Bug 108579

Created attachment 185940 [details] performance benchmark

Created attachment 185942 [details] Patch

Comment on attachment 185942 [details] Patch Attachment 185942 [details] did not pass cr-android-ews (chromium-android): Output: http://queues.webkit.org/results/16296336

Comment on attachment 185942 [details] Patch Attachment 185942 [details] did not pass chromium-ews (chromium-xvfb): Output: http://queues.webkit.org/results/16298362

Created attachment 185947 [details] Patch

Comment on attachment 185947 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=185947&action=review > Source/WebCore/bindings/v8/DOMDataStore.h:172 > { > ASSERT(object->wrapper().IsEmpty()); > object->setWrapper(wrapper); > - V8GCController::didCreateWrapperForNode(object); > wrapper.MakeWeak(static_cast<ScriptWrappable*>(object), weakCallback); > } We can now delete this whole function and use the ScriptWrappable version of setWrapperInObject instead. > Source/WebCore/bindings/v8/V8GCController.cpp:199 > + // The fact that we encounter a node that is not in the Eden space Should this comment still refer to Eden now that we've removed that concept?

Created attachment 185952 [details] patch for landing

(In reply to comment #6) > > We can now delete this whole function and use the ScriptWrappable version of setWrapperInObject instead. > > > Source/WebCore/bindings/v8/V8GCController.cpp:199 > > + // The fact that we encounter a node that is not in the Eden space > > Should this comment still refer to Eden now that we've removed that concept? Fixed. Thanks!

Comment on attachment 185952 [details] patch for landing Clearing flags on attachment: 185952 Committed r141548: <http://trac.webkit.org/changeset/141548>

All reviewed patches have been landed. Closing bug.

Reverted r141548 for reason: userscript-plugin-document.html is flaky Committed r141577: <http://trac.webkit.org/changeset/141577>

Comment on attachment 185952 [details] patch for landing View in context: https://bugs.webkit.org/attachment.cgi?id=185952&action=review > Source/WebCore/bindings/v8/V8GCController.cpp:262 > + ASSERT(!m_nodesInNewSpace[i]->wrapper().IsEmpty()); The following tests hit this ASSERT(), which looks strange. This ASSERT() should not be hit. userscripts/mixed-case-stylesheet.html [ Crash ] userscripts/script-run-at-start.html [ Crash ] userscripts/user-script-all-frames.html [ Crash ] userscripts/user-style-all-frames.html [ Crash ]

Comment on attachment 185952 [details] patch for landing View in context: https://bugs.webkit.org/attachment.cgi?id=185952&action=review > Source/WebCore/bindings/v8/V8GCController.cpp:254 > + Node* node = V8Node::toNative(wrapper); More specifically, if we insert ASSERT(!node->wrapper().IsEmpty()), the userscripts/* tests hit the ASSERT(). Let me take a detailed look on Monday.

Created attachment 186356 [details] Patch

Comment on attachment 186356 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=186356&action=review > Source/WebCore/bindings/v8/V8GCController.cpp:364 > + // A minor GC can handle the main world only. > + DOMWrapperWorld* world = worldForEnteredContextWithoutContextCheck(); > + if (world && world->isMainWorld()) { abarth: Since the latest review, I just added this check. Review again please? I'm pretty sure that we need the isMainWorld() check here because a minor GC can handle the main world only. On the other hand, the reason why we cannot simply use worldForEnteredContext() to get the current world is complicated: (1) A minor GC can be triggered while the current context is being initialized. Specifically, V8DOMWindowShell::installDOMWindow() calls V8ObjectConstructor::newInstance(), which can trigger a minor GC. At this point, native information is not yet set on context->Global()->GetPrototype(). (2) The minor GC calls back V8GCController::minorGCPrologue(). Here imagine that minorGCPrologue() calls worldForEnteredContext(). (3) worldForEnteredContext() calls assertContextHasCorrectPrototype(context), which calls isWrapperOfType(toInnerGlobalObject(context), ...), which tries to retrieve native information from context->Global()->GetPrototype(). Because the native information has not yet set, the code crashes. To avoid the situation, I added another version of worldForEnteredContext() that does not call assertContextHasCorrectPrototype(context).

Comment on attachment 186356 [details] Patch Attachment 186356 [details] did not pass chromium-ews (chromium-xvfb): Output: http://queues.webkit.org/results/16371270 New failing tests: accessibility/anchor-linked-anonymous-block-crash.html http/tests/appcache/main-resource-hash.html animations/3d/matrix-transform-type-animation.html accessibility/aria-readonly.html animations/3d/state-at-end-event-transform.html animations/animation-add-events-in-handler.html accessibility/aria-labelledby-on-input.html canvas/philip/tests/2d.clearRect.globalalpha.html accessibility/aria-disabled.html animations/animation-direction-alternate-reverse.html accessibility/aria-labelledby-overrides-label.html http/tests/appcache/access-via-redirect.php accessibility/aria-option-role.html accessibility/aria-controls-with-tabs.html http/tests/appcache/destroyed-frame.html http/tests/appcache/deferred-events-delete-while-raising-timer.html http/tests/appcache/insert-html-element-with-manifest.html accessibility/aria-link-supports-press.html animations/3d/transform-perspective.html accessibility/aria-hidden-updates-alldescendants.html accessibility/aria-scrollbar-role.html http/tests/appcache/local-content.html http/tests/appcache/manifest-parsing.html canvas/philip/tests/2d.canvas.reference.html animations/animation-controller-drt-api.html canvas/philip/tests/2d.clearRect.basic.html accessibility/aria-hidden.html http/tests/appcache/foreign-fallback.html accessibility/aria-help.html canvas/philip/tests/2d.clearRect+fillRect.alpha0.html

Looks like you've got some test failures to work through. What you've written in Comment #15 makes sense.

Created attachment 186506 [details] Patch

Comment on attachment 186506 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=186506&action=review > Source/WebCore/bindings/v8/V8Binding.h:467 > inline DOMWrapperWorld* worldForEnteredContextIfIsolated() > { > - if (!v8::Context::InContext()) > + v8::Handle<v8::Context> context = v8::Context::GetEntered(); > + if (context.IsEmpty()) > return 0; > - return DOMWrapperWorld::isolated(v8::Context::GetEntered()); > + return DOMWrapperWorld::isolated(context); > + } > + > + inline DOMWrapperWorld* worldForEnteredContextWithoutContextCheck() > + { > + v8::Handle<v8::Context> context = v8::Context::GetEntered(); > + if (context.IsEmpty()) > + return 0; > + return DOMWrapperWorld::getWorldWithoutContextCheck(context); > } abarth: I just changed these lines, which I think fixed the test failures. Given that we are using an entered context, we have to do an empty check for the entered context instead of InContext().

abarth: review?

Comment on attachment 186506 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=186506&action=review > Source/WebCore/bindings/v8/DOMWrapperWorld.h:74 > + static DOMWrapperWorld* getWorldWithoutContextCheck(v8::Handle<v8::Context> context) Can you add a comment about when you'd wan to call getWorldWithoutContextCheck instead of getWorld()/isolated() ? > Source/WebCore/bindings/v8/V8Binding.h:455 > + v8::Handle<v8::Context> context = v8::Context::GetEntered(); Is this safe to call if !InContext()? I guess so if we pass all the tests. >> Source/WebCore/bindings/v8/V8Binding.h:467 >> } > > abarth: I just changed these lines, which I think fixed the test failures. Given that we are using an entered context, we have to do an empty check for the entered context instead of InContext(). In what situations does InContext return true but GetEntered returns an empty context? That seems very odd.

I see your explanation in Comment #15. It would be good to add a comment about that to the code because that's a very subtle issue.

(In reply to comment #22) > I see your explanation in Comment #15. It would be good to add a comment about that to the code because that's a very subtle issue. Will add a comment. The weird situation happens only during an initialization step.

Committed r141983: <http://trac.webkit.org/changeset/141983>

This seems to cause lots of crashes in trunk. See http://test-results.appspot.com/dashboards/flakiness_dashboard.html#showExpectations=true&tests=fast%2Fcanvas%2Fwebgl%2Fgl-vertexattribpointer.html%2Cfast%2Fcanvas%2Fwebgl%2Fcontext-release-upon-reload.html%2Cfast%2Fcanvas%2Fwebgl%2Fdata-view-test.html%2Cfast%2Fcanvas%2Fwebgl%2Fframebuffer-bindings-unaffected-on-resize.html%2Cfast%2Fcanvas%2Fwebgl%2Ffunctions-returning-strings.html%2Cfast%2Fcanvas%2Fwebgl%2Fincorrect-context-object-behaviour.html%2Cfast%2Fcanvas%2Fwebgl%2Fframebuffer-object-attachment.html I'm rolling it out. :-(

Re-opened since this is blocked by bug 109055

Created attachment 186997 [details] patch for landing

Comment on attachment 186997 [details] patch for landing Corrected a place where a handle scope is created.

Committed r142077: <http://trac.webkit.org/changeset/142077>

Reverted r142077 for reason: fast/filesystem/workers/file-writer-empty-blob.html is broken Committed r142103: <http://trac.webkit.org/changeset/142103>

Created attachment 187286 [details] patch for landing

Committed r142419: <http://trac.webkit.org/changeset/142419>