Changeset 54400 in webkit

Timestamp:

Feb 4, 2010 7:39:09 PM (14 years ago)

Author:

ggaren@apple.com

Message:

WebCore: REGRESSION (r52082): Missing event handlers on JQuery demo page (33383)
​https://bugs.webkit.org/show_bug.cgi?id=33383
<rdar://problem/7559449>

Reviewed by Alexey Proskuryakov and Darin Adler.

There were two bugs here:

1. A stale wrapper would invalidate a node's event listeners, even if

the node had a fresh wrapper keeping it alive.

The fix for this is for an event listener to keep a WeakGCPtr back-pointer
to the wrapper it expects to mark it. The wrapper destructor checks this
back-pointer, and only invalidates the event listener in the case of a match.

2. Conversely, a stale wrapper would not invalidate a node's event

listeners soon enough, if its destructor didn't have a chance to run
before an event fired on the node. (This can only happen in cases where
we've made some other error and failed to mark a wrapper that was circuitously
observable in the DOM. But we know we have edge case bugs like this, and
we don't want them to be crashes.)

The fix for this is to check the wrapper back-pointer before firing the
event listener. As long as the the wrapper back-pointer is not null,
it's safe to fire the listener.

• ForwardingHeaders/runtime/WeakGCPtr.h: Added. Appease build gods.

• bindings/js/JSAbstractWorkerCustom.cpp:

(WebCore::JSAbstractWorker::addEventListener):
(WebCore::JSAbstractWorker::removeEventListener):

• bindings/js/JSDOMApplicationCacheCustom.cpp:

(WebCore::JSDOMApplicationCache::addEventListener):
(WebCore::JSDOMApplicationCache::removeEventListener):

• bindings/js/JSDOMWindowCustom.cpp:

(WebCore::JSDOMWindow::markChildren):
(WebCore::JSDOMWindow::addEventListener):
(WebCore::JSDOMWindow::removeEventListener): Updated to pass a wrapper
to the JSEventListener constructor.

• bindings/js/JSEventListener.cpp:

(WebCore::JSEventListener::JSEventListener):
(WebCore::JSEventListener::initializeJSFunction):
(WebCore::JSEventListener::invalidateJSFunction):

• bindings/js/JSEventListener.h:

(WebCore::JSEventListener::create):
(WebCore::JSEventListener::isolatedWorld):
(WebCore::JSEventListener::wrapper):
(WebCore::JSEventListener::setWrapper):
(WebCore::JSEventListener::jsFunction):
(WebCore::createJSAttributeEventListener): Implemented the back-pointer
described above. Refactored the jsFunction() accessor to return 0 if
the wrapper back-pointer is 0.

• bindings/js/JSEventSourceCustom.cpp:

(WebCore::JSEventSource::addEventListener):
(WebCore::JSEventSource::removeEventListener):

• bindings/js/JSLazyEventListener.cpp:

(WebCore::JSLazyEventListener::JSLazyEventListener):
(WebCore::JSLazyEventListener::initializeJSFunction):

• bindings/js/JSLazyEventListener.h:

(WebCore::JSLazyEventListener::create):

• bindings/js/JSMessagePortCustom.cpp:

(WebCore::JSMessagePort::markChildren):
(WebCore::JSMessagePort::addEventListener):
(WebCore::JSMessagePort::removeEventListener):

• bindings/js/JSNodeCustom.cpp:

(WebCore::JSNode::addEventListener):
(WebCore::JSNode::removeEventListener):
(WebCore::JSNode::markChildren):

• bindings/js/JSSVGElementInstanceCustom.cpp:

(WebCore::JSSVGElementInstance::addEventListener):
(WebCore::JSSVGElementInstance::removeEventListener):

• bindings/js/JSWebSocketCustom.cpp:

(WebCore::JSWebSocket::addEventListener):
(WebCore::JSWebSocket::removeEventListener):

• bindings/js/JSWorkerContextCustom.cpp:

(WebCore::JSWorkerContext::markChildren):
(WebCore::JSWorkerContext::addEventListener):
(WebCore::JSWorkerContext::removeEventListener):

• bindings/js/JSXMLHttpRequestCustom.cpp:

(WebCore::JSXMLHttpRequest::markChildren):
(WebCore::JSXMLHttpRequest::addEventListener):
(WebCore::JSXMLHttpRequest::removeEventListener):

• bindings/js/JSXMLHttpRequestUploadCustom.cpp:

(WebCore::JSXMLHttpRequestUpload::markChildren):
(WebCore::JSXMLHttpRequestUpload::addEventListener):
(WebCore::JSXMLHttpRequestUpload::removeEventListener): Updated to pass a wrapper
to the JSEventListener constructor.

• bindings/js/ScriptEventListener.cpp:

(WebCore::createAttributeEventListener): Updated to pass a wrapper
to the JSEventListener constructor.
(WebCore::getEventListenerHandlerBody): Updated for the fact that jsFunction()
is no longer a virtual accessor on the EventHandler base class.

• bindings/scripts/CodeGeneratorJS.pm: Updated for the fact that jsFunction()

is no longer a virtual accessor on the EventHandler base class. Added a "JS"
to invalidateEventListeners and markEventListeners to clarify that these
actions are for JS event listeners only. Added a wrapper parameter to
invalidateEventListeners for the back-pointer check explained above.

• dom/EventListener.h:

(WebCore::EventListener::invalidateJSFunction): ditto

• dom/EventTarget.h:

(WebCore::EventTarget::markJSEventListeners):
(WebCore::EventTarget::invalidateJSEventListeners): ditto

LayoutTests: REGRESSION (r52082): Missing event handlers on JQuery demo page (33383)
​https://bugs.webkit.org/show_bug.cgi?id=33383
<rdar://problem/7559449>

Reviewed by Alexey Proskuryakov and Darin Adler.

• fast/events/bogus-event-listener-invalidation-expected.txt: Added.
• fast/events/bogus-event-listener-invalidation.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/events/bogus-event-listener-invalidation-expected.txt (added)
• LayoutTests/fast/events/bogus-event-listener-invalidation.html (added)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/bindings/js/JSAbstractWorkerCustom.cpp (modified) (2 diffs)
• WebCore/bindings/js/JSDOMApplicationCacheCustom.cpp (modified) (2 diffs)
• WebCore/bindings/js/JSDOMWindowCustom.cpp (modified) (3 diffs)
• WebCore/bindings/js/JSEventListener.cpp (modified) (3 diffs)
• WebCore/bindings/js/JSEventListener.h (modified) (3 diffs)
• WebCore/bindings/js/JSEventSourceCustom.cpp (modified) (2 diffs)
• WebCore/bindings/js/JSLazyEventListener.cpp (modified) (6 diffs)
• WebCore/bindings/js/JSLazyEventListener.h (modified) (1 diff)
• WebCore/bindings/js/JSMessagePortCustom.cpp (modified) (3 diffs)
• WebCore/bindings/js/JSNodeCustom.cpp (modified) (3 diffs)
• WebCore/bindings/js/JSSVGElementInstanceCustom.cpp (modified) (2 diffs)
• WebCore/bindings/js/JSWebSocketCustom.cpp (modified) (2 diffs)
• WebCore/bindings/js/JSWorkerContextCustom.cpp (modified) (3 diffs)
• WebCore/bindings/js/JSXMLHttpRequestCustom.cpp (modified) (3 diffs)
• WebCore/bindings/js/JSXMLHttpRequestUploadCustom.cpp (modified) (3 diffs)
• WebCore/bindings/js/ScriptEventListener.cpp (modified) (4 diffs)
• WebCore/bindings/scripts/CodeGeneratorJS.pm (modified) (4 diffs)
• WebCore/dom/EventListener.h (modified) (1 diff)
• WebCore/dom/EventTarget.h (modified) (4 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2010-01-27  Geoffrey Garen  <ggaren@apple.com>
+
+        Reviewed by Alexey Proskuryakov and Darin Adler.
+
+        REGRESSION (r52082): Missing event handlers on JQuery demo page (33383)
+        https://bugs.webkit.org/show_bug.cgi?id=33383
+        <rdar://problem/7559449>
+
+        * fast/events/bogus-event-listener-invalidation-expected.txt: Added.
+        * fast/events/bogus-event-listener-invalidation.html: Added.
+
 2010-02-04  Tony Chang  <tony@chromium.org>
 

trunk/WebCore/ChangeLog

@@ +1 @@
+2010-02-04  Geoffrey Garen  <ggaren@apple.com>
+
+        Reviewed by Alexey Proskuryakov and Darin Adler.
+
+        REGRESSION (r52082): Missing event handlers on JQuery demo page (33383)
+        https://bugs.webkit.org/show_bug.cgi?id=33383
+        <rdar://problem/7559449>
+        
+        There were two bugs here:
+        
+        1. A stale wrapper would invalidate a node's event listeners, even if
+        the node had a fresh wrapper keeping it alive.
+        
+        The fix for this is for an event listener to keep a WeakGCPtr back-pointer
+        to the wrapper it expects to mark it. The wrapper destructor checks this
+        back-pointer, and only invalidates the event listener in the case of a match.
+
+        2. Conversely, a stale wrapper would not invalidate a node's event
+        listeners soon enough, if its destructor didn't have a chance to run
+        before an event fired on the node. (This can only happen in cases where
+        we've made some other error and failed to mark a wrapper that was circuitously
+        observable in the DOM. But we know we have edge case bugs like this, and
+        we don't want them to be crashes.)
+        
+        The fix for this is to check the wrapper back-pointer before firing the
+        event listener. As long as the the wrapper back-pointer is not null,
+        it's safe to fire the listener. 
+
+        * ForwardingHeaders/runtime/WeakGCPtr.h: Added. Appease build gods.
+
+        * bindings/js/JSAbstractWorkerCustom.cpp:
+        (WebCore::JSAbstractWorker::addEventListener):
+        (WebCore::JSAbstractWorker::removeEventListener):
+        * bindings/js/JSDOMApplicationCacheCustom.cpp:
+        (WebCore::JSDOMApplicationCache::addEventListener):
+        (WebCore::JSDOMApplicationCache::removeEventListener):
+        * bindings/js/JSDOMWindowCustom.cpp:
+        (WebCore::JSDOMWindow::markChildren):
+        (WebCore::JSDOMWindow::addEventListener):
+        (WebCore::JSDOMWindow::removeEventListener): Updated to pass a wrapper
+        to the JSEventListener constructor.
+
+        * bindings/js/JSEventListener.cpp:
+        (WebCore::JSEventListener::JSEventListener):
+        (WebCore::JSEventListener::initializeJSFunction):
+        (WebCore::JSEventListener::invalidateJSFunction):
+        * bindings/js/JSEventListener.h:
+        (WebCore::JSEventListener::create):
+        (WebCore::JSEventListener::isolatedWorld):
+        (WebCore::JSEventListener::wrapper):
+        (WebCore::JSEventListener::setWrapper):
+        (WebCore::JSEventListener::jsFunction):
+        (WebCore::createJSAttributeEventListener): Implemented the back-pointer
+        described above. Refactored the jsFunction() accessor to return 0 if
+        the wrapper back-pointer is 0.
+
+        * bindings/js/JSEventSourceCustom.cpp:
+        (WebCore::JSEventSource::addEventListener):
+        (WebCore::JSEventSource::removeEventListener):
+        * bindings/js/JSLazyEventListener.cpp:
+        (WebCore::JSLazyEventListener::JSLazyEventListener):
+        (WebCore::JSLazyEventListener::initializeJSFunction):
+        * bindings/js/JSLazyEventListener.h:
+        (WebCore::JSLazyEventListener::create):
+        * bindings/js/JSMessagePortCustom.cpp:
+        (WebCore::JSMessagePort::markChildren):
+        (WebCore::JSMessagePort::addEventListener):
+        (WebCore::JSMessagePort::removeEventListener):
+        * bindings/js/JSNodeCustom.cpp:
+        (WebCore::JSNode::addEventListener):
+        (WebCore::JSNode::removeEventListener):
+        (WebCore::JSNode::markChildren):
+        * bindings/js/JSSVGElementInstanceCustom.cpp:
+        (WebCore::JSSVGElementInstance::addEventListener):
+        (WebCore::JSSVGElementInstance::removeEventListener):
+        * bindings/js/JSWebSocketCustom.cpp:
+        (WebCore::JSWebSocket::addEventListener):
+        (WebCore::JSWebSocket::removeEventListener):
+        * bindings/js/JSWorkerContextCustom.cpp:
+        (WebCore::JSWorkerContext::markChildren):
+        (WebCore::JSWorkerContext::addEventListener):
+        (WebCore::JSWorkerContext::removeEventListener):
+        * bindings/js/JSXMLHttpRequestCustom.cpp:
+        (WebCore::JSXMLHttpRequest::markChildren):
+        (WebCore::JSXMLHttpRequest::addEventListener):
+        (WebCore::JSXMLHttpRequest::removeEventListener):
+        * bindings/js/JSXMLHttpRequestUploadCustom.cpp:
+        (WebCore::JSXMLHttpRequestUpload::markChildren):
+        (WebCore::JSXMLHttpRequestUpload::addEventListener):
+        (WebCore::JSXMLHttpRequestUpload::removeEventListener): Updated to pass a wrapper
+        to the JSEventListener constructor.
+
+
+        * bindings/js/ScriptEventListener.cpp:
+        (WebCore::createAttributeEventListener): Updated to pass a wrapper
+        to the JSEventListener constructor.
+        (WebCore::getEventListenerHandlerBody): Updated for the fact that jsFunction()
+        is no longer a virtual accessor on the EventHandler base class.
+
+        * bindings/scripts/CodeGeneratorJS.pm: Updated for the fact that jsFunction()
+        is no longer a virtual accessor on the EventHandler base class. Added a "JS"
+        to invalidateEventListeners and markEventListeners to clarify that these
+        actions are for JS event listeners only. Added a wrapper parameter to
+        invalidateEventListeners for the back-pointer check explained above.
+
+        * dom/EventListener.h:
+        (WebCore::EventListener::invalidateJSFunction): ditto
+
+        * dom/EventTarget.h:
+        (WebCore::EventTarget::markJSEventListeners):
+        (WebCore::EventTarget::invalidateJSEventListeners): ditto
+
 2010-02-04  Tony Chang  <tony@chromium.org>
 

trunk/WebCore/bindings/js/JSAbstractWorkerCustom.cpp

@@ -51 +51 @@
         return jsUndefined();
 
-    impl()->addEventListener(args.at(0).toString(exec), JSEventListener::create(asObject(listener), false, currentWorld(exec)), args.at(2).toBoolean(exec));
+    impl()->addEventListener(args.at(0).toString(exec), JSEventListener::create(asObject(listener), this, false, currentWorld(exec)), args.at(2).toBoolean(exec));
     return jsUndefined();
 }
@@ -61 +61 @@
         return jsUndefined();
 
-    impl()->removeEventListener(args.at(0).toString(exec), JSEventListener::create(asObject(listener), false, currentWorld(exec)).get(), args.at(2).toBoolean(exec));
+    impl()->removeEventListener(args.at(0).toString(exec), JSEventListener::create(asObject(listener), this, false, currentWorld(exec)).get(), args.at(2).toBoolean(exec));
     return jsUndefined();
 }

trunk/WebCore/bindings/js/JSDOMApplicationCacheCustom.cpp

@@ -92 +92 @@
         return jsUndefined();
 
-    impl()->addEventListener(args.at(0).toString(exec), JSEventListener::create(asObject(listener), false, currentWorld(exec)), args.at(2).toBoolean(exec));
+    impl()->addEventListener(args.at(0).toString(exec), JSEventListener::create(asObject(listener), this, false, currentWorld(exec)), args.at(2).toBoolean(exec));
     return jsUndefined();
 }
@@ -102 +102 @@
         return jsUndefined();
 
-    impl()->removeEventListener(args.at(0).toString(exec), JSEventListener::create(asObject(listener), false, currentWorld(exec)).get(), args.at(2).toBoolean(exec));
+    impl()->removeEventListener(args.at(0).toString(exec), JSEventListener::create(asObject(listener), this, false, currentWorld(exec)).get(), args.at(2).toBoolean(exec));
     return jsUndefined();
 }

trunk/WebCore/bindings/js/JSDOMWindowCustom.cpp

@@ -98 +98 @@
     Base::markChildren(markStack);
 
-    impl()->markEventListeners(markStack);
+    impl()->markJSEventListeners(markStack);
 
     JSGlobalData& globalData = *Heap::heap(this)->globalData();
@@ -998 +998 @@
         return jsUndefined();
 
-    impl()->addEventListener(args.at(0).toString(exec), JSEventListener::create(asObject(listener), false, currentWorld(exec)), args.at(2).toBoolean(exec));
+    impl()->addEventListener(args.at(0).toString(exec), JSEventListener::create(asObject(listener), this, false, currentWorld(exec)), args.at(2).toBoolean(exec));
     return jsUndefined();
 }
@@ -1012 +1012 @@
         return jsUndefined();
 
