Changeset 234539 in webkit

Timestamp:

Aug 3, 2018 1:16:48 AM (6 years ago)

Author:

rniwa@webkit.org

Message:

Release assert when throwing exceptions in custom element reactions
​https://bugs.webkit.org/show_bug.cgi?id=187805
<rdar://problem/42432714>

Reviewed by Saam Barati.

LayoutTests/imported/w3c:

Generated the expected result.

• web-platform-tests/custom-elements/reactions/with-exceptions-expected.txt: Added.

Source/WebCore:

The release assertion was hit because we were not catching & re-throwing the exception thrown by DOM API
before trying to execute custom elements reactions in ~CustomElementReactionStack as specified here:
​https://html.spec.whatwg.org/multipage/custom-elements.html#cereactions
Fixed the bug by capturing the exception and re-throwing the exception as specified.

Tests: imported/w3c/web-platform-tests/custom-elements/reactions/with-exceptions.html

• bindings/js/JSMainThreadExecState.h:

(WebCore::JSMainThreadNullState::JSMainThreadNullState): Use the previous JS state.

• bindings/scripts/CodeGeneratorJS.pm:

(GeneratePut): Pass in the exec state to CustomElementReactionStack.
(GeneratePutByIndex): Ditto.
(GenerateDefineOwnProperty): Ditto.
(GenerateDeletePropertyCommon): Ditto.
(GenerateAttributeSetterBodyDefinition): Ditto.
(GenerateOperationBodyDefinition): Ditto.

• bindings/scripts/test/JS/JSTestCEReactions.cpp:

(WebCore::setJSTestCEReactionsAttributeWithCEReactionsSetter):
(WebCore::setJSTestCEReactionsReflectAttributeWithCEReactionsSetter):
(WebCore::jsTestCEReactionsPrototypeFunctionMethodWithCEReactionsBody):

• bindings/scripts/test/JS/JSTestCEReactionsStringifier.cpp:

(WebCore::setJSTestCEReactionsStringifierValueSetter):

• dom/CustomElementReactionQueue.cpp:

(WebCore::CustomElementReactionQueue::ElementQueue::processQueue): Added. If there is a script running
in the stack (i.e. ExecState is not null), catch any exception before executing custom element reactions,
then re-throw the exception afterwards. ExecState is null when DOM API is invoked via Objective-C bindings
or when custom element reactions are executed in the backup queue (e.g. for editing operations).
(WebCore::CustomElementReactionStack::processQueue):
(WebCore::CustomElementReactionQueue::processBackupQueue):

• dom/CustomElementReactionQueue.h:

(WebCore::CustomElementReactionStack::CustomElementReactionStack):
(WebCore::CustomElementReactionStack::~CustomElementReactionStack):

LayoutTests:

Unskipped the previously crashing test.

• TestExpectations:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/TestExpectations (modified) (1 diff)
• LayoutTests/imported/w3c/ChangeLog (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/custom-elements/reactions/with-exceptions-expected.txt (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/bindings/js/JSMainThreadExecState.h (modified) (1 diff)
• Source/WebCore/bindings/scripts/CodeGeneratorJS.pm (modified) (6 diffs)
• Source/WebCore/bindings/scripts/test/JS/JSTestCEReactions.cpp (modified) (3 diffs)
• Source/WebCore/bindings/scripts/test/JS/JSTestCEReactionsStringifier.cpp (modified) (1 diff)
• Source/WebCore/dom/CustomElementReactionQueue.cpp (modified) (4 diffs)
• Source/WebCore/dom/CustomElementReactionQueue.h (modified) (3 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2018-08-02  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Release assert when throwing exceptions in custom element reactions
+        https://bugs.webkit.org/show_bug.cgi?id=187805
+        <rdar://problem/42432714>
+
+        Reviewed by Saam Barati.
+
+        Unskipped the previously crashing test.
+
+        * TestExpectations:
+
 2018-08-02  Basuke Suzuki  <Basuke.Suzuki@sony.com>
 

trunk/LayoutTests/TestExpectations

@@ -572 +572 @@
 webkit.org/b/187800 imported/w3c/web-platform-tests/custom-elements/Document-createElement-svg.svg [ Skip ]
 webkit.org/b/187802 imported/w3c/web-platform-tests/custom-elements/parser/parser-uses-create-an-element-for-a-token-svg.svg [ Skip ]
-webkit.org/b/187805 imported/w3c/web-platform-tests/custom-elements/reactions/with-exceptions.html [ Skip ]
 
