Attachment 340647 Details for Bug 185737 – Patch

[patch] Patch

bug-185737-20180517144434.patch (text/plain), 22.42 KB, created by Chris Dumez on 2018-05-17 14:44:34 PDT

(hide)

Description:

Filename:

MIME Type:

Creator: Chris Dumez

Created: 2018-05-17 14:44:34 PDT

Size: 22.42 KB

patch

obsolete

>Subversion Revision: 231909
>diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
>index 385c13ad4a13a4358b89650e67f3e15972bc8dab..975814f410965fe6e46261de21310edd222b51f3 100644
>--- a/Source/WebCore/ChangeLog
>+++ b/Source/WebCore/ChangeLog
>@@ -1,3 +1,61 @@
>+2018-05-17  Chris Dumez  <cdumez@apple.com>
>+
>+        Avoid keeping the frame alive when ref'ing a WindowProxy
>+        https://bugs.webkit.org/show_bug.cgi?id=185737
>+        <rdar://problem/40004666>
>+
>+        Reviewed by NOBODY (OOPS!).
>+
>+        Avoid keeping the frame alive when ref'ing a WindowProxy by making WindowProxy
>+        manage its own refcount (instead of proxying refcounting to the Frame). As a
>+        result, a WindowProxy can now be detached from its Frame. When detached, it
>+        return null when asked for a JSWindowProxy.
>+
>+        It is important to not extend the lifetime of the Frame because we want script
>+        to stop running when the Page gets destroyed.
>+
>+        * bindings/js/JSWindowProxy.cpp:
>+        (WebCore::toJS):
>+        (WebCore::toJSWindowProxy):
>+        * bindings/js/JSWindowProxy.h:
>+        (WebCore::toJSWindowProxy):
>+        * bindings/js/ScriptController.cpp:
>+        (WebCore::ScriptController::evaluateInWorld):
>+        (WebCore::ScriptController::loadModuleScriptInWorld):
>+        (WebCore::ScriptController::linkAndEvaluateModuleScriptInWorld):
>+        (WebCore::ScriptController::evaluateModule):
>+        (WebCore::ScriptController::setupModuleScriptHandlers):
>+        (WebCore::ScriptController::jsWindowProxy):
>+        (WebCore::ScriptController::windowScriptNPObject):
>+        (WebCore::ScriptController::executeIfJavaScriptURL):
>+        * bindings/js/ScriptController.h:
>+        (WebCore::ScriptController::globalObject):
>+        * bindings/js/ScriptControllerMac.mm:
>+        (WebCore::ScriptController::windowScriptObject):
>+        * bindings/js/ScriptState.cpp:
>+        (WebCore::mainWorldExecState):
>+        * bindings/js/WindowProxy.cpp:
>+        (WebCore::WindowProxy::WindowProxy):
>+        (WebCore::WindowProxy::~WindowProxy):
>+        (WebCore::WindowProxy::detachFromFrame):
>+        (WebCore::WindowProxy::createJSWindowProxy):
>+        (WebCore::WindowProxy::globalObject):
>+        (WebCore::WindowProxy::createJSWindowProxyWithInitializedScript):
>+        (WebCore::WindowProxy::setDOMWindow):
>+        (WebCore::WindowProxy::window const):
>+        (WebCore::WindowProxy::ref): Deleted.
>+        (WebCore::WindowProxy::deref): Deleted.
