[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc
dimich at chromium.org
dimich at chromium.org
Wed Dec 22 12:15:23 UTC 2010
The following commit has been merged in the debian/experimental branch:
commit 7770b8942972c4846d462b7001f9830b506f1992
Author: dimich at chromium.org <dimich at chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Tue Aug 17 22:29:42 2010 +0000
MessagePort.close() crashes if the owning context was destroyed.
https://bugs.webkit.org/show_bug.cgi?id=43140
Reviewed by David Levin.
WebCore:
Test: fast/events/message-port-context-destroyed.html
* dom/MessagePort.cpp:
(WebCore::MessagePort::postMessage):
(WebCore::MessagePort::start):
(WebCore::MessagePort::close):
(WebCore::MessagePort::contextDestroyed):
Use isEntangled() method to gate various operations on MessagePort. This method also takes into account m_closed bit.
* dom/ScriptExecutionContext.cpp:
(WebCore::ScriptExecutionContext::stopActiveDOMObjects):
(WebCore::ScriptExecutionContext::closeMessagePorts):
* dom/ScriptExecutionContext.h:
Add closeMessagePorts() method that closes message ports at the same moments when other ActiveDOMObjects are stopped.
LayoutTests:
* fast/events/message-port-context-destroyed-expected.txt: Added.
* fast/events/message-port-context-destroyed.html: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@65563 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 67ca8bb..d4e9d7e 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2010-08-17 Dmitry Titov <dimich at chromium.org>
+
+ Reviewed by David Levin.
+
+ MessagePort.close() crashes if the owning context was destroyed.
+ https://bugs.webkit.org/show_bug.cgi?id=43140
+
+ * fast/events/message-port-context-destroyed-expected.txt: Added.
+ * fast/events/message-port-context-destroyed.html: Added.
+
2010-08-17 Victoria Kirst <vrk at google.com>
Unreviewed. Build fix.
diff --git a/LayoutTests/fast/events/message-port-context-destroyed-expected.txt b/LayoutTests/fast/events/message-port-context-destroyed-expected.txt
new file mode 100644
index 0000000..6bd53b2
--- /dev/null
+++ b/LayoutTests/fast/events/message-port-context-destroyed-expected.txt
@@ -0,0 +1,3 @@
+Test that MessagePort is properly closed when its owning context goes away. The test succeeds if it doesn't crash and prints "PASS" below. See https://bugs.webkit.org/show_bug.cgi?id=43140 for more details.
+
+PASS
diff --git a/LayoutTests/fast/events/message-port-context-destroyed.html b/LayoutTests/fast/events/message-port-context-destroyed.html
new file mode 100644
index 0000000..8adc8a3
--- /dev/null
+++ b/LayoutTests/fast/events/message-port-context-destroyed.html
@@ -0,0 +1,42 @@
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+}
+
+var port;
+var gc_stuff = new Array();
+
+gc_and_crash = function() {
+ if (this.GCController)
+ GCController.collect();
+ else {
+ // V8 needs that many objects to run GC.
+ for(i = 0; i < 100000; i++) {
+ p = new Object();
+ gc_stuff.push(p);
+ gc_stuff.push(p + p);
+ }
+ }
+
+ // If the bug 43140 is regressed, this will crash, at least in v8-based ports.
+ port.start();
+
+ document.getElementById("log").innerText = "PASS";
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+}
+
+function test() {
+ var iframe = document.getElementById("iframe");
+ var channel = new iframe.contentWindow.MessageChannel();
+ port = channel.port1;
+
+ iframe.onload = function() { gc_and_crash(); }
+ iframe.src = "data:text/html,<body>Hello!" ;
+}
+</script>
+<body onload="test()">
+<p>Test that MessagePort is properly closed when its owning context goes away. The test succeeds if it doesn't crash and prints "PASS" below. See https://bugs.webkit.org/show_bug.cgi?id=43140 for more details.</p>
+<pre id=log></pre>
+<iframe style="display:none" id=iframe></iframe>
\ No newline at end of file
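Review bot: The test only calls `port.start()` after the iframe's context is gone, while the bug title is about `MessagePort.close()` and the patch also gates `postMessage()` on isEntangled(). Adding `port.postMessage("ping");` and `port.close();` right after the `port.start();` call in gc_and_crash would cover all three gated entry points against regression. A short comment above the `iframe.src = ...` assignment, saying that the navigation is what destroys the context owning `port`, would make the setup easier to follow.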
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 9f4fdf7..4caa5da 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,25 @@
+2010-08-17 Dmitry Titov <dimich at chromium.org>
+
+ Reviewed by David Levin.
+
+ MessagePort.close() crashes if the owning context was destroyed.
+ https://bugs.webkit.org/show_bug.cgi?id=43140
+
+ Test: fast/events/message-port-context-destroyed.html
+
+ * dom/MessagePort.cpp:
+ (WebCore::MessagePort::postMessage):
+ (WebCore::MessagePort::start):
+ (WebCore::MessagePort::close):
+ (WebCore::MessagePort::contextDestroyed):
+ Use isEntangled() method to gate various operations on MessagePort. This method also takes into account m_closed bit.
+
+ * dom/ScriptExecutionContext.cpp:
+ (WebCore::ScriptExecutionContext::stopActiveDOMObjects):
+ (WebCore::ScriptExecutionContext::closeMessagePorts):
+ * dom/ScriptExecutionContext.h:
+ Add closeMessagePorts() method that closes message ports at the same moments when other ActiveDOMObjects are stopped.
+
2010-08-17 Fady Samuel <fsamuel at chromium.org>
Reviewed by David Hyatt.
diff --git a/WebCore/dom/MessagePort.cpp b/WebCore/dom/MessagePort.cpp
index 8d4ed98..1b7aea7 100644
--- a/WebCore/dom/MessagePort.cpp
+++ b/WebCore/dom/MessagePort.cpp
@@ -20,7 +20,7 @@
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
* OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
@@ -72,7 +72,7 @@ void MessagePort::postMessage(PassRefPtr<SerializedScriptValue> message, Excepti
void MessagePort::postMessage(PassRefPtr<SerializedScriptValue> message, const MessagePortArray* ports, ExceptionCode& ec)
{
- if (!m_entangledChannel)
+ if (!isEntangled())
return;
ASSERT(m_scriptExecutionContext);
@@ -118,8 +118,8 @@ void MessagePort::messageAvailable()
void MessagePort::start()
{
- // Do nothing if we've been cloned
- if (!m_entangledChannel)
+ // Do nothing if we've been cloned or closed.
+ if (!isEntangled())
return;
ASSERT(m_scriptExecutionContext);
@@ -133,7 +133,7 @@ void MessagePort::start()
void MessagePort::close()
{
m_closed = true;
- if (!m_entangledChannel)
+ if (!isEntangled())
return;
m_entangledChannel->close();
}
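Review bot: In close(), `m_closed = true;` runs before `if (!isEntangled())`, and the commit description says isEntangled() takes the m_closed bit into account. If that means it returns false once m_closed is set (its definition is not in this diff), the early return is always taken and `m_entangledChannel->close()` is never reached. The channel would then stay open and could keep delivering messageAvailable() to a port whose context is being torn down. Testing first and setting the flag afterwards avoids that: `if (isEntangled()) m_entangledChannel->close();` followed by `m_closed = true;`.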
@@ -152,8 +152,9 @@ void MessagePort::entangle(PassOwnPtr<MessagePortChannel> remote)
void MessagePort::contextDestroyed()
{
ASSERT(m_scriptExecutionContext);
- // Must close port before blowing away the cached context, to ensure that we get no more calls to messageAvailable().
- close();
+ // Must be closed before blowing away the cached context, to ensure that we get no more calls to messageAvailable().
+ // ScriptExecutionContext::closeMessagePorts() takes care of that.
+ ASSERT(m_closed);
m_scriptExecutionContext = 0;
}
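Review bot: `ASSERT(m_closed)` replaces the unconditional `close()` call, so in release builds, where ASSERT is presumably compiled out, nothing enforces that the port is closed before `m_scriptExecutionContext = 0;`. Any path that reaches contextDestroyed() without first going through ScriptExecutionContext::closeMessagePorts() would leave the channel open with a null context, which is the state the original comment warned about. No such path is visible here, but the callers are outside this diff. Keeping a cheap fallback after the assertion, `if (!m_closed) close();`, preserves the guarantee in release builds.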
diff --git a/WebCore/dom/ScriptExecutionContext.cpp b/WebCore/dom/ScriptExecutionContext.cpp
index 6d6b18d..d014d47 100644
--- a/WebCore/dom/ScriptExecutionContext.cpp
+++ b/WebCore/dom/ScriptExecutionContext.cpp
@@ -20,7 +20,7 @@
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
* OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
@@ -227,6 +227,9 @@ void ScriptExecutionContext::stopActiveDOMObjects()
ASSERT(iter->first->scriptExecutionContext() == this);
iter->first->stop();
}
+
+ // Also close MessagePorts. If they were ActiveDOMObjects (they could be) then they could be stopped instead.
+ closeMessagePorts();
}
void ScriptExecutionContext::createdActiveDOMObject(ActiveDOMObject* object, void* upcastPointer)
@@ -242,6 +245,14 @@ void ScriptExecutionContext::destroyedActiveDOMObject(ActiveDOMObject* object)
m_activeDOMObjects.remove(object);
}
+void ScriptExecutionContext::closeMessagePorts() {
+ HashSet<MessagePort*>::iterator messagePortsEnd = m_messagePorts.end();
+ for (HashSet<MessagePort*>::iterator iter = m_messagePorts.begin(); iter != messagePortsEnd; ++iter) {
+ ASSERT((*iter)->scriptExecutionContext() == this);
+ (*iter)->close();
+ }
+}
+
void ScriptExecutionContext::setSecurityOrigin(PassRefPtr<SecurityOrigin> securityOrigin)
{
m_securityOrigin = securityOrigin;
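Review bot: closeMessagePorts() calls `(*iter)->close()` on raw `MessagePort*` entries while iterating m_messagePorts, and nothing in the hunk states that close() cannot add or remove entries in that set. If it ever can, the iterator is invalidated mid-loop. A comment above the loop such as `// close() must not create or destroy MessagePorts, so m_messagePorts is stable while we iterate.` would record the invariant, or the set could be copied before the loop. The opening brace also sits on the signature line, unlike setSecurityOrigin just below, which puts `{` on its own line.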
diff --git a/WebCore/dom/ScriptExecutionContext.h b/WebCore/dom/ScriptExecutionContext.h
index 68beef0..30c12e5 100644
--- a/WebCore/dom/ScriptExecutionContext.h
+++ b/WebCore/dom/ScriptExecutionContext.h
@@ -20,7 +20,7 @@
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
* OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
@@ -94,7 +94,7 @@ namespace WebCore {
virtual void reportException(const String& errorMessage, int lineNumber, const String& sourceURL) = 0;
virtual void addMessage(MessageSource, MessageType, MessageLevel, const String& message, unsigned lineNumber, const String& sourceURL) = 0;
-
+
// Active objects are not garbage collected even if inaccessible, e.g. because their activity may result in callbacks being invoked.
bool canSuspendActiveDOMObjects();
// Active objects can be asked to suspend even if canSuspendActiveDOMObjects() returns 'false' -
@@ -157,6 +157,8 @@ namespace WebCore {
virtual const KURL& virtualURL() const = 0;
virtual KURL virtualCompleteURL(const String&) const = 0;
+ void closeMessagePorts();
+
RefPtr<SecurityOrigin> m_securityOrigin;
HashSet<MessagePort*> m_messagePorts;
--
WebKit Debian packaging