-    impl()->removeEventListener(args.at(0).toString(exec), JSEventListener::create(asObject(listener), false, currentWorld(exec)).get(), args.at(2).toBoolean(exec));
+    impl()->removeEventListener(args.at(0).toString(exec), JSEventListener::create(asObject(listener), this, false, currentWorld(exec)).get(), args.at(2).toBoolean(exec));
     return jsUndefined();
 }

trunk/WebCore/bindings/js/JSEventListener.cpp

@@ -32 +32 @@
 namespace WebCore {
 
-JSEventListener::JSEventListener(JSObject* function, bool isAttribute, DOMWrapperWorld* isolatedWorld)
+JSEventListener::JSEventListener(JSObject* function, JSObject* wrapper, bool isAttribute, DOMWrapperWorld* isolatedWorld)
     : EventListener(JSEventListenerType)
     , m_jsFunction(function)
+    , m_wrapper(wrapper)
     , m_isAttribute(isAttribute)
     , m_isolatedWorld(isolatedWorld)
@@ -44 +45 @@
 }
 
-JSObject* JSEventListener::jsFunction(ScriptExecutionContext*) const
-{
-    return m_jsFunction;
+JSObject* JSEventListener::initializeJSFunction(ScriptExecutionContext*) const
+{
+    ASSERT_NOT_REACHED();
+    return 0;
 }
 
@@ -53 +55 @@
     if (m_jsFunction)
         markStack.append(m_jsFunction);
+}
+
+void JSEventListener::invalidateJSFunction(JSC::JSObject* wrapper)
+{
+    // Since m_wrapper is a WeakGCPtr, it pretends to be null, and therefore !=
+    // to wrapper, when it's awaiting destruction. So, we check for == wrapper
+    // or == null.
+    if (!m_wrapper || m_wrapper == wrapper)
+        m_wrapper = 0;
 }
 

trunk/WebCore/bindings/js/JSEventListener.h

@@ -23 +23 @@
 #include "EventListener.h"
 #include "JSDOMWindow.h"
-#include <runtime/Protect.h>
+#include <runtime/WeakGCPtr.h>
 
 namespace WebCore {
@@ -31 +31 @@
     class JSEventListener : public EventListener {
     public:
-        static PassRefPtr<JSEventListener> create(JSC::JSObject* listener, bool isAttribute, DOMWrapperWorld* isolatedWorld)
+        static PassRefPtr<JSEventListener> create(JSC::JSObject* listener, JSC::JSObject* wrapper, bool isAttribute, DOMWrapperWorld* isolatedWorld)
         {
-            return adoptRef(new JSEventListener(listener, isAttribute, isolatedWorld));
+            return adoptRef(new JSEventListener(listener, wrapper, isAttribute, isolatedWorld));
         }
 
@@ -50 +50 @@
         bool isAttribute() const { return m_isAttribute; }
 
-        virtual JSC::JSObject* jsFunction(ScriptExecutionContext*) const;
+        JSC::JSObject* jsFunction(ScriptExecutionContext*) const;
+        DOMWrapperWorld* isolatedWorld() const { return m_isolatedWorld.get(); }
+
+        JSC::JSObject* wrapper() const { return m_wrapper.get(); }
+        void setWrapper(JSC::JSObject* wrapper) const { m_wrapper = wrapper; }
 
     private:
+        virtual JSC::JSObject* initializeJSFunction(ScriptExecutionContext*) const;
         virtual void markJSFunction(JSC::MarkStack&);
+        virtual void invalidateJSFunction(JSC::JSObject*);
         virtual void handleEvent(ScriptExecutionContext*, Event*);
         virtual bool reportError(ScriptExecutionContext*, const String& message, const String& url, int lineNumber);
         virtual bool virtualisAttribute() const;
-        void clearJSFunctionInline();
 
     protected:
-        JSEventListener(JSC::JSObject* function, bool isAttribute, DOMWrapperWorld* isolatedWorld);
+        JSEventListener(JSC::JSObject* function, JSC::JSObject* wrapper, bool isAttribute, DOMWrapperWorld* isolatedWorld);
 
+    private:
         mutable JSC::JSObject* m_jsFunction;
+        mutable JSC::WeakGCPtr<JSC::JSObject> m_wrapper;
+
         bool m_isAttribute;
         RefPtr<DOMWrapperWorld> m_isolatedWorld;
     };
 
+    inline JSC::JSObject* JSEventListener::jsFunction(ScriptExecutionContext* scriptExecutionContext) const
+    {
+        if (!m_jsFunction)
+            m_jsFunction = initializeJSFunction(scriptExecutionContext);
+
+        // Verify that we have a valid wrapper protecting our function from
+        // garbage collection.
+        ASSERT(m_wrapper || !m_jsFunction);
+        if (!m_wrapper)
+            return 0;
+
+        // Try to verify that m_jsFunction wasn't recycled. (Not exact, since an
+        // event listener can be almost anything, but this makes test-writing easier).
+        ASSERT(!m_jsFunction || static_cast<JSC::JSCell*>(m_jsFunction)->isObject());
+
+        return m_jsFunction;
+    }
+
     // Creates a JS EventListener for an "onXXX" event attribute.
-    inline PassRefPtr<JSEventListener> createJSAttributeEventListener(JSC::ExecState* exec, JSC::JSValue listener)
+    inline PassRefPtr<JSEventListener> createJSAttributeEventListener(JSC::ExecState* exec, JSC::JSValue listener, JSC::JSObject* wrapper)
     {
         if (!listener.isObject())
             return 0;
 
-        return JSEventListener::create(asObject(listener), true, currentWorld(exec));
+        return JSEventListener::create(asObject(listener), wrapper, true, currentWorld(exec));
     }
 

trunk/WebCore/bindings/js/JSEventSourceCustom.cpp

@@ -50 +50 @@
         return jsUndefined();
 
