Bug 80880

Created attachment 131404 [details]
Patch

Comment on attachment 131404 [details]
Patch

Attachment 131404 [details] did not pass chromium-ews (chromium-xvfb):
Output: http://queues.webkit.org/results/11943156

Comment on attachment 131404 [details]
Patch

This patch looks really cool.  It looks like you have a compilation issue though.

Comment on attachment 131404 [details]
Patch

I'm marking this r+ out of pure enthusiasm, but we'll probably need to fix the compile errors before landing.  ;)

(In reply to comment #3)
> (From update of attachment 131404 [details])
> This patch looks really cool.  It looks like you have a compilation issue though.

I got the compile error under control. I was dissecting the initial patch which also set up hidden references for collections.

Wonderful patch!

Created attachment 131448 [details]
Patch for landing

Comment on attachment 131448 [details]
Patch for landing

Clearing flags on attachment: 131448

Committed r110524: <http://trac.webkit.org/changeset/110524>

All reviewed patches have been landed.  Closing bug.

Rolled out at http://trac.webkit.org/changeset/110537 because it broke chromium-win build.

(In reply to comment #10)
> Rolled out at http://trac.webkit.org/changeset/110537 because it broke chromium-win build.
FYI: http://chromegw.corp.google.com/i/chromium.webkit/builders/Webkit%20Win%20Builder%20%28dbg%29/builds/21087/steps/compile/logs/stdio

It looks that the generated source file doesn't include HTMLMediaElement.h and
cannot resolve HTMLMediaElement as a Node subclass.

The patch also seemed to cause a number of ASSERTs.

Comment on attachment 131448 [details]
Patch for landing

View in context: https://bugs.webkit.org/attachment.cgi?id=131448&action=review

LGTM, pretty neat

> Source/WebCore/ChangeLog:3
> +        [V8] Use v8::V8::AddHiddenReferences instead of SetHiddenValue

Add<Implicit>References?

> Source/WebCore/bindings/scripts/CodeGeneratorJS.pm:2317
> +            } elsif (GetGenerateIsReachable($dataNode) eq "ImplFrame") {

up to you, but looks slightly scary: you'll now return value for GenerateIsReachable, not JSGenerateIsReachable.

> Source/WebCore/bindings/scripts/CodeGeneratorV8.pm:237
> +    if (owner) {

nit: if (Node* owner = ...) {

(In reply to comment #13)
> > Source/WebCore/bindings/scripts/CodeGeneratorJS.pm:2317
> > +            } elsif (GetGenerateIsReachable($dataNode) eq "ImplFrame") {
> 
> up to you, but looks slightly scary: you'll now return value for GenerateIsReachable, not JSGenerateIsReachable.

The idea is that GenerateReachable = JSGenerateIsReachable | V8GenerateIsReachable. This pattern is used all over in the bindings.

Maybe I am missing something?

Created attachment 131692 [details]
Patch

Comment on attachment 131692 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=131692&action=review

> Source/WebCore/ChangeLog:17
> +        Second try. This time with an added include in TextTrackList.cpp.

Did you change more than just adding the include?  There were a bunch of debug crashes (ASSERTSs?) triggered by this change the first time.

Comment on attachment 131692 [details]
Patch

I'll see if I can find those asserts (this is the first time I hear about them)

If you have your IRC log from last night, I sent you a link to them.

I found a link in my IRC log:
http://build.chromium.org/f/chromium/layout_test_results/Webkit_Linux__dbg_/results/layout-test-results/dom/html/level1/core/hc_attrgetvalue1-crash-log.txt

Got it. Thanks.

Created attachment 131716 [details]
Patch

It turns out that the interfaces with GenerateReachable also needs V8DependentLifeTime since these are not independent. I updated the codegen to set the correct hasDependentLifetime.

Comment on attachment 131716 [details]
Patch

Ok.

Comment on attachment 131716 [details]
Patch

Clearing flags on attachment: 131716

Committed r110641: <http://trac.webkit.org/changeset/110641>

All reviewed patches have been landed.  Closing bug.

(In reply to comment #14)
> (In reply to comment #13)
> > > Source/WebCore/bindings/scripts/CodeGeneratorJS.pm:2317
> > > +            } elsif (GetGenerateIsReachable($dataNode) eq "ImplFrame") {
> > 
> > up to you, but looks slightly scary: you'll now return value for GenerateIsReachable, not JSGenerateIsReachable.
> 
> The idea is that GenerateReachable = JSGenerateIsReachable | V8GenerateIsReachable. This pattern is used all over in the bindings.
> 
> Maybe I am missing something?

