[bindings] Attach after setting the listener object

Missing out on Attach after setting the listener reference to the JavaScript function means that a garbage collection can collect the Blink listener object. To avoid such errors we immediately call Attach in SetListener. Bug: chromium:843903 Change-Id: I2c2ec8b0942853ee7e6c29e8c4850b075a398c53 Reviewed-on: https://chromium-review.googlesource.com/1155586Reviewed-by: Kentaro Hara <haraken@chromium.org> Reviewed-by: Yuki Shiino <yukishiino@chromium.org> Commit-Queue: Michael Lippautz <mlippautz@chromium.org> Cr-Commit-Position: refs/heads/master@{#579347}

[bindings] Attach after setting the listener object
Missing out on Attach after setting the listener reference to the JavaScript function means that a garbage collection can collect the Blink listener object. To avoid such errors we immediately call Attach in SetListener. Bug: chromium:843903 Change-Id: I2c2ec8b0942853ee7e6c29e8c4850b075a398c53 Reviewed-on: https://chromium-review.googlesource.com/1155586Reviewed-by: Kentaro Hara <haraken@chromium.org> Reviewed-by: Yuki Shiino <yukishiino@chromium.org> Commit-Queue: Michael Lippautz <mlippautz@chromium.org> Cr-Commit-Position: refs/heads/master@{#579347}
e700f073 · Michael Lippautz · Commit Bot · 32f4d9ca · e700f073 · e700f073
Commit e700f073 authored Jul 31, 2018 by Michael Lippautz Committed by Commit Bot Jul 31, 2018
7 changed files
--- a/third_party/blink/renderer/bindings/core/v8/v8_abstract_event_listener.cc
+++ b/third_party/blink/renderer/bindings/core/v8/v8_abstract_event_listener.cc
@@ -122,7 +122,9 @@ void V8AbstractEventListener::HandleEvent(ScriptState* script_state,
 }

 void V8AbstractEventListener::SetListenerObject(
-    v8::Local<v8::Object> listener) {
+    ScriptState* script_state,
+    v8::Local<v8::Object> listener,
+    const V8PrivateProperty::Symbol& property) {
  DCHECK(listener_.IsEmpty());
  // Balanced in WrapperCleared xor ClearListenerObject.
  if (worker_or_worklet_global_scope_) {
@@ -131,6 +133,7 @@ void V8AbstractEventListener::SetListenerObject(
    keep_alive_ = this;
  }
  listener_.Set(GetIsolate(), listener, this, &WrapperCleared);
+  Attach(script_state, listener, property, this);
 }

 void V8AbstractEventListener::InvokeEventHandler(

--- a/third_party/blink/renderer/bindings/core/v8/v8_abstract_event_listener.h
+++ b/third_party/blink/renderer/bindings/core/v8/v8_abstract_event_listener.h
@@ -118,7 +118,9 @@ class CORE_EXPORT V8AbstractEventListener : public EventListener {
    return GetExistingListenerObject();
  }

-  void SetListenerObject(v8::Local<v8::Object>);
+  void SetListenerObject(ScriptState*,
+                         v8::Local<v8::Object>,
+                         const V8PrivateProperty::Symbol&);

  void InvokeEventHandler(ScriptState*, Event*, v8::Local<v8::Value>);


--- a/third_party/blink/renderer/bindings/core/v8/v8_error_handler.h
+++ b/third_party/blink/renderer/bindings/core/v8/v8_error_handler.h
@@ -43,10 +43,11 @@ class V8ErrorHandler final : public V8EventListener {
 public:
  static V8ErrorHandler* Create(v8::Local<v8::Object> listener,
                                bool is_inline,
-                                ScriptState* script_state) {
+                                ScriptState* script_state,
+                                const V8PrivateProperty::Symbol& property) {
    V8ErrorHandler* event_listener =
        new V8ErrorHandler(is_inline, script_state);
-    event_listener->SetListenerObject(listener);
+    event_listener->SetListenerObject(script_state, listener, property);
    return event_listener;
  }
  static void StoreExceptionOnErrorEventWrapper(

--- a/third_party/blink/renderer/bindings/core/v8/v8_event_listener.h
+++ b/third_party/blink/renderer/bindings/core/v8/v8_event_listener.h
@@ -46,10 +46,11 @@ class V8EventListener : public V8AbstractEventListener {
 public:
  static V8EventListener* Create(v8::Local<v8::Object> listener,
                                 bool is_attribute,
-                                 ScriptState* script_state) {
+                                 ScriptState* script_state,
+                                 const V8PrivateProperty::Symbol& property) {
    V8EventListener* event_listener =
        new V8EventListener(is_attribute, script_state);
-    event_listener->SetListenerObject(listener);
+    event_listener->SetListenerObject(script_state, listener, property);
    return event_listener;
  }


--- a/third_party/blink/renderer/bindings/core/v8/v8_event_listener_helper.cc
+++ b/third_party/blink/renderer/bindings/core/v8/v8_event_listener_helper.cc
@@ -54,11 +54,7 @@ ListenerType* GetEventListenerInternal(
  if (listener || lookup == kListenerFindOnly)
    return listener;

-  listener = listener_factory();
-  if (listener) {
-    listener->Attach(script_state, object, listener_property, listener);
-  }
-  return listener;
+  return listener_factory();
 }

 }  // namespace
@@ -83,12 +79,12 @@ V8EventListener* V8EventListenerHelper::GetEventListener(

  return GetEventListenerInternal<V8EventListener>(
      script_state, object, listener_property, lookup,
-      [object, is_attribute, script_state]() {
+      [object, is_attribute, script_state, listener_property]() {
        return script_state->World().IsWorkerWorld()
                   ? V8WorkerOrWorkletEventListener::Create(
-                         object, is_attribute, script_state)
-                   : V8EventListener::Create(object, is_attribute,
-                                             script_state);
+                         object, is_attribute, script_state, listener_property)
+                   : V8EventListener::Create(object, is_attribute, script_state,
+                                             listener_property);
      });
 }

@@ -105,9 +101,10 @@ V8ErrorHandler* V8EventListenerHelper::EnsureErrorHandler(

  return GetEventListenerInternal<V8ErrorHandler>(
      script_state, object, listener_property, kListenerFindOrCreate,
-      [object, script_state]() {
+      [object, script_state, listener_property]() {
        const bool is_attribute = true;
-        return V8ErrorHandler::Create(object, is_attribute, script_state);
+        return V8ErrorHandler::Create(object, is_attribute, script_state,
+                                      listener_property);
      });
 }


--- a/third_party/blink/renderer/bindings/core/v8/v8_lazy_event_listener.cc
+++ b/third_party/blink/renderer/bindings/core/v8/v8_lazy_event_listener.cc
@@ -203,7 +203,9 @@ void V8LazyEventListener::CompileScript(ScriptState* script_state,

  wrapped_function->SetName(V8String(GetIsolate(), function_name_));

-  SetListenerObject(wrapped_function);
+  SetListenerObject(
+      script_state, wrapped_function,
+      V8PrivateProperty::GetV8EventListenerListener(GetIsolate()));
 }

 void V8LazyEventListener::FireErrorEvent(v8::Local<v8::Context> v8_context,

--- a/third_party/blink/renderer/bindings/core/v8/v8_worker_or_worklet_event_listener.h
+++ b/third_party/blink/renderer/bindings/core/v8/v8_worker_or_worklet_event_listener.h
@@ -41,12 +41,14 @@ class Event;

 class V8WorkerOrWorkletEventListener final : public V8EventListener {
 public:
-  static V8WorkerOrWorkletEventListener* Create(v8::Local<v8::Object> listener,
-                                                bool is_inline,
-                                                ScriptState* script_state) {
+  static V8WorkerOrWorkletEventListener* Create(
+      v8::Local<v8::Object> listener,
+      bool is_inline,
+      ScriptState* script_state,
+      const V8PrivateProperty::Symbol& property) {
    V8WorkerOrWorkletEventListener* event_listener =
        new V8WorkerOrWorkletEventListener(is_inline, script_state);
-    event_listener->SetListenerObject(listener);
+    event_listener->SetListenerObject(script_state, listener, property);
    return event_listener;
  }