync will be signalled.
+    // When the database cleanup is done, the sychronizer will be signalled.
     bool stopDatabases(DatabaseTaskSynchronizer*);
 
@@ -74 +70 @@
     explicit DatabaseContext(ScriptExecutionContext*);
 
-    void stopDatabases() { stopDatabases(0); }
+    void stopDatabases() { stopDatabases(nullptr); }
+
+    virtual void contextDestroyed() override final;
+    virtual void stop() override final;
 
     RefPtr<DatabaseThread> m_databaseThread;
@@ -87 +86 @@
     Mutex m_databaseThreadMutex;
     bool m_paused;
-#endif // PLATFORM(IOS)
+#endif
 };
 

trunk/Source/WebCore/dom/ActiveDOMObject.cpp

@@ -38 +38 @@
     , m_pendingActivityCount(0)
 #if !ASSERT_DISABLED
-    , m_suspendIfNeededCalled(false)
+    , m_suspendIfNeededWasCalled(false)
 #endif
 {
@@ -45 +45 @@
 
     ASSERT(m_scriptExecutionContext->isContextThread());
-    m_scriptExecutionContext->didCreateActiveDOMObject(this);
+    m_scriptExecutionContext->didCreateActiveDOMObject(*this);
 }
 
@@ -53 +53 @@
         return;
 
-    ASSERT(m_suspendIfNeededCalled);
+    ASSERT(m_suspendIfNeededWasCalled);
 
     // ActiveDOMObject may be inherited by a sub-class whose life-cycle
@@ -63 +63 @@
     if (m_scriptExecutionContext) {
         ASSERT(m_scriptExecutionContext->isContextThread());
-        m_scriptExecutionContext->willDestroyActiveDOMObject(this);
+        m_scriptExecutionContext->willDestroyActiveDOMObject(*this);
     }
 }
@@ -70 +70 @@
 {
 #if !ASSERT_DISABLED
-    ASSERT(!m_suspendIfNeededCalled);
-    m_suspendIfNeededCalled = true;
+    ASSERT(!m_suspendIfNeededWasCalled);
+    m_suspendIfNeededWasCalled = true;
 #endif
     if (!m_scriptExecutionContext)
         return;
 
-    m_scriptExecutionContext->suspendActiveDOMObjectIfNeeded(this);
+    m_scriptExecutionContext->suspendActiveDOMObjectIfNeeded(*this);
 }
+
+#if !ASSERT_DISABLED
+
+void ActiveDOMObject::assertSuspendIfNeededWasCalled() const
+{
+    ASSERT(m_suspendIfNeededWasCalled);
+}
+
+#endif
 
 bool ActiveDOMObject::hasPendingActivity() const

trunk/Source/WebCore/dom/ActiveDOMObject.h

@@ -38 +38 @@
     explicit ActiveDOMObject(ScriptExecutionContext*);
 
-    // suspendIfNeeded() should be called exactly once after object construction to synchronize
-    // the suspend state with that in ScriptExecutionContext.
+    // The suspendIfNeeded must be called exactly once after object construction to update
+    // the suspended state to match that of the ScriptExecutionContext.
     void suspendIfNeeded();
-#if !ASSERT_DISABLED
-    bool suspendIfNeededCalled() const { return m_suspendIfNeededCalled; }
-#endif
+    void assertSuspendIfNeededWasCalled() const;
 
     virtual bool hasPendingActivity() const;
 
-    // canSuspend() is used by the caller if there is a choice between suspending and stopping.
-    // For example, a page won't be suspended and placed in the back/forward cache if it has
-    // the objects that can not be suspended.
-    // However, 'suspend' can be called even if canSuspend() would return 'false'. That
-    // happens in step-by-step JS debugging for example - in this case it would be incorrect
-    // to stop the object. Exact semantics of suspend is up to the object then.
+    // The canSuspend function is used by the caller if there is a choice between suspending
+    // and stopping. For example, a page won't be suspended and placed in the back/forward
+    // cache if it contains any objects that cannot be suspended.
+
+    // However, the suspend function will sometimes be called even if canSuspend returns false.
+    // That happens in step-by-step JS debugging for example - in this case it would be incorrect
+    // to stop the object. Exact semantics of suspend is up to the object in cases like that.
+
     enum ReasonForSuspension {
         JavaScriptDebuggerPaused,
@@ -60 +60 @@
         DocumentWillBePaused
     };
+
+    // These three functions must not have a side effect of creating or destroying
+    // any ActiveDOMObject. That means they must not result in calls to arbitrary JavaScript.
     virtual bool canSuspend() const;
     virtual void suspend(ReasonForSuspension);
     virtual void resume();
+
+    // This function must not have a side effect of creating an ActiveDOMObject.
+    // That means it must not result in calls to arbitrary JavaScript.
+    // It can, however, have a side effect of deleting an ActiveDOMObject.
     virtual void stop();
 
