Bug 30033

Summary: [chromium] DateExtension has reliability bot crashes
Product: WebKit Reporter: John Abd-El-Malek <jam>
Component: WebCore JavaScriptAssignee: Adam Barth <abarth>
Status: RESOLVED FIXED    
Severity: Normal CC: abarth, dglazkov, eric
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: All   
Attachments:
Description Flags
Proposed patch
abarth: review-
Updated per review comments
abarth: review-
Updated patch abarth: review+, commit-queue: commit-queue-

John Abd-El-Malek
Reported 2009-10-02 16:23:56 PDT
See http://code.google.com/p/chromium/issues/detail?id=23043 Mads helped me track this down, looks like the weak persistent handle approach is problematic since the JS function has no one else grabbing a reference to it, so it can be destroyed during GC when the other JS enableSleepDetection function pointers are being called. This leads to problem since during iteration the vector can change. A simpler solution is to add the function pointer as a hidden value on the Date constructor. This patch achieves that.
Attachments
Proposed patch (6.21 KB, patch)
2009-10-02 16:32 PDT, John Abd-El-Malek 		abarth: review-
DetailsFormatted DiffDiff
Updated per review comments (7.56 KB, patch)
2009-10-05 10:51 PDT, John Abd-El-Malek 		abarth: review-
DetailsFormatted DiffDiff
Updated patch (7.56 KB, patch)
2009-10-05 21:38 PDT, John Abd-El-Malek 		abarth: review+
commit-queue: commit-queue-
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
John Abd-El-Malek
Comment 1 2009-10-02 16:32:18 PDT
Created attachment 40557 [details] Proposed patch
Adam Barth
Comment 2 2009-10-05 10:11:45 PDT
Comment on attachment 40557 [details] Proposed patch Please use V8HiddenPropertyName to avoid hidden property name collisions.
Adam Barth
Comment 3 2009-10-05 10:44:49 PDT
Also, we need a test. :)
John Abd-El-Malek
Comment 4 2009-10-05 10:51:22 PDT
Created attachment 40642 [details] Updated per review comments
John Abd-El-Malek
Comment 5 2009-10-05 10:55:20 PDT
This code is already tested by slow_unload_handler.html. The crash happened on the reliability bot sporadically, and I couldn't repro it.
Adam Barth
Comment 6 2009-10-05 10:57:53 PDT
Comment on attachment 40642 [details] Updated per review comments We should add a test for the crash. + v8::Local<v8::Value> result = V8Proxy::retrieve()->evaluate(WebCore::ScriptSourceCode("Date"), 0); This seems overly complicated. Why not just get the "Date" property of the context's global object? Other than those two issue, this looks reasonable.
Adam Barth
Comment 7 2009-10-05 10:58:36 PDT
(In reply to comment #5) > This code is already tested by slow_unload_handler.html. The crash happened on > the reliability bot sporadically, and I couldn't repro it. Ah, didn't see this comment before. Have you tried forcing a GC while running the test?
John Abd-El-Malek
Comment 8 2009-10-05 11:01:18 PDT
(In reply to comment #6) > (From update of attachment 40642 [details]) > We should add a test for the crash. This wasn't a reproducible crash. I'm open to suggestions on how this crash can be reproduced. > > + v8::Local<v8::Value> result = > V8Proxy::retrieve()->evaluate(WebCore::ScriptSourceCode("Date"), 0); > > This seems overly complicated. Why not just get the "Date" property of the > context's global object? Mads had suggested this. It's useful in case the page replaced the Date object, in which case we don't want to override getTime since they could have changed its functionality (i.e. added extra parameters). > > Other than those two issue, this looks reasonable.
Adam Barth
Comment 9 2009-10-05 13:10:30 PDT
(In reply to comment #8) > This wasn't a reproducible crash. I'm open to suggestions on how this crash > can be reproduced. Did you try running GC explicitly at an opportune moment? I think there's a function to force GC around somewhere in LayoutTests. > > + v8::Local<v8::Value> result = > > V8Proxy::retrieve()->evaluate(WebCore::ScriptSourceCode("Date"), 0); > > > > This seems overly complicated. Why not just get the "Date" property of the > > context's global object? > > Mads had suggested this. It's useful in case the page replaced the Date > object, in which case we don't want to override getTime since they could have > changed its functionality (i.e. added extra parameters). How does this solve that problem? Won't evaling "Date" just give you the modified object?
John Abd-El-Malek
Comment 10 2009-10-05 13:31:30 PDT
(In reply to comment #9) > (In reply to comment #8) > > This wasn't a reproducible crash. I'm open to suggestions on how this crash > > can be reproduced. > > Did you try running GC explicitly at an opportune moment? I think there's a > function to force GC around somewhere in LayoutTests. Yeah I tried that, but the crash only happens if GC happens during the call to the enableSleepDetection function that's in the closure. Trying to simulate gc in the unload handlers themselves doesn't trigger this. > > > > + v8::Local<v8::Value> result = > > > V8Proxy::retrieve()->evaluate(WebCore::ScriptSourceCode("Date"), 0); > > > > > > This seems overly complicated. Why not just get the "Date" property of the > > > context's global object? > > > > Mads had suggested this. It's useful in case the page replaced the Date > > object, in which case we don't want to override getTime since they could have > > changed its functionality (i.e. added extra parameters). > > How does this solve that problem? Won't evaling "Date" just give you the > modified object? It prevents this problem because the modified "Date" object won't have the hidden property on it, so the code will early return.
Adam Barth
Comment 11 2009-10-05 15:27:44 PDT
> > > > This seems overly complicated. Why not just get the "Date" property of the > > > > context's global object? > > It prevents this problem because the modified "Date" object won't have the > hidden property on it, so the code will early return. Oh, I'm just saying that you replace the "eval the string Date" code with "get the Date property of the global object". I agree that you should continue to store the hidden property on the Date object itself.
John Abd-El-Malek
Comment 12 2009-10-05 21:38:17 PDT
Created attachment 40684 [details] Updated patch
Adam Barth
Comment 13 2009-10-05 21:45:57 PDT
Comment on attachment 40684 [details] Updated patch Thanks John. Normally we check the result of V8Proxy::retrieve()->context() to see if the context is empty (e.g., because JavaScript is disabled). I don't think we can get into that situation here, however.
WebKit Commit Bot
Comment 14 2009-10-05 21:48:30 PDT
Comment on attachment 40684 [details] Updated patch Rejecting patch 40684 from commit-queue. Patch https://bugs.webkit.org/attachment.cgi?id=40684 from bug 30033 failed to download and apply.
Adam Barth
Comment 15 2009-10-05 21:49:34 PDT
I'll land this by hand.
Adam Barth
Comment 16 2009-10-05 21:55:23 PDT
Committed r49148: <http://trac.webkit.org/changeset/49148>
John Abd-El-Malek
Comment 17 2009-10-05 22:23:51 PDT
(In reply to comment #16) > Committed r49148: <http://trac.webkit.org/changeset/49148> Thanks, btw for future reference I'm a committer so I don't need to burden anyone anymore.
Adam Barth
Comment 18 2009-10-05 22:28:24 PDT
> Thanks, btw for future reference I'm a committer so I don't need to burden > anyone anymore. Ah, I knew that, but forgot. You might want to add yourself to this page: http://trac.webkit.org/wiki/WebKit%20Team In any case, I knew what the merge conflict was because I r+ed the conflicting change, so it was easy for me to fix.
Note You need to log in before you can comment on or make changes to this bug.