>+        * bindings/js/WindowProxy.h:
>+        (WebCore::WindowProxy::create):
>+        (WebCore::WindowProxy::frame const):
>+        (WebCore::WindowProxy::jsWindowProxy):
>+        * dom/DocumentTouch.cpp:
>+        (WebCore::DocumentTouch::createTouch):
>+        * page/AbstractFrame.cpp:
>+        (WebCore::AbstractFrame::AbstractFrame):
>+        (WebCore::AbstractFrame::~AbstractFrame):
>+        * page/AbstractFrame.h:
>+
> 2018-05-17  Zalan Bujtas  <zalan@apple.com>
> 
>         [LFC] Introduce DisplayBox::Style
>diff --git a/Source/WebKit/ChangeLog b/Source/WebKit/ChangeLog
>index 28926839018abefbf0120b3f684f1ba92cffc93f..e789e97330dacb1d44841c4edde8ec7d53c39469 100644
>--- a/Source/WebKit/ChangeLog
>+++ b/Source/WebKit/ChangeLog
>@@ -1,3 +1,14 @@
>+2018-05-17  Chris Dumez  <cdumez@apple.com>
>+
>+        Avoid keeping the frame alive when ref'ing a WindowProxy
>+        https://bugs.webkit.org/show_bug.cgi?id=185737
>+        <rdar://problem/40004666>
>+
>+        Reviewed by NOBODY (OOPS!).
>+
>+        * WebProcess/Plugins/PluginView.cpp:
>+        (WebKit::PluginView::windowScriptNPObject):
>+
> 2018-05-17  Jer Noble  <jer.noble@apple.com>
> 
>         Turn Modern EME API on by default and remove it as an experimental feature
>diff --git a/Source/WebKitLegacy/mac/ChangeLog b/Source/WebKitLegacy/mac/ChangeLog
>index eb48da8586ce753ed9b7a8e858f5bffdc0308520..a2b2356f67f5ef8068bf89c6ca05d88a7ebe78ee 100644
>--- a/Source/WebKitLegacy/mac/ChangeLog
>+++ b/Source/WebKitLegacy/mac/ChangeLog
>@@ -1,3 +1,14 @@
>+2018-05-17  Chris Dumez  <cdumez@apple.com>
>+
>+        Avoid keeping the frame alive when ref'ing a WindowProxy
>+        https://bugs.webkit.org/show_bug.cgi?id=185737
>+        <rdar://problem/40004666>
>+
>+        Reviewed by NOBODY (OOPS!).
>+
>+        * Plugins/Hosted/NetscapePluginInstanceProxy.mm:
>+        (WebKit::NetscapePluginInstanceProxy::getWindowNPObject):
>+
> 2018-05-16  Andy VanWagoner  <andy@vanwagoner.family>
> 
>         Add support for Intl NumberFormat formatToParts
>diff --git a/Source/WebCore/bindings/js/JSWindowProxy.cpp b/Source/WebCore/bindings/js/JSWindowProxy.cpp
>index a4b1805c652e2320bfd79a0979279acc087b6941..ca32bb6a6e6113c5c0a81cd24ead1c63d96c9bd5 100644
>--- a/Source/WebCore/bindings/js/JSWindowProxy.cpp
>+++ b/Source/WebCore/bindings/js/JSWindowProxy.cpp
>@@ -146,10 +146,11 @@ AbstractDOMWindow& JSWindowProxy::wrapped() const
> 
> JSValue toJS(ExecState* state, WindowProxy& windowProxy)
> {
>-    return &windowProxy.jsWindowProxy(currentWorld(*state));
>+    auto* jsWindowProxy = windowProxy.jsWindowProxy(currentWorld(*state));
>+    return jsWindowProxy ? JSValue(jsWindowProxy) : jsNull();
> }
> 
>-JSWindowProxy& toJSWindowProxy(WindowProxy& windowProxy, DOMWrapperWorld& world)
>+JSWindowProxy* toJSWindowProxy(WindowProxy& windowProxy, DOMWrapperWorld& world)
> {
>     return windowProxy.jsWindowProxy(world);
> }
>diff --git a/Source/WebCore/bindings/js/JSWindowProxy.h b/Source/WebCore/bindings/js/JSWindowProxy.h
>index e6f171c68696a91a1dcd41d2381c04ce0d348ca2..08093dc6e17203c47eab4e175ac3298d9c2c1410 100644
>--- a/Source/WebCore/bindings/js/JSWindowProxy.h