@@ -69 +76 @@
         ASSERT(thisObject == this);
         thisObject->ref();
-        m_pendingActivityCount++;
+        ++m_pendingActivityCount;
     }
 
@@ -85 +92 @@
     unsigned m_pendingActivityCount;
 #if !ASSERT_DISABLED
-    bool m_suspendIfNeededCalled;
+    bool m_suspendIfNeededWasCalled;
 #endif
 };
+
+#if ASSERT_DISABLED
+
+inline void ActiveDOMObject::assertSuspendIfNeededWasCalled() const
+{
+}
+
+#endif
 
 } // namespace WebCore

trunk/Source/WebCore/dom/ContextDestructionObserver.cpp

@@ -33 +33 @@
 
 ContextDestructionObserver::ContextDestructionObserver(ScriptExecutionContext* scriptExecutionContext)
-    : m_scriptExecutionContext(0)
+    : m_scriptExecutionContext(nullptr)
 {
     observeContext(scriptExecutionContext);
@@ -40 +40 @@
 ContextDestructionObserver::~ContextDestructionObserver()
 {
-    observeContext(0);
+    observeContext(nullptr);
 }
 
@@ -47 +47 @@
     if (m_scriptExecutionContext) {
         ASSERT(m_scriptExecutionContext->isContextThread());
-        m_scriptExecutionContext->willDestroyDestructionObserver(this);
+        m_scriptExecutionContext->willDestroyDestructionObserver(*this);
     }
 
@@ -54 +54 @@
     if (m_scriptExecutionContext) {
         ASSERT(m_scriptExecutionContext->isContextThread());
-        m_scriptExecutionContext->didCreateDestructionObserver(this);
+        m_scriptExecutionContext->didCreateDestructionObserver(*this);
     }
 }
@@ -60 +60 @@
 void ContextDestructionObserver::contextDestroyed()
 {
-    m_scriptExecutionContext = 0;
+    m_scriptExecutionContext = nullptr;
 }
 

trunk/Source/WebCore/dom/MessagePort.cpp

@@ -41 +41 @@
     , m_scriptExecutionContext(&scriptExecutionContext)
 {
-    m_scriptExecutionContext->createdMessagePort(this);
+    m_scriptExecutionContext->createdMessagePort(*this);
 
     // Don't need to call processMessagePortMessagesSoon() here, because the port will not be opened until start() is invoked.
@@ -50 +50 @@
     close();
     if (m_scriptExecutionContext)
-        m_scriptExecutionContext->destroyedMessagePort(this);
+        m_scriptExecutionContext->destroyedMessagePort(*this);
 }
 
@@ -90 +90 @@
     m_entangledChannel->disentangle();
 
-    // We can't receive any messages or generate any events, so remove ourselves from the list of active ports.
-    ASSERT(m_scriptExecutionContext);
-    m_scriptExecutionContext->destroyedMessagePort(this);
-    m_scriptExecutionContext = 0;
+    // We can't receive any messages or generate any events after this, so remove ourselves from the list of active ports.
+    ASSERT(m_scriptExecutionContext);
+    m_scriptExecutionContext->destroyedMessagePort(*this);
+    m_scriptExecutionContext = nullptr;
 
     return std::move(m_entangledChannel);

