-
ap@webkit.org authored
https://bugs.webkit.org/show_bug.cgi?id=21213 MessagePort crash when GC collects an object with a pending close event Test: fast/events/message-channel-gc-2.html fast/events/message-channel-listener-circular-ownership.html * bindings/DOMProtect.cpp: Added. (WebCore::gcProtectDOMObject): (WebCore::gcUnprotectDOMObject): * bindings/DOMProtect.h: Added. Added an abstraction for GC protection to avoid the need to call JS bindings code from DOM objects directly. * dom/MessagePort.cpp: (WebCore::CloseMessagePortTimer::fired): (WebCore::MessagePort::queueCloseEvent): GC protect MessagePort wrapper while there is a pending close event. This may be necessary for message events, too, but that case is not a crasher, and actually behaves to the letter of the current HTML5 text, so I'll consider it later. * xml/XMLHttpRequest.cpp: (WebCore::XMLHttpRequest::loadRequestAsynchronously): (WebCore::XMLHttpRequest::dropProtection): Use gcProtectDOMObject here, too. Unfortunately, XMLHttpRequest has more dependencies on JSC. * bindings/js/JSMessagePortCustom.cpp: (WebCore::JSMessagePort::addEventListener): (WebCore::JSMessagePort::removeEventListener): (WebCore::JSMessagePort::setOnmessage): (WebCore::JSMessagePort::setOnclose): Don't tell DOMWindowBase that MessagePort is a NodeEventTarget, this is not true. I do not know if this was causing any real issues, but we shouldn't lie to DOMWindowBase. * bindings/js/JSXMLHttpRequestUploadCustom.cpp: (WebCore::JSXMLHttpRequestUpload::mark): While at it, changed to use a typedef for event listeners from XMLHttpRequestUpload, not from XMLHttpRequest. git-svn-id: http://svn.webkit.org/repository/webkit/trunk@37094 268f45cc-cd09-0410-ab3c-d52691b4dbfc
a0c037ca