>+++ b/Source/WebCore/bindings/js/JSWindowProxy.h
>@@ -77,8 +77,8 @@ inline JSC::JSValue toJS(JSC::ExecState* state, WindowProxy* windowProxy) { retu
> inline JSC::JSValue toJS(JSC::ExecState* state, JSDOMGlobalObject*, WindowProxy& windowProxy) { return toJS(state, windowProxy); }
> inline JSC::JSValue toJS(JSC::ExecState* state, JSDOMGlobalObject* globalObject, WindowProxy* windowProxy) { return windowProxy ? toJS(state, globalObject, *windowProxy) : JSC::jsNull(); }
> 
>-JSWindowProxy& toJSWindowProxy(WindowProxy&, DOMWrapperWorld&);
>-inline JSWindowProxy* toJSWindowProxy(WindowProxy* windowProxy, DOMWrapperWorld& world) { return windowProxy ? &toJSWindowProxy(*windowProxy, world) : nullptr; }
>+JSWindowProxy* toJSWindowProxy(WindowProxy&, DOMWrapperWorld&);
>+inline JSWindowProxy* toJSWindowProxy(WindowProxy* windowProxy, DOMWrapperWorld& world) { return windowProxy ? toJSWindowProxy(*windowProxy, world) : nullptr; }
> 
> 
> template<> struct JSDOMWrapperConverterTraits<WindowProxy> {
>diff --git a/Source/WebCore/bindings/js/ScriptController.cpp b/Source/WebCore/bindings/js/ScriptController.cpp
>index 6e2e408264dbf18c489b9c987b509a85fe0062a0..e9a3b69fedd1211f8959e5dd95d1b6cb039bba01 100644
>--- a/Source/WebCore/bindings/js/ScriptController.cpp
>+++ b/Source/WebCore/bindings/js/ScriptController.cpp
>@@ -117,7 +117,7 @@ JSValue ScriptController::evaluateInWorld(const ScriptSourceCode& sourceCode, DO
>     // and false for <script>doSomething()</script>. Check if it has the
>     // expected value in all cases.
>     // See smart window.open policy for where this is used.
>-    auto& proxy = windowProxy().jsWindowProxy(world);
>+    auto& proxy = jsWindowProxy(world);
>     auto& exec = *proxy.window()->globalExec();
>     const String* savedSourceURL = m_sourceURL;
>     m_sourceURL = &sourceURL;
>@@ -150,7 +150,7 @@ void ScriptController::loadModuleScriptInWorld(LoadableModuleScript& moduleScrip
> {
>     JSLockHolder lock(world.vm());
> 
>-    auto& proxy = windowProxy().jsWindowProxy(world);
>+    auto& proxy = jsWindowProxy(world);
>     auto& state = *proxy.window()->globalExec();
> 
>     auto& promise = JSMainThreadExecState::loadModule(state, moduleName, JSC::JSScriptFetchParameters::create(state.vm(), WTFMove(topLevelFetchParameters)), JSC::JSScriptFetcher::create(state.vm(), { &moduleScript }));
>@@ -166,7 +166,7 @@ void ScriptController::loadModuleScriptInWorld(LoadableModuleScript& moduleScrip
> {
>     JSLockHolder lock(world.vm());
> 
>-    auto& proxy = windowProxy().jsWindowProxy(world);
>+    auto& proxy = jsWindowProxy(world);
>     auto& state = *proxy.window()->globalExec();
> 
>     auto& promise = JSMainThreadExecState::loadModule(state, sourceCode.jsSourceCode(), JSC::JSScriptFetcher::create(state.vm(), { &moduleScript }));
>@@ -182,7 +182,7 @@ JSC::JSValue ScriptController::linkAndEvaluateModuleScriptInWorld(LoadableModule
> {
>     JSLockHolder lock(world.vm());
> 
>-    auto& proxy = windowProxy().jsWindowProxy(world);
>+    auto& proxy = jsWindowProxy(world);
>     auto& state = *proxy.window()->globalExec();
> 
>     // FIXME: Preventing Frame from being destroyed is essentially unnecessary.
