[v8] CSS wrapper objects retention

https://bugs.webkit.org/show_bug.cgi?id=66377 Reviewed by Pavel Feldman. Disable object grouping for CSS object wrappers. This logic leads to hard to debug use-after-free problems. Source/WebCore: * bindings/v8/V8GCController.cpp: (WebCore::GrouperVisitor::visitDOMWrapper): LayoutTests: * platform/chromium/test_expectations.txt: git-svn-id: svn://svn.chromium.org/blink/trunk@93397 bbb929c8-8fbe-4397-9dbb-9b2b20218538

[v8] CSS wrapper objects retention
https://bugs.webkit.org/show_bug.cgi?id=66377 Reviewed by Pavel Feldman. Disable object grouping for CSS object wrappers. This logic leads to hard to debug use-after-free problems. Source/WebCore: * bindings/v8/V8GCController.cpp: (WebCore::GrouperVisitor::visitDOMWrapper): LayoutTests: * platform/chromium/test_expectations.txt: git-svn-id: svn://svn.chromium.org/blink/trunk@93397 bbb929c8-8fbe-4397-9dbb-9b2b20218538
30b7aeaf · antonm@chromium.org · a1521dc8 · 30b7aeaf · 30b7aeaf · 30b7aeaf
Commit 30b7aeaf authored Aug 19, 2011 by antonm@chromium.org
4 changed files
--- a/third_party/WebKit/LayoutTests/ChangeLog
+++ b/third_party/WebKit/LayoutTests/ChangeLog
+2011-08-19  Anton Muhin  <antonm@chromium.org>
+
+        [v8] CSS wrapper objects retention
+        https://bugs.webkit.org/show_bug.cgi?id=66377
+
+        Reviewed by Pavel Feldman.
+
+        Disable object grouping for CSS object wrappers.
+        This logic leads to hard to debug use-after-free problems.
+
+        * platform/chromium/test_expectations.txt:
+
 2011-08-19  Zoltan Horvath  <zoltan@webkit.org>

        [Qt] editing/selection/caret-at-bidi-boundary.html times out after r93369
--- a/third_party/WebKit/LayoutTests/platform/chromium/test_expectations.txt
+++ b/third_party/WebKit/LayoutTests/platform/chromium/test_expectations.txt
@@ -204,6 +204,15 @@ WONTFIX : editing/input/emacs-ctrl-o.html = FAIL
 // Would have to be implemented much differently to work in v8.
 WONTFIX : fast/dom/gc-10.html = FAIL

+// Proper retention of CSS objects is tricky.  Disable the tests for now.
+
+BUGWK66377 : fast/dom/StyleSheet/gc-declaration-parent-rule.html = TEXT
+BUGWK66377 : fast/dom/StyleSheet/gc-inline-style-cssvalues.html = TEXT
+BUGWK66377 : fast/dom/StyleSheet/gc-parent-rule.html = TEXT
+BUGWK66377 : fast/dom/StyleSheet/gc-parent-stylesheet.html = TEXT
+BUGWK66377 : fast/dom/StyleSheet/gc-rule-children-wrappers.html = TEXT
+BUGWK66377 : fast/dom/StyleSheet/gc-styleheet-wrapper.xhtml = TEXT
+
 // This fails because we're missing various useless apple-specific
 // properties on the window object.
 // This test also timeouts in Debug mode.

--- a/third_party/WebKit/Source/WebCore/ChangeLog
+++ b/third_party/WebKit/Source/WebCore/ChangeLog
+2011-08-19  Anton Muhin  <antonm@chromium.org>
+
+        [v8] CSS wrapper objects retention
+        https://bugs.webkit.org/show_bug.cgi?id=66377
+
+        Reviewed by Pavel Feldman.
+
+        Disable object grouping for CSS object wrappers.
+        This logic leads to hard to debug use-after-free problems.
+
+        * bindings/v8/V8GCController.cpp:
+        (WebCore::GrouperVisitor::visitDOMWrapper):
+
 2011-08-19  Pavel Feldman  <pfeldman@google.com>

        Web Inspector: introduce NodeId inherited from integer in the DOM domain description.
--- a/third_party/WebKit/Source/WebCore/bindings/v8/V8GCController.cpp
+++ b/third_party/WebKit/Source/WebCore/bindings/v8/V8GCController.cpp
@@ -287,40 +287,6 @@ static GroupId calculateGroupId(Node* node)
    return GroupId(root);
 }

-static GroupId calculateGroupId(StyleBase* styleBase)
-{
-    ASSERT(styleBase);
-    StyleBase* current = styleBase;
-    StyleSheet* styleSheet = 0;
-    while (true) {
-        // Special case: CSSStyleDeclarations might be either inline and in this case
-        // we need to group them with their node or regular ones.
-        if (current->isMutableStyleDeclaration()) {
-            CSSMutableStyleDeclaration* cssMutableStyleDeclaration = static_cast<CSSMutableStyleDeclaration*>(current);
-            if (cssMutableStyleDeclaration->isInlineStyleDeclaration())
-                return calculateGroupId(cssMutableStyleDeclaration->node());
-            // Either we have no parent, or this parent is a CSSRule.
-            ASSERT(cssMutableStyleDeclaration->parent() == cssMutableStyleDeclaration->parentRule());
-        }
-
-        if (current->isStyleSheet())
-            styleSheet = static_cast<StyleSheet*>(current);
-
-        StyleBase* parent = current->parent();
-        if (!parent)
-            break;
-        current = parent;
-    }
-
-    if (styleSheet) {
-        if (Node* ownerNode = styleSheet->ownerNode())
-            return calculateGroupId(ownerNode);
-        return GroupId(styleSheet);
-    }
-
-    return GroupId(current);
-}
-
 class GrouperVisitor : public DOMWrapperMap<Node>::Visitor, public DOMWrapperMap<void>::Visitor {
 public:
    void visitDOMWrapper(DOMDataStore* store, Node* node, v8::Persistent<v8::Object> wrapper)
@@ -348,49 +314,6 @@ public:

    void visitDOMWrapper(DOMDataStore* store, void* object, v8::Persistent<v8::Object> wrapper)
    {
-        WrapperTypeInfo* typeInfo = V8DOMWrapper::domWrapperType(wrapper);
-
-        if (typeInfo->isSubclass(&V8StyleSheetList::info)) {
-            StyleSheetList* styleSheetList = static_cast<StyleSheetList*>(object);
-            GroupId groupId(styleSheetList);
-            if (Document* document = styleSheetList->document())
-                groupId = GroupId(document);
-            m_grouper.append(GrouperItem(groupId, wrapper));
-
-        } else if (typeInfo->isSubclass(&V8DOMImplementation::info)) {
-            DOMImplementation* domImplementation = static_cast<DOMImplementation*>(object);
-            GroupId groupId(domImplementation);
-            if (Document* document = domImplementation->document())
-                groupId = GroupId(document);
-            m_grouper.append(GrouperItem(groupId, wrapper));
-
-        } else if (typeInfo->isSubclass(&V8StyleSheet::info) || typeInfo->isSubclass(&V8CSSRule::info)) {
-            m_grouper.append(GrouperItem(calculateGroupId(static_cast<StyleBase*>(object)), wrapper));
-
-        } else if (typeInfo->isSubclass(&V8CSSStyleDeclaration::info)) {
-            CSSStyleDeclaration* cssStyleDeclaration = static_cast<CSSStyleDeclaration*>(object);
-
-            GroupId groupId = calculateGroupId(cssStyleDeclaration);
-            m_grouper.append(GrouperItem(groupId, wrapper));
-
-            // Keep alive "dirty" primitive values (i.e. the ones that
-            // have user-added properties) by creating implicit
-            // references between the style declaration and the values
-            // in it.
-            if (cssStyleDeclaration->isMutableStyleDeclaration()) {
-                CSSMutableStyleDeclaration* cssMutableStyleDeclaration = static_cast<CSSMutableStyleDeclaration*>(cssStyleDeclaration);
-                Vector<v8::Persistent<v8::Value> > values;
-                values.reserveCapacity(cssMutableStyleDeclaration->length());
-                CSSMutableStyleDeclaration::const_iterator end = cssMutableStyleDeclaration->end();
-                for (CSSMutableStyleDeclaration::const_iterator it = cssMutableStyleDeclaration->begin(); it != end; ++it) {
-                    v8::Persistent<v8::Object> value = store->domObjectMap().get(it->value());
-                    if (!value.IsEmpty() && value->IsDirty())
-                        values.append(value);
-                }
-                if (!values.isEmpty())
-                    v8::V8::AddImplicitReferences(wrapper, values.data(), values.size());
-            }
-        }
    }

    void applyGrouping()