[webkit-changes] [112161] trunk

[adamk]

Title: [112161] trunk

Revision

112161

Author

ad...@chromium.org

Date

2012-03-26 15:49:27 -0700 (Mon, 26 Mar 2012)

Log Message

V8RecursionScope should not hold a raw pointer to ScriptExecutionContext
https://bugs.webkit.org/show_bug.cgi?id=82222

Reviewed by Eric Seidel.

Source/WebCore:

Instead of holding onto ScriptExecutionContext, cache the boolean value we
care about (context->isDocument()). This avoids problems if the
context goes away as a result of the script we just ran.

Test: fast/frames/subframe-load-js-url-crash.html

* bindings/v8/V8RecursionScope.cpp:
(WebCore::V8RecursionScope::didLeaveScriptContext): Check the cached
bool instead of calling into the context.
* bindings/v8/V8RecursionScope.h:
(WebCore::V8RecursionScope::V8RecursionScope): Call isDocument from
the constructor and cache the result.
(WebCore::V8RecursionScope::~V8RecursionScope): No longer need to pass
anything to didLeaveScriptContext since it's now a member.
(V8RecursionScope): Make didLeaveScriptContext a member function and
remove its argument. Add member bool to hold the value of isDocument.

LayoutTests:

* fast/frames/resources/subframe-load-js-url-crash-iframe.html: Added.
* fast/frames/subframe-load-js-url-crash-expected.txt: Added.
* fast/frames/subframe-load-js-url-crash.html: Added.

Modified Paths

• trunk/LayoutTests/ChangeLog
• trunk/Source/WebCore/ChangeLog
• trunk/Source/WebCore/bindings/v8/V8RecursionScope.cpp
• trunk/Source/WebCore/bindings/v8/V8RecursionScope.h

Added Paths

• trunk/LayoutTests/fast/frames/resources/subframe-load-js-url-crash-iframe.html
• trunk/LayoutTests/fast/frames/subframe-load-js-url-crash-expected.txt
• trunk/LayoutTests/fast/frames/subframe-load-js-url-crash.html

Diff

Modified: trunk/LayoutTests/ChangeLog (112160 => 112161)

--- trunk/LayoutTests/ChangeLog	2012-03-26 22:47:29 UTC (rev 112160)
+++ trunk/LayoutTests/ChangeLog	2012-03-26 22:49:27 UTC (rev 112161)
@@ -1,3 +1,14 @@
+2012-03-26  Adam Klein  <ad...@chromium.org>
+
+        V8RecursionScope should not hold a raw pointer to ScriptExecutionContext
+        https://bugs.webkit.org/show_bug.cgi?id=82222
+
+        Reviewed by Eric Seidel.
+
+        * fast/frames/resources/subframe-load-js-url-crash-iframe.html: Added.
+        * fast/frames/subframe-load-js-url-crash-expected.txt: Added.
+        * fast/frames/subframe-load-js-url-crash.html: Added.
+
 2012-03-26  Raphael Kubo da Costa  <rak...@freebsd.org>
 
         [EFL] Unreviewed gardening i fast/frames, fast/html and

Added: trunk/LayoutTests/fast/frames/resources/subframe-load-js-url-crash-iframe.html (0 => 112161)

--- trunk/LayoutTests/fast/frames/resources/subframe-load-js-url-crash-iframe.html	                        (rev 0)
+++ trunk/LayoutTests/fast/frames/resources/subframe-load-js-url-crash-iframe.html	2012-03-26 22:49:27 UTC (rev 112161)
@@ -0,0 +1,7 @@
+<script src=""
+<script>
+setTimeout(function() {
+    frameElement.src = ""
+    gc();
+}, 0);
+</script>

Added: trunk/LayoutTests/fast/frames/subframe-load-js-url-crash-expected.txt (0 => 112161)

--- trunk/LayoutTests/fast/frames/subframe-load-js-url-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/frames/subframe-load-js-url-crash-expected.txt	2012-03-26 22:49:27 UTC (rev 112161)
@@ -0,0 +1,2 @@
+Test passes if it does not crash.
+

Added: trunk/LayoutTests/fast/frames/subframe-load-js-url-crash.html (0 => 112161)

--- trunk/LayoutTests/fast/frames/subframe-load-js-url-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/frames/subframe-load-js-url-crash.html	2012-03-26 22:49:27 UTC (rev 112161)
@@ -0,0 +1,3 @@
+<div>Test passes if it does not crash.</div>
+<script>if (window.layoutTestController) layoutTestController.dumpAsText();</script>
+<iframe src=""

