Changeset 208481 in webkit
- Timestamp: Nov 9, 2016 1:33:23 PM
- Location: trunk
- Files: 2 added, 4 edited
trunk/LayoutTests/ChangeLog
r208478 r208481 1 2016-11-09 Yusuke Suzuki <utatane.tea@gmail.com> 2 3 [DOMJIT] Implement Node::ownerDocument 4 https://bugs.webkit.org/show_bug.cgi?id=164004 5 6 Reviewed by Darin Adler. 7 8 * js/dom/domjit-accessor-owner-document-expected.txt: Added. 9 * js/dom/domjit-accessor-owner-document.html: Added. 10 1 11 2016-11-09 Dave Hyatt <hyatt@apple.com> 2 12 -
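Review bot: The two added test files are only listed here, their contents are not shown in this changeset, and the WebCore ChangeLog says the earlier crash could not be reproduced on x64, so the test needs to be the thing that pins the semantics down: it should at least check `document.ownerDocument === null`, that an element created by `document` reports `document`, that a node moved with `adoptNode` reports the new document, and it should call the accessor in a loop long enough for the optimizing tiers to take the DOMJIT getter rather than only the interpreter path; please confirm js/dom/domjit-accessor-owner-document.html covers those cases.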
trunk/Source/WebCore/ChangeLog
r208480 r208481 1 2016-11-09 Yusuke Suzuki <utatane.tea@gmail.com> 2 3 [DOMJIT] Implement Node::ownerDocument 4 https://bugs.webkit.org/show_bug.cgi?id=164004 5 6 Reviewed by Darin Adler. 7 8 Test: js/dom/domjit-accessor-owner-document.html 9 10 Still I cannot reproduce this crash in x64 environment, according to the crash log, it accesses 0x8 address. 11 This can happen if document() accidentally returns nullptr. In the C++ ownerDocument implementation, 12 if document() returns nullptr, it just returns nullptr. But in the DOMJIT implementation, we assume that 13 document() won't return nullptr and access the member of it. 14 15 This patch aligns the DOMJIT implementation strictly to the C++ one. 16 17 * dom/Node.idl: 18 * domjit/JSNodeDOMJIT.cpp: 19 (WebCore::NodeOwnerDocumentDOMJIT::checkDOM): 20 (WebCore::NodeOwnerDocumentDOMJIT::callDOMGetter): 21 1 22 2016-11-09 Sam Weinig <sam@webkit.org> 2 23 -
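Review bot: The description says the DOMJIT getter is now aligned with the C++ ownerDocument for the case where document() returns nullptr, but the JSNodeDOMJIT.cpp change in this same changeset adds a single null case, the `wrapped == document` comparison, and no test of `document` against null; either name the branch that handles a null document pointer here or add that check to the code so the ChangeLog and the patchpoint say the same thing. If this is a re-landing after a revert, cite the reverting revision so a reader can diff against the version that produced the 0x8 access in the crash log.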
trunk/Source/WebCore/dom/Node.idl
r208351 r208481 54 54 [DOMJIT] readonly attribute Node? previousSibling; 55 55 [DOMJIT] readonly attribute Node? nextSibling; 56 readonly attribute Document? ownerDocument;56 [DOMJIT] readonly attribute Document? ownerDocument; 57 57 58 58 [CEReactions, Custom, MayThrowLegacyException] Node insertBefore(Node newChild, Node? refChild); -
trunk/Source/WebCore/domjit/JSNodeDOMJIT.cpp
r208351 r208481 158 158 } 159 159 160 Ref<JSC::DOMJIT::Patchpoint> NodeOwnerDocumentDOMJIT::checkDOM() 161 { 162 return DOMJIT::checkDOM<Node>(); 163 } 164 165 Ref<JSC::DOMJIT::CallDOMGetterPatchpoint> NodeOwnerDocumentDOMJIT::callDOMGetter() 166 { 167 Ref<JSC::DOMJIT::CallDOMGetterPatchpoint> patchpoint = JSC::DOMJIT::CallDOMGetterPatchpoint::create(); 168 patchpoint->numGPScratchRegisters = 2; 169 patchpoint->setGenerator([=](CCallHelpers& jit, JSC::DOMJIT::PatchpointParams& params) { 170 JSValueRegs result = params[0].jsValueRegs(); 171 GPRReg node = params[1].gpr(); 172 GPRReg globalObject = params[2].gpr(); 173 JSValue globalObjectValue = params[2].value(); 174 GPRReg wrapped = params.gpScratch(0); 175 GPRReg document = params.gpScratch(1); 176 177 jit.loadPtr(CCallHelpers::Address(node, JSNode::offsetOfWrapped()), wrapped); 178 DOMJIT::loadDocument(jit, wrapped, document); 179 RELEASE_ASSERT(!CAST_OFFSET(EventTarget*, Node*)); 180 RELEASE_ASSERT(!CAST_OFFSET(Node*, Document*)); 181 182 CCallHelpers::JumpList nullCases; 183 // If the |this| is the document itself, ownerDocument will return null. 184 nullCases.append(jit.branchPtr(CCallHelpers::Equal, wrapped, document)); 185 DOMJIT::toWrapper<Document>(jit, params, document, globalObject, result, DOMJIT::toWrapperSlow<Document>, globalObjectValue); 186 auto done = jit.jump(); 187 188 nullCases.link(&jit); 189 jit.moveValue(jsNull(), result); 190 done.link(&jit); 191 return CCallHelpers::JumpList(); 192 }); 193 patchpoint->effect = JSC::DOMJIT::Effect::forDef(DOMJIT::AbstractHeapRepository::Node_ownerDocument); 194 return patchpoint; 195 } 196 160 197 } 161 198
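Review bot: In NodeOwnerDocumentDOMJIT::callDOMGetter the only entry in `nullCases` is `jit.branchPtr(CCallHelpers::Equal, wrapped, document)`, so if `DOMJIT::loadDocument` can leave a null pointer in `document` (the situation the ChangeLog describes as the cause of the crash) the fast path still hands that null to `DOMJIT::toWrapper<Document>` to look up the wrapper, which is exactly the small-offset read the crash log reports. Add `nullCases.append(jit.branchTestPtr(CCallHelpers::Zero, document));` directly after the `DOMJIT::loadDocument(jit, wrapped, document);` call, before the `Equal` branch, so both null cases fall through to the `jit.moveValue(jsNull(), result)` label; if the loaded pointer genuinely cannot be null, say so in a comment next to the existing `// If the |this| is the document itself` line, because the ChangeLog currently claims the opposite.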