Title: [220177] trunk/Source/WebCore
Revision: 220177
Author: [email protected]
Date: 2017-08-02 20:49:53 -0700 (Wed, 02 Aug 2017)
Log Message
Fix crashes in GC creating a document fragment on a background thread
https://bugs.webkit.org/show_bug.cgi?id=175111
Patch by Sam Weinig <[email protected]> on 2017-08-02
Reviewed by Chris Dumez.
r220095 (https://webkit.org/b/175006) changed JSHTMLTemplateElement from using a
private name + property to manage the lifetime of the referenced DocumentFragment
to using the idiomatic visitAdditionalChildren. Unfortunately, the function to access
the DocumentFragment lazily creates it. If this lazy creation happens on a GC thread,
badness ensues. This introduces an accessor that returns the DocumentFragment if it
has been created or null if it has not.
* bindings/js/JSHTMLTemplateElementCustom.cpp:
(WebCore::JSHTMLTemplateElement::visitAdditionalChildren):
* html/HTMLTemplateElement.cpp:
(WebCore::HTMLTemplateElement::contentIfAvailable):
* html/HTMLTemplateElement.h:
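The failure mode the log message describes, modelled as an added example (this is not WebCore code and not the patch author's): a lazily-creating accessor is called from a visitor that a concurrent marker runs on a GC thread, so the DOM-side allocation happens off the owner thread; the fix routes the visitor through a non-creating accessor instead. Fragment, TemplateOwner, OpaqueRoots, runOnGcThread and the three scenario functions are hypothetical stand-ins for DocumentFragment, HTMLTemplateElement, the opaque-root set and a marking thread. Where WebCore would assert isMainThread(), the model increments a counter so that the buggy path can run to completion and be compared with the fixed one.

```cpp
// Added example, not WebCore code. All names are hypothetical stand-ins.
#include <atomic>
#include <cstddef>
#include <cstdio>
#include <memory>
#include <thread>
#include <unordered_set>

namespace example {

struct Fragment {};  // stands in for DocumentFragment

// Counts lazy creations performed off the owner thread. WebCore would
// ASSERT(isMainThread()) instead; counting lets the demo keep running.
static std::atomic<int> offThreadCreations{0};

struct TemplateOwner {  // stands in for HTMLTemplateElement
    std::thread::id ownerThread = std::this_thread::get_id();
    mutable std::unique_ptr<Fragment> m_content;  // like RefPtr<DocumentFragment> m_content

    // Pre-fix accessor: allocates on first use. Creating and mutating a
    // main-thread-only DOM object is legal only on the owner thread.
    Fragment& content() const {
        if (!m_content) {
            if (std::this_thread::get_id() != ownerThread)
                ++offThreadCreations;
            m_content = std::make_unique<Fragment>();
        }
        return *m_content;
    }

    // Accessor the fix adds: a plain load that never creates anything.
    Fragment* contentIfAvailable() const { return m_content.get(); }
};

using OpaqueRoots = std::unordered_set<const void*>;

// Before: the visitor roots content() unconditionally, creating it if absent.
static void visitAdditionalChildrenBefore(const TemplateOwner& owner, OpaqueRoots& roots) {
    roots.insert(&owner.content());
}

// After: the visitor roots the fragment only if it already exists.
static void visitAdditionalChildrenAfter(const TemplateOwner& owner, OpaqueRoots& roots) {
    if (auto* content = owner.contentIfAvailable())
        roots.insert(content);
}

struct Outcome {
    int offThreadCreations;   // lazy creations that ran on the GC thread
    std::size_t rootCount;    // opaque roots the visitor recorded
    bool rootsActualContent;  // the recorded root is the owner's own fragment
};

// Runs `visit` against `owner` on a separate "GC" thread, as a concurrent marker would.
template <typename Visit>
static Outcome runOnGcThread(const TemplateOwner& owner, Visit visit) {
    int before = offThreadCreations.load();
    OpaqueRoots roots;
    std::thread gc([&] { visit(owner, roots); });
    gc.join();  // join orders the GC thread's writes before the reads below
    bool rooted = roots.size() == 1 && owner.m_content
               && roots.count(owner.m_content.get()) == 1;
    return {offThreadCreations.load() - before, roots.size(), rooted};
}

// Scenario 1: old visitor, fragment not yet created: the GC thread creates it.
Outcome buggyVisitorOnFreshElement() {
    TemplateOwner owner;
    return runOnGcThread(owner, visitAdditionalChildrenBefore);
}

// Scenario 2: new visitor, fragment not yet created: nothing rooted, nothing allocated.
Outcome fixedVisitorOnFreshElement() {
    TemplateOwner owner;
    return runOnGcThread(owner, visitAdditionalChildrenAfter);
}

// Scenario 3: new visitor after the owner thread created the fragment: it is rooted.
Outcome fixedVisitorAfterMainThreadCreation() {
    TemplateOwner owner;
    owner.content();  // owner (main) thread materialises the fragment, as script access would
    return runOnGcThread(owner, visitAdditionalChildrenAfter);
}

}  // namespace example

int main() {
    auto a = example::buggyVisitorOnFreshElement();
    auto b = example::fixedVisitorOnFreshElement();
    auto c = example::fixedVisitorAfterMainThreadCreation();
    std::printf("before fix, no content yet: %d off-thread creation(s), %zu root(s)\n",
                a.offThreadCreations, a.rootCount);
    std::printf("after fix, no content yet:  %d off-thread creation(s), %zu root(s)\n",
                b.offThreadCreations, b.rootCount);
    std::printf("after fix, content exists:  %d off-thread creation(s), %zu root(s), roots content=%d\n",
                c.offThreadCreations, c.rootCount, static_cast<int>(c.rootsActualContent));
}
```

The model deliberately joins the GC thread before inspecting state, so the only thread-safety property it exercises is the one the patch targets: which thread performs the allocation. It says nothing about the unsynchronized pointer load the fixed visitor still performs when marking runs concurrently with script; that is a separate question the patch does not document.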
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (220176 => 220177)
--- trunk/Source/WebCore/ChangeLog 2017-08-03 03:25:30 UTC (rev 220176)
+++ trunk/Source/WebCore/ChangeLog 2017-08-03 03:49:53 UTC (rev 220177)
@@ -1,5 +1,25 @@
2017-08-02 Sam Weinig <[email protected]>
+ Fix crashes in GC creating a document fragment on a background thread
+ https://bugs.webkit.org/show_bug.cgi?id=175111
+
+ Reviewed by Chris Dumez.
+
+ r220095 (https://webkit.org/b/175006) change JSHTMLTemplateElement from using a
+ private name + property to manager the lifetime of the reference DocumentFragment
+ to using the idiomatic visitAdditionalChildren. Unfortunately, the function to access
+ the DocumentFragment lazily creates it. If this lazy creation happens on a GC thread,
+ badness ensues. This introduces an accessor that returns the DocumentFragment if it
+ has been created or null if it has not.
+
+ * bindings/js/JSHTMLTemplateElementCustom.cpp:
+ (WebCore::JSHTMLTemplateElement::visitAdditionalChildren):
+ * html/HTMLTemplateElement.cpp:
+ (WebCore::HTMLTemplateElement::contentIfAvailable):
+ * html/HTMLTemplateElement.h:
+
+2017-08-02 Sam Weinig <[email protected]>
+
[WebIDL] Simplify [EnabledBySettings] extended attribute code to not require passing a global object to finishCreation
https://bugs.webkit.org/show_bug.cgi?id=175087
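Review bot: the new ChangeLog paragraph carries three wording errors that will be read as project history: "change JSHTMLTemplateElement" should be "changed", "manager the lifetime" should be "manage the lifetime", and "the reference DocumentFragment" should be "the referenced DocumentFragment". The same text is the commit message, so it is worth correcting in both places rather than only here.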
Modified: trunk/Source/WebCore/bindings/js/JSHTMLTemplateElementCustom.cpp (220176 => 220177)
--- trunk/Source/WebCore/bindings/js/JSHTMLTemplateElementCustom.cpp 2017-08-03 03:25:30 UTC (rev 220176)
+++ trunk/Source/WebCore/bindings/js/JSHTMLTemplateElementCustom.cpp 2017-08-03 03:49:53 UTC (rev 220177)
@@ -39,7 +39,8 @@
void JSHTMLTemplateElement::visitAdditionalChildren(JSC::SlotVisitor& visitor)
{
- visitor.addOpaqueRoot(root(&wrapped().content()));
+ if (auto* content = wrapped().contentIfAvailable())
+ visitor.addOpaqueRoot(root(content));
}
} // namespace WebCore
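Review bot: the replacement body performs an unsynchronized load of m_content from the GC thread while the main thread may be assigning it inside content(); the patch removes the allocation (the crash the bug is about) but does not say whether a fragment created by script mid-marking must be rooted in the same cycle or why a miss is tolerable. A short comment at this call site, stating that content() must never be called here because it allocates on the calling thread and that contentIfAvailable() is intentionally a non-mutating read, would stop a later cleanup from reinstating `visitor.addOpaqueRoot(root(&wrapped().content()));`.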
Modified: trunk/Source/WebCore/html/HTMLTemplateElement.cpp (220176 => 220177)
--- trunk/Source/WebCore/html/HTMLTemplateElement.cpp 2017-08-03 03:25:30 UTC (rev 220176)
+++ trunk/Source/WebCore/html/HTMLTemplateElement.cpp 2017-08-03 03:49:53 UTC (rev 220177)
@@ -56,6 +56,11 @@
return adoptRef(*new HTMLTemplateElement(tagName, document));
}
+DocumentFragment* HTMLTemplateElement::contentIfAvailable() const
+{
+ return m_content.get();
+}
+
DocumentFragment& HTMLTemplateElement::content() const
{
if (!m_content)
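Review bot: contentIfAvailable() is a one-line getter whose whole body is `return m_content.get();`; defining it inline in the header next to its declaration would keep the trivial accessor beside content() and make its no-side-effects nature visible where callers read the interface, rather than adding an out-of-line definition to the .cpp. Returning a non-const pointer from a const member matches content() returning a non-const reference, so no change is needed there.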
Modified: trunk/Source/WebCore/html/HTMLTemplateElement.h (220176 => 220177)
--- trunk/Source/WebCore/html/HTMLTemplateElement.h 2017-08-03 03:25:30 UTC (rev 220176)
+++ trunk/Source/WebCore/html/HTMLTemplateElement.h 2017-08-03 03:49:53 UTC (rev 220177)
@@ -43,6 +43,7 @@
virtual ~HTMLTemplateElement();
DocumentFragment& content() const;
+ DocumentFragment* contentIfAvailable() const;
private:
HTMLTemplateElement(const QualifiedName&, Document&);
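Review bot: the header now offers two accessors distinguished only by an IfAvailable suffix, with nothing saying which is safe where. Add a comment on the new declaration that it never creates the fragment and is the one to call from visitAdditionalChildren or any other code that can run on a GC thread, and that content() lazily allocates and is main-thread only; the header is where the next caller will look, and the bug this patch fixes came from exactly that distinction being invisible.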
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes