bindings: Use CreateDataProperty() instead of ForceSet()
We use ForceSet() to avoid executing user-provided JS while running
callbacks, but ForceSet() is deprecated because it is difficult to
use properly. Use CreateDataProperty() instead. It is a safer way to
do that.
BUG=475206
Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=197156
Toon, what should we do about the remaining ForceSet(). Apparently we can't DefineOwnProperty on the ...
4 years, 11 months ago
(2015-06-05 12:12:58 UTC)
#12
Toon, what should we do about the remaining ForceSet(). Apparently we can't
DefineOwnProperty on the global proxy.
jochen (gone - plz use gerrit)
bashi@ after talking to Toon I still thing defineOwnProperty() *should* work. Can you post a ...
4 years, 10 months ago
(2015-06-08 11:36:06 UTC)
#13
bashi@ after talking to Toon I still thing defineOwnProperty() *should* work.
Can you post a full stack trace where you've hit the assertion?
bashi
On 2015/06/08 11:36:06, jochen wrote: > bashi@ after talking to Toon I still thing defineOwnProperty() ...
4 years, 10 months ago
(2015-06-08 23:38:40 UTC)
#14
On 2015/06/08 11:36:06, jochen wrote:
> bashi@ after talking to Toon I still thing defineOwnProperty() *should* work.
>
> Can you post a full stack trace where you've hit the assertion?
Sure.
--- Stack trace ---
#0 v8::base::OS::Abort () at ../../v8/src/base/platform/platform-posix.cc:229
#1 0x0000000002146edc in V8_Fatal (file=<optimized out>, line=0,
format=<optimized out>) at ../../v8/src/base/logging.cc:116
#2 0x0000000001d4056a in v8::internal::JSObject::MigrateFastToSlow (
object=..., new_map=..., expected_additional_properties=0)
at ../../v8/src/objects.cc:4429
#3 0x0000000001d3e45b in v8::internal::JSObject::MigrateToMap (object=...,
new_map=..., expected_additional_properties=0)
at ../../v8/src/objects.cc:1881
#4 0x0000000001d53fe8 in v8::internal::JSObject::SetPropertyCallback (
object=..., name=..., structure=..., attributes=FROZEN)
at ../../v8/src/objects.cc:6352
#5 0x0000000001d4f729 in v8::internal::JSObject::SetOwnPropertyIgnoreAttributes
(object=..., name=..., value=..., attributes=FROZEN,
handling=<optimized out>) at ../../v8/src/objects.cc:4210
#6 0x0000000001e10613 in __RT_impl_Runtime_DefineDataPropertyUnchecked (
isolate=<optimized out>, args=...)
at ../../v8/src/runtime/runtime-object.cc:1384
#7 v8::internal::Runtime_DefineDataPropertyUnchecked (
args_length=<optimized out>, args_object=<optimized out>,
isolate=0x920c6e38020) at ../../v8/src/runtime/runtime-object.cc:1362
--- V8 stack trace ---
Security context: 0xbeda03a43d9 <JS Object>
1: DefineObjectProperty(aka DefineObjectProperty) [native v8natives.js:577]
(this=0xbeda0304179 <undefined>,H=0xb770e004391 <JS Global
Object>,U=0xbeda0383119 <String[8]: doc\
ument>,D=0xb770e0d9509 <a PropertyDescriptor with map
0x6619cc077a9>,X=0xbeda0304251 <false>)
2: DefineOwnProperty(aka DefineOwnProperty) [native v8natives.js:693]
(this=0xbeda0304179 <undefined>,H=0xb770e004391 <JS Global
Object>,U=0xbeda0383119 <String[8]: document>\
,D=0xb770e0d9509 <a PropertyDescriptor with map 0x6619cc077a9>,X=0xbeda0304251
<false>)
3: DefineOwnPropertyFromAPI(aka DefineOwnPropertyFromAPI) [native
v8natives.js:697] (this=0xbeda0304179 <undefined>,H=0xb770e004391 <JS Global
Object>,U=0xbeda0383119 <String\
[8]: document>,L=0xb770e0d9229 <an HTMLDocument with map
0x6619cc07179>,D=0xb770e0d9331 <JS Array[3]>)
--- V8 Entry point ---
#0 0x0000000001b57337 in v8::internal::Invoke (is_construct=<optimized out>,
function=..., receiver=..., argc=<optimized out>, args=<optimized out>)
at ../../v8/src/execution.cc:128
#1 0x0000000001a77226 in CallV8HeapFunction (recv=..., argc=4,
isolate=<optimized out>, name=<optimized out>, argv=<optimized out>)
at ../../v8/src/api.cc:2292
#2 v8::Object::DefineOwnProperty (this=<optimized out>, context=..., key=...,
value=..., attributes=<optimized out>) at ../../v8/src/api.cc:3619
#3 0x0000000003627ba5 in blink::WindowProxy::updateDocumentProperty (
this=0x920c6af53a0)
at ../../third_party/WebKit/Source/bindings/core/v8/WindowProxy.cpp:379
#4 0x0000000003627193 in blink::WindowProxy::updateDocument (
this=0x920c6af53a0)
at ../../third_party/WebKit/Source/bindings/core/v8/WindowProxy.cpp:442
#5 0x00000000036264b8 in blink::WindowProxy::initialize (this=0x920c6af53a0)
at ../../third_party/WebKit/Source/bindings/core/v8/WindowProxy.cpp:244
#6 0x00000000036261d0 in blink::WindowProxy::initializeIfNeeded (
this=0x920c6af53a0)
at ../../third_party/WebKit/Source/bindings/core/v8/WindowProxy.cpp:207
#7 0x00000000035b228a in blink::ScriptController::windowProxy (
this=0x920c6af5480, world=...)
