Lazily create m_windowCloseWatchpoints so we don't mistakenly think we have a frame when re-associating a document to a given cached frame
https://bugs.webkit.org/show_bug.cgi?id=221098
<rdar://72894454>

Reviewed by Ryosuke Niwa and Mark Lam.

.:

* ManualTests/dont-create-invalid-watchpoint-when-going-back.html: Added.
* ManualTests/resources/empty-text.txt: Added.
* ManualTests/resources/full_results.json: Added.
* ManualTests/resources/test-results-page.html: Added.

Source/JavaScriptCore:

* bytecode/AccessCase.cpp:
(JSC::AccessCase::commit):
* bytecode/Watchpoint.h:
(JSC::WatchpointSet::isStillValidOnJSThread const):
* runtime/PropertySlot.h:
(JSC::PropertySlot::setWatchpointSet):

Source/WebCore:

There's a scenario when we go back while using the back forward cache, and we re-associate a cached frame with a document, that we were creating an already invalidated "frame cleared" watchpoint. There were a few things we were doing wrong:

1. In JSDOMWindowBase's constructor, we thought that we didn't have a frame, even though we did. It was because we hadn't finished the bookkeeping in `FrameLoader::open(CachedFrameBase& cachedFrame)` that associates a document with a frame. And DOMWindow relies on its document to get its frame.

2. When the watchpoint was invalidated, we were still telling the PropertySlot about it. This was breaking JSC's invariant that these had to be valid watchpoints.

This patch resolves:

1. We now lazily create the watchpoint when we first need it. By that time, we would've already been associated with a frame in the above example.

2. We check if the watchpoint is still valid before telling the PropertySlot about it, instead of always assuming it's valid.

I wasn't able to get this test to fail in WKTR/DRT, because it seems that we're crashing when running some JS code from Safari's injected bundle. I've added a manual test instead.

* bindings/js/JSDOMWindowBase.cpp:
(WebCore::JSDOMWindowBase::JSDOMWindowBase):
* bindings/js/JSDOMWindowBase.h:
* bindings/js/JSDOMWindowCustom.cpp:
(WebCore::JSDOMWindow::getOwnPropertySlot):

Canonical link: https://commits.webkit.org/233552@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@272174 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2021-02-01 21:40:55 +00:00
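The two defects and the two fixes in the commit message, as an added example that is not WebKit code: a hypothetical C++ model in which `WatchpointSet`, `PropertySlot`, `EagerWindow` and `LazyWindow` are names chosen here, the slot reports an attempt to register an invalidated set as a `false` return instead of asserting, and the back/forward-cache restore order is simulated by attaching the frame to the document only after the window object has been constructed.

```cpp
#include <cstdio>
#include <memory>

// Hypothetical model (added example, not WebKit code) of the watchpoint
// lifecycle described in the commit message.

// A watchpoint set stays valid until it is fired; once fired it must never be
// handed to a PropertySlot.
class WatchpointSet {
public:
    explicit WatchpointSet(bool valid) : m_valid(valid) {}
    bool isStillValid() const { return m_valid; }
    void fireAll() { m_valid = false; }   // e.g. the frame is cleared
private:
    bool m_valid;
};

// The slot refuses an invalidated set instead of asserting, so the scenario
// functions below can report the invariant violation as a return value.
class PropertySlot {
public:
    bool setWatchpointSet(const WatchpointSet& set) {
        if (!set.isStillValid())
            return false;                  // invariant violated
        m_set = &set;
        return true;
    }
    const WatchpointSet* watchpointSet() const { return m_set; }
private:
    const WatchpointSet* m_set = nullptr;
};

struct Frame {};
struct Document { Frame* frame = nullptr; };   // the window asks its document for the frame

// Bug model: the set is created in the constructor. During a restore the
// document is not yet re-attached, so "no frame" yields a set that is invalid
// from birth, and every lookup hands it to the slot regardless.
class EagerWindow {
public:
    explicit EagerWindow(const Document& doc)
        : m_watchpoints(std::make_unique<WatchpointSet>(doc.frame != nullptr)) {}
    bool getOwnPropertySlot(PropertySlot& slot) {
        return slot.setWatchpointSet(*m_watchpoints);
    }
private:
    std::unique_ptr<WatchpointSet> m_watchpoints;
};

// Fix model: create the set on first use (after association has completed) and
// register it only while it is still valid.
class LazyWindow {
public:
    explicit LazyWindow(const Document& doc) : m_document(doc) {}
    bool getOwnPropertySlot(PropertySlot& slot) {
        if (!m_watchpoints)
            m_watchpoints = std::make_unique<WatchpointSet>(m_document.frame != nullptr);
        if (m_watchpoints->isStillValid())
            return slot.setWatchpointSet(*m_watchpoints);
        return true;   // property still found; there is just no watchpoint to record
    }
private:
    const Document& m_document;
    std::unique_ptr<WatchpointSet> m_watchpoints;
};

// Restore order from the bug: construct the window, then attach the frame, then look up.
bool eagerWindowViolatesInvariant() {
    Frame frame; Document doc; PropertySlot slot;
    EagerWindow window(doc);
    doc.frame = &frame;
    return !window.getOwnPropertySlot(slot);
}

bool lazyWindowRegistersValidWatchpoint() {
    Frame frame; Document doc; PropertySlot slot;
    LazyWindow window(doc);
    doc.frame = &frame;
    return window.getOwnPropertySlot(slot)
        && slot.watchpointSet() && slot.watchpointSet()->isStillValid();
}

// A document that never gets a frame: the lookup succeeds, nothing is registered.
bool lazyWindowWithoutFrameSkipsRegistration() {
    Document doc; PropertySlot slot;
    LazyWindow window(doc);
    return window.getOwnPropertySlot(slot) && slot.watchpointSet() == nullptr;
}

int main() {
    std::printf("eager window hands out an invalid set: %d\n", eagerWindowViolatesInvariant());
    std::printf("lazy window registers a valid set:     %d\n", lazyWindowRegistersValidWatchpoint());
    std::printf("lazy window without frame registers nothing: %d\n", lazyWindowWithoutFrameSkipsRegistration());
    return 0;
}
```

The ordering in the scenario functions is the whole point: any state derived from "do I have a frame?" that is computed in the constructor is stale once `FrameLoader` finishes re-associating the document, so the model defers that computation to first use and re-checks validity at the registration boundary rather than trusting the value cached at construction.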
<!DOCTYPE html>
<html>
<body>
<script>
// Manual test: open the results page in a popup, navigate it to a plain text
// file, then go back so the original document is restored from the
// back/forward cache. Watch the console for the logged URLs.
var popupWindow;

function run() {
    popupWindow = window.open("resources/test-results-page.html");
    console.log("created popup window");
    popupWindow.onload = () => {
        setTimeout(() => {
            // Pick a link on the results page and repoint it at a small text
            // file that lives beside the results page.
            let a = popupWindow.document.querySelectorAll("a[href='fast/multicol/crash-when-spanner-candidate-is-out-of-flow-crash-log.txt']")[0];
            console.log(popupWindow.location.href);
            a.href = "empty-text.txt";
            let priorHistoryLength = popupWindow.history.length;
            a.click();
            console.log("called click()");

            // Poll until the click has produced a new history entry, then go back.
            function checkNavigated() {
                if (popupWindow.history.length !== (priorHistoryLength + 1)) {
                    setTimeout(checkNavigated, 100);
                    return;
                }
                setTimeout(() => {
                    console.log(popupWindow.location.href);
                    popupWindow.history.back();
                    console.log("setting timer to notifyDone");
                    setTimeout(() => {
                        console.log(popupWindow.location.href);
                        console.log("calling notifydone");
                    }, 2500);
                }, 2500);
            }
            setTimeout(checkNavigated, 100);
        }, 2000);
    };
}
</script>
<a onclick="run()"> click me </a>
</body>
</html>