d3deffd302
https://bugs.webkit.org/show_bug.cgi?id=221098
<rdar://72894454>

Reviewed by Ryosuke Niwa and Mark Lam.

.:

* ManualTests/dont-create-invalid-watchpoint-when-going-back.html: Added.
* ManualTests/resources/empty-text.txt: Added.
* ManualTests/resources/full_results.json: Added.
* ManualTests/resources/test-results-page.html: Added.

Source/JavaScriptCore:

* bytecode/AccessCase.cpp:
(JSC::AccessCase::commit):
* bytecode/Watchpoint.h:
(JSC::WatchpointSet::isStillValidOnJSThread const):
* runtime/PropertySlot.h:
(JSC::PropertySlot::setWatchpointSet):

Source/WebCore:

There's a scenario when we go back while using the back forward cache, and we
re-associate a cached frame with a document, that we were creating an already
invalidated "frame cleared" watchpoint.

There were a few things we were doing wrong:
1. In JSDOMWindowBase's constructor, we thought that we didn't have a frame, even
though we did. It was because we hadn't finished the bookkeeping in
`FrameLoader::open(CachedFrameBase& cachedFrame)` that associates a document with
a frame. And DOMWindow relies on its document to get its frame.
2. When the watchpoint was invalidated, we were still telling the PropertySlot
about it. This was breaking JSC's invariant that these had to be valid watchpoints.

This patch resolves:
1. We now lazily create the watchpoint when we first need it. By that time, we
would've already been associated with a frame in the above example.
2. We check if the watchpoint is still valid before telling the PropertySlot
about it, instead of always assuming it's valid.

I wasn't able to get this test to fail in WKTR/DRT, because it seems that we're
crashing when running some JS code from Safari's injected bundle. I've added a
manual test instead.

* bindings/js/JSDOMWindowBase.cpp:
(WebCore::JSDOMWindowBase::JSDOMWindowBase):
* bindings/js/JSDOMWindowBase.h:
* bindings/js/JSDOMWindowCustom.cpp:
(WebCore::JSDOMWindow::getOwnPropertySlot):

Canonical link: https://commits.webkit.org/233552@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@272174 268f45cc-cd09-0410-ab3c-d52691b4dbfc