-    impl()->addEventListener(args.at(0).toString(exec), JSEventListener::create(asObject(listener), false, currentWorld(exec)).get(), args.at(2).toBoolean(exec));
+    impl()->addEventListener(args.at(0).toString(exec), JSEventListener::create(asObject(listener), this, false, currentWorld(exec)).get(), args.at(2).toBoolean(exec));
     return jsUndefined();
 }
@@ -60 +60 @@
         return jsUndefined();
 
-    impl()->removeEventListener(args.at(0).toString(exec), JSEventListener::create(asObject(listener), false, currentWorld(exec)).get(), args.at(2).toBoolean(exec));
+    impl()->removeEventListener(args.at(0).toString(exec), JSEventListener::create(asObject(listener), this, false, currentWorld(exec)).get(), args.at(2).toBoolean(exec));
     return jsUndefined();
 }

trunk/WebCore/bindings/js/JSLazyEventListener.cpp

@@ -36 +36 @@
 #endif
 
-JSLazyEventListener::JSLazyEventListener(const String& functionName, const String& eventParameterName, const String& code, Node* node, const String& sourceURL, int lineNumber, DOMWrapperWorld* isolatedWorld)
-    : JSEventListener(0, true, isolatedWorld)
+JSLazyEventListener::JSLazyEventListener(const String& functionName, const String& eventParameterName, const String& code, Node* node, const String& sourceURL, int lineNumber, JSObject* wrapper, DOMWrapperWorld* isolatedWorld)
+    : JSEventListener(0, wrapper, true, isolatedWorld)
     , m_functionName(functionName)
     , m_eventParameterName(eventParameterName)
     , m_code(code)
-    , m_parsed(false)
     , m_sourceURL(sourceURL)
     , m_lineNumber(lineNumber)
@@ -49 +48 @@
     // will stay alive as long as this handler object is around
     // and we need to avoid a reference cycle. If JS transfers
-    // this handler to another node, parseCode will be called and
-    // then originalNode is no longer needed.
+    // this handler to another node, initializeJSFunction will
+    // be called and then originalNode is no longer needed.
 
     // A JSLazyEventListener can be created with a line number of zero when it is created with
@@ -69 +68 @@
 }
 
-JSObject* JSLazyEventListener::jsFunction(ScriptExecutionContext* executionContext) const
-{
-    parseCode(executionContext);
-    return m_jsFunction;
-}
-
-void JSLazyEventListener::parseCode(ScriptExecutionContext* executionContext) const
+JSObject* JSLazyEventListener::initializeJSFunction(ScriptExecutionContext* executionContext) const
 {
     ASSERT(executionContext);
     ASSERT(executionContext->isDocument());
     if (!executionContext)
-        return;
-
-    if (m_parsed)
-        return;
+        return 0;
 
     Frame* frame = static_cast<Document*>(executionContext)->frame();
     if (!frame)
-        return;
+        return 0;
 
     ScriptController* scriptController = frame->script();
     if (!scriptController->canExecuteScripts())
-        return;
+        return 0;
 
-    JSDOMGlobalObject* globalObject = toJSDOMGlobalObject(executionContext, m_isolatedWorld.get());
+    JSDOMGlobalObject* globalObject = toJSDOMGlobalObject(executionContext, isolatedWorld());
     if (!globalObject)
-        return;
-
-    // Ensure that 'node' has a JavaScript wrapper to mark the event listener we're creating.
-    if (m_originalNode) {
-        JSLock lock(SilenceAssertionsOnly);
-        // FIXME: Should pass the global object associated with the node
-        toJS(globalObject->globalExec(), globalObject, m_originalNode);
-    }
+        return 0;
 
     if (executionContext->isDocument()) {
@@ -108 +91 @@
         Frame* frame = window->impl()->frame();
         if (!frame)
-            return;
+            return 0;
         // FIXME: Is this check needed for non-Document contexts?
         ScriptController* script = frame->script();
         if (!script->canExecuteScripts() || script->isPaused())
-            return;
+            return 0;
     }
-
-    m_parsed = true;
 
     ExecState* exec = globalObject->globalExec();
@@ -123 +104 @@
     args.append(jsString(exec, m_code));
 
-    m_jsFunction = constructFunction(exec, args, Identifier(exec, m_functionName), m_sourceURL, m_lineNumber); // FIXME: is globalExec ok?
-
-    JSFunction* listenerAsFunction = static_cast<JSFunction*>(m_jsFunction);
-
+    JSObject* jsFunction = constructFunction(exec, args, Identifier(exec, m_functionName), m_sourceURL, m_lineNumber); // FIXME: is globalExec ok?
     if (exec->hadException()) {
         exec->clearException();
+        return 0;
+    }
 
-        // failed to parse, so let's just make this listener a no-op
-        m_jsFunction = 0;
-    } else if (m_originalNode) {
+    JSFunction* listenerAsFunction = static_cast<JSFunction*>(jsFunction);
+    if (m_originalNode) {
+        if (!wrapper()) {
+            // Ensure that 'node' has a JavaScript wrapper to mark the event listener we're creating.
+            JSLock lock(SilenceAssertionsOnly);
+            // FIXME: Should pass the global object associated with the node
+            setWrapper(asObject(toJS(globalObject->globalExec(), globalObject, m_originalNode)));
+        }
+
         // Add the event's home element to the scope
         // (and the document, and the form - see JSHTMLElement::eventHandlerScope)
         ScopeChain scope = listenerAsFunction->scope();
-
-        JSValue thisObj = toJS(exec, globalObject, m_originalNode);
-        if (thisObj.isObject()) {
-            static_cast<JSNode*>(asObject(thisObj))->pushEventHandlerScope(exec, scope);
-            listenerAsFunction->setScope(scope);
-        }
+        static_cast<JSNode*>(wrapper())->pushEventHandlerScope(exec, scope);
+        listenerAsFunction->setScope(scope);
     }
 