Modified: trunk/Source/WebCore/ChangeLog (112160 => 112161)

--- trunk/Source/WebCore/ChangeLog	2012-03-26 22:47:29 UTC (rev 112160)
+++ trunk/Source/WebCore/ChangeLog	2012-03-26 22:49:27 UTC (rev 112161)
@@ -1,3 +1,27 @@
+2012-03-26  Adam Klein  <ad...@chromium.org>
+
+        V8RecursionScope should not hold a raw pointer to ScriptExecutionContext
+        https://bugs.webkit.org/show_bug.cgi?id=82222
+
+        Reviewed by Eric Seidel.
+
+        Instead of holding onto ScriptExecutionContext, cache the boolean value we
+        care about (context->isDocument()). This avoids problems if the
+        context goes away as a result of the script we just ran.
+
+        Test: fast/frames/subframe-load-js-url-crash.html
+
+        * bindings/v8/V8RecursionScope.cpp:
+        (WebCore::V8RecursionScope::didLeaveScriptContext): Check the cached
+        bool instead of calling into the context.
+        * bindings/v8/V8RecursionScope.h:
+        (WebCore::V8RecursionScope::V8RecursionScope): Call isDocument from
+        the constructor and cache the result.
+        (WebCore::V8RecursionScope::~V8RecursionScope): No longer need to pass
+        anything to didLeaveScriptContext since it's now a member.
+        (V8RecursionScope): Make didLeaveScriptContext a member function and
+        remove its argument. Add member bool to hold the value of isDocument.
+
 2012-03-26  Dana Jansens  <dan...@chromium.org>
 
         [chromium] assertion being hit in CCLayerTreeHost::updateCompositorResources

Modified: trunk/Source/WebCore/bindings/v8/V8RecursionScope.cpp (112160 => 112161)

--- trunk/Source/WebCore/bindings/v8/V8RecursionScope.cpp	2012-03-26 22:47:29 UTC (rev 112160)
+++ trunk/Source/WebCore/bindings/v8/V8RecursionScope.cpp	2012-03-26 22:49:27 UTC (rev 112161)
@@ -32,12 +32,11 @@
 #include "V8RecursionScope.h"
 
 #include "IDBPendingTransactionMonitor.h"
-#include "ScriptExecutionContext.h"
 #include "WebKitMutationObserver.h"
 
 namespace WebCore {
 
-void V8RecursionScope::didLeaveScriptContext(ScriptExecutionContext* context)
+void V8RecursionScope::didLeaveScriptContext()
 {
     // FIXME: Instrument any work that takes place when script exits to c++ (e.g. Mutation Observers).
 
@@ -49,7 +48,7 @@
 #endif
 
 #if ENABLE(MUTATION_OBSERVERS)
-    if (context && context->isDocument())
+    if (m_isDocumentContext)
         WebKitMutationObserver::deliverAllMutations();
 #endif
 }

Modified: trunk/Source/WebCore/bindings/v8/V8RecursionScope.h (112160 => 112161)

--- trunk/Source/WebCore/bindings/v8/V8RecursionScope.h	2012-03-26 22:47:29 UTC (rev 112160)
+++ trunk/Source/WebCore/bindings/v8/V8RecursionScope.h	2012-03-26 22:49:27 UTC (rev 112161)
@@ -31,17 +31,16 @@
 #ifndef V8RecursionScope_h
 #define V8RecursionScope_h
 
+#include "ScriptExecutionContext.h"
 #include "V8Binding.h"
 
 namespace WebCore {
 
-class ScriptExecutionContext;
-
 class V8RecursionScope {
     WTF_MAKE_NONCOPYABLE(V8RecursionScope);
 public:
     explicit V8RecursionScope(ScriptExecutionContext* context)
-        : m_context(context)
+        : m_isDocumentContext(context && context->isDocument())
     {
         V8BindingPerIsolateData::current()->incrementRecursionLevel();
     }
@@ -49,15 +48,15 @@
     ~V8RecursionScope()
     {
         if (!V8BindingPerIsolateData::current()->decrementRecursionLevel())
-            didLeaveScriptContext(m_context);
+            didLeaveScriptContext();
     }
 
     static int recursionLevel() { return V8BindingPerIsolateData::current()->recursionLevel(); }
 
 private:
-    static void didLeaveScriptContext(ScriptExecutionContext*);
+    void didLeaveScriptContext();
 
-    ScriptExecutionContext* m_context;
+    bool m_isDocumentContext;
 };
 
 } // namespace WebCore

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes