[SCM] WebKit Debian packaging branch, webkit-1.1, updated. upstream/1.1.17-1283-gcf603cf
Tue Jan 5 23:41:38 UTC 2010
The following commit has been merged in the webkit-1.1 branch:
commit de3144d120e5d24753021dc246148d35d649f2ae
Author: dglazkov at chromium.org <dglazkov at chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Thu Dec 3 16:57:55 2009 +0000
2009-12-03 Dimitri Glazkov <dglazkov at chromium.org>
Reviewed by Adam Barth.
[V8] Attributes and NamedNodeMaps aren't tracked correctly and may be prematurely garbage-collected.
https://bugs.webkit.org/show_bug.cgi?id=32094
Covered by existing test: LayoutTests/fast/dom/Attr/access-after-element-destruction.html
* bindings/v8/DOMObjectsInclude.h:
* bindings/v8/V8DOMWrapper.cpp:
(WebCore::V8DOMWrapper::getTemplate):
(WebCore::V8DOMWrapper::convertToV8Object):
(WebCore::V8DOMWrapper::convertNamedNodeMapToV8Object):
* bindings/v8/V8DOMWrapper.h:
* bindings/v8/V8GCController.cpp:
(WebCore::ObjectGrouperVisitor::visitDOMWrapper):
* bindings/v8/custom/V8CustomBinding.h:
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@51638 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index e687c13..af6e9e5 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,22 @@
+2009-12-03 Dimitri Glazkov <dglazkov at chromium.org>
+
+ Reviewed by Adam Barth.
+
+ [V8] Attributes and NamedNodeMaps aren't tracked correctly and may be prematurely garbage-collected.
+ https://bugs.webkit.org/show_bug.cgi?id=32094
+
+ Covered by existing test: LayoutTests/fast/dom/Attr/access-after-element-destruction.html
+
+ * bindings/v8/DOMObjectsInclude.h:
+ * bindings/v8/V8DOMWrapper.cpp:
+ (WebCore::V8DOMWrapper::getTemplate):
+ (WebCore::V8DOMWrapper::convertToV8Object):
+ (WebCore::V8DOMWrapper::convertNamedNodeMapToV8Object):
+ * bindings/v8/V8DOMWrapper.h:
+ * bindings/v8/V8GCController.cpp:
+ (WebCore::ObjectGrouperVisitor::visitDOMWrapper):
+ * bindings/v8/custom/V8CustomBinding.h:
+
2009-12-03 Pavel Feldman <pfeldman at chromium.org>
Reviewed by Timothy Hatcher.
diff --git a/WebCore/bindings/v8/DOMObjectsInclude.h b/WebCore/bindings/v8/DOMObjectsInclude.h
index 7855809..9941aeb 100644
--- a/WebCore/bindings/v8/DOMObjectsInclude.h
+++ b/WebCore/bindings/v8/DOMObjectsInclude.h
@@ -31,6 +31,7 @@
#ifndef DOMObjectsInclude_h
#define DOMObjectsInclude_h
+#include "Attr.h"
#include "BarInfo.h"
#include "BeforeLoadEvent.h"
#include "WebGLActiveInfo.h"
diff --git a/WebCore/bindings/v8/V8DOMWrapper.cpp b/WebCore/bindings/v8/V8DOMWrapper.cpp
index 6c6207d..969611f 100644
--- a/WebCore/bindings/v8/V8DOMWrapper.cpp
+++ b/WebCore/bindings/v8/V8DOMWrapper.cpp
@@ -366,10 +366,15 @@ v8::Persistent<v8::FunctionTemplate> V8DOMWrapper::getTemplate(V8ClassIndex::V8W
case V8ClassIndex::MIMETYPEARRAY:
setCollectionIndexedAndNamedGetters<MimeTypeArray, MimeType>(descriptor, V8ClassIndex::MIMETYPE);
break;
- case V8ClassIndex::NAMEDNODEMAP:
- descriptor->InstanceTemplate()->SetNamedPropertyHandler(USE_NAMED_PROPERTY_GETTER(NamedNodeMap));
- descriptor->InstanceTemplate()->SetIndexedPropertyHandler(USE_INDEXED_PROPERTY_GETTER(NamedNodeMap), 0, 0, 0, collectionIndexedPropertyEnumerator<NamedNodeMap>, v8::Integer::New(V8ClassIndex::NODE));
+ case V8ClassIndex::NAMEDNODEMAP: {
+ // We add an extra internal field to hold a reference to the owner node.
+ v8::Local<v8::ObjectTemplate> instanceTemplate = descriptor->InstanceTemplate();
+ ASSERT(instanceTemplate->InternalFieldCount() == V8Custom::kDefaultWrapperInternalFieldCount);
+ instanceTemplate->SetInternalFieldCount(V8Custom::kNamedNodeMapInternalFieldCount);
+ instanceTemplate->SetNamedPropertyHandler(USE_NAMED_PROPERTY_GETTER(NamedNodeMap));
+ instanceTemplate->SetIndexedPropertyHandler(USE_INDEXED_PROPERTY_GETTER(NamedNodeMap), 0, 0, 0, collectionIndexedPropertyEnumerator<NamedNodeMap>, v8::Integer::New(V8ClassIndex::NODE));
break;
+ }
#if ENABLE(DOM_STORAGE)
case V8ClassIndex::STORAGE:
descriptor->InstanceTemplate()->SetNamedPropertyHandler(USE_NAMED_PROPERTY_GETTER(Storage), USE_NAMED_PROPERTY_SETTER(Storage), 0, USE_NAMED_PROPERTY_DELETER(Storage), V8Custom::v8StorageNamedPropertyEnumerator);
@@ -698,6 +703,8 @@ v8::Handle<v8::Value> V8DOMWrapper::convertToV8Object(V8ClassIndex::V8WrapperTyp
return convertStyleSheetToV8Object(static_cast<StyleSheet*>(impl));
case V8ClassIndex::DOMWINDOW:
return convertWindowToV8Object(static_cast<DOMWindow*>(impl));
+ case V8ClassIndex::NAMEDNODEMAP:
+ return convertNamedNodeMapToV8Object(static_cast<NamedNodeMap*>(impl));
#if ENABLE(SVG)
SVG_NONNODE_TYPES(MAKE_CASE)
if (type == V8ClassIndex::SVGELEMENTINSTANCE)
@@ -1736,4 +1743,30 @@ v8::Handle<v8::Value> V8DOMWrapper::convertWindowToV8Object(DOMWindow* window)
return global;
}
+v8::Handle<v8::Value> V8DOMWrapper::convertNamedNodeMapToV8Object(NamedNodeMap* map)
+{
+ if (!map)
+ return v8::Null();
+
+ v8::Handle<v8::Object> wrapper = getDOMObjectMap().get(map);
+ if (!wrapper.IsEmpty())
+ return wrapper;
+
+ v8::Handle<v8::Object> result = instantiateV8Object(V8ClassIndex::NAMEDNODEMAP, V8ClassIndex::NAMEDNODEMAP, map);
+ if (result.IsEmpty())
+ return result;
+
+ // Only update the DOM object map if the result is non-empty.
+ map->ref();
+ setJSWrapperForDOMObject(map, v8::Persistent<v8::Object>::New(result));
+
+ // Add a hidden reference from named node map to its owner node.
+ if (Element* element = map->element()) {
+ v8::Handle<v8::Object> owner = v8::Handle<v8::Object>::Cast(convertNodeToV8Object(element));
+ result->SetInternalField(V8Custom::kNamedNodeMapOwnerNodeIndex, owner);
+ }
+
+ return result;
+}
+
} // namespace WebCore
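Review bot: The owner handle built on L115 is cast to v8::Object and stored on L116 without an emptiness check, although the same function guards instantiateV8Object's result on L106; if convertNodeToV8Object can likewise hand back an empty handle, SetInternalField is then called with one. A one-line guard keeps the wrapper usable, merely without the hidden reference: `if (!owner.IsEmpty()) result->SetInternalField(V8Custom::kNamedNodeMapOwnerNodeIndex, owner);`. Note also that the wrapper is registered in the DOM object map on L111 before the owner field is filled in, so a re-entrant lookup of the same map during convertNodeToV8Object would receive a wrapper whose owner slot is still undefined; registering after the field is set would close that window, if such re-entry is possible here. The comment on L113 could also state the intent explicitly, e.g. `// Keep the owner element's wrapper reachable from the map's wrapper so the element is not collected while JS still holds the map.`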
diff --git a/WebCore/bindings/v8/V8DOMWrapper.h b/WebCore/bindings/v8/V8DOMWrapper.h
index 0ea3669..eff3252 100644
--- a/WebCore/bindings/v8/V8DOMWrapper.h
+++ b/WebCore/bindings/v8/V8DOMWrapper.h
@@ -292,6 +292,7 @@ namespace WebCore {
// Returns the JS wrapper of a window object, initializes the environment
// of the window frame if needed.
static v8::Handle<v8::Value> convertWindowToV8Object(DOMWindow*);
+ static v8::Handle<v8::Value> convertNamedNodeMapToV8Object(NamedNodeMap*);
#if ENABLE(SVG)
static v8::Handle<v8::Value> convertSVGElementInstanceToV8Object(SVGElementInstance*);
diff --git a/WebCore/bindings/v8/V8GCController.cpp b/WebCore/bindings/v8/V8GCController.cpp
index 74f879e..b478636 100644
--- a/WebCore/bindings/v8/V8GCController.cpp
+++ b/WebCore/bindings/v8/V8GCController.cpp
@@ -262,14 +262,21 @@ public:
groupId = reinterpret_cast<uintptr_t>(node->document());
else {
Node* root = node;
- while (root->parent())
- root = root->parent();
-
- // If the node is alone in its DOM tree (doesn't have a parent or any
- // children) then the group will be filtered out later anyway.
- if (root == node && !node->hasChildNodes())
- return;
-
+ if (node->isAttributeNode()) {
+ root = static_cast<Attr*>(node)->ownerElement();
+ // If the attribute has no element, no need to put it in the group,
+ // because it'll always be a group of 1.
+ if (!root)
+ return;
+ } else {
+ while (root->parent())
+ root = root->parent();
+
+ // If the node is alone in its DOM tree (doesn't have a parent or any
+ // children) then the group will be filtered out later anyway.
+ if (root == node && !node->hasChildNodes() && !node->hasAttributes())
+ return;
+ }
groupId = reinterpret_cast<uintptr_t>(root);
}
m_grouper.append(GrouperItem(groupId, node, wrapper));
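Review bot: On L150-155 an Attr is grouped under its ownerElement directly, while every other detached node (L157-158) is grouped under the root of its tree, so an Attr whose owner element itself has a parent lands in a different object group from that owner, and the hidden-owner link this commit adds for NamedNodeMap does not cover that case. If that reading is right, the owner should only be the starting point of the same parent walk, as sketched below. The condition that selects the document group above L139 is outside the hunk; if an Attr is never inDocument itself, an Attr of an in-document element would also take this branch and be grouped apart from its owner, which is worth confirming against the test. visitDOMWrapper starts and ends outside the hunk.
```cpp
            Node* root = node;
            if (node->isAttributeNode()) {
                root = static_cast<Attr*>(node)->ownerElement();
                // A detached Attr is always a group of one; nothing to record.
                if (!root)
                    return;
            }
            // Walk to the top of the owner's (or the node's own) tree so an Attr
            // lands in the same group as the element that holds it.
            while (root->parent())
                root = root->parent();

            // If the node is alone in its DOM tree (doesn't have a parent or any
            // children) then the group will be filtered out later anyway.
            if (root == node && !node->hasChildNodes() && !node->hasAttributes())
                return;
            groupId = reinterpret_cast<uintptr_t>(root);
```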
diff --git a/WebCore/bindings/v8/custom/V8CustomBinding.h b/WebCore/bindings/v8/custom/V8CustomBinding.h
index 4aa1152..5e3fe66 100644
--- a/WebCore/bindings/v8/custom/V8CustomBinding.h
+++ b/WebCore/bindings/v8/custom/V8CustomBinding.h
@@ -173,6 +173,8 @@ namespace WebCore {
static const int kStyleSheetOwnerNodeIndex = kDefaultWrapperInternalFieldCount + 0;
static const int kStyleSheetInternalFieldCount = kDefaultWrapperInternalFieldCount + 1;
+ static const int kNamedNodeMapOwnerNodeIndex = kDefaultWrapperInternalFieldCount + 0;
+ static const int kNamedNodeMapInternalFieldCount = kDefaultWrapperInternalFieldCount + 1;
#if ENABLE(OFFLINE_WEB_APPLICATIONS)
static const int kDOMApplicationCacheCacheIndex = kDefaultWrapperInternalFieldCount + 0;
--