 # selectors

trunk/LayoutTests/imported/w3c/ChangeLog

@@ +1 @@
+2018-08-02  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Release assert when throwing exceptions in custom element reactions
+        https://bugs.webkit.org/show_bug.cgi?id=187805
+        <rdar://problem/42432714>
+
+        Reviewed by Saam Barati.
+
+        Generated the expected result.
+
+        * web-platform-tests/custom-elements/reactions/with-exceptions-expected.txt: Added.
+
 2018-08-01  Ryosuke Niwa  <rniwa@webkit.org>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2018-08-02  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Release assert when throwing exceptions in custom element reactions
+        https://bugs.webkit.org/show_bug.cgi?id=187805
+        <rdar://problem/42432714>
+
+        Reviewed by Saam Barati.
+
+        The release assertion was hit because we were not catching & re-throwing the exception thrown by DOM API
+        before trying to execute custom elements reactions in ~CustomElementReactionStack as specified here:
+        https://html.spec.whatwg.org/multipage/custom-elements.html#cereactions
+        Fixed the bug by capturing the exception and re-throwing the exception as specified.
+
+        Tests: imported/w3c/web-platform-tests/custom-elements/reactions/with-exceptions.html
+
+        * bindings/js/JSMainThreadExecState.h:
+        (WebCore::JSMainThreadNullState::JSMainThreadNullState): Use the previous JS state.
+        * bindings/scripts/CodeGeneratorJS.pm:
+        (GeneratePut): Pass in the exec state to CustomElementReactionStack.
+        (GeneratePutByIndex): Ditto.
+        (GenerateDefineOwnProperty): Ditto.
+        (GenerateDeletePropertyCommon): Ditto.
+        (GenerateAttributeSetterBodyDefinition): Ditto.
+        (GenerateOperationBodyDefinition): Ditto.
+        * bindings/scripts/test/JS/JSTestCEReactions.cpp:
+        (WebCore::setJSTestCEReactionsAttributeWithCEReactionsSetter):
+        (WebCore::setJSTestCEReactionsReflectAttributeWithCEReactionsSetter):
+        (WebCore::jsTestCEReactionsPrototypeFunctionMethodWithCEReactionsBody):
+        * bindings/scripts/test/JS/JSTestCEReactionsStringifier.cpp:
+        (WebCore::setJSTestCEReactionsStringifierValueSetter):
+        * dom/CustomElementReactionQueue.cpp:
+        (WebCore::CustomElementReactionQueue::ElementQueue::processQueue): Added. If there is a script running
+        in the stack (i.e. ExecState is not null), catch any exception before executing custom element reactions,
+        then re-throw the exception afterwards. ExecState is null when DOM API is invoked via Objective-C bindings
+        or when custom element reactions are executed in the backup queue (e.g. for editing operations).
+        (WebCore::CustomElementReactionStack::processQueue):
+        (WebCore::CustomElementReactionQueue::processBackupQueue):
+        * dom/CustomElementReactionQueue.h:
+        (WebCore::CustomElementReactionStack::CustomElementReactionStack):
+        (WebCore::CustomElementReactionStack::~CustomElementReactionStack):
+
 2018-08-02  Zalan Bujtas  <zalan@apple.com>
 