trunk/Source/WebCore/dom/ScriptExecutionContext.cpp

@@ -93 +93 @@
 
 ScriptExecutionContext::ScriptExecutionContext()
-    : m_iteratingActiveDOMObjects(false)
-    , m_inDestructor(false)
-    , m_circularSequentialID(0)
+    : m_circularSequentialID(0)
     , m_inDispatchErrorEvent(false)
     , m_activeDOMObjectsAreSuspended(false)
     , m_reasonForSuspendingActiveDOMObjects(static_cast<ActiveDOMObject::ReasonForSuspension>(-1))
     , m_activeDOMObjectsAreStopped(false)
-{
-}
+    , m_activeDOMObjectAdditionForbidden(false)
+#if !ASSERT_DISABLED
+    , m_inScriptExecutionContextDestructor(false)
+    , m_activeDOMObjectRemovalForbidden(false)
+#endif
+{
+}
+
+// FIXME: We should make this a member function of HashSet.
+template<typename T> inline T takeAny(HashSet<T>& set)
+{
+    ASSERT(!set.isEmpty());
+    auto iterator = set.begin();
+    T result = std::move(*iterator);
+    set.remove(iterator);
+    return result;
+}
+
+#if ASSERT_DISABLED
+
+inline void ScriptExecutionContext::checkConsistency() const
+{
+}
+
+#else
+
+void ScriptExecutionContext::checkConsistency() const
+{
+    for (auto* messagePort : m_messagePorts)
+        ASSERT(messagePort->scriptExecutionContext() == this);
+
+    for (auto* destructionObserver : m_destructionObservers)
+        ASSERT(destructionObserver->scriptExecutionContext() == this);
+
+    for (auto* activeDOMObject : m_activeDOMObjects) {
+        ASSERT(activeDOMObject->scriptExecutionContext() == this);
+        activeDOMObject->assertSuspendIfNeededWasCalled();
+    }
+}
+
+#endif
 
 ScriptExecutionContext::~ScriptExecutionContext()
 {
-    m_inDestructor = true;
-    for (HashSet<ContextDestructionObserver*>::iterator iter = m_destructionObservers.begin(); iter != m_destructionObservers.end(); iter = m_destructionObservers.begin()) {
-        ContextDestructionObserver* observer = *iter;
-        m_destructionObservers.remove(observer);
-        ASSERT(observer->scriptExecutionContext() == this);
-        observer->contextDestroyed();
-    }
-
-    HashSet<MessagePort*>::iterator messagePortsEnd = m_messagePorts.end();
-    for (HashSet<MessagePort*>::iterator iter = m_messagePorts.begin(); iter != messagePortsEnd; ++iter) {
-        ASSERT((*iter)->scriptExecutionContext() == this);
-        (*iter)->contextDestroyed();
-    }
+    checkConsistency();
+
+#if !ASSERT_DISABLED
+    m_inScriptExecutionContextDestructor = true;
+#endif
+
+    while (!m_destructionObservers.isEmpty())
+        takeAny(m_destructionObservers)->contextDestroyed();
+
+    for (auto* messagePort : m_messagePorts)
+        messagePort->contextDestroyed();
+
+#if !ASSERT_DISABLED
+    m_inScriptExecutionContextDestructor = false;
+#endif
 }
 
@@ -127 +166 @@
 void ScriptExecutionContext::dispatchMessagePortEvents()
 {
+    checkConsistency();
+
     Ref<ScriptExecutionContext> protect(*this);
 
-    // Make a frozen copy.
-    Vector<MessagePort*> ports;
-    copyToVector(m_messagePorts, ports);
-
-    unsigned portCount = ports.size();
-    for (unsigned i = 0; i < portCount; ++i) {
-        MessagePort* port = ports[i];
-        // The port may be destroyed, and another one created at the same address, but this is safe, as the worst that can happen
-        // as a result is that dispatchMessages() will be called needlessly.
-        if (m_messagePorts.contains(port) && port->started())
-            port->dispatchMessages();
-    }
-}
-
-void ScriptExecutionContext::createdMessagePort(MessagePort* port)
-{
-    ASSERT(port);
+    // Make a frozen copy of the ports so we can iterate while new ones might be added or destroyed.
+    Vector<MessagePort*> possibleMessagePorts;
+    copyToVector(m_messagePorts, possibleMessagePorts);
+    for (auto* messagePort : possibleMessagePorts) {
+        // The port may be destroyed, and another one created at the same address,
+        // but this is harmless. The worst that can happen as a result is that
+        // dispatchMessages() will be called needlessly.
+        if (m_messagePorts.contains(messagePort) && messagePort->started())
+            messagePort->dispatchMessages();
+    }
+}
+
+void ScriptExecutionContext::createdMessagePort(MessagePort& messagePort)
+{
     ASSERT((isDocument() && isMainThread())
         || (isWorkerGlobalScope() && currentThread() == toWorkerGlobalScope(this)->thread().threadID()));
 