@@ -149 +131 @@
     m_eventParameterName = String();
     m_sourceURL = String();
+    return jsFunction;
 }
 

trunk/WebCore/bindings/js/JSLazyEventListener.h

@@ -30 +30 @@
     class JSLazyEventListener : public JSEventListener {
     public:
-        static PassRefPtr<JSLazyEventListener> create(const String& functionName, const String& eventParameterName, const String& code, Node* node, const String& sourceURL, int lineNumber, DOMWrapperWorld* isolatedWorld)
+        static PassRefPtr<JSLazyEventListener> create(const String& functionName, const String& eventParameterName, const String& code, Node* node, const String& sourceURL, int lineNumber, JSC::JSObject* wrapper, DOMWrapperWorld* isolatedWorld)
         {
-            return adoptRef(new JSLazyEventListener(functionName, eventParameterName, code, node, sourceURL, lineNumber, isolatedWorld));
+            return adoptRef(new JSLazyEventListener(functionName, eventParameterName, code, node, sourceURL, lineNumber, wrapper, isolatedWorld));
         }
         virtual ~JSLazyEventListener();
 
     private:
-        JSLazyEventListener(const String& functionName, const String& eventParameterName, const String& code, Node*, const String& sourceURL, int lineNumber, DOMWrapperWorld* isolatedWorld);
+        JSLazyEventListener(const String& functionName, const String& eventParameterName, const String& code, Node*, const String& sourceURL, int lineNumber, JSC::JSObject* wrapper, DOMWrapperWorld* isolatedWorld);
 
-        virtual JSC::JSObject* jsFunction(ScriptExecutionContext*) const;
+        virtual JSC::JSObject* initializeJSFunction(ScriptExecutionContext*) const;
         virtual bool wasCreatedFromMarkup() const { return true; }
-
-        void parseCode(ScriptExecutionContext*) const;
 
         mutable String m_functionName;
         mutable String m_eventParameterName;
         mutable String m_code;
-        mutable bool m_parsed;
         mutable String m_sourceURL;
         int m_lineNumber;

trunk/WebCore/bindings/js/JSMessagePortCustom.cpp

@@ -50 +50 @@
         markDOMObjectWrapper(markStack, *Heap::heap(this)->globalData(), entangledPort);
 
-    m_impl->markEventListeners(markStack);
+    m_impl->markJSEventListeners(markStack);
 }
 
@@ -59 +59 @@
         return jsUndefined();
 
-    impl()->addEventListener(args.at(0).toString(exec), JSEventListener::create(asObject(listener), false, currentWorld(exec)).get(), args.at(2).toBoolean(exec));
+    impl()->addEventListener(args.at(0).toString(exec), JSEventListener::create(asObject(listener), this, false, currentWorld(exec)).get(), args.at(2).toBoolean(exec));
     return jsUndefined();
 }
@@ -69 +69 @@
         return jsUndefined();
 
-    impl()->removeEventListener(args.at(0).toString(exec), JSEventListener::create(asObject(listener), false, currentWorld(exec)).get(), args.at(2).toBoolean(exec));
+    impl()->removeEventListener(args.at(0).toString(exec), JSEventListener::create(asObject(listener), this, false, currentWorld(exec)).get(), args.at(2).toBoolean(exec));
     return jsUndefined();
 }

trunk/WebCore/bindings/js/JSNodeCustom.cpp

@@ -115 +115 @@
         return jsUndefined();
 
-    impl()->addEventListener(args.at(0).toString(exec), JSEventListener::create(asObject(listener), false, currentWorld(exec)), args.at(2).toBoolean(exec));
+    impl()->addEventListener(args.at(0).toString(exec), JSEventListener::create(asObject(listener), this, false, currentWorld(exec)), args.at(2).toBoolean(exec));
     return jsUndefined();
 }
@@ -125 +125 @@
         return jsUndefined();
 
-    impl()->removeEventListener(args.at(0).toString(exec), JSEventListener::create(asObject(listener), false, currentWorld(exec)).get(), args.at(2).toBoolean(exec));
+    impl()->removeEventListener(args.at(0).toString(exec), JSEventListener::create(asObject(listener), this, false, currentWorld(exec)).get(), args.at(2).toBoolean(exec));
     return jsUndefined();
 }
@@ -138 +138 @@
 
     Node* node = m_impl.get();
-    node->markEventListeners(markStack);
+    node->markJSEventListeners(markStack);
 
     // Nodes in the document are kept alive by JSDocument::mark, so, if we're in

trunk/WebCore/bindings/js/JSSVGElementInstanceCustom.cpp

@@ -53 +53 @@
         return jsUndefined();
 
-    impl()->addEventListener(args.at(0).toString(exec), JSEventListener::create(asObject(listener), false, currentWorld(exec)), args.at(2).toBoolean(exec));
+    impl()->addEventListener(args.at(0).toString(exec), JSEventListener::create(asObject(listener), this, false, currentWorld(exec)), args.at(2).toBoolean(exec));
     return jsUndefined();
 }
@@ -63 +63 @@
         return jsUndefined();
 
-    impl()->removeEventListener(args.at(0).toString(exec), JSEventListener::create(asObject(listener), false, currentWorld(exec)).get(), args.at(2).toBoolean(exec));
+    impl()->removeEventListener(args.at(0).toString(exec), JSEventListener::create(asObject(listener), this, false, currentWorld(exec)).get(), args.at(2).toBoolean(exec));
     return jsUndefined();
 }

trunk/WebCore/bindings/js/JSWebSocketCustom.cpp

@@ -66 +66 @@
         return jsUndefined();
 
