Attachment 342071 Details for
Bug 186360
: Do some hardening in JSLazyEventListener
Patch
bug-186360-20180606122154.patch (text/plain), 17.69 KB, created by
Chris Dumez
on 2018-06-06 12:21:54 PDT
patch
obsolete
>Subversion Revision: 232540
>diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
>index 2c973cc96175f74a9e67156b56753b85bd1f7118..ecbd591be6d2ebf02b3138023326b4b1bfbbdb1f 100644
>--- a/Source/WebCore/ChangeLog
>+++ b/Source/WebCore/ChangeLog
>@@ -1,3 +1,49 @@
>+2018-06-06 Chris Dumez <cdumez@apple.com>
>+
>+ Do some hardening in JSLazyEventListener
>+ https://bugs.webkit.org/show_bug.cgi?id=186360
>+ <rdar://problem/34297947>
>+
>+ Reviewed by NOBODY (OOPS!).
>+
>+ Do some hardening in JSLazyEventListener by using a WeakPtr instead of
>+ a raw pointer for m_originalNode data member, since we have evidence that
>+ the JSLazyEventListener can outlive its original node.
>+
>+ * Modules/credentialmanagement/NavigatorCredentials.cpp:
>+ (WebCore::NavigatorCredentials::credentials):
>+ * bindings/js/JSLazyEventListener.cpp:
>+ (WebCore::JSLazyEventListener::JSLazyEventListener):
>+ * bindings/js/JSLazyEventListener.h:
>+ * css/MediaQueryEvaluator.cpp:
>+ (WebCore::MediaQueryEvaluator::MediaQueryEvaluator):
>+ * dom/Document.cpp:
>+ (WebCore::Document::postTask):
>+ (WebCore::Document::hasStorageAccess):
>+ (WebCore::Document::requestStorageAccess):
>+ * dom/Document.h:
>+ (WebCore::Document::setContextDocument):
>+ (WebCore::Document::createWeakPtr): Deleted.
>+ * dom/Node.cpp:
>+ (WebCore::Node::weakPtrFactory):
>+ * dom/Node.h:
>+ * dom/NodeRareData.cpp:
>+ * dom/NodeRareData.h:
>+ (WebCore::NodeRareData::weakPtrFactory const):
>+ * html/HTMLImageElement.cpp:
>+ (WebCore::HTMLImageElement::setPictureElement):
>+ * html/HTMLInputElement.h:
>+ (WebCore::HTMLInputElement::weakPtrFactory const): Deleted.
>+ * html/HTMLMediaElement.h:
>+ (WebCore::HTMLMediaElement::createWeakPtr): Deleted.
>+ * html/HTMLPictureElement.h:
>+ * loader/LinkLoader.cpp:
>+ (WebCore::LinkLoader::preconnectIfNeeded):
>+ * loader/MediaResourceLoader.cpp:
>+ (WebCore::MediaResourceLoader::MediaResourceLoader):
>+ * xml/DOMParser.cpp:
>+ (WebCore::DOMParser::DOMParser):
>+
> 2018-06-06 Zalan Bujtas <zalan@apple.com>
> 
> [LFC] Add margin computation for floating, no-replaced elements.
>diff --git a/Source/WebCore/Modules/credentialmanagement/NavigatorCredentials.cpp b/Source/WebCore/Modules/credentialmanagement/NavigatorCredentials.cpp
>index 9d8f0cfe899d5f7c939acea1b41183e945908412..5d8c1d563f320014af1df524a1bc175ef631f56d 100644
>--- a/Source/WebCore/Modules/credentialmanagement/NavigatorCredentials.cpp
>+++ b/Source/WebCore/Modules/credentialmanagement/NavigatorCredentials.cpp
>@@ -56,7 +56,7 @@ CredentialsContainer* NavigatorCredentials::credentials(Navigator& navigator)
> {
> if (!navigator.frame() || !navigator.frame()->document())
> return nullptr;
>- return NavigatorCredentials::from(&navigator)->credentials(navigator.frame()->document()->createWeakPtr());
>+ return NavigatorCredentials::from(&navigator)->credentials(makeWeakPtr(navigator.frame()->document()));
> }
> 
> NavigatorCredentials* NavigatorCredentials::from(Navigator* navigator)
>diff --git a/Source/WebCore/bindings/js/JSLazyEventListener.cpp b/Source/WebCore/bindings/js/JSLazyEventListener.cpp
>index b382b1f946a7c54ef38eafa527268e0e70e0c960..aa7b9bb921e2c6180cfb46b0454e73ee3aad5b95 100644
>--- a/Source/WebCore/bindings/js/JSLazyEventListener.cpp
>+++ b/Source/WebCore/bindings/js/JSLazyEventListener.cpp
>@@ -33,6 +33,7 @@
> #include <wtf/NeverDestroyed.h>
> #include <wtf/RefCountedLeakCounter.h>
> #include <wtf/StdLibExtras.h>
>+#include <wtf/WeakPtr.h>
> 
> namespace WebCore {
> using namespace JSC;
>@@ -71,7 +72,7 @@ JSLazyEventListener::JSLazyEventListener(const CreationArguments& arguments, con
> , m_code(arguments.attributeValue)
> , m_sourceURL(sourceURL)
> , m_sourcePosition(convertZeroToOne(sourcePosition))
>- , m_originalNode(arguments.node)
>+ , m_originalNode(makeWeakPtr(arguments.node))
> {
> // We don't ref m_originalNode because we assume it will stay alive as long as this
> // handler object is around and we need to avoid a reference cycle. If JS transfers
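Review bot: The comment directly under the new `m_originalNode(makeWeakPtr(arguments.node))` initializer — "We don't ref m_originalNode because we assume it will stay alive as long as this handler object is around" — is now stale, because the ChangeLog states the opposite: the listener can outlive the node, which is the reason for switching to a WeakPtr. Suggest rewording it to `// m_originalNode is a WeakPtr rather than a ref to avoid a reference cycle; the node may be destroyed before this listener, so every use must check it for null.` The reads of m_originalNode elsewhere in this file are outside the hunk, so whether each one tolerates a cleared WeakPtr instead of assuming the node is present cannot be confirmed from here, and the hardening is only complete if they all do. The constructor body continues past the end of the hunk, and the `WeakPtr<ContainerNode> m_originalNode;` declaration in the JSLazyEventListener.h hunk would benefit from the same one-line lifetime comment.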
>diff --git a/Source/WebCore/bindings/js/JSLazyEventListener.h b/Source/WebCore/bindings/js/JSLazyEventListener.h
>index bdee42a845f9fe28a4ffcb22cd4704cabbf91910..7eae46f4e4a9d75300d12c7e9f120bb58a6a9736 100644
>--- a/Source/WebCore/bindings/js/JSLazyEventListener.h
>+++ b/Source/WebCore/bindings/js/JSLazyEventListener.h
>@@ -20,6 +20,7 @@
> #pragma once
> 
> #include "JSEventListener.h"
>+#include <wtf/WeakPtr.h>
> 
> namespace WebCore {
> 
>@@ -53,7 +54,7 @@ private:
> String m_code;
> String m_sourceURL;
> TextPosition m_sourcePosition;
>- ContainerNode* m_originalNode;
>+ WeakPtr<ContainerNode> m_originalNode;
> };
> 
> } // namespace WebCore
>diff --git a/Source/WebCore/css/MediaQueryEvaluator.cpp b/Source/WebCore/css/MediaQueryEvaluator.cpp
>index 8c793c2b786903a582c52a08eeab7ccf45354295..cc6eb1b2469769458efef306597b344eea939577 100644
>--- a/Source/WebCore/css/MediaQueryEvaluator.cpp
>+++ b/Source/WebCore/css/MediaQueryEvaluator.cpp
>@@ -110,7 +110,7 @@ MediaQueryEvaluator::MediaQueryEvaluator(const String& acceptedMediaType, bool m
> 
> MediaQueryEvaluator::MediaQueryEvaluator(const String& acceptedMediaType, const Document& document, const RenderStyle* style)
> : m_mediaType(acceptedMediaType)
>- , m_document(const_cast<Document&>(document).createWeakPtr())
>+ , m_document(makeWeakPtr(const_cast<Document&>(document)))
> , m_style(style)
> {
> }
>diff --git a/Source/WebCore/dom/Document.cpp b/Source/WebCore/dom/Document.cpp
>index 50ddc9a160a637a457b16b0367cdb2b3cc4f7591..ea801585518c0e3f0206e90e439a34b76f59929e 100644
>--- a/Source/WebCore/dom/Document.cpp
>+++ b/Source/WebCore/dom/Document.cpp
>@@ -5821,7 +5821,7 @@ void Document::addMessage(MessageSource source, MessageLevel level, const String
> 
> void Document::postTask(Task&& task)
> {
>- callOnMainThread([documentReference = m_weakFactory.createWeakPtr(*this), task = WTFMove(task)]() mutable {
>+ callOnMainThread([documentReference = makeWeakPtr(*this), task = WTFMove(task)]() mutable {
> ASSERT(isMainThread());
> 
> Document* document = documentReference.get();
>@@ -7559,7 +7559,7 @@ void Document::hasStorageAccess(Ref<DeferredPromise>&& promise)
> if (Page* page = this->page()) {
> auto iframeHost = securityOrigin.host();
> auto topHost = topSecurityOrigin.host();
>- page->chrome().client().hasStorageAccess(WTFMove(iframeHost), WTFMove(topHost), frameID.value(), pageID.value(), [documentReference = m_weakFactory.createWeakPtr(*this), promise = WTFMove(promise)] (bool hasAccess) {
>+ page->chrome().client().hasStorageAccess(WTFMove(iframeHost), WTFMove(topHost), frameID.value(), pageID.value(), [documentReference = makeWeakPtr(*this), promise = WTFMove(promise)] (bool hasAccess) {
> Document* document = documentReference.get();
> if (!document)
> return;
>@@ -7629,14 +7629,14 @@ void Document::requestStorageAccess(Ref<DeferredPromise>&& promise)
> return;
> }
> 
>- page->chrome().client().requestStorageAccess(WTFMove(iframeHost), WTFMove(topHost), frameID.value(), pageID.value(), [documentReference = m_weakFactory.createWeakPtr(*this), promise = WTFMove(promise)] (bool wasGranted) mutable {
>+ page->chrome().client().requestStorageAccess(WTFMove(iframeHost), WTFMove(topHost), frameID.value(), pageID.value(), [documentReference = makeWeakPtr(*this), promise = WTFMove(promise)] (bool wasGranted) mutable {
> Document* document = documentReference.get();
> if (!document)
> return;
> 
> if (wasGranted) {
> document->setHasFrameSpecificStorageAccess(true);
>- MicrotaskQueue::mainThreadQueue().append(std::make_unique<VoidMicrotask>([documentReference = document->m_weakFactory.createWeakPtr(*document)] () {
>+ MicrotaskQueue::mainThreadQueue().append(std::make_unique<VoidMicrotask>([documentReference = makeWeakPtr(document)] () {
> if (auto* document = documentReference.get())
> document->enableTemporaryTimeUserGesture();
> }));
>diff --git a/Source/WebCore/dom/Document.h b/Source/WebCore/dom/Document.h
>index 499bacbe1a738727c17fdc5d720bc23bef416d66..2de6168cb1aeea98b17c94701074c2a094847251 100644
>--- a/Source/WebCore/dom/Document.h
>+++ b/Source/WebCore/dom/Document.h
>@@ -799,7 +799,7 @@ public:
> WEBCORE_EXPORT WindowProxy* windowProxy() const;
> 
> Document& contextDocument() const;
>- void setContextDocument(Document& document) { m_contextDocument = document.createWeakPtr(); }
>+ void setContextDocument(Document& document) { m_contextDocument = makeWeakPtr(document); }
> 
> // Helper functions for forwarding DOMWindow event related tasks to the DOMWindow if it exists.
> void setWindowAttributeEventListener(const AtomicString& eventType, const QualifiedName& attributeName, const AtomicString& value, DOMWrapperWorld&);
>@@ -1311,7 +1311,6 @@ public:
> bool isCapturing() const { return MediaProducer::isCapturing(m_mediaState); }
> WEBCORE_EXPORT void updateIsPlayingMedia(uint64_t = HTMLMediaElementInvalidID);
> void pageMutedStateDidChange();
>- WeakPtr<Document> createWeakPtr() { return m_weakFactory.createWeakPtr(*this); }
> 
> #if ENABLE(WIRELESS_PLAYBACK_TARGET)
> void addPlaybackTargetPickerClient(MediaPlaybackTargetClient&);
>@@ -1694,8 +1693,6 @@ private:
> RenderPtr<RenderView> m_renderView;
> mutable DocumentEventQueue m_eventQueue;
> 
>- WeakPtrFactory<Document> m_weakFactory;
>-
> HashSet<MediaCanStartListener*> m_mediaCanStartListeners;
> 
> #if ENABLE(FULLSCREEN_API)
>diff --git a/Source/WebCore/dom/Node.cpp b/Source/WebCore/dom/Node.cpp
>index 77364e4cdd5eed1ae8945a8baf7d9f9804a91838..5a5bbe0f1e0ec5326abf1b6b07d10b88a223feae 100644
>--- a/Source/WebCore/dom/Node.cpp
>+++ b/Source/WebCore/dom/Node.cpp
>@@ -1045,6 +1045,11 @@ Node* Node::pseudoAwareLastChild() const
> return lastChild();
> }
> 
>+const WeakPtrFactory<Node>& Node::weakPtrFactory()
>+{
>+ return ensureRareData().weakPtrFactory();
>+}
>+
> const RenderStyle* Node::computedStyle(PseudoId pseudoElementSpecifier)
> {
> auto* composedParent = composedTreeAncestors(*this).first();
>diff --git a/Source/WebCore/dom/Node.h b/Source/WebCore/dom/Node.h
>index 5c27f6b0679f41ac46e7828a7fad31352b5027ec..913f5acbde99856e987e4040e945d8b301f60ae7 100644
>--- a/Source/WebCore/dom/Node.h
>+++ b/Source/WebCore/dom/Node.h
>@@ -36,6 +36,7 @@
> #include <wtf/IsoMalloc.h>
> #include <wtf/ListHashSet.h>
> #include <wtf/MainThread.h>
>+#include <wtf/WeakPtr.h>
> 
> // This needs to be here because Document.h also depends on it.
> #define DUMP_NODE_STATISTICS 0
>@@ -145,6 +146,8 @@ public:
> Node* pseudoAwareFirstChild() const;
> Node* pseudoAwareLastChild() const;
> 
>+ const WeakPtrFactory<Node>& weakPtrFactory();
>+
> WEBCORE_EXPORT const URL& baseURI() const;
> 
> void getSubresourceURLs(ListHashSet<URL>&) const;
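Review bot: The new `Node::weakPtrFactory()` is non-const and routes through `ensureRareData()`, so the first `makeWeakPtr` on any node allocates a NodeRareData for it — a per-node memory cost for every element that gets an inline event-handler listener, and the reason a `const Document&` caller (MediaQueryEvaluator.cpp) still needs its `const_cast`; the SameSizeAsNodeRareData bump from `m_pointer[3]` to `m_pointer[4]` in NodeRareData.cpp additionally grows every existing rare-data block by one pointer whether or not a weak pointer is ever requested, and neither cost is mentioned in the ChangeLog. A comment on the declaration in the Node.h hunk would make the contract visible: `// Lazily allocates rare data; the factory, and every WeakPtr it issued, is cleared when the node's rare data is destroyed.` The factory is `WeakPtrFactory<Node>` while callers now store `WeakPtr<ContainerNode>` and `WeakPtr<Document>`, which relies on `makeWeakPtr` typing the result from its argument rather than from the factory — presumably supported by wtf/WeakPtr.h, but worth confirming since this patch deletes the per-class factories in HTMLInputElement.h, HTMLMediaElement.h and HTMLPictureElement.h. `Node::weakPtrFactory` is fully contained in the hunk.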
>diff --git a/Source/WebCore/dom/NodeRareData.cpp b/Source/WebCore/dom/NodeRareData.cpp
>index 821db174e01188f25bd368081aa2b77132a885e4..a7ce3cbb13f96b99e4d5905aa385362e9dc132b4 100644
>--- a/Source/WebCore/dom/NodeRareData.cpp
>+++ b/Source/WebCore/dom/NodeRareData.cpp
>@@ -35,7 +35,7 @@ namespace WebCore {
> 
> struct SameSizeAsNodeRareData {
> unsigned m_bitfields : 20;
>- void* m_pointer[3];
>+ void* m_pointer[4];
> };
> 
> COMPILE_ASSERT(sizeof(NodeRareData) == sizeof(SameSizeAsNodeRareData), NodeRareDataShouldStaySmall);
>diff --git a/Source/WebCore/dom/NodeRareData.h b/Source/WebCore/dom/NodeRareData.h
>index 3be876c8d8d0f3e3162336ec90e5f365995d7c48..ef977a4972ca126fa1515d7f33ea71c07d80e4b8 100644
>--- a/Source/WebCore/dom/NodeRareData.h
>+++ b/Source/WebCore/dom/NodeRareData.h
>@@ -30,6 +30,7 @@
> #include "QualifiedName.h"
> #include "TagCollection.h"
> #include <wtf/HashSet.h>
>+#include <wtf/WeakPtr.h>
> #include <wtf/text/AtomicString.h>
> 
> namespace WebCore {
>@@ -284,11 +285,14 @@ public:
> m_connectedFrameCount -= amount;
> }
> 
>+ auto& weakPtrFactory() const { return m_weakPtrFactory; }
>+
> private:
> unsigned m_connectedFrameCount : 10; // Must fit Page::maxNumberOfFrames.
> 
> std::unique_ptr<NodeListsNodeData> m_nodeLists;
> std::unique_ptr<NodeMutationObserverData> m_mutationObserverData;
>+ WeakPtrFactory<Node> m_weakPtrFactory;
> };
> 
> inline bool NodeListsNodeData::deleteThisAndUpdateNodeRareDataIfAboutToRemoveLastList(Node& ownerNode)
>diff --git a/Source/WebCore/html/HTMLImageElement.cpp b/Source/WebCore/html/HTMLImageElement.cpp
>index 57399a4d4552c6e972d878e3d16b0c43870e8d48..abe006d03f92830375a146c7752b2f2a322c7bc5 100644
>--- a/Source/WebCore/html/HTMLImageElement.cpp
>+++ b/Source/WebCore/html/HTMLImageElement.cpp
>@@ -371,7 +371,7 @@ void HTMLImageElement::setPictureElement(HTMLPictureElement* pictureElement)
> 
> if (!gPictureOwnerMap)
> gPictureOwnerMap = new PictureOwnerMap();
>- gPictureOwnerMap->add(this, pictureElement->createWeakPtr());
>+ gPictureOwnerMap->add(this, makeWeakPtr(*pictureElement));
> }
> 
> unsigned HTMLImageElement::width(bool ignorePendingStylesheets)
>diff --git a/Source/WebCore/html/HTMLInputElement.h b/Source/WebCore/html/HTMLInputElement.h
>index bf605dfc3dfb18af853dda6d2388ee00e0bfbf08..0299f0c448d3126f97166b9225a35852951eb19b 100644
>--- a/Source/WebCore/html/HTMLInputElement.h
>+++ b/Source/WebCore/html/HTMLInputElement.h
>@@ -28,7 +28,6 @@
> #include "HTMLTextFormControlElement.h"
> #include "StepRange.h"
> #include <memory>
>-#include <wtf/WeakPtr.h>
> 
> #if PLATFORM(IOS)
> #include "DateComponents.h"
>@@ -343,8 +342,6 @@ public:
> 
> ExceptionOr<void> setSelectionRangeForBindings(int start, int end, const String& direction);
> 
>- auto& weakPtrFactory() const { return m_weakFactory; }
>-
> protected:
> HTMLInputElement(const QualifiedName&, Document&, HTMLFormElement*, bool createdByParser);
> 
>@@ -485,7 +482,6 @@ private:
> #if ENABLE(DATALIST_ELEMENT)
> std::unique_ptr<ListAttributeTargetObserver> m_listAttributeTargetObserver;
> #endif
>- WeakPtrFactory<HTMLInputElement> m_weakFactory;
> };
> 
> }
>diff --git a/Source/WebCore/html/HTMLMediaElement.h b/Source/WebCore/html/HTMLMediaElement.h
>index 237c360c3a8023a34240bfd390d1f555489a77bd..631fe1aeccff89befbf9102140f46866ed16d958 100644
>--- a/Source/WebCore/html/HTMLMediaElement.h
>+++ b/Source/WebCore/html/HTMLMediaElement.h
>@@ -146,7 +146,6 @@ class HTMLMediaElement
> {
> WTF_MAKE_ISO_ALLOCATED(HTMLMediaElement);
> public:
>- WeakPtr<HTMLMediaElement> createWeakPtr() { return m_weakFactory.createWeakPtr(*this); }
> RefPtr<MediaPlayer> player() const { return m_player; }
> 
> virtual bool isVideo() const { return false; }
>@@ -922,7 +921,6 @@ private:
> const Logger& mediaPlayerLogger() final { return logger(); }
> #endif
> 
>- WeakPtrFactory<HTMLMediaElement> m_weakFactory;
> Timer m_pendingActionTimer;
> Timer m_progressEventTimer;
> Timer m_playbackProgressTimer;
>diff --git a/Source/WebCore/html/HTMLPictureElement.h b/Source/WebCore/html/HTMLPictureElement.h
>index 3d507cec322cb693b9ebee3c5f487b9a1e852329..a6410fa55bdf2ee96f088ddf593282b65e0f25ae 100644
>--- a/Source/WebCore/html/HTMLPictureElement.h
>+++ b/Source/WebCore/html/HTMLPictureElement.h
>@@ -44,8 +44,6 @@ public:
> 
> bool viewportChangeAffectedPicture() const;
> 
>- WeakPtr<HTMLPictureElement> createWeakPtr() { return m_weakFactory.createWeakPtr(*this); }
>-
> #if USE(SYSTEM_PREVIEW)
> WEBCORE_EXPORT bool isSystemPreviewImage() const;
> #endif
>@@ -55,7 +53,6 @@ private:
> 
> void didMoveToNewDocument(Document& oldDocument, Document& newDocument) final;
> 
>- WeakPtrFactory<HTMLPictureElement> m_weakFactory;
> Vector<MediaQueryResult> m_viewportDependentMediaQueryResults;
> };
> 
>diff --git a/Source/WebCore/loader/LinkLoader.cpp b/Source/WebCore/loader/LinkLoader.cpp
>index bcb50d6c85d046b0d24a184af329180e7fdc97f4..e637b3995b17f051afc596864c9350bd67b1dbd4 100644
>--- a/Source/WebCore/loader/LinkLoader.cpp
>+++ b/Source/WebCore/loader/LinkLoader.cpp
>@@ -215,7 +215,7 @@ void LinkLoader::preconnectIfNeeded(const LinkRelAttribute& relAttribute, const
> if (equalIgnoringASCIICase(crossOrigin, "anonymous") && document.securityOrigin().canAccess(SecurityOrigin::create(href)))
> storageCredentialsPolicy = StoredCredentialsPolicy::DoNotUse;
> ASSERT(document.frame()->loader().networkingContext());
>- platformStrategies()->loaderStrategy()->preconnectTo(document.frame()->loader(), href, storageCredentialsPolicy, [weakDocument = document.createWeakPtr(), href](ResourceError error) {
>+ platformStrategies()->loaderStrategy()->preconnectTo(document.frame()->loader(), href, storageCredentialsPolicy, [weakDocument = makeWeakPtr(document), href](ResourceError error) {
> if (!weakDocument)
> return;
> 
>diff --git a/Source/WebCore/loader/MediaResourceLoader.cpp b/Source/WebCore/loader/MediaResourceLoader.cpp
>index 3d7c4d4c54d6f42bbb17da1c9dbc75fa4471d647..8077d5a5fe8ac58b6e61deb728fec85b3262dbb5 100644
>--- a/Source/WebCore/loader/MediaResourceLoader.cpp
>+++ b/Source/WebCore/loader/MediaResourceLoader.cpp
>@@ -43,7 +43,7 @@ namespace WebCore {
> MediaResourceLoader::MediaResourceLoader(Document& document, HTMLMediaElement& mediaElement, const String& crossOriginMode)
> : ContextDestructionObserver(&document)
> , m_document(&document)
>- , m_mediaElement(mediaElement.createWeakPtr())
>+ , m_mediaElement(makeWeakPtr(mediaElement))
> , m_crossOriginMode(crossOriginMode)
> {
> }
>diff --git a/Source/WebCore/xml/DOMParser.cpp b/Source/WebCore/xml/DOMParser.cpp
>index daf2db6d7b8b83db7f7bf4d111e64fef60bb96e8..2713e593d4374676f10502de96e0d1c6832d6ecc 100644
>--- a/Source/WebCore/xml/DOMParser.cpp
>+++ b/Source/WebCore/xml/DOMParser.cpp
>@@ -25,7 +25,7 @@
> namespace WebCore {
> 
> inline DOMParser::DOMParser(Document& contextDocument)
>- : m_contextDocument(contextDocument.createWeakPtr())
>+ : m_contextDocument(makeWeakPtr(contextDocument))
> {
> }
> 