[Webkit-unassigned] [Bug 64726] New: OpaqueJSClass could always lock the first page that uses the class
bugzilla-daemon at webkit.org
Mon Jul 18 08:25:16 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=64726
Summary: OpaqueJSClass could always lock the first page that
uses the class
Product: WebKit
Version: 528+ (Nightly build)
Platform: Unspecified
OS/Version: Unspecified
Status: NEW
Severity: Normal
Priority: P3
Component: Java
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: yong.li.webkit at gmail.com
CC: oliver at apple.com
JSObject* OpaqueJSClass::prototype(ExecState* exec)
{
    /* Class (C++) and prototype (JS) inheritance are parallel, so:
     *     (C++)      |        (JS)
     *   ParentClass  |   ParentClassPrototype
     *       ^        |          ^
     *       |        |          |
     *  DerivedClass  |  DerivedClassPrototype
     */

    if (!prototypeClass)
        return 0;

    OpaqueJSClassContextData& jsClassData = contextData(exec);

    if (!jsClassData.cachedPrototype) {
        // Recursive, but should be good enough for our purposes
        jsClassData.cachedPrototype = new (exec) JSCallbackObject<JSObjectWithGlobalObject>(exec, exec->lexicalGlobalObject(), exec->lexicalGlobalObject()->callbackObjectStructure(), prototypeClass, &jsClassData); // set jsClassData as the object's private data, so it can clear our reference on destruction
        if (parentClass) {
            if (JSObject* prototype = parentClass->prototype(exec))
                jsClassData.cachedPrototype->setPrototype(prototype);
        }
    }
    return jsClassData.cachedPrototype.get();
}

OpaqueJSClassContextData& jsClassData = contextData(exec);
It seems that a different "exec" should return a different jsClassData; however, they share one copy because they share one JSGlobalData.

Assume multiple pages share the same JSClassDef. "jsClassData.cachedPrototype" is created in the first page's ExecState, and shared by other pages, because they usually share one JSGlobalData. As long as the "cachedPrototype" is being used by other pages, the first page's global objects could always be locked by "cachedPrototype", which could also hold the entire DOM tree in memory.

Oliver, do you think it is a problem or not?
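
A simplified model of the lifetime relationship described in the report, added here as an illustration (it is not WebKit code and not part of the original message). Assumptions: std::shared_ptr stands in for GC reachability, and the names VM, GlobalObject, Prototype, CacheKey, prototypeFor and firstPageRetained are hypothetical; the PerGlobalObject keying is only a contrast case, not a fix taken from the bug.

```cpp
// Simplified lifetime model, not WebKit code: shared_ptr stands in for GC reachability.
#include <map>
#include <memory>
#include <string>

struct GlobalObject { std::string page; };  // stands in for a page's global object and its DOM

struct Prototype {
    std::shared_ptr<GlobalObject> global;   // a prototype references the global object it was created in
};

struct VM {                                 // stands in for the shared JSGlobalData
    // Weak, like cachedPrototype: the cache itself does not keep the prototype alive.
    std::map<const GlobalObject*, std::weak_ptr<Prototype>> cache;
};

enum class CacheKey { PerVM, PerGlobalObject };

// Same shape as OpaqueJSClass::prototype(): create on first use, then reuse.
std::shared_ptr<Prototype> prototypeFor(VM& vm, const std::shared_ptr<GlobalObject>& global, CacheKey key)
{
    // PerVM: one slot for every page. PerGlobalObject: one slot per page (assumed alternative).
    const GlobalObject* slot = (key == CacheKey::PerVM) ? nullptr : global.get();
    if (auto cached = vm.cache[slot].lock())
        return cached;
    auto created = std::make_shared<Prototype>(Prototype{global});
    vm.cache[slot] = created;
    return created;
}

// True if page 1's global object is still reachable after page 1 is closed
// while page 2 keeps using objects of the same class.
bool firstPageRetained(CacheKey key)
{
    VM vm;
    auto page1 = std::make_shared<GlobalObject>(GlobalObject{"page1"});
    auto page2 = std::make_shared<GlobalObject>(GlobalObject{"page2"});
    std::weak_ptr<GlobalObject> page1Watch = page1;

    auto usedByPage1 = prototypeFor(vm, page1, key);
    auto usedByPage2 = prototypeFor(vm, page2, key);  // PerVM: the prototype created for page 1

    usedByPage1.reset();  // page 1 goes away
    page1.reset();
    return !page1Watch.expired();
}

int main() { return firstPageRetained(CacheKey::PerVM) && !firstPageRetained(CacheKey::PerGlobalObject) ? 0 : 1; }
```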