Several functions in MessagePort don't initialize their ExceptionCodes. This caused me trouble in DOMWindow::postMessage, which calls MessagePort::clone. The call succeeded, but the uninitialized ec value caused a failure.
Created attachment 24736 [details] Initialize the exceptioncodes.
Created attachment 24737 [details] Updated patch. Same patch as before, but this one contains a changelog.
Comment on attachment 24737 [details] Updated patch. The rules for ExceptionCode& arguments are: 1) If there's no exception, the function has no obligation to set the exception code. 2) If a caller wants to look at the exception code, it's responsible for setting it to 0 before calling. So there's no bug here.
And the caller (JSDOMWindow::postMessage()) does initialize ec - maybe the issue you are seeing is V8-specific?
Thanks Darin for clarification on the convention; I didn't know that. Given that, the changes to MessagePort.cpp are unnecessary. Part of this patch is still valid, I think: DOMWindow.cpp DOMWindow::postMessage calls messagePort->clone with an uninitialized ec. Re-marking for review.
Comment on attachment 24737 [details] Updated patch. See my comments about the changes to DOMWindow.cpp, which I think is still a valid bug.
OK - nevermind. Alexey - I see what you are saying. We want the declarer to initialize.
I might have closed this prematurely. As per Darin, we want the declarer of the ExceptionCode to initialize. That makes sense, and that is why I closed this bug. However, DOMWindow::postMessage is non-deterministic based on whether the caller initialized the ExceptionCode before calling. DOMWindow::postMessage uses ec internally with messagePort->clone(). If the caller of postMessage didn't initialize it, postMessage will have undefined behavior. (clone won't touch ec unless there is an exception, so when we come out of clone() postMessage will be using an uninitialized ec). There are two possible fixes; either we modify postMessage to use a different ExceptionCode for calling into clone() or we initialize ec within postMessage as per the patch here. Does this sound right?
(In reply to comment #8) > DOMWindow::postMessage uses ec internally with messagePort->clone(). If the > caller of postMessage didn't initialize it, postMessage will have undefined > behavior. (clone won't touch ec unless there is an exception, so when we come > out of clone() postMessage will be using an uninitialized ec). > > There are two possible fixes; either we modify postMessage to use a different > ExceptionCode for calling into clone() or we initialize ec within postMessage > as per the patch here. > > Does this sound right? Yes. Retitled bug to reflect this problem.
Hmm - still doesn't make sense to me. JS bindings must initialize ec before calling DOMWindow::postMessage(), so of course its behavior is undefined if that didn't happen. What am I missing?
Or are you saying that some other code could raise an exception before DOMWindow::postMessage (something that doesn't currently happen, as it's only JS bindings that call it)? Looking at some existing code, I see ec being cleared before making a call in DOM, but this seems really weird, as this loses information about the earlier exception.
(In reply to comment #10) > JS bindings must initialize ec before > calling DOMWindow::postMessage(), so of course its behavior is undefined if > that didn't happen. What am I missing? Yes, JavaScript bindings will always initialize ec. But other callers within WebCore are allowed to call the function without initializing ec if they wish to make the call and ignore the exception code. That's our current rule for the DOM. We could change it. A quick grep found at least 31 call sites that make calls and pass uninitialized ExceptionCode arguments because the caller didn't plan to look at the result. For examples of this, look at the call to Node::remove() inside Node::normalize(). And the call to EventTargetNode::dispatchEvent() inside EventHandler::keyEvent().
(In reply to comment #11) > Looking at some existing code, I see ec being > cleared before making a call in DOM, but this seems really weird, as this loses > information about the earlier exception. Generally speaking, if there is an earlier exception, it's the obligation of the implementer to return at that point and not try to do further work. It may be easier to discuss specific cases.
I see, thank you for the clarification!
Created attachment 28229 [details] revised patch Finally cycled back to this bug; revised the patch just to contain the one ec initialization which we agreed was important.
Comment on attachment 28229 [details] revised patch r=me (I hope Darin doesn't mind!) Please be sure to add bug URL and title to ChangeLog when landing.
Landed as http://trac.webkit.org/changeset/41418