trunk/Source/WebCore/bindings/js/JSMainThreadExecState.h

@@ -162 +162 @@
     explicit JSMainThreadNullState()
         : m_previousState(JSMainThreadExecState::s_mainThreadState)
+        , m_customElementReactionStack(m_previousState)
     {
         ASSERT(isMainThread());

trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm

@@ -933 +933 @@
     
     if (($namedSetterOperation && $namedSetterOperation->extendedAttributes->{CEReactions}) || ($indexedSetterOperation && $indexedSetterOperation->extendedAttributes->{CEReactions})) {
-        push(@$outputArray, "    CustomElementReactionStack customElementReactionStack;\n\n");
+        push(@$outputArray, "    CustomElementReactionStack customElementReactionStack(*state);\n\n");
         AddToImplIncludes("CustomElementReactionQueue.h");
     }
@@ -1005 +1005 @@
     
     if (($namedSetterOperation && $namedSetterOperation->extendedAttributes->{CEReactions}) || ($indexedSetterOperation && $indexedSetterOperation->extendedAttributes->{CEReactions})) {
-        push(@$outputArray, "    CustomElementReactionStack customElementReactionStack;\n\n");
+        push(@$outputArray, "    CustomElementReactionStack customElementReactionStack(*state);\n\n");
         AddToImplIncludes("CustomElementReactionQueue.h");
     }
@@ -1101 +1101 @@
     
     if (($namedSetterOperation && $namedSetterOperation->extendedAttributes->{CEReactions}) || ($indexedSetterOperation && $indexedSetterOperation->extendedAttributes->{CEReactions})) {
-        push(@$outputArray, "    CustomElementReactionStack customElementReactionStack;\n\n");
+        push(@$outputArray, "    CustomElementReactionStack customElementReactionStack(*state);\n\n");
         AddToImplIncludes("CustomElementReactionQueue.h");
     }
@@ -1225 +1225 @@
 
     if ($operation->extendedAttributes->{CEReactions}) {
-        push(@$outputArray, "        CustomElementReactionStack customElementReactionStack;\n");
+        push(@$outputArray, "        CustomElementReactionStack customElementReactionStack(*state);\n");
         AddToImplIncludes("CustomElementReactionQueue.h", $conditional);
     }
@@ -4845 +4845 @@
     
     if ($attribute->extendedAttributes->{CEReactions}) {
-        push(@$outputArray, "    CustomElementReactionStack customElementReactionStack;\n");
+        push(@$outputArray, "    CustomElementReactionStack customElementReactionStack(state);\n");
         AddToImplIncludes("CustomElementReactionQueue.h", $conditional);
     }
@@ -5071 +5071 @@
         if ($operation->extendedAttributes->{CEReactions}) {
             AddToImplIncludes("CustomElementReactionQueue.h", $conditional);
-            push(@$outputArray, "    CustomElementReactionStack customElementReactionStack;\n");
+            push(@$outputArray, "    CustomElementReactionStack customElementReactionStack(*state);\n");
         }
 

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCEReactions.cpp

@@ -204 +204 @@
 {
     UNUSED_PARAM(throwScope);
-    CustomElementReactionStack customElementReactionStack;
+    CustomElementReactionStack customElementReactionStack(state);
     auto& impl = thisObject.wrapped();
     auto nativeValue = convert<IDLDOMString>(state, value);
@@ -236 +236 @@
 {
     UNUSED_PARAM(throwScope);
-    CustomElementReactionStack customElementReactionStack;
+    CustomElementReactionStack customElementReactionStack(state);
     auto& impl = thisObject.wrapped();
     auto nativeValue = convert<IDLDOMString>(state, value);
@@ -291 +291 @@
     UNUSED_PARAM(state);
     UNUSED_PARAM(throwScope);
-    CustomElementReactionStack customElementReactionStack;
+    CustomElementReactionStack customElementReactionStack(*state);
     auto& impl = castedThis->wrapped();
     impl.methodWithCEReactions();

