Changeset 259009 in webkit

Timestamp:

Mar 25, 2020 2:16:13 PM (4 years ago)

Author:

Chris Dumez

Message:

Event listeners registered with 'once' option may get garbage collected too soon
​https://bugs.webkit.org/show_bug.cgi?id=209504
<rdar://problem/60541567>

Reviewed by Yusuke Suzuki.

Source/JavaScriptCore:

Add EnsureStillAliveScope RAII object for ensureStillAliveHere().

• runtime/JSCJSValue.h:

(JSC::EnsureStillAliveScope::EnsureStillAliveScope):
(JSC::EnsureStillAliveScope::~EnsureStillAliveScope):

Source/WebCore:

In EventTarget::innerInvokeEventListeners, if the listener we're about to call is a one-time
listener (has 'once' flag set), we would first unregister the event listener and then call
it, as per the DOM specification. However, once unregistered, the event listener is no longer
visited for GC purposes and its internal JS Function may get garbage collected before we get
a chance to call it.

To address the issue, we now make sure the JS Function (and its wrapper) stay alive for the
duration of the scope using ensureStillAliveHere().

Test: http/tests/inspector/network/har/har-page-aggressive-gc.html

• bindings/js/JSEventListener.h:
• dom/EventListener.h:

(WebCore::EventListener::jsFunction const):
(WebCore::EventListener::wrapper const):

• dom/EventTarget.cpp:

(WebCore::EventTarget::innerInvokeEventListeners):

LayoutTests:

Add layout test coverage.

• http/tests/inspector/network/har/har-page-aggressive-gc-expected.txt: Added.
• http/tests/inspector/network/har/har-page-aggressive-gc.html: Added.
• platform/gtk/TestExpectations:
• platform/mac-wk1/TestExpectations:
• platform/mac-wk2/TestExpectations:
• platform/win/TestExpectations:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/inspector/network/har/har-page-aggressive-gc-expected.txt (added)
• LayoutTests/http/tests/inspector/network/har/har-page-aggressive-gc.html (added)
• LayoutTests/platform/gtk/TestExpectations (modified) (1 diff)
• LayoutTests/platform/mac-wk1/TestExpectations (modified) (1 diff)
• LayoutTests/platform/mac-wk2/TestExpectations (modified) (1 diff)
• LayoutTests/platform/win/TestExpectations (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSCJSValue.h (modified) (2 diffs)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/bindings/js/JSErrorHandler.cpp (modified) (1 diff)
• Source/WebCore/bindings/js/JSEventListener.cpp (modified) (2 diffs)
• Source/WebCore/bindings/js/JSEventListener.h (modified) (2 diffs)
• Source/WebCore/dom/EventListener.h (modified) (1 diff)
• Source/WebCore/dom/EventTarget.cpp (modified) (1 diff)
• Source/WebCore/inspector/CommandLineAPIHost.cpp (modified) (1 diff)
• Source/WebCore/inspector/agents/InspectorDOMAgent.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2020-03-25  Chris Dumez  <cdumez@apple.com>
+
+        Event listeners registered with 'once' option may get garbage collected too soon
+        https://bugs.webkit.org/show_bug.cgi?id=209504
+        <rdar://problem/60541567>
+
+        Reviewed by Yusuke Suzuki.
+
+        Add layout test coverage.
+
+        * http/tests/inspector/network/har/har-page-aggressive-gc-expected.txt: Added.
+        * http/tests/inspector/network/har/har-page-aggressive-gc.html: Added.
+        * platform/gtk/TestExpectations:
+        * platform/mac-wk1/TestExpectations:
+        * platform/mac-wk2/TestExpectations:
+        * platform/win/TestExpectations:
+
 2020-03-25  Jason Lawrence  <lawrence.j@apple.com>
 

trunk/LayoutTests/platform/gtk/TestExpectations

@@ -2069 +2069 @@
 webkit.org/b/191497 http/tests/inspector/network/getSerializedCertificate.html [ Skip ]
 webkit.org/b/179173 [ Release ] http/tests/inspector/network/har/har-page.html [ Failure Pass ]
+webkit.org/b/179173 [ Release ] http/tests/inspector/network/har/har-page-aggressive-gc.html [ Failure Pass ]
 
 webkit.org/b/186851 imported/w3c/web-platform-tests/xhr/formdata.htm [ Pass Failure ]

trunk/LayoutTests/platform/mac-wk1/TestExpectations

@@ -563 +563 @@
 http/tests/inspector/network/resource-sizes-memory-cache.html [ Failure ]
 http/tests/inspector/network/har/har-page.html [ Failure ]
+http/tests/inspector/network/har/har-page-aggressive-gc.html [ Failure ]
 
 # Local Overrides not available in WebKit1

trunk/LayoutTests/platform/mac-wk2/TestExpectations

@@ -1014 +1014 @@
 
 webkit.org/b/207954 http/tests/inspector/network/har/har-page.html [ Pass Failure ]
+webkit.org/b/207954 http/tests/inspector/network/har/har-page-aggressive-gc.html [ Pass Failure ]
 
 webkit.org/b/207962 accessibility/mac/aria-menu-item-selected-notification.html [ Slow ]

trunk/LayoutTests/platform/win/TestExpectations

@@ -3657 +3657 @@
 http/tests/inspector/network/resource-request-headers.html [ Skip ]
 http/tests/inspector/network/har/har-page.html [ Skip ]
+http/tests/inspector/network/har/har-page-aggressive-gc.html [ Skip ]
 http/tests/local/blob/send-hybrid-blob-using-open-panel.html [ Skip ]
 http/tests/security/contentSecurityPolicy/cross-origin-plugin-document-allowed-in-child-window.html [ Skip ]

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2020-03-25  Chris Dumez  <cdumez@apple.com>
+
+        Event listeners registered with 'once' option may get garbage collected too soon
+        https://bugs.webkit.org/show_bug.cgi?id=209504
+        <rdar://problem/60541567>
+
+        Reviewed by Yusuke Suzuki.
+
+        Add EnsureStillAliveScope RAII object for ensureStillAliveHere().
+
+        * runtime/JSCJSValue.h:
+        (JSC::EnsureStillAliveScope::EnsureStillAliveScope):
+        (JSC::EnsureStillAliveScope::~EnsureStillAliveScope):
+
 2020-03-25  Alexey Shvayka  <shvaikalesh@gmail.com>
 

trunk/Source/JavaScriptCore/runtime/JSCJSValue.h

@@ -35 +35 @@
 #include <wtf/MathExtras.h>
 #include <wtf/MediaTime.h>
+#include <wtf/Nonmovable.h>
 #include <wtf/StdLibExtras.h>
 #include <wtf/TriState.h>
@@ -651 +652 @@
 #endif
 
+// Use EnsureStillAliveScope when you have a data structure that includes GC pointers, and you need
+// to remove it from the DOM and then use it in the same scope. For example, a 'once' event listener
+// needs to be removed from the DOM and then fired.
+class EnsureStillAliveScope {
+    WTF_FORBID_HEAP_ALLOCATION;
+    WTF_MAKE_NONCOPYABLE(EnsureStillAliveScope);
+    WTF_MAKE_NONMOVABLE(EnsureStillAliveScope);
+public:
+    EnsureStillAliveScope(JSValue value)
+        : m_value(value)
+    {
+    }
+
+    ~EnsureStillAliveScope()
+    {
+        ensureStillAliveHere(m_value);
+    }
+
+private:
+    JSValue m_value;
+};
+
 } // namespace JSC

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2020-03-25  Chris Dumez  <cdumez@apple.com>
+
+        Event listeners registered with 'once' option may get garbage collected too soon
+        https://bugs.webkit.org/show_bug.cgi?id=209504
+        <rdar://problem/60541567>
+
+        Reviewed by Yusuke Suzuki.
+
+        In EventTarget::innerInvokeEventListeners, if the listener we're about to call is a one-time
+        listener (has 'once' flag set), we would first unregister the event listener and then call
+        it, as per the DOM specification. However, once unregistered, the event listener is no longer
+        visited for GC purposes and its internal JS Function may get garbage collected before we get
+        a chance to call it.
+
+        To address the issue, we now make sure the JS Function (and its wrapper) stay alive for the
+        duration of the scope using ensureStillAliveHere().
+
+        Test: http/tests/inspector/network/har/har-page-aggressive-gc.html
+
+        * bindings/js/JSEventListener.h:
+        * dom/EventListener.h:
+        (WebCore::EventListener::jsFunction const):
+        (WebCore::EventListener::wrapper const):
+        * dom/EventTarget.cpp:
+        (WebCore::EventTarget::innerInvokeEventListeners):
+
 2020-03-25  Wenson Hsieh  <wenson_hsieh@apple.com>
 

trunk/Source/WebCore/bindings/js/JSErrorHandler.cpp

@@ -68 +68 @@
     JSLockHolder lock(vm);
 
