haikuwebkit/ManualTests/resources
Saam Barati d3deffd302 Lazily create m_windowCloseWatchpoints so we don't mistakenly think we have a frame when re-associating a document to a given cached frame
https://bugs.webkit.org/show_bug.cgi?id=221098
<rdar://72894454>

Reviewed by Ryosuke Niwa and Mark Lam.

.:

* ManualTests/dont-create-invalid-watchpoint-when-going-back.html: Added.
* ManualTests/resources/empty-text.txt: Added.
* ManualTests/resources/full_results.json: Added.
* ManualTests/resources/test-results-page.html: Added.

Source/JavaScriptCore:

* bytecode/AccessCase.cpp:
(JSC::AccessCase::commit):
* bytecode/Watchpoint.h:
(JSC::WatchpointSet::isStillValidOnJSThread const):
* runtime/PropertySlot.h:
(JSC::PropertySlot::setWatchpointSet):

Source/WebCore:

There's a scenario when we go back while using the back forward cache, and
we re-associate a cached frame with a document, that we were creating an
already invalidated "frame cleared" watchpoint.
There were a few things we were doing wrong:
1. In JSDOMWindowBase's constructor, we thought that we didn't have a frame,
even though we did. It was because we hadn't finished the bookkeeping in
`FrameLoader::open(CachedFrameBase& cachedFrame)` that associates a document with a
frame. And DOMWindow relies on its document to get its frame.
2. When the watchpoint was invalidated, we were still telling the PropertySlot
about it. This was breaking JSC's invariant that these had to be valid
watchpoints.

This patch resolves:
1. We now lazily create the watchpoint when we first need it. By that time, we
would've already been associated with a frame in the above example.
2. We check if the watchpoint is still valid before telling the PropertySlot
about it, instead of always assuming it's valid.

I wasn't able to get this test to fail in WKTR/DRT, because it seems that
we're crashing when running some JS code from Safari's injected bundle. I've
added a manual test instead.

* bindings/js/JSDOMWindowBase.cpp:
(WebCore::JSDOMWindowBase::JSDOMWindowBase):
* bindings/js/JSDOMWindowBase.h:
* bindings/js/JSDOMWindowCustom.cpp:
(WebCore::JSDOMWindow::getOwnPropertySlot):


Canonical link: https://commits.webkit.org/233552@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@272174 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2021-02-01 21:40:55 +00:00
multiFileResources
3dolph.gif
200x100.png
200x200.png
Default-port-frame-contents.html
alert-and-go-back.html
animated-2x.gif
animated-10x.gif
animated-infinite.gif
apple.jpg
before-go-back.html
big-page.html
chrome-bidi-text-window.html
containsAnimatedGif.html
cur-hotspot.cur
cursor-empty-url.css
dispose-background.gif
drag-image.png
drop-in-empty-doc.xhtml
empty-document-goes-back.html
empty-file.js
empty-text.txt
favicon-loads-for-local-files.html
favicon.png
frame-textarea.html
frame1.html
frame2.html
full_results.json
hash-ref-test.html
helpCursor.tiff
hover-subframe-1.html
hover-subframe-2.html
iframe-reloaded-on-touch.html
large-size-image-crash.gif
load-deferrer-script-element.js
lorem-text.html
mouseevent-on-closeddoc.html
named-window-blank-target-step2.html
named-window-blank-target-step3.html
named-window-blank-target-step4.html
navigation-during-onload-container.html
nested-plug-ins-inner-frame.html
nested-plug-ins-outer-frame.html
nestedframesets.html
non-animated.gif
open-after-close-popup.html
open-close-tokenizer-crash.html
orange.mov
plain-text-paste.dmg
plugin-in-iframe-scroll-iframe.html
popup200x100.html
popup200x200.html
print-subframe.html
redraw-page-cache-visited-links-2.html
simple-iframe.html
simple.pdf
simple_image.png
spinbox.swf
test-results-page.html
testframe-link_text.html
testframeset.html
textarea-form-back-on-submit.html
touch-poster.png
video-tab.html
webkit-background.png
will-go-back.html
window-close-during-parsing-popup1.html
window-close-during-parsing-popup2.html
write-after-open-popup.html