-    m_messagePorts.add(port);
-}
-
-void ScriptExecutionContext::destroyedMessagePort(MessagePort* port)
-{
-    ASSERT(port);
+    m_messagePorts.add(&messagePort);
+}
+
+void ScriptExecutionContext::destroyedMessagePort(MessagePort& messagePort)
+{
     ASSERT((isDocument() && isMainThread())
         || (isWorkerGlobalScope() && currentThread() == toWorkerGlobalScope(this)->thread().threadID()));
 
-    m_messagePorts.remove(port);
+    m_messagePorts.remove(&messagePort);
 }
 
 bool ScriptExecutionContext::canSuspendActiveDOMObjects()
 {
-    // No protection against m_activeDOMObjects changing during iteration: canSuspend() shouldn't execute arbitrary JS.
-    m_iteratingActiveDOMObjects = true;
-    ActiveDOMObjectsSet::iterator activeObjectsEnd = m_activeDOMObjects.end();
-    for (ActiveDOMObjectsSet::iterator iter = m_activeDOMObjects.begin(); iter != activeObjectsEnd; ++iter) {
-        ASSERT((*iter)->scriptExecutionContext() == this);
-        ASSERT((*iter)->suspendIfNeededCalled());
-        if (!(*iter)->canSuspend()) {
-            m_iteratingActiveDOMObjects = false;
-            return false;
+    checkConsistency();
+
+    bool canSuspend = true;
+
+    m_activeDOMObjectAdditionForbidden = true;
+#if !ASSERT_DISABLED
+    m_activeDOMObjectRemovalForbidden = true;
+#endif
+
+    // We assume that m_activeDOMObjects will not change during iteration: canSuspend
+    // functions should not add new active DOM objects, nor execute arbitrary JavaScript.
+    // An ASSERT or RELEASE_ASSERT will fire if this happens, but it's important to code
+    // canSuspend functions so it will not happen!
+    for (auto* activeDOMObject : m_activeDOMObjects) {
+        if (!activeDOMObject->canSuspend()) {
+            canSuspend = false;
+            break;
         }
     }
-    m_iteratingActiveDOMObjects = false;
-    return true;
+
+    m_activeDOMObjectAdditionForbidden = false;
+#if !ASSERT_DISABLED
+    m_activeDOMObjectRemovalForbidden = false;
+#endif
+
+    return canSuspend;
 }
 
 void ScriptExecutionContext::suspendActiveDOMObjects(ActiveDOMObject::ReasonForSuspension why)
 {
+    checkConsistency();
+
 #if PLATFORM(IOS)
     if (m_activeDOMObjectsAreSuspended) {
@@ -187 +239 @@
 #endif
 
