[SCM] WebKit Debian packaging branch, webkit-1.1, updated. upstream/1.1.21-584-g1e41756

barraclough at apple.com barraclough at apple.com
Fri Feb 26 22:19:06 UTC 2010 

The following commit has been merged in the webkit-1.1 branch:
commit 5630d070217f90080197980c89b19f0de33b4d7f
Author: barraclough at apple.com <barraclough at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Fri Feb 12 22:42:28 2010 +0000

    Workers' EventListeners should be removed before JSGlobalData is destroyed
    https://bugs.webkit.org/show_bug.cgi?id=34903
    
    Reviewed by Sam Weinig.
    
    (Patch co-developed with Alexey Proskuryakov).
    
    Since http://trac.webkit.org/changeset/54460 the EventListeners registered by a
    worker thread are not removed until after the thread's JSGlobalData has been
    destroyed.  This is slightly worrisome since the JSEventListener contains
    JSObject*s, which will be dangling once the heap is destroyed.  The
    JSEventListeners may also reference the worker thread's normal world, which
    again it makes no sense to keep around after the JSGlobalData is freed.
    
    Remove all event listeners immediately prior to tearing down the JSGlobalData.
    
    https://bugs.webkit.org/show_bug.cgi?id=34728 addressed the symptoms of this
    problem, and it is probably cleaner to make the client data's normal world no
    longer be a member (since it is a ref-counted object), however they should be
    no requirement to 'detatch' – it makes no sense for anyone to be referencing
    the world after the JSGlobalData has gone away (the world's purpose is to hold
    wrapper objects in the JSGlobalData's heap).  Keep the restructuring that makes
    the normal world no longer be a member, but remove the detach mechanism this
    patch added & replace with stronger ASSERTs.
    
    * bindings/js/JSDOMBinding.cpp:
    (WebCore::DOMWrapperWorld::~DOMWrapperWorld):
    * bindings/js/JSDOMBinding.h:
    (WebCore::WebCoreJSClientData::~WebCoreJSClientData):
    * workers/WorkerThread.cpp:
    (WebCore::WorkerThreadShutdownStartTask::performTask):
    
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@54740 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 24deafc..585351c 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -2,6 +2,40 @@
 
         Reviewed by Sam Weinig.
 
+        Workers' EventListeners should be removed before JSGlobalData is destroyed
+        https://bugs.webkit.org/show_bug.cgi?id=34903
+
+        (Patch co-developed with Alexey Proskuryakov).
+
+        Since http://trac.webkit.org/changeset/54460 the EventListeners registered by a
+        worker thread are not removed until after the thread's JSGlobalData has been
+        destroyed.  This is slightly worrisome since the JSEventListener contains
+        JSObject*s, which will be dangling once the heap is destroyed.  The
+        JSEventListeners may also reference the worker thread's normal world, which
+        again it makes no sense to keep around after the JSGlobalData is freed.
+
+        Remove all event listeners immediately prior to tearing down the JSGlobalData.
+
+        https://bugs.webkit.org/show_bug.cgi?id=34728 addressed the symptoms of this
+        problem, and it is probably cleaner to make the client data's normal world no
+        longer be a member (since it is a ref-counted object), however they should be
+        no requirement to 'detatch' – it makes no sense for anyone to be referencing
+        the world after the JSGlobalData has gone away (the world's purpose is to hold
+        wrapper objects in the JSGlobalData's heap).  Keep the restructuring that makes
+        the normal world no longer be a member, but remove the detach mechanism this
+        patch added & replace with stronger ASSERTs.
+
+        * bindings/js/JSDOMBinding.cpp:
+        (WebCore::DOMWrapperWorld::~DOMWrapperWorld):
+        * bindings/js/JSDOMBinding.h:
+        (WebCore::WebCoreJSClientData::~WebCoreJSClientData):
+        * workers/WorkerThread.cpp:
+        (WebCore::WorkerThreadShutdownStartTask::performTask):
+
+2010-02-12  Gavin Barraclough  <barraclough at apple.com>
+
+        Reviewed by Sam Weinig.
+
         https://bugs.webkit.org/show_bug.cgi?id=33731
         Remove uses of PtrAndFlags from WebCore::StringImpl.
 
diff --git a/WebCore/bindings/js/JSDOMBinding.cpp b/WebCore/bindings/js/JSDOMBinding.cpp
index d718cba..abba405 100644
--- a/WebCore/bindings/js/JSDOMBinding.cpp
+++ b/WebCore/bindings/js/JSDOMBinding.cpp
@@ -151,11 +151,9 @@ DOMWrapperWorld::DOMWrapperWorld(JSC::JSGlobalData* globalData, bool isNormal)
 
 DOMWrapperWorld::~DOMWrapperWorld()
 {
-    if (m_globalData) {
-        JSGlobalData::ClientData* clientData = m_globalData->clientData;
-        ASSERT(clientData);
-        static_cast<WebCoreJSClientData*>(clientData)->forgetWorld(this);
-    }
+    JSGlobalData::ClientData* clientData = m_globalData->clientData;
+    ASSERT(clientData);
+    static_cast<WebCoreJSClientData*>(clientData)->forgetWorld(this);
 
     for (HashSet<Document*>::iterator iter = documentsWithWrappers.begin(); iter != documentsWithWrappers.end(); ++iter)
         forgetWorldOfDOMNodesForDocument(*iter, this);
diff --git a/WebCore/bindings/js/JSDOMBinding.h b/WebCore/bindings/js/JSDOMBinding.h
index 930f9cc..807bf82 100644
--- a/WebCore/bindings/js/JSDOMBinding.h
+++ b/WebCore/bindings/js/JSDOMBinding.h
@@ -144,7 +144,6 @@ namespace WebCore {
         }
         ~DOMWrapperWorld();
 
-        void detachFromGlobalData() { m_globalData = 0; }
         void rememberDocument(Document* document) { documentsWithWrappers.add(document); }
         void forgetDocument(Document* document) { documentsWithWrappers.remove(document); }
 
@@ -201,7 +200,9 @@ namespace WebCore {
         {
             ASSERT(m_worldSet.contains(m_normalWorld.get()));
             ASSERT(m_worldSet.size() == 1);
-            m_normalWorld->detachFromGlobalData();
+            ASSERT(m_normalWorld->hasOneRef());
+            m_normalWorld.clear();
+            ASSERT(m_worldSet.isEmpty());
         }
 
         DOMWrapperWorld* normalWorld() { return m_normalWorld.get(); }
diff --git a/WebCore/workers/WorkerThread.cpp b/WebCore/workers/WorkerThread.cpp
index fbeb95b..4e3ffa1 100644
--- a/WebCore/workers/WorkerThread.cpp
+++ b/WebCore/workers/WorkerThread.cpp
@@ -189,6 +189,10 @@ public:
         workerContext->stopDatabases(&cleanupSync);
 
         workerContext->stopActiveDOMObjects();
+
+        // Event listeners would keep DOMWrapperWorld objects alive for too long. Also, they have references to JS objects,
+        // which become dangling once Heap is destroyed.
+        workerContext->removeAllEventListeners();
         workerContext->clearScript();
 
         // We wait for the database thread to clean up all its stuff so that we

-- 
WebKit Debian packaging

More information about the Pkg-webkit-commits mailing list