No, I don't think so.  Thanks a lot for explanations.

Is the landed patch correct? Now I can find no "visitDOMWrapper" in the generated code.

Sorry, this got reverted again because it had ASAN problems:


AllUrlsApiTest.WhitelistedExtension: 
[6008:6008:0314/155218:1809070530:WARNING:zygote_host_impl_linux.cc(154)] Running without the SUID sandbox! See http://code.google.com/p/chromium/wiki/LinuxSUIDSandboxDevelopment for more information on developing with the sandbox on.
[6008:6008:0314/155219:1810342920:WARNING:CONSOLE(2109)] "Missing string for id: login_status_message", source: chrome://newtab/ (2109)
[6008:6008:0314/155219:1810343124:WARNING:CONSOLE(2109)] "Missing string for id: ntp4_intro_message", source: chrome://newtab/ (2109)
[6008:6008:0314/155219:1810343207:WARNING:CONSOLE(2109)] "Missing string for id: serverpromo", source: chrome://newtab/ (2109)
ASAN:SIGSEGV
==6041== ERROR: AddressSanitizer crashed on unknown address 0x000000000000 (pc 0x00000396c3e9 sp 0x7fffeab329f0 bp 0x7fffeab32a20 T0)
AddressSanitizer can not provide additional info. ABORTING
    #0 0x396c3e9 in v8::Context::Global() ???:0
    #1 0x5a4e8ec in WebCore::DOMData::getCurrentStore() ???:0
    #2 0x52242d9 in WebCore::getDOMNodeMap() ???:0
    #3 0x659e806 in WebCore::V8DOMTokenList::visitDOMWrapper(WebCore::DOMDataStore*, void*, v8::Persistent<v8::Object>) ???:0
    #4 0x5a5634f in WebCore::WeakReferenceMap<void, v8::Object>::visit(WebCore::DOMDataStore*, WebCore::AbstractWeakReferenceMap<void, v8::Object>::Visitor*) ???:0
    #5 0x5224eb8 in WebCore::visitDOMObjects(WebCore::AbstractWeakReferenceMap<void, v8::Object>::Visitor*) ???:0
    #6 0x522e4b6 in WebCore::V8GCController::gcPrologue() ???:0
    #7 0x3a6c83e in v8::internal::Heap::PerformGarbageCollection(v8::internal::GarbageCollector, v8::internal::GCTracer*) ???:0
Stats: 35M malloced (47M for red zones) by 142313 calls
Stats: 0M realloced by 258 calls
Stats: 29M freed by 81525 calls
Stats: 0M really freed by 0 calls
Stats: 112M (28687 full pages) mmaped in 28 calls
  mmaps   by size class: 8:131064; 9:16382; 10:8190; 11:2047; 12:1024; 13:1024; 14:512; 15:128; 16:128; 17:96; 18:32; 19:8; 20:4;
  mallocs by size class: 8:124488; 9:9231; 10:6162; 11:801; 12:317; 13:680; 14:334; 15:115; 16:72; 17:79; 18:26; 19:7; 20:1;
  frees   by size class: 8:67711; 9:6245; 10:5667; 11:547; 12:251; 13:546; 14:291; 15:103; 16:60; 17:70; 18:26; 19:7; 20:1;
  rfrees  by size class:
Stats: malloc large: 113 small slow: 511
Killed (timed out).

Adam (Barth), I cannot reproduce this ASAN report and Adam (Klein) suspects it is a ASAN bug. My plan is to try to submit this again Wed next week and see if it still happens. Are you OK with that?

Ok

Created attachment 148622 [details]
Patch for landing

Comment on attachment 148622 [details]
Patch for landing

Rejecting attachment 148622 [details] from commit-queue.

Failed to run "['/mnt/git/webkit-commit-queue/Tools/Scripts/webkit-patch', '--status-host=queues.webkit.org', '-..." exit_code: 1

ERROR: /mnt/git/webkit-commit-queue/Source/WebCore/ChangeLog neither lists a valid reviewer nor contains the string "Unreviewed" or "Rubber stamp" (case insensitive).

Full output: http://queues.webkit.org/results/13010011

Comment on attachment 148622 [details]
Patch for landing

This has no changes since last time it was r+ed. The only diffs are due to rebaseling.

(In reply to comment #33)
> (From update of attachment 148622 [details])
> This has no changes since last time it was r+ed. The only diffs are due to rebaseling.

In that case you can just put the reviewer in the ChangeLog(s) and cq+ it (which is all webkit-patch land-safely does anyway).

Created attachment 148627 [details]
Patch for landing

Comment on attachment 148627 [details]
Patch for landing

Clearing flags on attachment: 148627

Committed r120854: <http://trac.webkit.org/changeset/120854>

All reviewed patches have been landed.  Closing bug.

Re-opened since this is blocked by 89604

http://build.chromium.org/p/chromium.webkit/builders/Webkit%20Linux%20%28dbg%29/builds/8243

Regressions: Unexpected crashes : (2)
  inspector/extensions/extensions-audits-content-script.html = CRASH
  inspector/extensions/extensions-eval-content-script.html = CRASH

Crash was observed in release build as well:

http://build.chromium.org/p/chromium.webkit/builders/Webkit%20Linux/builds/27170

Regressions: Unexpected crashes : (1)
  inspector/extensions/extensions-audits-content-script.html = CRASH

14:55:27.236 7483 worker/3 inspector/extensions/extensions-audits-content-script.html crashed, stack trace:
14:55:27.236 7483   	base::debug::StackTrace::StackTrace() [0x673c5e]
14:55:27.236 7483   	base::(anonymous namespace)::StackDumpSignalHandler() [0x6602b9]
14:55:27.236 7483   	0x7f5a4d43eaf0
14:55:27.236 7483   	WebCore::DOMData::getCurrentStore() [0xfd35ab]
14:55:27.236 7483   	WebCore::getDOMNodeMap() [0xce0639]
14:55:27.236 7483   	WebCore::V8DOMTokenList::visitDOMWrapper() [0x137bcb9]
14:55:27.236 7483   	WebCore::WeakReferenceMap<>::visit() [0xfd5bf6]
14:55:27.236 7483   	WebCore::visitDOMObjects() [0xce04c9]
14:55:27.236 7483   	WebCore::V8GCController::gcPrologue() [0xce5de3]
14:55:27.236 7483   	v8::internal::Heap::PerformGarbageCollection() [0x8126bf]
14:55:27.236 7483   	v8::internal::Heap::CollectGarbage() [0x81301f]
14:55:27.236 7483   	v8::internal::Heap::CollectAllGarbage() [0x813520]
14:55:27.236 7483   	v8::internal::Debug::GetLoadedScripts() [0x7bc544]
14:55:27.236 7483   	v8::internal::Runtime_DebugGetLoadedScripts() [0x933cce]
14:55:27.236 7483   	0x1bd65730618e
14:55:27.238 7462   inspector/extensions/extensions-audits-content-script.html -> unexpected crash

From the debug build, an assertion in V8:

STDERR: #
STDERR: # Fatal error in v8/src/objects-inl.h, line 1489
STDERR: # CHECK(index < GetInternalFieldCount() && index >= 0) failed
STDERR: #

Comment on attachment 148627 [details]
Patch for landing

View in context: https://bugs.webkit.org/attachment.cgi?id=148627&action=review

Adam Klein helped me figure this out. A new patch is coming.

> Source/WebCore/bindings/scripts/CodeGeneratorV8.pm:226
> +        v8::Persistent<v8::Object> ownerWrapper = getDOMNodeMap().get(owner);

This line was the problem. It needs to be store->domNodeMap() to get the correct map.

Created attachment 148683 [details]
Patch

Comment on attachment 148683 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=148683&action=review

neat

> Source/WebCore/bindings/v8/V8GCController.cpp:344
> +        if (info->domWrapperVisitorFunction)

I think it's time to make WrapperTypeInfo a proper class and switch to virtual functions.

Comment on attachment 148683 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=148683&action=review

>> Source/WebCore/bindings/v8/V8GCController.cpp:344
>> +        if (info->domWrapperVisitorFunction)
> 
> I think it's time to make WrapperTypeInfo a proper class and switch to virtual functions.

That seems lika a good idea. I can do that in a follow up patch.

Created attachment 148860 [details]
Patch for landing

Comment on attachment 148860 [details]
Patch for landing

Clearing flags on attachment: 148860

Committed r120968: <http://trac.webkit.org/changeset/120968>

All reviewed patches have been landed.  Closing bug.