-    JSObject* jsFunction = this->jsFunction(scriptExecutionContext);
+    JSObject* jsFunction = this->ensureJSFunction(scriptExecutionContext);
     if (!jsFunction)
         return;

trunk/Source/WebCore/bindings/js/JSEventListener.cpp

@@ -111 +111 @@
     // exception.
 
-    JSObject* jsFunction = this->jsFunction(scriptExecutionContext);
+    JSObject* jsFunction = ensureJSFunction(scriptExecutionContext);
     if (!jsFunction)
         return;
@@ -243 +243 @@
         return jsNull();
 
-    auto* function = downcast<JSEventListener>(*abstractListener).jsFunction(context);
+    auto* function = downcast<JSEventListener>(*abstractListener).ensureJSFunction(context);
     if (!function)
         return jsNull();

trunk/Source/WebCore/bindings/js/JSEventListener.h

@@ -49 +49 @@
     bool isAttribute() const final { return m_isAttribute; }
 
-    JSC::JSObject* jsFunction(ScriptExecutionContext&) const;
+    JSC::JSObject* ensureJSFunction(ScriptExecutionContext&) const;
     DOMWrapperWorld& isolatedWorld() const { return m_isolatedWorld; }
 
-    JSC::JSObject* wrapper() const { return m_wrapper.get(); }
+
+    JSC::JSObject* jsFunction() const final { return m_jsFunction.get(); }
+    JSC::JSObject* wrapper() const final { return m_wrapper.get(); }
 
     virtual String sourceURL() const { return String(); }
@@ -93 +95 @@
 void setDocumentEventHandlerAttribute(JSC::JSGlobalObject&, JSC::JSObject&, Document&, const AtomString& eventType, JSC::JSValue);
 
-inline JSC::JSObject* JSEventListener::jsFunction(ScriptExecutionContext& scriptExecutionContext) const
+inline JSC::JSObject* JSEventListener::ensureJSFunction(ScriptExecutionContext& scriptExecutionContext) const
 {
     // initializeJSFunction can trigger code that deletes this event listener

trunk/Source/WebCore/dom/EventListener.h

@@ -61 +61 @@
 #endif
 
+    virtual JSC::JSObject* jsFunction() const { return nullptr; }
+    virtual JSC::JSObject* wrapper() const { return nullptr; }
+
 protected:
     explicit EventListener(Type type)

trunk/Source/WebCore/dom/EventTarget.cpp

@@ -305 +305 @@
             break;
 
+        // Make sure the JS wrapper and function stay alive until the end of this scope. Otherwise,
+        // event listeners with 'once' flag may get collected as soon as they get unregistered below,
+        // before we call the js function.
+        JSC::EnsureStillAliveScope wrapperProtector(registeredListener->callback().wrapper());
+        JSC::EnsureStillAliveScope jsFunctionProtector(registeredListener->callback().jsFunction());
+
         // Do this before invocation to avoid reentrancy issues.
         if (registeredListener->isOnce())

trunk/Source/WebCore/inspector/CommandLineAPIHost.cpp

@@ -114 +114 @@
                 continue;
 
-            auto* function = jsListener.jsFunction(*scriptExecutionContext);
+            auto* function = jsListener.ensureJSFunction(*scriptExecutionContext);
             if (!function)
                 continue;

trunk/Source/WebCore/inspector/agents/InspectorDOMAgent.cpp

@@ -1771 +1771 @@
 
         if (document) {
-            handlerObject = scriptListener.jsFunction(*document);
+            handlerObject = scriptListener.ensureJSFunction(*document);
             exec = execStateFromNode(scriptListener.isolatedWorld(), document);
         }