>@@ -211,7 +211,7 @@ JSC::JSValue ScriptController::evaluateModule(const URL& sourceURL, JSModuleReco
> 
>     const auto& jsSourceCode = moduleRecord.sourceCode();
> 
>-    auto& proxy = windowProxy().jsWindowProxy(world);
>+    auto& proxy = jsWindowProxy(world);
>     auto& state = *proxy.window()->globalExec();
>     SetForScope<const String*> sourceURLScope(m_sourceURL, &sourceURL.string());
> 
>@@ -268,7 +268,7 @@ static Identifier jsValueToModuleKey(ExecState* exec, JSValue value)
> 
> void ScriptController::setupModuleScriptHandlers(LoadableModuleScript& moduleScriptRef, JSInternalPromise& promise, DOMWrapperWorld& world)
> {
>-    auto& proxy = windowProxy().jsWindowProxy(world);
>+    auto& proxy = jsWindowProxy(world);
>     auto& state = *proxy.window()->globalExec();
> 
>     // It is not guaranteed that either fulfillHandler or rejectHandler is eventually called.
>@@ -325,6 +325,13 @@ WindowProxy& ScriptController::windowProxy()
>     return m_frame.windowProxy();
> }
> 
>+JSWindowProxy& ScriptController::jsWindowProxy(DOMWrapperWorld& world)
>+{
>+    auto* jsWindowProxy = m_frame.windowProxy().jsWindowProxy(world);
>+    ASSERT_WITH_MESSAGE(jsWindowProxy, "The JSWindowProxy can only be null if the frame has been destroyed");
>+    return *jsWindowProxy;
>+}
>+
> TextPosition ScriptController::eventHandlerPosition() const
> {
>     // FIXME: If we are not currently parsing, we should use our current location
>@@ -442,7 +449,7 @@ NPObject* ScriptController::windowScriptNPObject()
>         if (canExecuteScripts(NotAboutToExecuteScript)) {
>             // JavaScript is enabled, so there is a JavaScript window object.
>             // Return an NPObject bound to the window object.
>-            auto* window = windowProxy().jsWindowProxy(pluginWorld()).window();
>+            auto* window = jsWindowProxy(pluginWorld()).window();
>             ASSERT(window);
>             Bindings::RootObject* root = bindingRootObject();
>             m_windowScriptNPObject = _NPN_CreateScriptObject(0, window, root);
>@@ -603,7 +610,7 @@ bool ScriptController::executeIfJavaScriptURL(const URL& url, ShouldReplaceDocum
>         return true;
> 
>     String scriptResult;
>-    if (!result || !result.getString(windowProxy().jsWindowProxy(mainThreadNormalWorld()).window()->globalExec(), scriptResult))
>+    if (!result || !result.getString(jsWindowProxy(mainThreadNormalWorld()).window()->globalExec(), scriptResult))
>         return true;
> 
>     // FIXME: We should always replace the document, but doing so
>diff --git a/Source/WebCore/bindings/js/ScriptController.h b/Source/WebCore/bindings/js/ScriptController.h
>index d6e59001f28c25362adda437fd89da0e193bcbda..fb4de4da15aadaad529aa5bb95296e7b791ef660 100644
>--- a/Source/WebCore/bindings/js/ScriptController.h
>+++ b/Source/WebCore/bindings/js/ScriptController.h
>@@ -83,7 +83,7 @@ public:
> 
