RESOLVED FIXED 220464
Use HashSet<RefPtr<Node>> instead of HashSet<Node*> 
https://bugs.webkit.org/show_bug.cgi?id=220464
Summary Use HashSet<RefPtr<Node>> instead of HashSet<Node*>
Alex Christensen
Reported 2021-01-08 09:42:13 PST
Use WeakHashSet<Node> instead of HashSet<Node*>
Attachments
Patch (43.69 KB, patch)
2021-01-08 09:43 PST, Alex Christensen 		no flags
DetailsFormatted DiffDiff
Patch (43.70 KB, patch)
2021-01-08 09:44 PST, Alex Christensen 		no flags
DetailsFormatted DiffDiff
Patch (35.28 KB, patch)
2021-05-10 10:28 PDT, Alex Christensen 		ews-feeder: commit-queue-
DetailsFormatted DiffDiff
Patch (35.54 KB, patch)
2021-05-10 11:14 PDT, Alex Christensen 		no flags
DetailsFormatted DiffDiff
Patch (31.62 KB, patch)
2021-05-10 17:52 PDT, Alex Christensen 		no flags
DetailsFormatted DiffDiff
Patch (40.31 KB, patch)
2021-05-11 12:25 PDT, Alex Christensen 		rniwa: review+
DetailsFormatted DiffDiff
Show Obsolete (5) View All Add attachment proposed patch, testcase, etc.
Alex Christensen
Comment 1 2021-01-08 09:43:28 PST
Created attachment 417271 [details] Patch
Alex Christensen
Comment 2 2021-01-08 09:44:11 PST
Created attachment 417272 [details] Patch
Tim Horton
Comment 3 2021-01-08 11:55:10 PST
Comment on attachment 417272 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=417272&action=review > Source/WebCore/ChangeLog:7 > + Needs more words, this isn't what a WebKit ChangeLog entry should look like
Alex Christensen
Comment 4 2021-01-08 11:58:50 PST
Comment on attachment 417272 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=417272&action=review >> Source/WebCore/ChangeLog:7 >> + > > Needs more words, this isn't what a WebKit ChangeLog entry should look like Will add before landing: WeakHashSet is resistent to use-after-free bugs, which can occur when storing raw pointers in a HashSet.
Radar WebKit Bug Importer
Comment 5 2021-01-15 09:43:14 PST
<rdar://problem/73252016>
Geoffrey Garen
Comment 6 2021-02-03 13:32:03 PST
RefPtr<Node> can be less expensive than WeakPtr<Node>, since the first WeakPtr for any Node needs to allocate the WeakPtrImpl. Do we have a specific motivation to allow these nodes to be deleted? (I didn't see a case where we do.) In any case where we do not specifically want to enable deletion, I think we should use RefPtr<Node> instead. That might be all of these cases.
Alex Christensen
Comment 7 2021-05-08 17:18:29 PDT
Comment on attachment 417272 [details] Patch True.
Alex Christensen
Comment 8 2021-05-10 10:28:23 PDT
Created attachment 428181 [details] Patch
Alex Christensen
Comment 9 2021-05-10 11:14:58 PDT
Created attachment 428185 [details] Patch
Chris Dumez
Comment 10 2021-05-10 11:20:00 PDT
Comment on attachment 428185 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=428185&action=review > Source/WebCore/ChangeLog:3 > + Use HashSet<RefPtr<Node>> instead of HashSet<Node*> Why not a WeakHashSet<Node>? Container of ref pointers are often sources of leaks. This seems to be impacting lifetime management in a potentially significant way just to fix potential lifetime bugs.
Alex Christensen
Comment 11 2021-05-10 11:21:25 PDT
That was my initial approach, but Geoff gave the feedback to use RefPtr/Ref instead. I think it's ok in this case because the containers are basically all created, used, and destroyed within the scope of a function.
Chris Dumez
Comment 12 2021-05-10 11:25:35 PDT
Comment on attachment 428185 [details] Patch Fair point. 2 cases seem to be static vectors though. However, they are apparently only used for debugging purposes.
EWS
Comment 13 2021-05-10 12:09:43 PDT
Committed r277281 (237546@main): <https://commits.webkit.org/237546@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 428185 [details].
WebKit Commit Bot
Comment 14 2021-05-10 16:51:28 PDT
Re-opened since this is blocked by bug 225622
Ryan Haddad
Comment 15 2021-05-10 16:56:43 PDT
(In reply to WebKit Commit Bot from comment #14) > Re-opened since this is blocked by bug 225622 Link to test run showing crashes: https://build.webkit.org/results/Apple-BigSur-Debug-WK2-Tests/r277293%20(1735)/results.html All the ones I clicked appear to be ASSERTION FAILED: isMainThread() /Volumes/Data/worker/bigsur-debug/build/Source/WebCore/dom/Node.h(776) : void WebCore::Node::ref() const
Alex Christensen
Comment 16 2021-05-10 17:50:36 PDT
Comment on attachment 428185 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=428185&action=review > Source/WebCore/dom/MutationObserver.cpp:172 > +HashSet<Ref<Node>> MutationObserver::observedNodes() const This is called from the GC thread. I'll remove this change from this patch to be conservative. We may want to revisit, though. Pun intended.
Alex Christensen
Comment 17 2021-05-10 17:52:04 PDT
Created attachment 428231 [details] Patch
Ryosuke Niwa
Comment 18 2021-05-11 11:13:07 PDT
Comment on attachment 428231 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=428231&action=review > Source/WebCore/dom/Node.cpp:100 > - static NeverDestroyed<HashSet<Node*>> liveNodes; > + static NeverDestroyed<HashSet<Ref<Node>>> liveNodes; We can't do this. This will leak everything! We only remove the node from this set inside ~Node. So if we use Ref<Node> here, then it would never get deleted. We need to use WeakHashSet instead. > Source/WebCore/dom/Node.cpp:300 > - static NeverDestroyed<HashSet<Node*>> ignore; > + static NeverDestroyed<HashSet<Ref<Node>>> ignore; Same issue.
Alex Christensen
Comment 19 2021-05-11 12:25:55 PDT
Created attachment 428305 [details] Patch
Alex Christensen
Comment 20 2021-05-12 11:40:54 PDT
http://trac.webkit.org/r277382
Note You need to log in before you can comment on or make changes to this bug.