[webkit-reviews] review requested: [Bug 105495] [V8] More unstable NPObject* references for V8 script objects : [Attachment 180276] Additional WebKit LayoutTests demonstrating unstable NPObject* values for V8 script objects

bugzilla-daemon at webkit.org
Wed Dec 19 21:40:18 PST 2012


Matthew Dempsky <mdempsky at google.com> has asked for review:
Bug 105495: [V8] More unstable NPObject* references for V8 script objects
https://bugs.webkit.org/show_bug.cgi?id=105495

Attachment 180276: Additional WebKit LayoutTests demonstrating unstable
NPObject* values for V8 script objects
https://bugs.webkit.org/attachment.cgi?id=180276&action=review

------- Additional Comments from Matthew Dempsky <mdempsky at google.com>
As a followup to https://bugs.webkit.org/show_bug.cgi?id=104921, attached is a
patch that adds two more LayoutTests to demonstrate further cases where objects
that are treated as equivalent by JavaScript (i.e., according to '===') end up
with distinct NPObject* values when passed to an NPAPI plugin.

The first test (embed-property-iframe-equality-2.html) tests where the same DOM
object is passed to an NPAPI plugin from two different contexts (the main page
and a child iframe).  Even though each reference is to the same DOM object,
they get converted to distinct NPObject* values.

  - I believe this is due to npCreateV8ScriptObject only returning saved
NPObject* values that match both v8Object and rootObject.  If I remove the
second half of the "v8npObject->v8Object == object && v8npObject->rootObject ==
root" test, then this test passes, but I'm not sure that's a complete or
correct fix.

The second test (embed-property-iframe-equality-3.html) tests where a DOM
object attached to a child iframe (the child iframe's 'window' object) is
stashed in the NPAPI plugin, the iframe is removed (so the creation context
goes away), and then two references to the same object are passed back into the
NPAPI plugin.  Again, even though the references are to the same DOM object,
they get converted to distinct NPObject* values.

  - I believe this is due to npCreateV8ScriptObject only saving NPObject*
values for V8 objects that still have a "V8PerContextData".  Once the iframe is
gone, there's no V8PerContextData anymore, so each reference gets a completely
new NPObject* value.  I suspect saving the data elsewhere or preventing the
V8PerContextData from getting deleted when there are still live references to
the CreationContext would fix this test, but I don't know for sure.

Both of these issues could adversely affect the GWT Developer Mode plugin just
like 104921 did, so I hope they can be fixed, but I don't know of any users
being affected by these issues at present.
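To make the two cache behaviours the report describes easier to reason about, below is an added model of the npCreateV8ScriptObject lookup as described in the comments above; it is constructed for this note and is not WebKit's or the reporter's code. The context names, the `matchRootObject` switch and the id counter are assumptions used only to make the scenarios observable.

```javascript
// Constructed model (not WebKit code) of the NPObject cache described in
// the bug report. A "context" stands in for a V8 creation context (main page
// or iframe) and owns its own V8PerContextData store of saved NPObjects.
let nextId = 1;
function makeNPObject(v8Object, rootObject) {
  return { id: nextId++, v8Object, rootObject };
}

// As described: a saved NPObject is reused only when BOTH the V8 object and
// the root object match, and NPObjects are saved only while the object's
// creation context still has V8PerContextData. matchRootObject=false models
// the reporter's experiment of dropping the rootObject half of the test.
function npCreateV8ScriptObject(contexts, v8Object, rootObject, matchRootObject = true) {
  const perContextData = contexts.get(v8Object.creationContext);
  if (!perContextData) {
    // Context is gone (iframe removed): nothing to look up or save,
    // so every call hands back a brand-new NPObject.
    return makeNPObject(v8Object, rootObject);
  }
  for (const npObj of perContextData.npObjects) {
    if (npObj.v8Object === v8Object &&
        (!matchRootObject || npObj.rootObject === rootObject)) {
      return npObj;
    }
  }
  const npObj = makeNPObject(v8Object, rootObject);
  perContextData.npObjects.push(npObj);
  return npObj;
}

// embed-property-iframe-equality-2: same DOM object passed from the main
// page and from a child iframe (two different root objects).
function scenarioTwoContexts(matchRootObject) {
  const contexts = new Map([["main", { npObjects: [] }], ["iframe", { npObjects: [] }]]);
  const domObject = { creationContext: "main" };   // constructed stand-in
  const a = npCreateV8ScriptObject(contexts, domObject, "mainRoot", matchRootObject);
  const b = npCreateV8ScriptObject(contexts, domObject, "iframeRoot", matchRootObject);
  return a === b;   // true only when rootObject is ignored in the lookup
}

// embed-property-iframe-equality-3: iframe window stashed, iframe removed,
// then two references to the same window passed back in.
function scenarioContextRemoved() {
  const contexts = new Map([["main", { npObjects: [] }], ["iframe", { npObjects: [] }]]);
  const iframeWindow = { creationContext: "iframe" };   // constructed stand-in
  const stashed = npCreateV8ScriptObject(contexts, iframeWindow, "iframeRoot");
  contexts.delete("iframe");   // V8PerContextData dies with the iframe
  const a = npCreateV8ScriptObject(contexts, iframeWindow, "mainRoot");
  const b = npCreateV8ScriptObject(contexts, iframeWindow, "mainRoot");
  return { stashedMatches: stashed === a, referencesMatch: a === b };
}
```

With the root-object check in place the first scenario yields two NPObject* values for one object, and once the iframe's per-context data is gone the second scenario yields a fresh value on every call, matching what the two tests observe.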


More information about the webkit-reviews mailing list