v8binding: Fixes wrapper tracing to follow: LocalDOMWindow => Document.

The root cause of https://crbug.com/745771 is that a listener object, stored in V8AbstractEventListener::listener_, is wrongly collected by V8 GC. Listener objects are expected to be wrapper-traced at DEFINE_TRACE_WRAPPERS(EventTarget) through DEFINE_TRACE_WRAPPERS(Node) and DEFINE_TRACE_WRAPPERS(ContainerNode), however, there seems no root object which kicks this path of wrapper- tracing. This CL adds a new path of wrapper-tracing from LocalDOMWindow to Document. Since LocalDOMWindow is a root object and Document is a ContainerNode which wrapper-traces all child nodes, this CL makes sure that all event listeners registered at any part of the document tree alive. (If an EventTarget is not attached to the DOM, such a case is not covered by this CL.) The fix was confirmed manually with using a test Chrome extension. Bug: 745771 Change-Id: I7c0d1fb766b78fd4d32ce813662c947ce5f7e819 Reviewed-on: https://chromium-review.googlesource.com/591728Reviewed-by: Kentaro Hara <haraken@chromium.org> Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Commit-Queue: Yuki Shiino <yukishiino@chromium.org> Cr-Commit-Position: refs/heads/master@{#490742}

v8binding: Fixes wrapper tracing to follow: LocalDOMWindow => Document.
The root cause of https://crbug.com/745771 is that a listener object, stored in V8AbstractEventListener::listener_, is wrongly collected by V8 GC. Listener objects are expected to be wrapper-traced at DEFINE_TRACE_WRAPPERS(EventTarget) through DEFINE_TRACE_WRAPPERS(Node) and DEFINE_TRACE_WRAPPERS(ContainerNode), however, there seems no root object which kicks this path of wrapper- tracing. This CL adds a new path of wrapper-tracing from LocalDOMWindow to Document. Since LocalDOMWindow is a root object and Document is a ContainerNode which wrapper-traces all child nodes, this CL makes sure that all event listeners registered at any part of the document tree alive. (If an EventTarget is not attached to the DOM, such a case is not covered by this CL.) The fix was confirmed manually with using a test Chrome extension. Bug: 745771 Change-Id: I7c0d1fb766b78fd4d32ce813662c947ce5f7e819 Reviewed-on: https://chromium-review.googlesource.com/591728Reviewed-by: Kentaro Hara <haraken@chromium.org> Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Commit-Queue: Yuki Shiino <yukishiino@chromium.org> Cr-Commit-Position: refs/heads/master@{#490742}
b8218917 · Yuki Shiino · Commit Bot · ae4202ed · b8218917 · b8218917
Commit b8218917 authored Jul 31, 2017 by Yuki Shiino Committed by Commit Bot Jul 31, 2017
2 changed files
--- a/third_party/WebKit/Source/core/frame/LocalDOMWindow.cpp
+++ b/third_party/WebKit/Source/core/frame/LocalDOMWindow.cpp
@@ -249,6 +249,7 @@ static void UntrackAllBeforeUnloadEventListeners(LocalDOMWindow* dom_window) {

 LocalDOMWindow::LocalDOMWindow(LocalFrame& frame)
    : DOMWindow(frame),
+      document_(this, nullptr),
      visualViewport_(DOMVisualViewport::Create(this)),
      unused_preloads_timer_(
          TaskRunnerHelper::Get(TaskType::kUnspecedTimer, &frame),
@@ -1646,6 +1647,7 @@ DEFINE_TRACE(LocalDOMWindow) {

 DEFINE_TRACE_WRAPPERS(LocalDOMWindow) {
  visitor->TraceWrappers(custom_elements_);
+  visitor->TraceWrappers(document_);
  visitor->TraceWrappers(modulator_);
  DOMWindow::TraceWrappers(visitor);
 }

--- a/third_party/WebKit/Source/core/frame/LocalDOMWindow.h
+++ b/third_party/WebKit/Source/core/frame/LocalDOMWindow.h
@@ -340,7 +340,7 @@ class CORE_EXPORT LocalDOMWindow final : public DOMWindow,
  void DispatchLoadEvent();
  void ClearDocument();

-  Member<Document> document_;
+  TraceWrapperMember<Document> document_;
  Member<DOMVisualViewport> visualViewport_;
  TaskRunnerTimer<LocalDOMWindow> unused_preloads_timer_;