-    impl()->addEventListener(args.at(0).toString(exec), JSEventListener::create(asObject(listener), false, currentWorld(exec)), args.at(2).toBoolean(exec));
+    impl()->addEventListener(args.at(0).toString(exec), JSEventListener::create(asObject(listener), this, false, currentWorld(exec)), args.at(2).toBoolean(exec));
     return jsUndefined();
 }
@@ -76 +76 @@
         return jsUndefined();
 
-    impl()->removeEventListener(args.at(0).toString(exec), JSEventListener::create(asObject(listener), false, currentWorld(exec)).get(), args.at(2).toBoolean(exec));
+    impl()->removeEventListener(args.at(0).toString(exec), JSEventListener::create(asObject(listener), this, false, currentWorld(exec)).get(), args.at(2).toBoolean(exec));
     return jsUndefined();
 }

trunk/WebCore/bindings/js/JSWorkerContextCustom.cpp

@@ -61 +61 @@
     markDOMObjectWrapper(markStack, globalData, impl()->optionalNavigator());
 
-    impl()->markEventListeners(markStack);
+    impl()->markJSEventListeners(markStack);
 }
 
@@ -128 +128 @@
         return jsUndefined();
 
-    impl()->addEventListener(args.at(0).toString(exec), JSEventListener::create(asObject(listener), false, currentWorld(exec)), args.at(2).toBoolean(exec));
+    impl()->addEventListener(args.at(0).toString(exec), JSEventListener::create(asObject(listener), this, false, currentWorld(exec)), args.at(2).toBoolean(exec));
     return jsUndefined();
 }
@@ -138 +138 @@
         return jsUndefined();
 
-    impl()->removeEventListener(args.at(0).toString(exec), JSEventListener::create(asObject(listener), false, currentWorld(exec)).get(), args.at(2).toBoolean(exec));
+    impl()->removeEventListener(args.at(0).toString(exec), JSEventListener::create(asObject(listener), this, false, currentWorld(exec)).get(), args.at(2).toBoolean(exec));
     return jsUndefined();
 }

trunk/WebCore/bindings/js/JSXMLHttpRequestCustom.cpp

@@ -57 +57 @@
         markDOMObjectWrapper(markStack, *Heap::heap(this)->globalData(), upload);
 
-    m_impl->markEventListeners(markStack);
+    m_impl->markJSEventListeners(markStack);
 }
 
@@ -154 +154 @@
         return jsUndefined();
 
-    impl()->addEventListener(args.at(0).toString(exec), JSEventListener::create(asObject(listener), false, currentWorld(exec)), args.at(2).toBoolean(exec));
+    impl()->addEventListener(args.at(0).toString(exec), JSEventListener::create(asObject(listener), this, false, currentWorld(exec)), args.at(2).toBoolean(exec));
     return jsUndefined();
 }
@@ -164 +164 @@
         return jsUndefined();
 
-    impl()->removeEventListener(args.at(0).toString(exec), JSEventListener::create(asObject(listener), false, currentWorld(exec)).get(), args.at(2).toBoolean(exec));
+    impl()->removeEventListener(args.at(0).toString(exec), JSEventListener::create(asObject(listener), this, false, currentWorld(exec)).get(), args.at(2).toBoolean(exec));
     return jsUndefined();
 }

trunk/WebCore/bindings/js/JSXMLHttpRequestUploadCustom.cpp

@@ -49 +49 @@
         markDOMObjectWrapper(markStack, *Heap::heap(this)->globalData(), xmlHttpRequest);
 
-    m_impl->markEventListeners(markStack);
+    m_impl->markJSEventListeners(markStack);
 }
 
@@ -58 +58 @@
         return jsUndefined();
 
-    impl()->addEventListener(args.at(0).toString(exec), JSEventListener::create(asObject(listener), false, currentWorld(exec)), args.at(2).toBoolean(exec));
+    impl()->addEventListener(args.at(0).toString(exec), JSEventListener::create(asObject(listener), this, false, currentWorld(exec)), args.at(2).toBoolean(exec));
     return jsUndefined();
 }
@@ -68 +68 @@
         return jsUndefined();
 
-    impl()->removeEventListener(args.at(0).toString(exec), JSEventListener::create(asObject(listener), false, currentWorld(exec)).get(), args.at(2).toBoolean(exec));
+    impl()->removeEventListener(args.at(0).toString(exec), JSEventListener::create(asObject(listener), this, false, currentWorld(exec)).get(), args.at(2).toBoolean(exec));
     return jsUndefined();
 }

trunk/WebCore/bindings/js/ScriptEventListener.cpp

@@ -38 +38 @@
 #include "Frame.h"
 #include "XSSAuditor.h"
+#include <runtime/JSLock.h>
 
 using namespace JSC;
@@ -59 +60 @@
     int lineNumber = 1;
     String sourceURL;
+    JSObject* wrapper = 0;
     
     // FIXME: We should be able to provide accurate source information for frameless documents, too (e.g. for importing nodes from XMLHttpRequest.responseXML).
@@ -73 +75 @@
         lineNumber = scriptController->eventHandlerLineNumber();
         sourceURL = node->document()->url().string();
+
+        JSC::JSLock lock(SilenceAssertionsOnly);
+        JSDOMGlobalObject* globalObject = toJSDOMGlobalObject(node->document(), mainThreadNormalWorld());
+        wrapper = asObject(toJS(globalObject->globalExec(), globalObject, node));
     }
 
-    return JSLazyEventListener::create(attr->localName().string(), eventParameterName(node->isSVGElement()), attr->value(), node, sourceURL, lineNumber, mainThreadNormalWorld());
+    return JSLazyEventListener::create(attr->localName().string(), eventParameterName(node->isSVGElement()), attr->value(), node, sourceURL, lineNumber, wrapper, mainThreadNormalWorld());
 }
 