>     JSDOMWindow* globalObject(DOMWrapperWorld& world)
>     {
>-        return JSC::jsCast<JSDOMWindow*>(windowProxy().jsWindowProxy(world).window());
>+        return JSC::jsCast<JSDOMWindow*>(jsWindowProxy(world).window());
>     }
> 
>     static void getAllWorlds(Vector<Ref<DOMWrapperWorld>>&);
>@@ -166,6 +166,7 @@ private:
>     void disconnectPlatformScriptObjects();
> 
>     WEBCORE_EXPORT WindowProxy& windowProxy();
>+    WEBCORE_EXPORT JSWindowProxy& jsWindowProxy(DOMWrapperWorld&);
> 
>     Frame& m_frame;
>     const String* m_sourceURL;
>diff --git a/Source/WebCore/bindings/js/ScriptControllerMac.mm b/Source/WebCore/bindings/js/ScriptControllerMac.mm
>index 3ec416585ba008716dede225e5097755358ddf54..de7938e9f6a5c2bc0914ef0f2ba9a79d2da2931b 100644
>--- a/Source/WebCore/bindings/js/ScriptControllerMac.mm
>+++ b/Source/WebCore/bindings/js/ScriptControllerMac.mm
>@@ -103,7 +103,7 @@ WebScriptObject *ScriptController::windowScriptObject()
>     if (!m_windowScriptObject) {
>         JSC::JSLockHolder lock(commonVM());
>         JSC::Bindings::RootObject* root = bindingRootObject();
>-        m_windowScriptObject = [WebScriptObject scriptObjectForJSObject:toRef(&windowProxy().jsWindowProxy(pluginWorld())) originRootObject:root rootObject:root];
>+        m_windowScriptObject = [WebScriptObject scriptObjectForJSObject:toRef(&jsWindowProxy(pluginWorld())) originRootObject:root rootObject:root];
>     }
> 
>     return m_windowScriptObject.get();
>diff --git a/Source/WebCore/bindings/js/ScriptState.cpp b/Source/WebCore/bindings/js/ScriptState.cpp
>index 31b6e784234eff5a4f15c955747fb359e383b32e..eee839cc4264fbe4a29dfb991b5fde50d60bab1c 100644
>--- a/Source/WebCore/bindings/js/ScriptState.cpp
>+++ b/Source/WebCore/bindings/js/ScriptState.cpp
>@@ -75,7 +75,7 @@ JSC::ExecState* mainWorldExecState(Frame* frame)
> {
>     if (!frame)
>         return nullptr;
>-    return frame->windowProxy().jsWindowProxy(mainThreadNormalWorld()).window()->globalExec();
>+    return frame->windowProxy().jsWindowProxy(mainThreadNormalWorld())->window()->globalExec();
> }
> 
> JSC::ExecState* execStateFromNode(DOMWrapperWorld& world, Node* node)
>diff --git a/Source/WebCore/bindings/js/WindowProxy.cpp b/Source/WebCore/bindings/js/WindowProxy.cpp
>index 9018d23d23ca1e947aed2993d184f9102db7189b..dcf1e0e560ca9c9a75fa58a3da9d902cfc982d1a 100644
>--- a/Source/WebCore/bindings/js/WindowProxy.cpp
>+++ b/Source/WebCore/bindings/js/WindowProxy.cpp
>@@ -49,12 +49,22 @@ static void collectGarbageAfterWindowProxyDestruction()
> }
> 
> WindowProxy::WindowProxy(AbstractFrame& frame)
>-    : m_frame(frame)
>+    : m_frame(&frame)
> {
> }
> 
> WindowProxy::~WindowProxy()
> {
>+    ASSERT(!m_frame);
>+    ASSERT(m_jsWindowProxies.isEmpty());
>+}
>+
>+void WindowProxy::detachFromFrame()
>+{
>+    ASSERT(m_frame);
>+
>+    m_frame = nullptr;
>+
>     // It's likely that destroying windowProxies will create a lot of garbage.
>     if (!m_jsWindowProxies.isEmpty()) {
>         while (!m_jsWindowProxies.isEmpty()) {
>@@ -75,12 +85,14 @@ void WindowProxy::destroyJSWindowProxy(DOMWrapperWorld& world)
> 
> JSWindowProxy& WindowProxy::createJSWindowProxy(DOMWrapperWorld& world)
> {
>+    ASSERT(m_frame);
>+
>     ASSERT(!m_jsWindowProxies.contains(&world));
>-    ASSERT(m_frame.window());
>+    ASSERT(m_frame->window());
> 
>     VM& vm = world.vm();
> 
>-    Strong<JSWindowProxy> jsWindowProxy(vm, &JSWindowProxy::create(vm, *m_frame.window(), world));
>+    Strong<JSWindowProxy> jsWindowProxy(vm, &JSWindowProxy::create(vm, *m_frame->window(), world));
>     Strong<JSWindowProxy> jsWindowProxy2(jsWindowProxy);
>     m_jsWindowProxies.add(&world, jsWindowProxy);
>     world.didCreateWindowProxy(this);
>@@ -94,15 +106,19 @@ Vector<JSC::Strong<JSWindowProxy>> WindowProxy::jsWindowProxiesAsVector() const
> 
> JSDOMGlobalObject* WindowProxy::globalObject(DOMWrapperWorld& world)
> {
>-    return jsWindowProxy(world).window();
>+    if (auto* windowProxy = jsWindowProxy(world))
>+        return windowProxy->window();
>+    return nullptr;
> }
> 
> JSWindowProxy& WindowProxy::createJSWindowProxyWithInitializedScript(DOMWrapperWorld& world)
> {
>+    ASSERT(m_frame);
>+
>     JSLockHolder lock(world.vm());
>     auto& windowProxy = createJSWindowProxy(world);
>-    if (is<Frame>(m_frame))
>-        downcast<Frame>(m_frame).script().initScriptForWindowProxy(windowProxy);
>+    if (is<Frame>(*m_frame))
>+        downcast<Frame>(*m_frame).script().initScriptForWindowProxy(windowProxy);
>     return windowProxy;
> }
> 
>@@ -137,6 +153,8 @@ void WindowProxy::setDOMWindow(AbstractDOMWindow* newDOMWindow)
>     if (m_jsWindowProxies.isEmpty())
>         return;
> 
>+    ASSERT(m_frame);
>+
>     JSLockHolder lock(commonVM());
> 
>     for (auto& windowProxy : jsWindowProxiesAsVector()) {
>@@ -147,8 +165,8 @@ void WindowProxy::setDOMWindow(AbstractDOMWindow* newDOMWindow)
> 
>         ScriptController* scriptController = nullptr;
>         Page* page = nullptr;
>-        if (is<Frame>(m_frame)) {
>-            auto& frame = downcast<Frame>(m_frame);
>+        if (is<Frame>(*m_frame)) {
>+            auto& frame = downcast<Frame>(*m_frame);
>             scriptController = &frame.script();
>             page = frame.page();
>         }
>@@ -173,17 +191,7 @@ void WindowProxy::attachDebugger(JSC::Debugger* debugger)
> 
> AbstractDOMWindow* WindowProxy::window() const
> {
>-    return m_frame.window();
>-}
>-
>-void WindowProxy::ref()
>-{
>-    m_frame.ref();
>-}
>-
>-void WindowProxy::deref()
>-{
>-    m_frame.deref();
>+    return m_frame ? m_frame->window() : nullptr;
> }
> 
> } // namespace WebCore
>diff --git a/Source/WebCore/bindings/js/WindowProxy.h b/Source/WebCore/bindings/js/WindowProxy.h
>index 11f02248b7acac5e5fc79ff434e1544c8fb52056..4722e493b0609d91176a62ad357840ed0d77de83 100644
>--- a/Source/WebCore/bindings/js/WindowProxy.h
