nephele
/
haikuwebkit
1
0
Fork 0
Code Issues Releases Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
haiku
review-overcommit
review-scrollbar
haiku_newservicekit
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'haiku'
${ noResults }
haikuwebkit/ManualTests
History
Saam Barati d3deffd302 Lazily create m_windowCloseWatchpoints so we don't mistakenly think we have a frame when re-associating a document to a given cached frame 
https://bugs.webkit.org/show_bug.cgi?id=221098
<rdar://72894454>

Reviewed by Ryosuke Niwa and Mark Lam.

.:

* ManualTests/dont-create-invalid-watchpoint-when-going-back.html: Added.
* ManualTests/resources/empty-text.txt: Added.
* ManualTests/resources/full_results.json: Added.
* ManualTests/resources/test-results-page.html: Added.

Source/JavaScriptCore:

* bytecode/AccessCase.cpp:
(JSC::AccessCase::commit):
* bytecode/Watchpoint.h:
(JSC::WatchpointSet::isStillValidOnJSThread const):
* runtime/PropertySlot.h:
(JSC::PropertySlot::setWatchpointSet):

Source/WebCore:

There's a scenario when we go back while using the back forward cache, and
we re-associate a cached frame with a document, that we were creating an
already invalidated "frame cleared" watchpoint.
There were a few things we were doing wrong:
1. In JSDOMWindowBase's constructor, we thought that we didn't have a frame,
even though we did. It was because we hadn't finished the bookkeeping in
`FrameLoader::open(CachedFrameBase& cachedFrame)` that associates a document with a
frame. And DOMWindow relies on its document to get its frame.
2. When the watchpoint was invalidated, we were still telling the PropertySlot
about it. This was breaking JSC's invariant that these had to be valid
watchpoints.

This patch resolves:
1. We now lazily create the watchpoint when we first need it. By that time, we
would've already been associated with a frame in the above example.
2. We check if the watchpoint is still valid before telling the PropertySlot
about it, instead of always assuming it's valid.

I wasn't able to get this test to fail in WKTR/DRT, because it seems to be
we're crashing when running some JS code from Safari's injected bundle. I've
added a manual test instead.

* bindings/js/JSDOMWindowBase.cpp:
(WebCore::JSDOMWindowBase::JSDOMWindowBase):
* bindings/js/JSDOMWindowBase.h:
* bindings/js/JSDOMWindowCustom.cpp:
(WebCore::JSDOMWindow::getOwnPropertySlot):


Canonical link: https://commits.webkit.org/233552@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@272174 268f45cc-cd09-0410-ab3c-d52691b4dbfc
 		2 years ago
..
NPN_Invoke
accessibility Unexpose obsolete HTMLAppletElement interface 3 years ago
animation [EFL] Disable REQUEST_ANIMATION_FRAME_TIMER to render a new animation frame. 10 years ago
autocorrection
compositing
dom
eventsource
filters
frames
fullscreen
gtk [GTK] Add support for rendering slider ticks 3 years ago
iframe_notifications
inspector
inspector-wrappers
ios
media-elements
memory
plugins
redirectHistory
regions
resources Lazily create m_windowCloseWatchpoints so we don't mistakenly think we have a frame when re-associating a document to a given cached frame 2 years ago
scrollbars
spatial-navigation
webaudio
win .: If select element in Windows is off screen horizontally, 11 years ago
wpe
.gitattributes
ATSU-bad-layout.html
DOMContextMenuEvent.html
Default-port-frame.html
DragInlinePDFImageDocument.html
JavaScript-bookmarklets.html
WebKitSite.webarchive
about-blank-xhr.html
accidental-strict-mode.html
animate-duration.html
animate-left.html
animate-none.html
animated-canvas-as-background.html
animated-gif-bfcache-crash.html
animated-gif-dispose-background.html
animated-gif-looping.html
animated-gif-on-compositing-layer.html
animation-with-transition.html
array-out-of-memory.html
arrow-key-events.html Move manual-tests out of WebCore. 12 years ago
audio-freed-during-reload.html
audio-volume.html
autocompletion-fire-onchange.html
autofill-popup-location.html
autofill-popup-width-and-item-direction.html
autofill_alignment.html
autoscroll-over-scrollbar.html
autoscroll-when-outside-window.html
autoscroll.html
back-forward-during-alert-1.html
back-forward-during-alert-2.html
back-from-document-with-scrollbar.html
back.html
background-image-change-in-page-cache.html
bad-clearTimeout-crash.html
bidi-parens.html
bidi-visible-control-characters.html
blur-filter-timing.html
bugzilla-3855.html
bugzilla-4840.html
bugzilla-5768.html
bugzilla-14899.html
bugzilla-48077.html
bugzilla-83979.svg
button-that-focuses-itself-on-click.html
canvas-cursor.html
canvas-font-speed.html
canvas-mask-redraw.html
caret-blink-during-forward-delete.html
caret-image.html
caret-in-columns-flipped.html
caret-in-columns.html
caretScrolling.html
chrome-bidi-text.html
clear-input-file.html
clearTimeout-crash-bug29832.html
close-on-closedWindow.html
computed-transform-value.html
containing-block-position-change.html
contenteditable-link.html
context-click-generated-content.html
context-click-unfocused-frame.html
context-menu-during-drag-selection.html Don't allow drags to start after a mouse press that creates a context menu 10 years ago
cookieSpeedTest.html
crash-and-no-repaint-after-wake-from-sleep.html
crash-on-accessing-domwindow-without-frame.html
crash-on-find-with-no-selection.html
css-grid-layout-item-with-huge-span-crash.html
css3-cursor-fallback-quirks.html
css3-cursor-fallback-strict.html
cur-hotspot.html
cursor-empty-url.html
cursor-max-size.html
cursor.html
cursorfallback.xml
custom-cursors.html
custom-scrollbar-renderer-removed-crash.html
data-transfer-items-file-dragout.html
database-callback-deferred.html
database-threading-stress-test-2.html
database-threading-stress-test.html
debugger-caught-uncaught-exceptions.html
deleteToEndOfLine.html
deviceorientation-child-frame.html Device motion and orientation should only be visible from the main frame's security origin 8 years ago
deviceorientation-main-frame-only.html
dictionary-scrolled-iframe.html
directory-drop-on-view.html
disable-javascript-reload.html
disabled-option-elements.html
display-none-option.html
divx-plugin-fails-to-draw.html
dom-manipulation-on-resize.html
dont-create-invalid-watchpoint-when-going-back.html Lazily create m_windowCloseWatchpoints so we don't mistakenly think we have a frame when re-associating a document to a given cached frame 2 years ago
drag-background-with-padding.html
drag-caret.html
drag-color-to-contenteditable.html WebKit editing throws exception when monochrome color dragged onto text 12 years ago
drag-cursor-notallowed.html
drag-enter-alert.html
drag-escape.html
drag-image-no-crash.html
drag-image-table-part-decorations.html
drag-image-to-address-bar.html
drag-image-to-desktop.html
drag-image.html
drag-move-in-search-field.html
drag-out-of-background-window.html
drag-with-div-or-image-as-data-image.html
drag_select_highlighting.html
drag_with_opacity.html Move manual-tests out of WebCore. 12 years ago
drop-in-empty-doc.html
drop-text-acquires-style.html
editing-disabled-node-replace-crash.html
empty-inline-as-line-break-position.html
empty-link-target.html
empty-script-crash.html
empty-title-popup.html
find-count-matches-after-text-control.html
first-line-style-crash.html
fixed-position-no-z-index.html
fixed-position.html
flash-unload-tab.html
flipped-text-rendering.html
focus-change-between-key-events.html
focus-select-when-clicked.html
focusringcolor-change-on-theme-change.html
form-control-madness.html
form-element-spelling.html
form-value-restore.html
frame-hover.html
frame-layout-on-back.html
full-screen-keypress.html
go-back-after-alert.html
goBack-blank-tab-page.html
harfbuzz-mouse-selection-crash.html
hash-ref.html
image-prefetch-stress.html
ime-keydown-preventdefault.html
indexeddb-persists.html Move manual-tests out of WebCore. 12 years ago
inline-input-marking.html
inline-repaint-container.html
input-empty-on-focus.html
input-file-hidden-open-dialog-on-click.html
input-number-localization.html
input-starved-by-timers.html
input-type-datetime-default-value.html
input-type-file-autocomplete-frame-1.html
input-type-file-autocomplete-frame-2.html
input-type-file-autocomplete-refresh.html
input-type-file-drag-drop.html
input-type-text-unconfirmed-inline-input.html
inspector-document-methods-override.html
interrupted-compound-transform.html
invalid-mouse-event.html
item-background.html
js-timers-beneath-modal-dialog.html
keep_spelling_markers.html
keyboard-menukey-event.html
keyboard_select_elements_with_same_beginning.html
keyboard_select_non_english.html
korean-input-space.html
large-size-image-crash.html
layoutroot_detach.xml
layouts-on-renderwidgets-while-scrolling.html
leak-cycle-observer-wrapper.html
leak-observer-nonmain-world.html
left-overflow-repaint.html
link-activation-fails-after-double-tap-gesture.html
link-cursor-auto.html
linkjump-1.html
linkjump-2.html
linkjump-3.html
linkjump-4.html
linkjump-5.html
load-deferrer-resume-crash.html
load-deferrer-script-element.html
localstorage-empty-database.html
localstorage-value-truncation.html
location-host-canonicalization.html
log-keypress-events.html
mail-attachments.html
mask-composite-missing-images.html
match-marker-rects.html
media-controls-when-javascript-disabled.html
media-controls.html
media-default-playback-rate.html
media-muted.html
media-players-are-dropped-on-error.html
modal-dialog-arguments.html
modal-dialog-blur-selfclose.html
modal-dialog-blur.html
modal-dialog.html
mouseevent-on-closeddoc.html
mouseevents-on-textnodes.html
mutate-unfocused-text-with-selection.html Move manual-tests out of WebCore. 12 years ago
mutation-observer-leaks-nodes.html
named-window-blank-target.html
navigation-during-onload-triggered-by-back.html
nested-fixed-position.html
nested-plug-ins.html
new-window-subresource-crash.html
no-listbox-rendering.html
no-repaint-after-wake-from-sleep.html
non-bmp.html
notification-in-multiple-windows.html
onbeforeunload-close_with_javascript.html
onclick_in_noncontent.html
onfocus-alert-blinking-caret.html
onsearch-enter.html
onunload-form-submit-crash.html
open-after-close.html
open-close-tokenizer-crash.html Move manual-tests out of WebCore. 12 years ago
open-url-undefined.html
optgroup-empty-and-nested.html
overlappingTableSpans.html
paint-during-plugin-attach.html
panScroll.html
partially-opaque-form-elements.html
partially-opaque-text-input.html
password-caps-lock-should-not-show-in-read-only-field.html
password-caps-lock-should-not-show-when-field-becomes-disabled.html
password-caps-lock-should-not-show-when-field-becomes-read-only.html
password-caps-lock.html
password-ctrl-click-lose-focus.html
paste-crash.html
plain-text-paste.html
plug-in-mutates-NSView-hierarchy-during-resize.html
plugin-controller-datasource.html
plugin-in-iframe-scroll.html
plugin-visible-rect-change.html
pointer-events.html
pop-up-alignment-and-direction.html
popup-width-restriction-within-screen.html
post-multi-file-upload.html Move manual-tests out of WebCore. 12 years ago
pre-tab-selection-rect.html
preload-scanner-entities.html
print-after-window-close.html
print-before-load.html
print-onload-with-image.html
print-with-height-transition-in-screen-stylesheet.html
programmatic-scroll-flicker.html
property-map-save-crash.html
quit-inside-unload.html
redirect.html
redirection-target.html
redraw-page-cache-visited-links.html
remove-add-fixed-position.html
remove-fixed-position-but-keep-compositing.html
remove-form-node-with-radio-buttons-crash.html
remove-input-file-onchange.html
remove-on-drop-crash.html
remove-select-onchange.html
reset-initiatedDrag.html
resize-events.html
resize-repaint.html
retina-cursors.html
right-click-crash.html
screen-availLeft.html
scrollIntoView-horizontal.html
scrollIntoView-vertical.html
scrollable-positioned-frame.html
scrollable-positioned-nested-frame.html
scrollbar-crash-on-hide-scrolled-area.html
scrollbar-hittest.html
scrollbar-hittest2.html
scrollbar-hover-active.html
scrolling-coordinator-viewport-constrained-crash.html
scrolling-nestedframesets.html
search-cancel-button.html
search-select-all-with-focus-style.html
secure-keyboard-enabled-after-submit.html
select-delete-item.html
select-element-type-select.html
select-menu-list-wrongly-positioned.html
select-narrow-width.html
select-onchange-after-js.html Move manual-tests out of WebCore. 12 years ago
select-option-in-onload.html
select-page-scroll.html
select-popup-on-spacebar.html
select-popup-tooltip-test.html
select-scroll.html
select-webkit-appearance-off-narrow-select.html
select_alignment.html
select_dropdown_box_alignment.html
select_hr.html
select_webkit_appearance_off_popup_alignment.html
selection-drag-crash.html
selection-start-after-inserting-line-break-in-textarea.html
shift-alt-key-event.html
show-hide-object.html
show-modal-dialog-test.html
showModalDialog-returnValue.html
simple-image-compositing.html
slider-thumb-tracking.html
stale-currentEvent.html
stale-scrollbar-client-crash.html
state-objects-time-limit.html
style-keypress-events.html
submit-form-with-target-twice.html
subview-click-assertion.html
svg-animateTransform-calcMode-discrete.svg
svg-animated-gifs.svg
svg-animation-css-transform.html
svg-animation-parseValues.svg
svg-crash-hovering-use.svg
svg-css-animate-compound.html
svg-css-transition-compound.html
svg-cursor-changes.svg
svg-deep-clone-to-new-doc.html
svg-filter-animation.svg
svg-link-hover-use.svg
svg-links.svg
svg-modify-deleted-selection.svg
svg-node-count-vs-scroll.xhtml
svg-repaint-foreignObject.svg
svg-repaint-group.svg
svg-repaint-image.svg
svg-repaint-path.svg
svg-text-float-not-removed-crash.html
svg-text-selection.svg
system-color-change.html
tabbing-input-google.html
tap-gesture-in-iframe-with-tap-highlight-crash.html
tap-gesture-on-em-link-tap-highlight-assert.html
target-test.html
target_new-1.html
target_new.html
targeted.html
template.html
test-iframes-loading-the-same-resource.html
text-field-autoscroll.html
textarea-after-stylesheet-link.html
textarea-caret-position-after-auto-spell-correct.html
textarea-focus.html
textarea-iframe-navigation.html
textarea-iframe-navigation2.html
textarea-onpaste.html
textarea-reset-default-value.html
textfield-onblur.html
timeout-test.html
timeout-test.php
title-internal-whitespace.html
tooltip-when-mouse-not-directly-over-hyperlink.html
touch-stale-iframe-crash.html
transition-accelerated.html
transition-delay.html
transition-events.html
transition-left.html
transition-timing-functions.html
transitions.html
transitions2.html
typed-array-memory.html
update-empty-popup.html
user-drag-with-decorations.html
user-media-request-crash.html
video-in-non-frontmost-tab.html
video-player.html
video-rtsp.html
video-statistics.html
video-waiting-seeking.html
viewport-width-test-after-history-navigation.html
visited-link-new-window.html
webarchive-test.html
webgl-preferLowPowerToHighPerformance.html
webrtc-one-tab-p2p.html
whitespace-pre-affinity.html
window-close-during-parsing.html
window-geometry.html
window-open-features-parsing.html
window-print-subframe.html
window-sizing.html
word-spacing-highlight.html
wordXML-selectall.xml
write-after-open.html
xhr-failure-behind-alert.html