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCEReactionsStringifier.cpp

@@ -194 +194 @@
 {
     UNUSED_PARAM(throwScope);
-    CustomElementReactionStack customElementReactionStack;
+    CustomElementReactionStack customElementReactionStack(state);
     auto& impl = thisObject.wrapped();
     auto nativeValue = convert<IDLDOMString>(state, value);

trunk/Source/WebCore/dom/CustomElementReactionQueue.cpp

@@ -35 +35 @@
 #include "JSDOMBinding.h"
 #include "Microtasks.h"
+#include <JavaScriptCore/CatchScope.h>
 #include <JavaScriptCore/Heap.h>
 #include <wtf/NeverDestroyed.h>
@@ -232 +233 @@
 }
 
+inline void CustomElementReactionQueue::ElementQueue::processQueue(JSC::ExecState* state)
+{
+    if (!state) {
+        invokeAll();
+        return;
+    }
+
+    auto& vm = state->vm();
+    JSC::JSLockHolder lock(vm);
+
+    JSC::Exception* previousException = nullptr;
+    {
+        auto catchScope = DECLARE_CATCH_SCOPE(vm);
+        previousException = catchScope.exception();
+        if (previousException)
+            catchScope.clearException();
+    }
+
+    invokeAll();
+
+    if (previousException) {
+        auto throwScope = DECLARE_THROW_SCOPE(vm);
+        throwException(state, throwScope, previousException);
+    }
+}
+
 CustomElementReactionQueue& CustomElementReactionQueue::ensureCurrentQueue(Element& element)
 {
@@ -250 +277 @@
 CustomElementReactionStack* CustomElementReactionStack::s_currentProcessingStack = nullptr;
 
-void CustomElementReactionStack::processQueue()
+void CustomElementReactionStack::processQueue(JSC::ExecState* state)
 {
     ASSERT(m_queue);
-    m_queue->invokeAll();
+    m_queue->processQueue(state);
     delete m_queue;
     m_queue = nullptr;
@@ -281 +308 @@
 void CustomElementReactionQueue::processBackupQueue()
 {
-    backupElementQueue().invokeAll();
+    backupElementQueue().processQueue(nullptr);
     s_processingBackupElementQueue = false;
 }

trunk/Source/WebCore/dom/CustomElementReactionQueue.h

@@ -29 +29 @@
 #include <wtf/Noncopyable.h>
 #include <wtf/Vector.h>
+
+namespace JSC {
+
+class ExecState;
+
+}
 
 namespace WebCore {
@@ -61 +67 @@
     public:
         void add(Element&);
+        void processQueue(JSC::ExecState*);
+
+    private:
         void invokeAll();
-        
-    private:
+
         Vector<Ref<Element>> m_elements;
         bool m_invoking { false };
@@ -79 +87 @@
 class CustomElementReactionStack {
 public:
-    CustomElementReactionStack()
+    ALWAYS_INLINE CustomElementReactionStack(JSC::ExecState* state)
         : m_previousProcessingStack(s_currentProcessingStack)
+        , m_state(state)
     {
         s_currentProcessingStack = this;
     }
 
-    ~CustomElementReactionStack()
+    ALWAYS_INLINE CustomElementReactionStack(JSC::ExecState& state)
+        : CustomElementReactionStack(&state)
+    { }
+
+    ALWAYS_INLINE ~CustomElementReactionStack()
     {
         if (UNLIKELY(m_queue))
-            processQueue();
+            processQueue(m_state);
         s_currentProcessingStack = m_previousProcessingStack;
     }
 
 private:
-    WEBCORE_EXPORT void processQueue();
+    WEBCORE_EXPORT void processQueue(JSC::ExecState*);
 
     CustomElementReactionQueue::ElementQueue* m_queue { nullptr }; // Use raw pointer to avoid generating delete in the destructor.
     CustomElementReactionStack* m_previousProcessingStack;
+    JSC::ExecState* m_state;
 
     WEBCORE_EXPORT static CustomElementReactionStack* s_currentProcessingStack;