[webkit-changes] [WebKit/WebKit] c9f7f8: [ New Test ] (256342 at main): [ macOS Debug ] fast/e...

Chris Dumez noreply at github.com
Wed Nov 30 08:00:32 PST 2022


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: c9f7f8272c109b646186c8081915367dd781e723
      https://github.com/WebKit/WebKit/commit/c9f7f8272c109b646186c8081915367dd781e723
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2022-11-30 (Wed, 30 Nov 2022)

  Changed paths:
    M Source/WebCore/bindings/js/JSCustomEventCustom.cpp
    M Source/WebCore/bindings/js/JSHistoryCustom.cpp
    M Source/WebCore/bindings/js/JSIDBCursorCustom.cpp
    M Source/WebCore/bindings/js/JSIDBCursorWithValueCustom.cpp
    M Source/WebCore/bindings/js/JSIDBRequestCustom.cpp
    M Source/WebCore/bindings/js/JSMessageEventCustom.cpp
    M Source/WebCore/bindings/js/JSPaymentMethodChangeEventCustom.cpp
    M Source/WebCore/bindings/js/JSPaymentResponseCustom.cpp
    M Source/WebCore/bindings/js/JSValueInWrappedObject.h
    M Source/WebCore/bindings/js/JSWebXRRigidTransformCustom.cpp
    M Source/WebCore/bindings/js/JSWebXRViewCustom.cpp

  Log Message:
  -----------
  [ New Test ] (256342 at main): [ macOS Debug ] fast/events/message-port-gc-after-removing-event-listener.html is a flaky crash
https://bugs.webkit.org/show_bug.cgi?id=248496
rdar://102784521

Reviewed by Alex Christensen.

The crash would occur when the dedicated worker would get terminated (because the page
is being navigated) while it is accessing messageEvent.ports.

JSMessageEvent::ports() would call cachedPropertyValue(), which in turn would
call the passed-in lambda to get the JSValue to cache. Because the worker is
getting terminated, the call to toJS<>() in the lambda would cause a
termination exception to be thrown and the lambda would return a default
constructed JSValue.

However, cachedPropertyValue() would fail to check for the exception case and
try to cache the default-constructed JSValue. To address the issue, we now
pass a throwScope to cachedPropertyValue() and cachedPropertyValue() checks
if there was an exception thrown after calling the lambda. If an exception
was thrown, it early returns instead of trying to cache the JSValue.

* Source/WebCore/bindings/js/JSCustomEventCustom.cpp:
(WebCore::JSCustomEvent::detail const):
* Source/WebCore/bindings/js/JSHistoryCustom.cpp:
(WebCore::JSHistory::state const):
* Source/WebCore/bindings/js/JSIDBCursorCustom.cpp:
(WebCore::JSIDBCursor::key const):
(WebCore::JSIDBCursor::primaryKey const):
* Source/WebCore/bindings/js/JSIDBCursorWithValueCustom.cpp:
(WebCore::JSIDBCursorWithValue::value const):
* Source/WebCore/bindings/js/JSIDBRequestCustom.cpp:
(WebCore::JSIDBRequest::result const):
* Source/WebCore/bindings/js/JSMessageEventCustom.cpp:
(WebCore::JSMessageEvent::ports const):
(WebCore::JSMessageEvent::data const):
* Source/WebCore/bindings/js/JSPaymentMethodChangeEventCustom.cpp:
(WebCore::JSPaymentMethodChangeEvent::methodDetails const):
* Source/WebCore/bindings/js/JSPaymentResponseCustom.cpp:
(WebCore::JSPaymentResponse::details const):
* Source/WebCore/bindings/js/JSValueInWrappedObject.h:
(WebCore::cachedPropertyValue):
* Source/WebCore/bindings/js/JSWebXRRigidTransformCustom.cpp:
(WebCore::JSWebXRRigidTransform::matrix const):
* Source/WebCore/bindings/js/JSWebXRViewCustom.cpp:
(WebCore::JSWebXRView::projectionMatrix const):

Canonical link: https://commits.webkit.org/257180@main
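
The caching pattern described in the log message above, as an added C++ example that is not WebKit's code and not part of the commit. ThrowScope, Value, CachedSlot, convertToValue and the two cachedValue* functions are simplified stand-ins invented here to model the unchecked and checked behaviour.

```cpp
// Simplified stand-ins for illustration (assumptions, not WebKit's types).
struct ThrowScope {
    bool terminating = false; // the worker is being torn down
    bool pending = false;     // a termination exception has been thrown
    bool exception() const { return pending; }
};
struct Value { // isEmpty == true models a default-constructed JSValue
    bool isEmpty = true;
    int payload = 0;
};
struct CachedSlot { bool populated = false; Value value; };

// Models toJS<>() inside the lambda: on termination it throws and returns an empty Value.
Value convertToValue(ThrowScope& scope, int native)
{
    Value result;
    if (scope.terminating) {
        scope.pending = true;
        return result;
    }
    result.isEmpty = false;
    result.payload = native;
    return result;
}

// Behaviour described as the bug: whatever the lambda returns is cached.
template<typename F> Value cachedValueUnchecked(CachedSlot& slot, F compute)
{
    if (!slot.populated) {
        slot.value = compute();
        slot.populated = true;
    }
    return slot.value;
}

// Behaviour described as the fix: consult the throw scope and return early.
template<typename F> Value cachedValueChecked(ThrowScope& scope, CachedSlot& slot, F compute)
{
    if (slot.populated)
        return slot.value;
    Value computed = compute();
    if (scope.exception())
        return Value(); // exception pending: leave the slot untouched
    slot.value = computed;
    slot.populated = true;
    return computed;
}
```

In this model the unchecked getter keeps returning the empty value from its slot even after the exception has been cleared, while the checked getter computes and caches a real value on the next successful call.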