at ../../third_party/WebKit/Source/bindings/core/v8/ScriptController.cpp:211
#8 0x0000000002f27f2f in blink::LocalFrame::windowProxy (this=0x2e95cfe44610,
world=...) at ../../third_party/WebKit/Source/core/frame/LocalFrame.cpp:233
#9 0x00000000035e43ba in blink::toV8Context (frame=0x2e95cfe44610, world=...)
at ../../third_party/WebKit/Source/bindings/core/v8/V8Binding.cpp:777
#10 0x000000000215a79a in blink::WebLocalFrameImpl::mainWorldScriptContext (
this=0x2e95cfe50010)
at ../../third_party/WebKit/Source/web/WebLocalFrameImpl.cpp:942
#11 0x00000000052d6580 in blink::WebTestingSupport::resetInternalsObject (
frame=0x2e95cfe50010)
at ../../third_party/WebKit/Source/web/WebTestingSupport.cpp:46
#12 0x00000000004b6531 in content::BlinkTestRunner::Reset (this=0x920c64a7e20)
at ../../content/shell/renderer/layout_test/blink_test_runner.cc:766
#13 0x000000000047cb01 in
content::LayoutTestContentRendererClient::RenderViewCreated (this=0x920c60b0e60,
render_view=0x920c63d3428)
at
../../content/shell/renderer/layout_test/layout_test_content_renderer_client.cc:103
#14 0x0000000004bb5efc in content::RenderViewImpl::Initialize (
this=0x920c63d3020, params=..., compositor_deps=0x920c6342210,
was_created_by_renderer=false)
at ../../content/renderer/render_view_impl.cc:816
...
jochen (gone - plz use gerrit)
Ah, I guess what happens is that "document" is already defined in Window.idl as an ...
4 years, 10 months ago
(2015-06-09 08:11:33 UTC)
#15
Ah, I guess what happens is that "document" is already defined in Window.idl as
an unforgeable read-only attribute, so what we can't overwrite it.
Maybe "document" should not be in window.idl since we'll programmatically set it
(or it should be marked as not set by generated bindings or something)
Toon Verwaest
I've fixed the issue underlying the assert, so you will be able to try this ...
4 years, 10 months ago
(2015-06-11 19:23:26 UTC)
#16
I've fixed the issue underlying the assert, so you will be able to try this
again in the future. I tried it locally by making ForceSet do the right thing,
but there are still some issues in blink. E.g., MessageEventCustom>>data relies
on accessors + ForceSet to lazily initialize itself. This won't work anymore...
After the changes I want to do, the accessor will stay there forever; on
ForceSet to non-writable I just remove the setter (if writable the setter
stays). It should instead cache the value as a hidden property, and the getter
should retrieve that value.
I think there were also worker-typed-array-related failures, iirc.
jochen (gone - plz use gerrit)
lgtm
4 years, 10 months ago
(2015-06-12 09:49:31 UTC)
#17
lgtm
bashi
I'm going to land this. We will address WindowProxy issue separately.
4 years, 10 months ago
(2015-06-16 03:13:36 UTC)
#18
I'm going to land this. We will address WindowProxy issue separately.
bashi
The CQ bit was checked by bashi@chromium.org
4 years, 10 months ago
(2015-06-16 03:13:44 UTC)
#19
Issue 1153613007: bindings: Use CreateDataProperty() instead of ForceSet()
(Closed)
Created 4 years, 11 months ago by bashi
Modified 4 years, 10 months ago
Reviewers: jochen (gone - plz use gerrit), haraken, jsbell, Toon Verwaest
Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Comments: 11
Chromium Code Reviews