-    // No protection against m_activeDOMObjects changing during iteration: suspend() shouldn't execute arbitrary JS.
-    m_iteratingActiveDOMObjects = true;
-    ActiveDOMObjectsSet::iterator activeObjectsEnd = m_activeDOMObjects.end();
-    for (ActiveDOMObjectsSet::iterator iter = m_activeDOMObjects.begin(); iter != activeObjectsEnd; ++iter) {
-        ASSERT((*iter)->scriptExecutionContext() == this);
-        ASSERT((*iter)->suspendIfNeededCalled());
-        (*iter)->suspend(why);
-    }
-    m_iteratingActiveDOMObjects = false;
+    m_activeDOMObjectAdditionForbidden = true;
+#if !ASSERT_DISABLED
+    m_activeDOMObjectRemovalForbidden = true;
+#endif
+
+    // We assume that m_activeDOMObjects will not change during iteration: suspend
+    // functions should not add new active DOM objects, nor execute arbitrary JavaScript.
+    // An ASSERT or RELEASE_ASSERT will fire if this happens, but it's important to code
+    // suspend functions so it will not happen!
+    for (auto* activeDOMObject : m_activeDOMObjects)
+        activeDOMObject->suspend(why);
+
+    m_activeDOMObjectAdditionForbidden = false;
+#if !ASSERT_DISABLED
+    m_activeDOMObjectRemovalForbidden = false;
+#endif
+
     m_activeDOMObjectsAreSuspended = true;
     m_reasonForSuspendingActiveDOMObjects = why;
@@ -202 +262 @@
 void ScriptExecutionContext::resumeActiveDOMObjects(ActiveDOMObject::ReasonForSuspension why)
 {
+    checkConsistency();
+
     if (m_reasonForSuspendingActiveDOMObjects != why)
         return;
-
     m_activeDOMObjectsAreSuspended = false;
-    // No protection against m_activeDOMObjects changing during iteration: resume() shouldn't execute arbitrary JS.
-    m_iteratingActiveDOMObjects = true;
-    ActiveDOMObjectsSet::iterator activeObjectsEnd = m_activeDOMObjects.end();
-    for (ActiveDOMObjectsSet::iterator iter = m_activeDOMObjects.begin(); iter != activeObjectsEnd; ++iter) {
-        ASSERT((*iter)->scriptExecutionContext() == this);
-        ASSERT((*iter)->suspendIfNeededCalled());
-        (*iter)->resume();
-    }
-    m_iteratingActiveDOMObjects = false;
+
+    m_activeDOMObjectAdditionForbidden = true;
+#if !ASSERT_DISABLED
+    m_activeDOMObjectRemovalForbidden = true;
+#endif
+
+    // We assume that m_activeDOMObjects will not change during iteration: resume
+    // functions should not add new active DOM objects, nor execute arbitrary JavaScript.
+    // An ASSERT or RELEASE_ASSERT will fire if this happens, but it's important to code
+    // resume functions so it will not happen!
+    for (auto* activeDOMObject : m_activeDOMObjects)
+        activeDOMObject->resume();
+
+    m_activeDOMObjectAdditionForbidden = false;
+#if !ASSERT_DISABLED
+    m_activeDOMObjectRemovalForbidden = false;
+#endif
 }
 
 void ScriptExecutionContext::stopActiveDOMObjects()
 {
+    checkConsistency();
+
     if (m_activeDOMObjectsAreStopped)
         return;
     m_activeDOMObjectsAreStopped = true;
-    // No protection against m_activeDOMObjects changing during iteration: stop() shouldn't execute arbitrary JS.
-    m_iteratingActiveDOMObjects = true;
-    ActiveDOMObjectsSet::iterator activeObjectsEnd = m_activeDOMObjects.end();
-    for (ActiveDOMObjectsSet::iterator iter = m_activeDOMObjects.begin(); iter != activeObjectsEnd; ++iter) {
-        ASSERT((*iter)->scriptExecutionContext() == this);
-        ASSERT((*iter)->suspendIfNeededCalled());
-        (*iter)->stop();
-    }
-    m_iteratingActiveDOMObjects = false;
-
-    // Also close MessagePorts. If they were ActiveDOMObjects (they could be) then they could be stopped instead.
-    closeMessagePorts();
-}
-
-void ScriptExecutionContext::suspendActiveDOMObjectIfNeeded(ActiveDOMObject* object)
-{
-    ASSERT(m_activeDOMObjects.contains(object));
-    // Ensure all ActiveDOMObjects are suspended also newly created ones.
+
+    // Make a frozen copy of the objects so we can iterate while new ones might be destroyed.
+    Vector<ActiveDOMObject*> possibleActiveDOMObjects;
+    copyToVector(m_activeDOMObjects, possibleActiveDOMObjects);
+
+    m_activeDOMObjectAdditionForbidden = true;
+
+    // We assume that new objects will not be added to m_activeDOMObjects during iteration:
+    // stop functions should not add new active DOM objects, nor execute arbitrary JavaScript.
+    // A RELEASE_ASSERT will fire if this happens, but it's important to code stop functions
+    // so it will not happen!
+    for (auto* activeDOMObject : possibleActiveDOMObjects) {
+        // Check if this object was deleted already. If so, just skip it.
+        // Calling contains on a possibly-already-deleted object is OK because we guarantee
+        // no new object can be added, so even if a new object ends up allocated with the
+        // same address, that will be *after* this function exits.
+        if (!m_activeDOMObjects.contains(activeDOMObject))
+            continue;
+        activeDOMObject->stop();
+    }
+
+    m_activeDOMObjectAdditionForbidden = false;
+
+    // FIXME: Make message ports be active DOM objects and let them implement stop instead
+    // of having this separate mechanism just for them.
+    for (auto* messagePort : m_messagePorts)
+        messagePort->close();
+}
+
+void ScriptExecutionContext::suspendActiveDOMObjectIfNeeded(ActiveDOMObject& activeDOMObject)
+{
+    ASSERT(m_activeDOMObjects.contains(&activeDOMObject));
     if (m_activeDOMObjectsAreSuspended)
-        object->suspend(m_reasonForSuspendingActiveDOMObjects);
+        activeDOMObject.suspend(m_reasonForSuspendingActiveDOMObjects);
     if (m_activeDOMObjectsAreStopped)
-        object->stop();
-}
-
-void ScriptExecutionContext::didCreateActiveDOMObject(ActiveDOMObject* object)
-{
-    ASSERT(object);
-    ASSERT(!m_inDestructor);
-    if (m_iteratingActiveDOMObjects)
-        CRASH();
-    m_activeDOMObjects.add(object);
-}
-
-void ScriptExecutionContext::willDestroyActiveDOMObject(ActiveDOMObject* object)
-{
-    ASSERT(object);
-    if (m_iteratingActiveDOMObjects)
-        CRASH();
-    m_activeDOMObjects.remove(object);
-}
-
-void ScriptExecutionContext::didCreateDestructionObserver(ContextDestructionObserver* observer)
-{
-    ASSERT(observer);
-    ASSERT(!m_inDestructor);
-    m_destructionObservers.add(observer);
-}
-
-void ScriptExecutionContext::willDestroyDestructionObserver(ContextDestructionObserver* observer)
-{
-    ASSERT(observer);
-    m_destructionObservers.remove(observer);
-}
-
-void ScriptExecutionContext::closeMessagePorts() {
-    HashSet<MessagePort*>::iterator messagePortsEnd = m_messagePorts.end();
-    for (HashSet<MessagePort*>::iterator iter = m_messagePorts.begin(); iter != messagePortsEnd; ++iter) {
-        ASSERT((*iter)->scriptExecutionContext() == this);
-        (*iter)->close();
-    }
+        activeDOMObject.stop();
+}
+
+void ScriptExecutionContext::didCreateActiveDOMObject(ActiveDOMObject& activeDOMObject)
+{
+    // The m_activeDOMObjectAdditionForbidden check is a RELEASE_ASSERT because of the
+    // consequences of having an ActiveDOMObject that is not correctly reflected in the set.
+    // If we do have one of those, it can possibly be a security vulnerability. So we'd
+    // rather have a crash than continue running with the set possibly compromised.
+    ASSERT(!m_inScriptExecutionContextDestructor);
+    RELEASE_ASSERT(!m_activeDOMObjectAdditionForbidden);
+    m_activeDOMObjects.add(&activeDOMObject);
+}
+
+void ScriptExecutionContext::willDestroyActiveDOMObject(ActiveDOMObject& activeDOMObject)
+{
+    ASSERT(!m_activeDOMObjectRemovalForbidden);
+    m_activeDOMObjects.remove(&activeDOMObject);
+}
+
+void ScriptExecutionContext::didCreateDestructionObserver(ContextDestructionObserver& observer)
+{
+    ASSERT(!m_inScriptExecutionContextDestructor);
+    m_destructionObservers.add(&observer);
+}
+
+void ScriptExecutionContext::willDestroyDestructionObserver(ContextDestructionObserver& observer)
+{
+    m_destructionObservers.remove(&observer);
 }
 
@@ -370 +445 @@
 {
     if (minimumTimerInterval() != oldMinimumTimerInterval) {
-        for (TimeoutMap::iterator iter = m_timeouts.begin(); iter != m_timeouts.end(); ++iter) {
-            DOMTimer* timer = iter->value;
+        for (auto* timer : m_timeouts.values())
             timer->adjustMinimumTimerInterval(oldMinimumTimerInterval);
-        }
     }
 }
@@ -389 +462 @@
 void ScriptExecutionContext::didChangeTimerAlignmentInterval()
 {
-    for (TimeoutMap::iterator iter = m_timeouts.begin(); iter != m_timeouts.end(); ++iter) {
-        DOMTimer* timer = iter->value;
+    for (auto* timer : m_timeouts.values())
         timer->didChangeAlignmentInterval();
-    }
 }
 
@@ -420 +491 @@
 #endif
 
+bool ScriptExecutionContext::hasPendingActivity() const
+{
+    checkConsistency();
+
+    for (auto* activeDOMObject : m_activeDOMObjects) {
+        if (activeDOMObject->hasPendingActivity())
+            return true;
+    }
+
+    for (auto* messagePort : m_messagePorts) {
+        if (messagePort->hasPendingActivity())
+            return true;
+    }
+
+    return false;
+}
+
 } // namespace WebCore

trunk/Source/WebCore/dom/ScriptExecutionContext.h

@@ -32 +32 @@
 #include "SecurityContext.h"
 #include "Supplementable.h"
-#include "URL.h"
 #include <runtime/ConsoleTypes.h>
 #include <wtf/HashSet.h>
@@ -50 +49 @@
 class DatabaseContext;
 class DOMTimer;
-class EventListener;
 class EventQueue;
 class EventTarget;
 class MessagePort;
-
-#if ENABLE(BLOB)
 class PublicURLManager;
-#endif
+class URL;
 
 class ScriptExecutionContext : public SecurityContext, public Supplementable<ScriptExecutionContext> {
@@ -77 +73 @@
     virtual void disableEval(const String& errorMessage) = 0;
 
-    bool sanitizeScriptError(String& errorMessage, int& lineNumber, int& columnNumber, String& sourceURL, CachedScript* = 0);
-    // FIXME: <http://webkit.org/b/114315> ScriptExecutionContext log exception should include a column number
-    void reportException(const String& errorMessage, int lineNumber, int columnNumber, const String& sourceURL, PassRefPtr<Inspector::ScriptCallStack>, CachedScript* = 0);
-
-    void addConsoleMessage(MessageSource, MessageLevel, const String& message, const String& sourceURL, unsigned lineNumber, unsigned columnNumber, JSC::ExecState* = 0, unsigned long requestIdentifier = 0);
+    bool sanitizeScriptError(String& errorMessage, int& lineNumber, int& columnNumber, String& sourceURL, CachedScript* = nullptr);
+    void reportException(const String& errorMessage, int lineNumber, int columnNumber, const String& sourceURL, PassRefPtr<Inspector::ScriptCallStack>, CachedScript* = nullptr);
+
+    void addConsoleMessage(MessageSource, MessageLevel, const String& message, const String& sourceURL, unsigned lineNumber, unsigned columnNumber, JSC::ExecState* = nullptr, unsigned long requestIdentifier = 0);
     virtual void addConsoleMessage(MessageSource, MessageLevel, const String& message, unsigned long requestIdentifier = 0) = 0;
 
@@ -102 +97 @@
 
     // Called from the constructor and destructors of ActiveDOMObject.
-    void didCreateActiveDOMObject(ActiveDOMObject*);
-    void willDestroyActiveDOMObject(ActiveDOMObject*);
+    void didCreateActiveDOMObject(ActiveDOMObject&);
+    void willDestroyActiveDOMObject(ActiveDOMObject&);
 
     // Called after the construction of an ActiveDOMObject to synchronize suspend state.
-    void suspendActiveDOMObjectIfNeeded(ActiveDOMObject*);
-
-    typedef HashSet<ActiveDOMObject*> ActiveDOMObjectsSet;
-    const ActiveDOMObjectsSet& activeDOMObjects() const { return m_activeDOMObjects; }
-
-    void didCreateDestructionObserver(ContextDestructionObserver*);
-    void willDestroyDestructionObserver(ContextDestructionObserver*);
+    void suspendActiveDOMObjectIfNeeded(ActiveDOMObject&);
+
+    void didCreateDestructionObserver(ContextDestructionObserver&);
+    void willDestroyDestructionObserver(ContextDestructionObserver&);
 
     // MessagePort is conceptually a kind of ActiveDOMObject, but it needs to be tracked separately for message dispatch.
     void processMessagePortMessagesSoon();
     void dispatchMessagePortEvents();
-    void createdMessagePort(MessagePort*);
-    void destroyedMessagePort(MessagePort*);
-    const HashSet<MessagePort*>& messagePorts() const { return m_messagePorts; }
+    void createdMessagePort(MessagePort&);
+    void destroyedMessagePort(MessagePort&);
 
     void ref() { refScriptExecutionContext(); }
@@ -186 +177 @@
     ActiveDOMObject::ReasonForSuspension reasonForSuspendingActiveDOMObjects() const { return m_reasonForSuspendingActiveDOMObjects; }
 
+    bool hasPendingActivity() const;
+
 private:
-    virtual void addMessage(MessageSource, MessageLevel, const String& message, const String& sourceURL, unsigned lineNumber, unsigned columnNumber, PassRefPtr<Inspector::ScriptCallStack>, JSC::ExecState* = 0, unsigned long requestIdentifier = 0) = 0;
+    virtual void addMessage(MessageSource, MessageLevel, const String& message, const String& sourceURL, unsigned lineNumber, unsigned columnNumber, PassRefPtr<Inspector::ScriptCallStack>, JSC::ExecState* = nullptr, unsigned long requestIdentifier = 0) = 0;
     virtual EventTarget* errorEventTarget() = 0;
     virtual void logExceptionToConsole(const String& errorMessage, const String& sourceURL, int lineNumber, int columnNumber, PassRefPtr<Inspector::ScriptCallStack>) = 0;
     bool dispatchErrorEvent(const String& errorMessage, int lineNumber, int columnNumber, const String& sourceURL, CachedScript*);
 
-    void closeMessagePorts();
-
     virtual void refScriptExecutionContext() = 0;
     virtual void derefScriptExecutionContext() = 0;
 
+    void checkConsistency() const;
+
     HashSet<MessagePort*> m_messagePorts;
     HashSet<ContextDestructionObserver*> m_destructionObservers;
-    ActiveDOMObjectsSet m_activeDOMObjects;
-    bool m_iteratingActiveDOMObjects;
-    bool m_inDestructor;
+    HashSet<ActiveDOMObject*> m_activeDOMObjects;
 
     int m_circularSequentialID;
-    typedef HashMap<int, DOMTimer*> TimeoutMap;
-    TimeoutMap m_timeouts;
+    HashMap<int, DOMTimer*> m_timeouts;
 
     bool m_inDispatchErrorEvent;
@@ -222 +212 @@
     RefPtr<DatabaseContext> m_databaseContext;
 #endif
+
+    bool m_activeDOMObjectAdditionForbidden;
+
+#if !ASSERT_DISABLED
+    bool m_inScriptExecutionContextDestructor;
+    bool m_activeDOMObjectRemovalForbidden;
+#endif
 };
 

trunk/Source/WebCore/workers/WorkerGlobalScope.cpp

@@ -160 +160 @@
 }
 
-bool WorkerGlobalScope::hasPendingActivity() const
-{
-    ActiveDOMObjectsSet::const_iterator activeObjectsEnd = activeDOMObjects().end();
-    for (ActiveDOMObjectsSet::const_iterator iter = activeDOMObjects().begin(); iter != activeObjectsEnd; ++iter) {
-        if ((*iter)->hasPendingActivity())
-            return true;
-    }
-
-    HashSet<MessagePort*>::const_iterator messagePortsEnd = messagePorts().end();
-    for (HashSet<MessagePort*>::const_iterator iter = messagePorts().begin(); iter != messagePortsEnd; ++iter) {
-        if ((*iter)->hasPendingActivity())
-            return true;
-    }
-
-    return false;
-}
-
 void WorkerGlobalScope::postTask(PassOwnPtr<Task> task)
 {

trunk/Source/WebCore/workers/WorkerGlobalScope.h

@@ -77 +77 @@
         WorkerThread& thread() const { return m_thread; }
 
-        bool hasPendingActivity() const;
+        using ScriptExecutionContext::hasPendingActivity;
 
         virtual void postTask(PassOwnPtr<Task>) override; // Executes the task on context's thread asynchronously.