Title: [288753] trunk/Source/WebCore
Revision
288753
Author
commit-qu...@webkit.org
Date
2022-01-28 11:48:34 -0800 (Fri, 28 Jan 2022)

Log Message

JSEventListener::replaceJSFunctionForAttributeListener() should not replace m_wrapper unconditionally
https://bugs.webkit.org/show_bug.cgi?id=235658

Unreviewed, follow-up to r288648 based on Geoff's feedback.

Assert that if replaceJSFunctionForAttributeListener() is invoked, m_wrapper is
alive and remains unchanged. Remove writeBarrier() as ensureJSFunction() sets it
up only for functions created from source code.

To meet the expectation for Window-reflecting event handlers, ensure that
setAttributeEventListener() is called with the correct wrapper, and also call it
directly on DOMWindow to improve readability.

Patch by Alexey Shvayka <ashva...@apple.com> on 2022-01-28

* bindings/js/JSEventListener.cpp:
(WebCore::JSEventListener::replaceJSFunctionForAttributeListener):
* bindings/js/JSEventListener.h:
(WebCore::setWindowEventHandlerAttribute):

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (288752 => 288753)


--- trunk/Source/WebCore/ChangeLog	2022-01-28 19:47:34 UTC (rev 288752)
+++ trunk/Source/WebCore/ChangeLog	2022-01-28 19:48:34 UTC (rev 288753)
@@ -1,3 +1,23 @@
+2022-01-28  Alexey Shvayka  <ashva...@apple.com>
+
+        JSEventListener::replaceJSFunctionForAttributeListener() should not replace m_wrapper unconditionally
+        https://bugs.webkit.org/show_bug.cgi?id=235658
+
+        Unreviewed, follow-up to r288648 based on Geoff's feedback.
+
+        Assert that if replaceJSFunctionForAttributeListener() is invoked, m_wrapper is
+        alive and remains unchanged. Remove writeBarrier() as ensureJSFunction() sets it
+        up only for functions created from source code.
+
+        To meet the expectation for Window-reflecting event handlers, ensure that
+        setAttributeEventListener() is called with the correct wrapper, and also call it
+        directly on DOMWindow to improve readability.
+
+        * bindings/js/JSEventListener.cpp:
+        (WebCore::JSEventListener::replaceJSFunctionForAttributeListener):
+        * bindings/js/JSEventListener.h:
+        (WebCore::setWindowEventHandlerAttribute):
+
 2022-01-28  Michael Saboff  <msab...@apple.com>
 
         Catalyst builds fail for WebCore, WebKi and WebKitLegacy for builds with system content path

Modified: trunk/Source/WebCore/bindings/js/JSEventListener.cpp (288752 => 288753)


--- trunk/Source/WebCore/bindings/js/JSEventListener.cpp	2022-01-28 19:47:34 UTC (rev 288752)
+++ trunk/Source/WebCore/bindings/js/JSEventListener.cpp	2022-01-28 19:48:34 UTC (rev 288753)
@@ -86,10 +86,10 @@
     ASSERT(wrapper);
 
     m_jsFunction = Weak { function };
-    if (UNLIKELY(!m_isInitialized)) {
+    if (m_isInitialized)
+        ASSERT(m_wrapper.get() == wrapper);
+    else {
         m_wrapper = Weak { wrapper };
-        auto& vm = m_isolatedWorld->vm();
-        vm.writeBarrier(wrapper, function);
         m_isInitialized = true;
     }
 }
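Review bot: with `vm.writeBarrier(wrapper, function)` removed, the new Weak store into `m_jsFunction` no longer tells the GC that `wrapper` now references `function`; the ChangeLog says `ensureJSFunction()` issues the barrier only for functions created from source code, so please confirm (ideally in a comment at this site) that the replacement path is reached only when the new function is already marked through the wrapper's own visiting, otherwise a collection between this store and the next visit could clear the Weak and the handler would silently vanish. Separately, `ASSERT(m_wrapper.get() == wrapper)` compiles out in release builds, so a caller that passes a different wrapper keeps the listener bound to the old one with no diagnostic; if a mismatch indicates a lifetime bug rather than a programming error caught in testing, consider `RELEASE_ASSERT`, and note that dropping `UNLIKELY` here is fine since the branch is now the common path.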

Modified: trunk/Source/WebCore/bindings/js/JSEventListener.h (288752 => 288753)


--- trunk/Source/WebCore/bindings/js/JSEventListener.h	2022-01-28 19:47:34 UTC (rev 288752)
+++ trunk/Source/WebCore/bindings/js/JSEventListener.h	2022-01-28 19:48:34 UTC (rev 288753)
@@ -107,7 +107,7 @@
 template<typename JSMaybeErrorEventListener>
 inline void setWindowEventHandlerAttribute(DOMWindow& window, const AtomString& eventType, JSC::JSValue listener, JSC::JSObject& jsEventTarget)
 {
-    window.setAttributeEventListener<JSMaybeErrorEventListener>(eventType, listener, jsEventTarget);
+    window.setAttributeEventListener<JSMaybeErrorEventListener>(eventType, listener, *jsEventTarget.globalObject());
 }
 
 template<typename JSMaybeErrorEventListener>
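Review bot: the wrapper handed to `setAttributeEventListener` changes from `jsEventTarget` to `*jsEventTarget.globalObject()`, which is what makes the new `m_wrapper.get() == wrapper` assertion in JSEventListener.cpp hold for Window-reflecting handlers, but nothing at this call site says so; a one-line comment explaining that Window-reflecting handlers are always owned by the global object would save the next reader a trip through the .cpp. The unconditional dereference also relies on `JSObject::globalObject()` never returning null, which is true for a live cell but worth stating given that `jsEventTarget` arrives as a reference to an arbitrary `JSObject`.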
@@ -114,7 +114,7 @@
 inline void setWindowEventHandlerAttribute(HTMLElement& element, const AtomString& eventType, JSC::JSValue listener, JSC::JSObject& jsEventTarget)
 {
     if (auto* domWindow = element.document().domWindow())
-        setWindowEventHandlerAttribute<JSMaybeErrorEventListener>(*domWindow, eventType, listener, jsEventTarget);
+        domWindow->setAttributeEventListener<JSMaybeErrorEventListener>(eventType, listener, *jsEventTarget.globalObject());
 }
 
 inline JSC::JSObject* JSEventListener::ensureJSFunction(ScriptExecutionContext& scriptExecutionContext) const
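Review bot: this overload now repeats the `*jsEventTarget.globalObject()` expression instead of forwarding to the `DOMWindow&` overload above, so the choice of wrapper for Window-reflecting handlers lives in two places and a future change to one will miss the other; if the direct call is kept for readability, as the ChangeLog states, consider at least a shared helper for the `globalObject()` lookup. Also note that when `element.document().domWindow()` is null (detached document) the handler is dropped with no effect, which is pre-existing behaviour but now sits next to code that asserts on wrapper identity, so a brief comment that this path is intentionally a no-op would help.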