RESOLVED FIXED 235658
JSEventListener::replaceJSFunctionForAttributeListener() should not replace m_wrapper unconditionally 
https://bugs.webkit.org/show_bug.cgi?id=235658
Summary JSEventListener::replaceJSFunctionForAttributeListener() should not replace m...
Alexey Shvayka
Reported 2022-01-26 11:29:34 PST
JSEventListener::replaceJSFunctionForAttributeListener() should not replace m_wrapper unconditionally
Attachments
Patch (2.07 KB, patch)
2022-01-26 11:30 PST, Alexey Shvayka 		no flags
DetailsFormatted DiffDiff
Follow-up patch (1.42 KB, patch)
2022-01-26 15:51 PST, Alexey Shvayka 		no flags
DetailsFormatted DiffDiff
Follow-up patch (1.42 KB, patch)
2022-01-26 16:35 PST, Alexey Shvayka 		no flags
DetailsFormatted DiffDiff
Follow-up patch (3.27 KB, patch)
2022-01-27 14:59 PST, Alexey Shvayka 		no flags
DetailsFormatted DiffDiff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.
Alexey Shvayka
Comment 1 2022-01-26 11:30:22 PST
Created attachment 450044 [details] Patch
Yusuke Suzuki
Comment 2 2022-01-26 11:46:08 PST
Comment on attachment 450044 [details] Patch r=me
Alexey Shvayka
Comment 3 2022-01-26 15:03:45 PST
Comment on attachment 450044 [details] Patch Thanks Yusuke!
EWS
Comment 4 2022-01-26 15:09:06 PST
Committed r288648 (246456@main): <https://commits.webkit.org/246456@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 450044 [details].
Radar WebKit Bug Importer
Comment 5 2022-01-26 15:10:17 PST
<rdar://problem/88098051>
Geoffrey Garen
Comment 6 2022-01-26 15:22:10 PST
Comment on attachment 450044 [details] Patch Why is it OK (or a memory improvement) to replace m_jsFunction unconditionally but replace m_wrapper conditionally? There seem to be some null checks of m_wrapper in JSEventListener. Wouldn't the choice not to update M-wrapper change their behavior? Write barrier changes the behavior of GC. Why is it OK to skip sometimes?
Geoffrey Garen
Comment 7 2022-01-26 15:26:54 PST
Comment on attachment 450044 [details] Patch If I understand the intent correctly, I *think* a better fix would be: m_jsFunction = Weak { function }; if (m_isInitialized) ASSERT(m_wrapper == wrapper); else { m_wrapper = Weak { wrapper }; m_isInitialized = true; } auto& vm = m_isolatedWorld->vm(); vm.writeBarrier(m_wrapper, m_jsFunction);
Alexey Shvayka
Comment 8 2022-01-26 15:38:38 PST
(In reply to Geoffrey Garen from comment #6) > Comment on attachment 450044 [details] > Patch > > Why is it OK (or a memory improvement) to replace m_jsFunction > unconditionally but replace m_wrapper conditionally? > > There seem to be some null checks of m_wrapper in JSEventListener. Wouldn't > the choice not to update M-wrapper change their behavior? As you've noted in https://bugs.webkit.org/show_bug.cgi?id=235658#c7, we hope (assert) the m_wrapper stays alive and unchanged. > Write barrier changes the behavior of GC. Why is it OK to skip sometimes? Write barrier is being set up only in case of JSLazyEventListener, where we create m_jsFunction from a string; that's not the case for replaceJSFunctionForAttributeListener(), so I guess the better fix would be just: m_jsFunction = Weak { function }; if (m_isInitialized) ASSERT(m_wrapper == wrapper); else { m_wrapper = Weak { wrapper }; m_isInitialized = true; } <no write barrier necessary>
Alexey Shvayka
Comment 9 2022-01-26 15:51:38 PST
Reopening to attach new patch.
Alexey Shvayka
Comment 10 2022-01-26 15:51:42 PST
Created attachment 450081 [details] Follow-up patch
Alexey Shvayka
Comment 11 2022-01-26 16:35:39 PST
Created attachment 450083 [details] Follow-up patch Fix comparison.
Alexey Shvayka
Comment 12 2022-01-27 14:59:53 PST
Created attachment 450184 [details] Follow-up patch Pass correct wrapper for Window-reflecting event handlers and improve ChangeLog.
Alexey Shvayka
Comment 13 2022-01-28 11:42:23 PST
Comment on attachment 450184 [details] Follow-up patch Geoff, thank you for valuable comments that led to discovering & fixing the incorrect behavior, which was probably user-facing.
EWS
Comment 14 2022-01-28 11:49:46 PST
Committed r288753 (246544@main): <https://commits.webkit.org/246544@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 450184 [details].
Note You need to log in before you can comment on or make changes to this bug.