@@ -101 +107 @@
     lineNumber = scriptController->eventHandlerLineNumber();
     sourceURL = frame->document()->url().string();
-    return JSLazyEventListener::create(attr->localName().string(), eventParameterName(frame->document()->isSVGDocument()), attr->value(), 0, sourceURL, lineNumber, mainThreadNormalWorld());
+    JSObject* wrapper = toJSDOMWindow(frame, mainThreadNormalWorld());
+    return JSLazyEventListener::create(attr->localName().string(), eventParameterName(frame->document()->isSVGDocument()), attr->value(), 0, sourceURL, lineNumber, wrapper, mainThreadNormalWorld());
 }
 
 String getEventListenerHandlerBody(ScriptExecutionContext* context, ScriptState* scriptState, EventListener* eventListener)
 {
-    JSC::JSObject* functionObject = eventListener->jsFunction(context);
-    if (!functionObject)
+    const JSEventListener* jsListener = JSEventListener::cast(eventListener);
+    if (!jsListener)
         return "";
-    return functionObject->toString(scriptState);
+    JSC::JSObject* jsFunction = jsListener->jsFunction(context);
+    if (!jsFunction)
+        return "";
+    return jsFunction->toString(scriptState);
 }
 

trunk/WebCore/bindings/scripts/CodeGeneratorJS.pm

@@ -1199 +1199 @@
         if ($eventTarget) {
             $implIncludes{"RegisteredEventListener.h"} = 1;
-            push(@implContent, "    impl()->invalidateEventListeners();\n");
+            push(@implContent, "    impl()->invalidateJSEventListeners(this);\n");
         }
 
@@ -1219 +1219 @@
         push(@implContent, "{\n");
         push(@implContent, "    Base::markChildren(markStack);\n");
-        push(@implContent, "    impl()->markEventListeners(markStack);\n");
+        push(@implContent, "    impl()->markJSEventListeners(markStack);\n");
         push(@implContent, "}\n\n");
     }
@@ -1319 +1319 @@
                     push(@implContent, "    $implClassName* imp = static_cast<$implClassName*>(castedThis->impl());\n");
                     push(@implContent, "    if (EventListener* listener = imp->$implGetterFunctionName()) {\n");
+                    push(@implContent, "        if (const JSEventListener* jsListener = JSEventListener::cast(listener)) {\n");
                     if ($implClassName eq "Document" || $implClassName eq "WorkerContext" || $implClassName eq "SharedWorkerContext" || $implClassName eq "DedicatedWorkerContext") {
-                        push(@implContent, "        if (JSObject* jsFunction = listener->jsFunction(imp))\n");
+                        push(@implContent, "            if (JSObject* jsFunction = jsListener->jsFunction(imp))\n");
                     } else {
-                        push(@implContent, "        if (JSObject* jsFunction = listener->jsFunction(imp->scriptExecutionContext()))\n");
+                        push(@implContent, "            if (JSObject* jsFunction = jsListener->jsFunction(imp->scriptExecutionContext()))\n");
                     }
-                    push(@implContent, "            return jsFunction;\n");
+                    push(@implContent, "                return jsFunction;\n");
+                    push(@implContent, "        }\n");
                     push(@implContent, "    }\n");
                     push(@implContent, "    return jsNull();\n");
@@ -1478 +1480 @@
                             push(@implContent, "    UNUSED_PARAM(exec);\n");
                             push(@implContent, "    $implClassName* imp = static_cast<$implClassName*>(static_cast<$className*>(thisObject)->impl());\n");
-                            push(@implContent, "    imp->set$implSetterFunctionName(createJSAttributeEventListener(exec, value));\n");
+                            push(@implContent, "    imp->set$implSetterFunctionName(createJSAttributeEventListener(exec, value, thisObject));\n");
                         } elsif ($attribute->signature->type =~ /Constructor$/) {
                             my $constructorType = $attribute->signature->type;

trunk/WebCore/dom/EventListener.h

@@ -52 +52 @@
 
 #if USE(JSC)
-        virtual JSC::JSObject* jsFunction(ScriptExecutionContext*) const { return 0; }
         virtual void markJSFunction(JSC::MarkStack&) { }
+        virtual void invalidateJSFunction(JSC::JSObject*) { }
 #endif
 

trunk/WebCore/dom/EventTarget.h

@@ -141 +141 @@
 
 #if USE(JSC)
-        void markEventListeners(JSC::MarkStack&);
-        void invalidateEventListeners();
+        void markJSEventListeners(JSC::MarkStack&);
+        void invalidateJSEventListeners(JSC::JSObject*);
 #endif
 
@@ -186 +186 @@
 
 #if USE(JSC)
-    inline void EventTarget::markEventListeners(JSC::MarkStack& markStack)
+    inline void EventTarget::markJSEventListeners(JSC::MarkStack& markStack)
     {
         EventTargetData* d = eventTargetData();
@@ -200 +200 @@
     }
 
-    inline void EventTarget::invalidateEventListeners()
+    inline void EventTarget::invalidateJSEventListeners(JSC::JSObject* wrapper)
     {
         EventTargetData* d = eventTargetData();
@@ -206 +206 @@
             return;
 
-        deleteAllValues(d->eventListenerMap);
-        d->eventListenerMap.clear();
+        EventListenerMap::iterator end = d->eventListenerMap.end();
+        for (EventListenerMap::iterator it = d->eventListenerMap.begin(); it != end; ++it) {
+            EventListenerVector& entry = *it->second;
+            for (size_t i = 0; i < entry.size(); ++i)
+                entry[i].listener->invalidateJSFunction(wrapper);
+        }
     }
 #endif