>+++ b/Source/WebCore/bindings/js/WindowProxy.h
>@@ -23,6 +23,7 @@
> #include "DOMWrapperWorld.h"
> #include <JavaScriptCore/Strong.h>
> #include <wtf/HashMap.h>
>+#include <wtf/RefCounted.h>
> 
> namespace JSC {
> class Debugger;
>@@ -35,15 +36,20 @@ class AbstractFrame;
> class JSDOMGlobalObject;
> class JSWindowProxy;
> 
>-class WindowProxy {
>+class WindowProxy : public RefCounted<WindowProxy> {
>     WTF_MAKE_FAST_ALLOCATED;
> public:
>     using ProxyMap = HashMap<RefPtr<DOMWrapperWorld>, JSC::Strong<JSWindowProxy>>;
> 
>-    explicit WindowProxy(AbstractFrame&);
>-    ~WindowProxy();
>+    static Ref<WindowProxy> create(AbstractFrame& frame)
>+    {
>+        return adoptRef(*new WindowProxy(frame));
>+    }
> 
>-    AbstractFrame& frame() const { return m_frame; }
>+    WEBCORE_EXPORT ~WindowProxy();
>+
>+    AbstractFrame* frame() const { return m_frame; }
>+    void detachFromFrame();
> 
>     void destroyJSWindowProxy(DOMWrapperWorld&);
> 
>@@ -53,13 +59,15 @@ public:
>     ProxyMap releaseJSWindowProxies() { return std::exchange(m_jsWindowProxies, ProxyMap()); }
>     void setJSWindowProxies(ProxyMap&& windowProxies) { m_jsWindowProxies = WTFMove(windowProxies); }
> 
>-    JSWindowProxy& jsWindowProxy(DOMWrapperWorld& world)
>+    JSWindowProxy* jsWindowProxy(DOMWrapperWorld& world)
>     {
>-        auto it = m_jsWindowProxies.find(&world);
>-        if (it != m_jsWindowProxies.end())
>-            return *it->value.get();
>+        if (!m_frame)
>+            return nullptr;
> 
>-        return createJSWindowProxyWithInitializedScript(world);
>+        if (auto* existingProxy = existingJSWindowProxy(world))
>+            return existingProxy;
>+
>+        return &createJSWindowProxyWithInitializedScript(world);
>     }
> 
>     JSWindowProxy* existingJSWindowProxy(DOMWrapperWorld& world) const
>@@ -79,14 +87,13 @@ public:
> 
>     WEBCORE_EXPORT AbstractDOMWindow* window() const;
> 
>-    WEBCORE_EXPORT void ref();
>-    WEBCORE_EXPORT void deref();
>-
> private:
>+    explicit WindowProxy(AbstractFrame&);
>+
>     JSWindowProxy& createJSWindowProxy(DOMWrapperWorld&);
>     WEBCORE_EXPORT JSWindowProxy& createJSWindowProxyWithInitializedScript(DOMWrapperWorld&);
> 
>-    AbstractFrame& m_frame;
>+    AbstractFrame* m_frame;
>     ProxyMap m_jsWindowProxies;
> };
> 
>diff --git a/Source/WebCore/dom/DocumentTouch.cpp b/Source/WebCore/dom/DocumentTouch.cpp
>index 5d126c3c324714f39f9f96e16369c0187847a80e..4515b022c79c70dbc8b192691f9d93ce585c1f21 100644
>--- a/Source/WebCore/dom/DocumentTouch.cpp
>+++ b/Source/WebCore/dom/DocumentTouch.cpp
>@@ -40,7 +40,7 @@ Ref<Touch> DocumentTouch::createTouch(Document& document, RefPtr<WindowProxy>&&
> {
>     Frame* frame;
>     if (window && is<Frame>(window->frame()))
>-        frame = &downcast<Frame>(window->frame());
>+        frame = downcast<Frame>(window->frame());
>     else
>         frame = document.frame();
> 
>diff --git a/Source/WebCore/page/AbstractFrame.cpp b/Source/WebCore/page/AbstractFrame.cpp
>index 1fded40ea047f75dc60f9c81fe755ee3120dfd0a..594a55e10451bab9e871ee981fb3b62e429552a2 100644
>--- a/Source/WebCore/page/AbstractFrame.cpp
>+++ b/Source/WebCore/page/AbstractFrame.cpp
>@@ -31,12 +31,13 @@
> namespace WebCore {
> 
> AbstractFrame::AbstractFrame()
>-    : m_windowProxy(makeUniqueRef<WindowProxy>(*this))
>+    : m_windowProxy(WindowProxy::create(*this))
> {
> }
> 
> AbstractFrame::~AbstractFrame()
> {
>+    m_windowProxy->detachFromFrame();
> }
> 
> } // namespace WebCore
>diff --git a/Source/WebCore/page/AbstractFrame.h b/Source/WebCore/page/AbstractFrame.h
>index c65b3ac487bf353c07c569a5abbefdeb9c8e244d..995a3612820a6ff414ac0d104edc48924872ff4f 100644
>--- a/Source/WebCore/page/AbstractFrame.h
>+++ b/Source/WebCore/page/AbstractFrame.h
>@@ -25,8 +25,8 @@
> 
> #pragma once
> 
>+#include <wtf/Ref.h>
> #include <wtf/ThreadSafeRefCounted.h>
>-#include <wtf/UniqueRef.h>
> 
> namespace WebCore {
> 
>@@ -52,7 +52,7 @@ protected:
> private:
>     virtual AbstractDOMWindow* virtualWindow() const = 0;
> 
>-    UniqueRef<WindowProxy> m_windowProxy;
>+    Ref<WindowProxy> m_windowProxy;
> };
> 
> } // namespace WebCore
>diff --git a/Source/WebKit/WebProcess/Plugins/PluginView.cpp b/Source/WebKit/WebProcess/Plugins/PluginView.cpp
>index a7fcacedaa116707ccdf838c0a82cb1aa9b4994f..bcfee0045317af7cc810950c974560ecc1083803 100644
>--- a/Source/WebKit/WebProcess/Plugins/PluginView.cpp
>+++ b/Source/WebKit/WebProcess/Plugins/PluginView.cpp
>@@ -1448,7 +1448,7 @@ NPObject* PluginView::windowScriptNPObject()
>         return nullptr;
>     }
> 
>-    return m_npRuntimeObjectMap.getOrCreateNPObject(pluginWorld().vm(), frame()->windowProxy().jsWindowProxy(pluginWorld()).window());
>+    return m_npRuntimeObjectMap.getOrCreateNPObject(pluginWorld().vm(), frame()->windowProxy().jsWindowProxy(pluginWorld())->window());
> }
> 
> NPObject* PluginView::pluginElementNPObject()
>diff --git a/Source/WebKitLegacy/mac/Plugins/Hosted/NetscapePluginInstanceProxy.mm b/Source/WebKitLegacy/mac/Plugins/Hosted/NetscapePluginInstanceProxy.mm
>index bb89cbb8b959d419eefed87348dad288fd18a452..39e9c44761e342fe46745601d741e5f80cd5c337 100644
>--- a/Source/WebKitLegacy/mac/Plugins/Hosted/NetscapePluginInstanceProxy.mm
>+++ b/Source/WebKitLegacy/mac/Plugins/Hosted/NetscapePluginInstanceProxy.mm
>@@ -839,7 +839,7 @@ bool NetscapePluginInstanceProxy::getWindowNPObject(uint32_t& objectID)
>     if (!frame->script().canExecuteScripts(NotAboutToExecuteScript))
>         objectID = 0;
>     else
>-        objectID = m_localObjects.idForObject(pluginWorld().vm(), frame->windowProxy().jsWindowProxy(pluginWorld()).window());
>+        objectID = m_localObjects.idForObject(pluginWorld().vm(), frame->windowProxy().jsWindowProxy(pluginWorld())->window());
>         
>     return true;
> }

Actions: View | Formatted Diff | Diff

Attachments on bug 185737: 340598 | 340600 | 340607 | 340612 | 340619 | 340631 | 340647 | 340707