WebKit Bugzilla
New
Browse
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED FIXED
29031
[v8] speed up access to windows impl from various methods
https://bugs.webkit.org/show_bug.cgi?id=29031
Summary
[v8] speed up access to windows impl from various methods
anton muhin
Reported
2009-09-08 07:35:02 PDT
Currently we use lookupDOMWrapper to find out a proper JS wrapper which allows access to window C++ counterpart and stuff. Let's access it immediately from holder (but that requires some duplication)
Attachments
First pass
(10.35 KB, patch)
2009-09-08 07:40 PDT
,
anton muhin
no flags
Details
Formatted Diff
Diff
ChangeLog fixed
(10.40 KB, patch)
2009-09-08 07:42 PDT
,
anton muhin
abarth
: review-
Details
Formatted Diff
Diff
Second iteration
(
deleted
)
2009-09-21 08:53 PDT
,
anton muhin
abarth
: commit-queue-
Details
Formatted Diff
Diff
Another iteration: now we have necessary method in V8 public API
(6.89 KB, patch)
2009-10-02 11:11 PDT
,
anton muhin
abarth
: review+
commit-queue
: commit-queue-
Details
Formatted Diff
Diff
And another attempt, for WebKit@49221
(6.86 KB, patch)
2009-10-07 09:37 PDT
,
anton muhin
no flags
Details
Formatted Diff
Diff
Show Obsolete
(4)
View All
Add attachment
proposed patch, testcase, etc.
anton muhin
Comment 1
2009-09-08 07:40:09 PDT
Created
attachment 39183
[details]
First pass Guys, I'd esp. ask to review security-related changes as my knowledge of this domain is limited. And sorry if svn-preparePatch put wrong paths---I'll fix it in a next round.
anton muhin
Comment 2
2009-09-08 07:42:31 PDT
Created
attachment 39184
[details]
ChangeLog fixed
Adam Barth
Comment 3
2009-09-08 07:57:06 PDT
Comment on
attachment 39184
[details]
ChangeLog fixed I think this is ok. The dangerous piece is in installDOMWindow, but that should run before any evil JS has had a chance to screw up the jsWindow's prototype chain.
Adam Barth
Comment 4
2009-09-08 07:59:43 PDT
Comment on
attachment 39184
[details]
ChangeLog fixed Actually, I lied.
Adam Barth
Comment 5
2009-09-08 08:02:51 PDT
Can you add the following test case: Evil window creates an iframe to honest domain. Evil window then sets its __proto__ to the iframe's window object. Now, try to access properties that are normally on the WindowPrototype and see if you get the wrong answers w.r.t. security. It might be ok. I'll have to think about it more, but we should have the test case in any event.
Adam Barth
Comment 6
2009-09-15 10:23:35 PDT
I went over this this patch in detail with Anton. Everything looks fine except for the NAMED and INDEX access checks function. It's unclear whether |host| is always the same object as |holder|. If the objects are different, we might be access checking one object and operating on another object. He's going to investigate and write some tests.
anton muhin
Comment 7
2009-09-21 08:53:57 PDT
Created
attachment 39853
[details]
Second iteration Another pass. It passes newly added layout tests. The major difference is lookupDOMWrapper is restored in accessors checks. I believe the reason is not security, but some technical details (if you're curious: the way v8 is implemented it installs security callback on global object proxy and I don't want to put pointers to window impl on it). I'll address those issues with a separate CL. IMPORTANT NOTE (sorry for the case): please, do not land this patch: if it passes a review, I'd have to add a helper method to public V8 API (to lookup real named property).
Adam Barth
Comment 8
2009-09-23 14:18:09 PDT
Comment on
attachment 39853
[details]
Second iteration This looks great. Much easier to understand than the last round. One question: +namespace v8 { +Handle<Value> GetRealNamedProperty( + Handle<Object> object, + Handle<String> key); +} Shouldn't this be in a v8 header file? As written, it looks like it's grabbing at some random symbol in V8.
anton muhin
Comment 9
2009-09-23 14:28:34 PDT
(In reply to
comment #8
)
> (From update of
attachment 39853
[details]
) > This looks great. Much easier to understand than the last round. One > question: > > +namespace v8 { > +Handle<Value> GetRealNamedProperty( > + Handle<Object> object, > + Handle<String> key); > +} > > Shouldn't this be in a v8 header file? As written, it looks like it's grabbing > at some random symbol in V8.
You're right, Adam---I just didn't want to touch v8's header, but still have something compilable. And exactly for same reason I asked not to land this patch as I want to add this function into public V8 API. So I'll ask for another round when this lookup goes into v8. Thanks a lot for review, Adam!
anton muhin
Comment 10
2009-10-02 11:11:16 PDT
Created
attachment 40534
[details]
Another iteration: now we have necessary method in V8 public API Guys, that's exactly the same patch, but now with the resolved dep on public V8 API
Adam Barth
Comment 11
2009-10-02 14:09:24 PDT
Comment on
attachment 40534
[details]
Another iteration: now we have necessary method in V8 public API I just saw your committer paperwork go by, so you can either land this one yourself, or we can put it though commit queue.
anton muhin
Comment 12
2009-10-05 04:41:25 PDT
(In reply to
comment #11
)
> (From update of
attachment 40534
[details]
) > I just saw your committer paperwork go by, so you can either land this one > yourself, or we can put it though commit queue.
If you please, put it into commit queue---paper travels very slow over the ocean :)
WebKit Commit Bot
Comment 13
2009-10-05 08:48:50 PDT
Comment on
attachment 40534
[details]
Another iteration: now we have necessary method in V8 public API Rejecting patch 40534 from commit-queue. Patch
https://bugs.webkit.org/attachment.cgi?id=40534
from
bug 29031
failed to download and apply.
Eric Seidel (no email)
Comment 14
2009-10-05 11:03:53 PDT
Comment on
attachment 39853
[details]
Second iteration Obsoleting an older revision of this patch.
Eric Seidel (no email)
Comment 15
2009-10-05 11:04:30 PDT
Comment on
attachment 40534
[details]
Another iteration: now we have necessary method in V8 public API IIRC the CodeGeneratorV8.pm diff failed to apply.
anton muhin
Comment 16
2009-10-06 06:14:48 PDT
(In reply to
comment #15
)
> (From update of
attachment 40534
[details]
) > IIRC the CodeGeneratorV8.pm diff failed to apply.
Eric, anything I can help with? I synced to 49163 and svn up'ed it all fine.
anton muhin
Comment 17
2009-10-07 09:37:17 PDT
Created
attachment 40796
[details]
And another attempt, for WebKit@49221 Adam, Eric, that's just successfully compiled (on Mac) version of the same patch.
Adam Barth
Comment 18
2009-10-07 09:39:40 PDT
Comment on
attachment 40796
[details]
And another attempt, for WebKit@49221 Let's give it a spin.
WebKit Commit Bot
Comment 19
2009-10-07 09:59:16 PDT
Comment on
attachment 40796
[details]
And another attempt, for WebKit@49221 Clearing flags on attachment: 40796 Committed
r49248
: <
http://trac.webkit.org/changeset/49248
>
WebKit Commit Bot
Comment 20
2009-10-07 09:59:20 PDT
All reviewed patches have been landed. Closing bug.
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug