Title: [130611] trunk/Source/WebCore
- Revision: 130611
- Author: [email protected]
- Date: 2012-10-07 15:56:50 -0700 (Sun, 07 Oct 2012)
Log Message
REGRESSION (r130584): Crashes in JSC::MarkedAllocator::allocateSlowCase, failing fast/dom/gc-dom-tree-lifetime.html
https://bugs.webkit.org/show_bug.cgi?id=98612
Reviewed by Darin Adler.
Since DOM modification can happen outside of JS, calls into JS due to
DOM modification need to take the JS lock.
* bindings/js/JSNodeCustom.cpp:
(WebCore::willCreatePossiblyOrphanedTreeByRemovalSlowCase): Take the JS
lock before doing a JS allocation, since this may be a JS entrypoint.
* bindings/js/JSNodeCustom.h:
(WebCore::willCreatePossiblyOrphanedTreeByRemoval): Split out a slow case
to help the inliner.
Diff
Modified: trunk/Source/WebCore/ChangeLog (130610 => 130611)
--- trunk/Source/WebCore/ChangeLog 2012-10-07 22:14:01 UTC (rev 130610)
+++ trunk/Source/WebCore/ChangeLog 2012-10-07 22:56:50 UTC (rev 130611)
@@ -1,3 +1,21 @@
+2012-10-07 Geoffrey Garen <[email protected]>
+
+ REGRESSION (r130584): Crashes in JSC::MarkedAllocator::allocateSlowCase, failing fast/dom/gc-dom-tree-lifetime.html
+ https://bugs.webkit.org/show_bug.cgi?id=98612
+
+ Reviewed by Darin Adler.
+
+ Since DOM modification can happen outside of JS, calls into JS due to
+ DOM modification need to take the JS lock.
+
+ * bindings/js/JSNodeCustom.cpp:
+ (WebCore::willCreatePossiblyOrphanedTreeByRemovalSlowCase): Take the JS
+ lock before doing a JS allocation, since this may be a JS entrypoint.
+
+ * bindings/js/JSNodeCustom.h:
+ (WebCore::willCreatePossiblyOrphanedTreeByRemoval): Split out a slow case
+ to help the inliner.
+
2012-10-07 Nick Carter <[email protected]>
[chromium] Crash in WebCore::GraphicsLayerChromium::setContentsToImage
Modified: trunk/Source/WebCore/bindings/js/JSNodeCustom.cpp (130610 => 130611)
--- trunk/Source/WebCore/bindings/js/JSNodeCustom.cpp 2012-10-07 22:14:01 UTC (rev 130610)
+++ trunk/Source/WebCore/bindings/js/JSNodeCustom.cpp 2012-10-07 22:56:50 UTC (rev 130611)
@@ -276,4 +276,14 @@
return createWrapperInline(exec, globalObject, node);
}
+void willCreatePossiblyOrphanedTreeByRemovalSlowCase(Node* root)
+{
+ ScriptState* scriptState = mainWorldScriptState(root->document()->frame());
+ if (!scriptState)
+ return;
+
+ JSLockHolder lock(scriptState);
+ toJS(scriptState, static_cast<JSDOMGlobalObject*>(scriptState->lexicalGlobalObject()), root);
+}
+
} // namespace WebCore
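Review bot: the new willCreatePossiblyOrphanedTreeByRemovalSlowCase has no comment explaining why JSLockHolder is needed here, even though the log message gives the key reason ("this may be a JS entrypoint", reachable from DOM modification outside of JS). A one-line comment above `JSLockHolder lock(scriptState);` stating that this function can be entered from C++ DOM mutation with no JS lock held would keep a future cleanup from dropping the lock as redundant. It would also help to note that the result of `toJS(...)` is intentionally discarded, since the call exists only for its side effect of creating the root's wrapper.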
Modified: trunk/Source/WebCore/bindings/js/JSNodeCustom.h (130610 => 130611)
--- trunk/Source/WebCore/bindings/js/JSNodeCustom.h 2012-10-07 22:14:01 UTC (rev 130610)
+++ trunk/Source/WebCore/bindings/js/JSNodeCustom.h 2012-10-07 22:56:50 UTC (rev 130611)
@@ -73,6 +73,7 @@
// root. In the _javascript_ DOM, a node tree survives as long as there is a
// reference to any node in the tree. To model the _javascript_ DOM on top of
// the C++ DOM, we ensure that the root of every tree has a _javascript_ wrapper.
+void willCreatePossiblyOrphanedTreeByRemovalSlowCase(Node* root);
inline void willCreatePossiblyOrphanedTreeByRemoval(Node* root)
{
if (root->wrapper())
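Review bot: the new declaration of willCreatePossiblyOrphanedTreeByRemovalSlowCase is inserted between the explanatory comment block ("... we ensure that the root of every tree has a _javascript_ wrapper.") and the inline willCreatePossiblyOrphanedTreeByRemoval it describes, so the comment now reads as documentation for the slow-case declaration instead. Moving the declaration above the comment block, or giving it its own short comment, would keep the comment attached to the function it documents.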
@@ -81,11 +82,7 @@
if (!root->hasChildNodes())
return;
- ScriptState* scriptState = mainWorldScriptState(root->document()->frame());
- if (!scriptState)
- return;
-
- toJS(scriptState, static_cast<JSDOMGlobalObject*>(scriptState->lexicalGlobalObject()), root);
+ willCreatePossiblyOrphanedTreeByRemovalSlowCase(root);
}
} // namespace WebCore
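Review bot: the early returns on `root->wrapper()` and `root->hasChildNodes()` are now evaluated before the slow case acquires the JS lock. These read C++ DOM state rather than JS heap state, so this appears fine, but a brief comment on the inline function saying that only the allocation path needs the lock (and that the slow case exists out of line to help the inliner, as the log message states) would make the split easier to maintain.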