Changeset 205410 in webkit


Timestamp:
Sep 3, 2016 4:25:47 PM (8 years ago)
Author:
rniwa@webkit.org
Message:

Unbreak customElements.whenDefined after r205383 with a crash fix
https://bugs.webkit.org/show_bug.cgi?id=161562

Reviewed by Darin Adler.

Source/WebCore:

The crash was caused by DeferredWrapper::contextDestroyed not calling ContextDestructionObserver::contextDestroyed.

This caused m_scriptExecutionContext to not be set to nullptr when the Document was destroyed before DOMWindow
during a single GC sweeping, and resulted in a use-after-free in ContextDestructionObserver's destructor.

Fixed the crash and reverted r205383.

Tests: fast/custom-elements/CustomElementRegistry.html

  • bindings/js/JSCustomElementRegistryCustom.cpp:

(WebCore::whenDefinedPromise):

  • bindings/js/JSDOMPromise.cpp:

(WebCore::DeferredWrapper::contextDestroyed): Fixed the crash.

  • dom/CustomElementRegistry.cpp:

(WebCore::CustomElementRegistry::addElementDefinition):

  • dom/CustomElementRegistry.h:

(WebCore::CustomElementRegistry::promiseMap):

LayoutTests:

Revert r205383 now that all test cases pass.

  • fast/custom-elements/CustomElementRegistry-expected.txt:
Location:
trunk
Files:
7 edited

  • trunk/LayoutTests/ChangeLog

    r205409 r205410  
     12016-09-03  Ryosuke Niwa  <rniwa@webkit.org>
     2
     3        Unbreak customElements.whenDefined after r205383 with a crash fix
     4        https://bugs.webkit.org/show_bug.cgi?id=161562
     5
     6        Reviewed by Darin Adler.
     7
     8        Revert r205383 now that all test cases pass.
     9
     10        * fast/custom-elements/CustomElementRegistry-expected.txt:
     11
    1122016-09-03  Chris Dumez  <cdumez@apple.com>
    213
  • trunk/LayoutTests/fast/custom-elements/CustomElementRegistry-expected.txt

    r205383 r205410  
    3030PASS customElements.get must return undefined when the registry does not contain an entry with the given name even if the name was not a valid custom element name
    3131PASS customElements.get return the constructor of the entry with the given name when there is a matching entry.
    32 FAIL customElements.whenDefined must return a promise for a valid custom element name assert_true: expected true got false
     32PASS customElements.whenDefined must return a promise for a valid custom element name
    3333PASS customElements.whenDefined must return the same promise each time invoked for a valid custom element name which has not been defined
    34 FAIL customElements.whenDefined must return an unresolved promise when the registry does not contain the entry with the given name undefined is not an object (evaluating 'customElements.whenDefined('a-b').then')
     34PASS customElements.whenDefined must return an unresolved promise when the registry does not contain the entry with the given name
    3535PASS customElements.whenDefined must return a rejected promise when the given name is not a valid custom element name
    3636PASS customElements.whenDefined must return a resolved promise when the registry contains the entry with the given name
    3737PASS customElements.whenDefined must return a new resolved promise each time invoked when the registry contains the entry with the given name
    38 FAIL A promise returned by customElements.whenDefined must be resolved by "define" undefined is not an object (evaluating 'promise.then')
     38PASS A promise returned by customElements.whenDefined must be resolved by "define"
    3939
  • trunk/Source/WebCore/ChangeLog

    r205409 r205410  
     12016-09-03  Ryosuke Niwa  <rniwa@webkit.org>
     2
     3        Unbreak customElements.whenDefined after r205383 with a crash fix
     4        https://bugs.webkit.org/show_bug.cgi?id=161562
     5
     6        Reviewed by Darin Adler.
     7
     8        The crash was caused by DeferredWrapper::contextDestroyed not calling ContextDestructionObserver::contextDestroyed.
     9
     10        This caused m_scriptExecutionContext to not being set to nullptr when the Document was destroyed before DOMWindow
     11        during a single GC sweeping, and resulted in a use-after-free in ContextDestructionObserver's destructor.
     12
     13        Fixed the crash and reverted r205383.
     14
     15        Tests: fast/custom-elements/CustomElementRegistry.html
     16
     17        * bindings/js/JSCustomElementRegistryCustom.cpp:
     18        (WebCore::whenDefinedPromise):
     19        * bindings/js/JSDOMPromise.cpp:
     20        (WebCore::DeferredWrapper::contextDestroyed): Fixed the crash.
     21        * dom/CustomElementRegistry.cpp:
     22        (WebCore::CustomElementRegistry::addElementDefinition):
     23        * dom/CustomElementRegistry.h:
     24        (WebCore::CustomElementRegistry::promiseMap):
     25
    1262016-09-03  Chris Dumez  <cdumez@apple.com>
    227
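Review bot: The entries for whenDefinedPromise, addElementDefinition and promiseMap at lines 17 to 24 have no description, so the ChangeLog does not say that they restore the code r205383 took out. A short "Restored after r205383" on each would make the revert traceable per function. Line 10 should also read "to not be set to nullptr".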
  • trunk/Source/WebCore/bindings/js/JSCustomElementRegistryCustom.cpp

    r205383 r205410  
    183183    }
    184184
    185     return jsUndefined();
     185    auto result = registry.promiseMap().ensure(localName, [&] {
     186        return DeferredWrapper::create(&state, &globalObject, JSPromiseDeferred::create(&state, &globalObject));
     187    });
     188
     189    return result.iterator->value->promise();
    186190}
    187191
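Review bot: Every distinct localName that reaches the ensure() call at line 185 leaves a Ref<DeferredWrapper> in promiseMap(), and the only removal visible in this changeset is the take() in addElementDefinition. A name that is never defined therefore keeps its wrapper alive for as long as the registry lives. Consider bounding this, or add a comment saying the lifetime is intended and why it is safe.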
  • trunk/Source/WebCore/bindings/js/JSDOMPromise.cpp

    r205257 r205410  
    6060void DeferredWrapper::contextDestroyed()
    6161{
     62    ActiveDOMCallback::contextDestroyed();
    6263    clear();
    6364}
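Review bot: The base-class call added at line 62 is the whole crash fix, but nothing in contextDestroyed() says why it has to be there, so a later cleanup could drop it again. A one-line comment stating that the base implementation must run so the observer's m_scriptExecutionContext is reset to nullptr would protect it. The commit message names ContextDestructionObserver::contextDestroyed while the call goes to ActiveDOMCallback::contextDestroyed; if the latter is what reaches the observer, the comment should say so. The only test listed is fast/custom-elements/CustomElementRegistry.html, and a regression test that destroys the Document before the DOMWindow in one GC sweep would cover the use-after-free directly.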
  • trunk/Source/WebCore/dom/CustomElementRegistry.cpp

    r205383 r205410  
    7979    if (auto* document = m_window.document())
    8080        enqueueUpgradeInShadowIncludingTreeOrder(*document, elementInterface.get());
     81
     82    if (auto promise = m_promiseMap.take(localName))
     83        promise.value()->resolve(nullptr);
    8184}
    8285
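Review bot: resolve(nullptr) at line 83 runs on a wrapper taken from m_promiseMap with no check that its context is still alive. DeferredWrapper::contextDestroyed() calls clear(), and nothing visible in this changeset removes a cleared wrapper from the map, so this call should either be confirmed safe after clear() or be guarded. A test that defines an element after the context has gone away would pin the behaviour down.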
  • trunk/Source/WebCore/dom/CustomElementRegistry.h

    r205383 r205410  
    6767    JSC::JSValue get(const AtomicString&);
    6868
     69    HashMap<AtomicString, Ref<DeferredWrapper>>& promiseMap() { return m_promiseMap; }
     70
    6971private:
    7072    CustomElementRegistry(DOMWindow&);
     
    7375    HashMap<AtomicString, Ref<JSCustomElementInterface>> m_nameMap;
    7476    HashMap<const JSC::JSObject*, JSCustomElementInterface*> m_constructorMap;
     77    HashMap<AtomicString, Ref<DeferredWrapper>> m_promiseMap;
    7578
    7679    bool m_elementDefinitionIsRunning { false };
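Review bot: promiseMap() at line 69 returns a mutable reference to the private m_promiseMap, which lets any caller insert, remove or clear entries behind the registry's back. The two uses in this changeset are an ensure() and a take(), so a narrower interface on CustomElementRegistry that offers just those two operations would keep the map's invariants in one place.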