Changeset 214713 in webkit

Timestamp:

Apr 1, 2017 12:47:17 AM (7 years ago)

Author:

ap@apple.com

Message:

Rolling back ​http://trac.webkit.org/r214663 - memory corruption

Source/WebCore:

• Modules/streams/ReadableByteStreamInternals.js:

(cloneArrayBuffer):

• bindings/js/JSDOMGlobalObject.cpp:

(WebCore::JSDOMGlobalObject::addBuiltinGlobals):

• bindings/js/StructuredClone.cpp:

(WebCore::structuredCloneArrayBuffer):
(WebCore::cloneArrayBufferImpl): Deleted.
(WebCore::cloneArrayBuffer): Deleted.

• bindings/js/StructuredClone.h:
• bindings/js/WebCoreBuiltinNames.h:
• testing/Internals.cpp:

(WebCore::markerTypeFrom):
(WebCore::Internals::resetToConsistentState):
(WebCore::Internals::isLoadingFromMemoryCache):
(WebCore::Internals::setImageFrameDecodingDuration):
(WebCore::deferredStyleRulesCountForList):
(WebCore::deferredGroupRulesCountForList):
(WebCore::deferredKeyframesRulesCountForList):
(WebCore::Internals::eventThrottlingBehaviorOverride):
(WebCore::Internals::enableMockSpeechSynthesizer):
(WebCore::Internals::rangeForDictionaryLookupAtLocation):
(WebCore::Internals::nodesFromRect):
(WebCore::Internals::layerIDForElement):
(WebCore::Internals::setElementUsesDisplayListDrawing):
(WebCore::Internals::setElementTracksDisplayListReplay):
(WebCore::Internals::styleRecalcCount):
(WebCore::Internals::compositingUpdateCount):
(WebCore::Internals::setCaptionDisplayMode):
(WebCore::Internals::endMediaSessionInterruption):
(WebCore::Internals::postRemoteControlCommand):
(WebCore::appendOffsets):
(WebCore::Internals::scrollSnapOffsets):
(WebCore::Internals::setShowAllPlugins):
(WebCore::Internals::cloneArrayBuffer): Deleted.

• testing/Internals.h:
• testing/Internals.idl:

LayoutTests:

• streams/readable-stream-byob-request-expected.txt:
• streams/readable-stream-byob-request.js:

(self.importScripts.test): Deleted.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/streams/readable-stream-byob-request-expected.txt (modified) (1 diff)
• LayoutTests/streams/readable-stream-byob-request.js (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/Modules/streams/ReadableByteStreamInternals.js (modified) (1 diff)
• Source/WebCore/bindings/js/JSDOMGlobalObject.cpp (modified) (1 diff)
• Source/WebCore/bindings/js/StructuredClone.cpp (modified) (2 diffs)
• Source/WebCore/bindings/js/StructuredClone.h (modified) (1 diff)
• Source/WebCore/bindings/js/WebCoreBuiltinNames.h (modified) (1 diff)
• Source/WebCore/testing/Internals.cpp (modified) (32 diffs)
• Source/WebCore/testing/Internals.h (modified) (4 diffs)
• Source/WebCore/testing/Internals.idl (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2017-04-01  Alexey Proskuryakov  <ap@apple.com>
+
+        Rolling back http://trac.webkit.org/r214663 - memory corruption
+
+        * streams/readable-stream-byob-request-expected.txt:
+        * streams/readable-stream-byob-request.js:
+        (self.importScripts.test): Deleted.
+
 2017-03-31  Zalan Bujtas  <zalan@apple.com>
 

trunk/LayoutTests/streams/readable-stream-byob-request-expected.txt

@@ -11 +11 @@
 PASS Calling respond() with a bytesWritten value greater than autoAllocateChunkSize should fail 
 PASS Calling respond() with a bytesWritten value lower than autoAllocateChunkSize should succeed 
-PASS Test cloneArrayBuffer implementation 
 PASS ReadableStreamBYOBRequest instances should have the correct list of properties 
 PASS By default, byobRequest should be undefined 

trunk/LayoutTests/streams/readable-stream-byob-request.js

@@ -242 +242 @@
 // so that more code can be covered.
 
-if (!self.importScripts) {
-    // Test only if not Worker.
-    const CloneArrayBuffer = internals.cloneArrayBuffer.bind(internals);
-
-    test(function() {
-        const typedArray = new Uint8Array([3, 5, 7]);
-        const clonedBuffer = CloneArrayBuffer(typedArray.buffer, 1, 1);
-        const otherArray = new Uint8Array(clonedBuffer);
-        assert_equals(otherArray.byteLength, 1);
-        assert_equals(otherArray.byteOffset, 0);
-        assert_equals(otherArray.buffer.byteLength, 1);
-        assert_equals(otherArray[0], 5);
-        // Check that when typedArray is modified, otherArray is not modified.
-        typedArray[1] = 0;
-        assert_equals(otherArray[0], 5);
-    }, "Test cloneArrayBuffer implementation");
-}
-
 done();

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2017-04-01  Alexey Proskuryakov  <ap@apple.com>
+
+        Rolling back http://trac.webkit.org/r214663 - memory corruption
+
+        * Modules/streams/ReadableByteStreamInternals.js:
+        (cloneArrayBuffer):
+        * bindings/js/JSDOMGlobalObject.cpp:
+        (WebCore::JSDOMGlobalObject::addBuiltinGlobals):
+        * bindings/js/StructuredClone.cpp:
+        (WebCore::structuredCloneArrayBuffer):
+        (WebCore::cloneArrayBufferImpl): Deleted.
+        (WebCore::cloneArrayBuffer): Deleted.
+        * bindings/js/StructuredClone.h:
+        * bindings/js/WebCoreBuiltinNames.h:
+        * testing/Internals.cpp:
+        (WebCore::markerTypeFrom):
+        (WebCore::Internals::resetToConsistentState):
+        (WebCore::Internals::isLoadingFromMemoryCache):
+        (WebCore::Internals::setImageFrameDecodingDuration):
+        (WebCore::deferredStyleRulesCountForList):
+        (WebCore::deferredGroupRulesCountForList):
+        (WebCore::deferredKeyframesRulesCountForList):
+        (WebCore::Internals::eventThrottlingBehaviorOverride):
+        (WebCore::Internals::enableMockSpeechSynthesizer):
+        (WebCore::Internals::rangeForDictionaryLookupAtLocation):
+        (WebCore::Internals::nodesFromRect):
+        (WebCore::Internals::layerIDForElement):
+        (WebCore::Internals::setElementUsesDisplayListDrawing):
+        (WebCore::Internals::setElementTracksDisplayListReplay):
+        (WebCore::Internals::styleRecalcCount):
+        (WebCore::Internals::compositingUpdateCount):
+        (WebCore::Internals::setCaptionDisplayMode):
+        (WebCore::Internals::endMediaSessionInterruption):
+        (WebCore::Internals::postRemoteControlCommand):
+        (WebCore::appendOffsets):
+        (WebCore::Internals::scrollSnapOffsets):
+        (WebCore::Internals::setShowAllPlugins):
+        (WebCore::Internals::cloneArrayBuffer): Deleted.
+        * testing/Internals.h:
+        * testing/Internals.idl:
+
 2017-03-31  Zalan Bujtas  <zalan@apple.com>
 

trunk/Source/WebCore/Modules/streams/ReadableByteStreamInternals.js

@@ -379 +379 @@
 }
 
+function cloneArrayBuffer(srcBuffer, srcByteOffset, srcLength)
+{
+    "use strict";
+
+    // FIXME: Below implementation returns the appropriate data but does not perform
+    // exactly what is described by ECMAScript CloneArrayBuffer operation. This should
+    // be fixed in a follow up patch implementing cloneArrayBuffer in JSC (similarly to
+    // structuredCloneArrayBuffer implementation).
+    return srcBuffer.slice(srcByteOffset, srcByteOffset + srcLength);
+}
+
 function readableByteStreamControllerRespondInReadableState(controller, bytesWritten, pullIntoDescriptor)
 {

trunk/Source/WebCore/bindings/js/JSDOMGlobalObject.cpp

@@ -143 +143 @@
         JSDOMGlobalObject::GlobalPropertyInfo(clientData.builtinNames().makeGetterTypeErrorPrivateName(),
             JSFunction::create(vm, this, 2, String(), makeGetterTypeErrorForBuiltins), DontDelete | ReadOnly),
-        JSDOMGlobalObject::GlobalPropertyInfo(clientData.builtinNames().cloneArrayBufferPrivateName(),
-            JSFunction::create(vm, this, 3, String(), cloneArrayBuffer), DontDelete | ReadOnly),
         JSDOMGlobalObject::GlobalPropertyInfo(clientData.builtinNames().structuredCloneArrayBufferPrivateName(),
             JSFunction::create(vm, this, 1, String(), structuredCloneArrayBuffer), DontDelete | ReadOnly),

trunk/Source/WebCore/bindings/js/StructuredClone.cpp

@@ -36 +36 @@
 namespace WebCore {
 
-EncodedJSValue JSC_HOST_CALL cloneArrayBufferImpl(ExecState*, bool);
-
-EncodedJSValue JSC_HOST_CALL cloneArrayBufferImpl(ExecState* state, bool isPartialClone)
+EncodedJSValue JSC_HOST_CALL structuredCloneArrayBuffer(ExecState* state)
 {
     ASSERT(state);
@@ -51 +49 @@
         return { };
     }
-    if (isPartialClone) {
-        ASSERT(state->argumentCount() == 3);
-        int srcByteOffset = static_cast<int>(state->uncheckedArgument(1).toNumber(state));
-        int srcLength = static_cast<int>(state->uncheckedArgument(2).toNumber(state));
-        buffer = buffer->slice(srcByteOffset, srcByteOffset + srcLength).get();
-    }
     return JSValue::encode(JSArrayBuffer::create(state->vm(), state->lexicalGlobalObject()->arrayBufferStructure(ArrayBufferSharingMode::Default), ArrayBuffer::tryCreate(buffer->data(), buffer->byteLength())));
-}
-
-EncodedJSValue JSC_HOST_CALL cloneArrayBuffer(ExecState* state)
-{
-    return cloneArrayBufferImpl(state, true);
-}
-
-EncodedJSValue JSC_HOST_CALL structuredCloneArrayBuffer(ExecState* state)
-{
-    return cloneArrayBufferImpl(state, false);
 }
 

trunk/Source/WebCore/bindings/js/StructuredClone.h

@@ -32 +32 @@
 namespace WebCore {
 
-JSC::EncodedJSValue JSC_HOST_CALL cloneArrayBuffer(JSC::ExecState*);
 JSC::EncodedJSValue JSC_HOST_CALL structuredCloneArrayBuffer(JSC::ExecState*);
 JSC::EncodedJSValue JSC_HOST_CALL structuredCloneArrayBufferView(JSC::ExecState*);

trunk/Source/WebCore/bindings/js/WebCoreBuiltinNames.h

@@ -40 +40 @@
     macro(byobRequest) \
     macro(cancel) \
-    macro(cloneArrayBuffer) \
     macro(cloneForJS) \
     macro(closeRequested) \

trunk/Source/WebCore/testing/Internals.cpp

@@ -352 +352 @@
     else
         return false;
-
+    
     return true;
 }
@@ -392 +392 @@
 
     page.setDefersLoading(false);
-
+    
     page.mainFrame().setTextZoomFactor(1.0f);
-
+    
     FrameView* mainFrameView = page.mainFrame().view();
     if (mainFrameView) {
@@ -597 +597 @@
     ResourceRequest request(contextDocument()->completeURL(url));
     request.setDomainForCachePartition(contextDocument()->topOrigin().domainForCachePartition());
-
+    
     CachedResource* resource = MemoryCache::singleton().resourceForRequest(request, contextDocument()->page()->sessionID());
     return resource && resource->status() == CachedResource::Cached;
@@ -725 +725 @@
     if (!cachedImage)
         return;
-
+    
     auto* image = cachedImage->image();
     if (!is<BitmapImage>(image))
         return;
-
+    
     downcast<BitmapImage>(*image).setFrameDecodingDurationForTesting(duration);
 }
@@ -989 +989 @@
             continue;
         }
-
+        
         StyleRuleGroup* groupRule = nullptr;
         if (is<StyleRuleMedia>(rule.get()))
@@ -997 +997 @@
         if (!groupRule)
             continue;
-
+        
         auto* groupChildRules = groupRule->childRulesWithoutDeferredParsing();
         if (!groupChildRules)
             continue;
-
+        
         count += deferredStyleRulesCountForList(*groupChildRules);
     }
@@ -1024 +1024 @@
         if (!groupRule)
             continue;
-
+        
         auto* groupChildRules = groupRule->childRulesWithoutDeferredParsing();
         if (!groupChildRules)
@@ -1049 +1049 @@
             continue;
         }
-
+        
         StyleRuleGroup* groupRule = nullptr;
         if (is<StyleRuleMedia>(rule.get()))
@@ -1057 +1057 @@
         if (!groupRule)
             continue;
-
+        
         auto* groupChildRules = groupRule->childRulesWithoutDeferredParsing();
         if (!groupChildRules)
             continue;
-
+        
         count += deferredKeyframesRulesCountForList(*groupChildRules);
     }
-
+    
     return count;
 }
@@ -1137 +1137 @@
     if (!behavior)
         return std::nullopt;
-
+    
     switch (behavior.value()) {
     case WebCore::EventThrottlingBehavior::Responsive:
@@ -1202 +1202 @@
     if (!synthesis)
         return;
-
+    
     synthesis->setPlatformSynthesizer(std::make_unique<PlatformSpeechSynthesizerMock>(synthesis));
 }
@@ -1634 +1634 @@
 
     document->updateLayoutIgnorePendingStylesheets();
-
+    
     HitTestResult result = document->frame()->mainFrame().eventHandler().hitTestResultAtPoint(IntPoint(x, y));
     NSDictionary *options = nullptr;
@@ -1790 +1790 @@
         HitTestResult result(point, topPadding, rightPadding, bottomPadding, leftPadding);
         renderView->hitTest(request, result);
-
+        
         const HitTestResult::NodeSet& nodeSet = result.rectBasedTestResult();
         matches.reserveInitialCapacity(nodeSet.size());
@@ -1911 +1911 @@
     return document->frame()->editor().selectionStartHasMarkerFor(DocumentMarker::Spelling, from, length);
 }
-
+    
 bool Internals::hasAutocorrectedMarker(int from, int length)
 {
@@ -2164 +2164 @@
     return count;
 }
-
+    
 ExceptionOr<bool> Internals::isPageBoxVisible(int pageNumber)
 {
@@ -2217 +2217 @@
     if (!layerModelObject.layer()->isComposited())
         return Exception { NOT_FOUND_ERR };
-
+    
     auto* backing = layerModelObject.layer()->backing();
     return backing->graphicsLayer()->primaryLayerID();
@@ -2286 +2286 @@
     if (!element.renderer()->hasLayer())
         return Exception { INVALID_ACCESS_ERR };
-
+    
     RenderLayer* layer = downcast<RenderLayerModelObject>(element.renderer())->layer();
     if (!layer->isComposited())
         return Exception { INVALID_ACCESS_ERR };
-
+    
     layer->backing()->setUsesDisplayListDrawing(usesDisplayListDrawing);
     return { };
@@ -2315 +2315 @@
     if (!layer->isComposited())
         return Exception { INVALID_ACCESS_ERR };
-
+    
     layer->backing()->setIsTrackingDisplayListReplay(isTrackingReplay);
     return { };
@@ -2555 +2555 @@
     document->view()->setFooterHeight(height);
 }
-
+    
 void Internals::setTopContentInset(float contentInset)
 {
@@ -2699 +2699 @@
     if (!document)
         return Exception { INVALID_ACCESS_ERR };
-
+    
     return document->styleRecalcCount();
 }
@@ -2726 +2726 @@
     if (!document || !document->renderView())
         return Exception { INVALID_ACCESS_ERR };
-
+    
     return document->renderView()->compositor().compositingUpdateCount();
 }
@@ -3018 +3018 @@
     if (!document || !document->page())
         return Exception { INVALID_ACCESS_ERR };
-
+    
 #if ENABLE(VIDEO_TRACK)
     auto& captionPreferences = document->page()->group().captionPreferences();
-
+    
     if (equalLettersIgnoringASCIICase(mode, "automatic"))
         captionPreferences.setCaptionDisplayMode(CaptionUserPreferences::Automatic);
@@ -3086 +3086 @@
     return downcast<RenderEmbeddedObject>(*renderer).isReplacementObscured();
 }
-
+    
 bool Internals::isPluginSnapshotted(Element& element)
 {
     return is<HTMLPlugInElement>(element) && downcast<HTMLPlugInElement>(element).displayState() <= HTMLPlugInElement::DisplayingSnapshot;
 }
-
+    
 #if ENABLE(MEDIA_SOURCE)
 
@@ -3109 +3109 @@
     return buffer.bufferedSamplesForTrackID(trackID);
 }
-
+    
 Vector<String> Internals::enqueuedSamplesForTrackID(SourceBuffer& buffer, const AtomicString& trackID)
 {
@@ -3149 +3149 @@
     if (equalLettersIgnoringASCIICase(flagsString, "mayresumeplaying"))
         flags = PlatformMediaSession::MayResumePlaying;
-
+    
     PlatformMediaSessionManager::sharedManager().endInterruption(flags);
 }
@@ -3302 +3302 @@
     else
         return Exception { INVALID_ACCESS_ERR };
-
+    
     PlatformMediaSessionManager::sharedManager().didReceiveRemoteControlCommand(command, &parameter);
     return { };
@@ -3573 +3573 @@
         else
             justStarting = false;
-
+        
         builder.append(String::number(coordinate.toUnsigned()));
     }
     builder.appendLiteral(" }");
 }
-
+    
 void Internals::setPlatformMomentumScrollingPredictionEnabled(bool enabled)
 {
@@ -3593 +3593 @@
     RenderBox& box = *element.renderBox();
     ScrollableArea* scrollableArea;
-
+    
     if (box.isBody()) {
         FrameView* frameView = box.frame().mainFrame().view();
@@ -3599 +3599 @@
             return Exception { INVALID_ACCESS_ERR };
         scrollableArea = frameView;
-
+        
     } else {
         if (!box.canBeScrolledAndHasScrollableArea())
@@ -3608 +3608 @@
     if (!scrollableArea)
         return String();
-
+    
     StringBuilder result;
 
@@ -3697 +3697 @@
     if (!document)
         return;
-
+    
     Page* page = document->page();
     if (!page)
@@ -3730 +3730 @@
 }
 
-#if ENABLE(READABLE_BYTE_STREAM_API)
-
-JSValue Internals::cloneArrayBuffer(JSC::ExecState& state, JSValue buffer, JSValue srcByteOffset, JSValue srcLength)
-{
-    JSGlobalObject* globalObject = state.vmEntryGlobalObject();
-    JSVMClientData* clientData = static_cast<JSVMClientData*>(state.vm().clientData);
-    const Identifier& privateName = clientData->builtinNames().cloneArrayBufferPrivateName();
-    JSValue value;
-    PropertySlot propertySlot(value, PropertySlot::InternalMethodType::Get);
-    globalObject->methodTable()->getOwnPropertySlot(globalObject, &state, privateName, propertySlot);
-    value = propertySlot.getValue(&state, privateName);
-    ASSERT(value.isFunction());
-
-    JSObject* function = value.getObject();
-    CallData callData;
-    CallType callType = JSC::getCallData(function, callData);
-    ASSERT(callType != JSC::CallType::None);
-    MarkedArgumentBuffer arguments;
-    arguments.append(buffer);
-    arguments.append(srcByteOffset);
-    arguments.append(srcLength);
-
-    return JSC::call(&state, function, callType, callData, JSC::jsUndefined(), arguments);
-}
-
-#endif
 #endif
 

trunk/Source/WebCore/testing/Internals.h

@@ -189 +189 @@
     void invalidateFontCache();
     void setFontSmoothingEnabled(bool);
-
+    
     ExceptionOr<void> setLowPowerModeEnabled(bool);
 
     ExceptionOr<void> setScrollViewPosition(int x, int y);
-
+    
     ExceptionOr<Ref<ClientRect>> layoutViewportRect();
     ExceptionOr<Ref<ClientRect>> visualViewportRect();
-
+    
     ExceptionOr<void> setViewBaseBackgroundColor(const String& colorValue);
 
@@ -369 +369 @@
     ExceptionOr<void> startTrackingLayerFlushes();
     ExceptionOr<unsigned> layerFlushCount();
-
+    
     ExceptionOr<void> startTrackingStyleRecalcs();
     ExceptionOr<unsigned> styleRecalcCount();
@@ -524 +524 @@
 #if ENABLE(READABLE_STREAM_API)
     bool isReadableStreamDisturbed(JSC::ExecState&, JSC::JSValue);
-#if ENABLE(READABLE_BYTE_STREAM_API)
-    JSC::JSValue cloneArrayBuffer(JSC::ExecState&, JSC::JSValue, JSC::JSValue, JSC::JSValue);
-#endif
 #endif
 
     String composedTreeAsText(Node&);
-
+    
     bool isProcessingUserGesture();
 
@@ -539 +536 @@
 
     bool userPrefersReducedMotion() const;
-
+    
     void reportBacktrace();
 

trunk/Source/WebCore/testing/Internals.idl

@@ -491 +491 @@
     void setShowAllPlugins(boolean showAll);
 
-    [Conditional=READABLE_STREAM_API&READABLE_BYTE_STREAM_API, CallWith=ScriptState] any cloneArrayBuffer(any buffer, any srcByteOffset, any byteLength);
     [Conditional=READABLE_STREAM_API, CallWith=ScriptState] boolean isReadableStreamDisturbed(any stream);