[Fetch API] Fix a memory leak with a Response constructed with a ReadableStream

third_party/WebKit/Source/modules/fetch/ReadableStreamDataConsumerHandle.cpp

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "modules/fetch/ReadableStreamDataConsumerHandle.h"
 
 #include "bindings/core/v8/ExceptionState.h"
 #include "bindings/core/v8/ReadableStreamOperations.h"
+#include "bindings/core/v8/ScopedPersistent.h"
 #include "bindings/core/v8/ScriptFunction.h"
 #include "bindings/core/v8/ScriptState.h"
 #include "bindings/core/v8/ScriptValue.h"
 #include "bindings/core/v8/V8BindingMacros.h"
 #include "bindings/core/v8/V8IteratorResultValue.h"
 #include "bindings/core/v8/V8RecursionScope.h"
 #include "bindings/core/v8/V8Uint8Array.h"
 #include "core/dom/DOMTypedArray.h"
 #include "public/platform/Platform.h"
 #include "public/platform/WebTaskRunner.h"
 #include "public/platform/WebThread.h"
 #include "public/platform/WebTraceLocation.h"
 #include "wtf/Assertions.h"
 #include "wtf/Functional.h"
 #include "wtf/RefCounted.h"
-#include "wtf/WeakPtr.h"
 #include <algorithm>
 #include <string.h>
 #include <v8.h>
 
 namespace blink {
 
 using Result = WebDataConsumerHandle::Result;
 using Flags = WebDataConsumerHandle::Flags;
 
 // This context is not yet thread-safe.
 class ReadableStreamDataConsumerHandle::ReadingContext final : public RefCounted<ReadingContext> {
     WTF_MAKE_NONCOPYABLE(ReadingContext);
 public:
     class OnFulfilled final : public ScriptFunction {
     public:
-        static v8::Local<v8::Function> createFunction(ScriptState* scriptState, WeakPtr<ReadingContext> context)
+        static v8::Local<v8::Function> createFunction(ScriptState* scriptState, PassRefPtr<ReadingContext> context)
         {
             return (new OnFulfilled(scriptState, context))->bindToV8Function();
         }
 
         ScriptValue call(ScriptValue v) override
         {
-            RefPtr<ReadingContext> readingContext(m_readingContext.get());
+            RefPtr<ReadingContext> readingContext(m_readingContext);
             if (!readingContext)
                 return v;
             bool done;
             v8::Local<v8::Value> item = v.v8Value();
             ASSERT(item->IsObject());
             v8::Local<v8::Value> value = v8CallOrCrash(v8UnpackIteratorResult(v.scriptState(), item.As<v8::Object>(), &done));
             if (done) {
                 readingContext->onReadDone();
                 return v;
             }
             if (!V8Uint8Array::hasInstance(value, v.isolate())) {
                 readingContext->onRejected();
                 return ScriptValue();
             }
             readingContext->onRead(V8Uint8Array::toImpl(value.As<v8::Object>()));
             return v;
         }
 
     private:
-        OnFulfilled(ScriptState* scriptState, WeakPtr<ReadingContext> context)
+        OnFulfilled(ScriptState* scriptState, PassRefPtr<ReadingContext> context)
             : ScriptFunction(scriptState), m_readingContext(context) {}
 
-        WeakPtr<ReadingContext> m_readingContext;
+        RefPtr<ReadingContext> m_readingContext;
     };
 
     class OnRejected final : public ScriptFunction {
     public:
-        static v8::Local<v8::Function> createFunction(ScriptState* scriptState, WeakPtr<ReadingContext> context)
+        static v8::Local<v8::Function> createFunction(ScriptState* scriptState, PassRefPtr<ReadingContext> context)
         {
             return (new OnRejected(scriptState, context))->bindToV8Function();
         }
 
         ScriptValue call(ScriptValue v) override
         {
-            RefPtr<ReadingContext> readingContext(m_readingContext.get());
+            RefPtr<ReadingContext> readingContext(m_readingContext);
             if (!readingContext)
                 return v;
             readingContext->onRejected();
             return v;
         }
 
     private:
-        OnRejected(ScriptState* scriptState, WeakPtr<ReadingContext> context)
+        OnRejected(ScriptState* scriptState, PassRefPtr<ReadingContext> context)
             : ScriptFunction(scriptState), m_readingContext(context) {}
 
-        WeakPtr<ReadingContext> m_readingContext;
+        RefPtr<ReadingContext> m_readingContext;
     };
 
     class ReaderImpl final : public FetchDataConsumerHandle::Reader {
     public:
         ReaderImpl(PassRefPtr<ReadingContext> context, Client* client)
             : m_readingContext(context)
         {
             m_readingContext->attachReader(client);
         }
         ~ReaderImpl() override
@@ skipping 39 matching lines @@
             return WebDataConsumerHandle::UnexpectedError;
         if (m_isDone)
             return WebDataConsumerHandle::Done;
 
         if (m_pendingBuffer) {
             ASSERT(m_pendingOffset < m_pendingBuffer->length());
             *buffer = m_pendingBuffer->data() + m_pendingOffset;
             *available = m_pendingBuffer->length() - m_pendingOffset;
             return WebDataConsumerHandle::Ok;
         }
-        ASSERT(!m_reader.isEmpty());
         m_isInRecursion = true;
         if (!m_isReading) {
             m_isReading = true;
-            ScriptState::Scope scope(m_reader.scriptState());
-            V8RecursionScope recursionScope(m_reader.isolate());
-            ReadableStreamOperations::read(m_reader.scriptState(), m_reader).then(
-                OnFulfilled::createFunction(m_reader.scriptState(), m_weakPtrFactory.createWeakPtr()),
-                OnRejected::createFunction(m_reader.scriptState(), m_weakPtrFactory.createWeakPtr()));
+            ScriptState::Scope scope(m_scriptState.get());
+            ScriptValue reader(m_scriptState.get(), m_reader.newLocal(m_scriptState->isolate()));
+            if (reader.isEmpty()) {
+                // The reader was collected.
+                m_hasError = true;
+                m_isReading = false;
+                return WebDataConsumerHandle::UnexpectedError;
+            }
+            V8RecursionScope recursionScope(m_scriptState->isolate());
+            ReadableStreamOperations::read(m_scriptState.get(), reader).then(

[haraken, 2016/01/30 15:35:53]

Would you create a helper function in V8ScriptRunner for this one?

I want to encapsulate all the complexity about V8RecursionScope, Microtask etc
into the helper functions in V8ScriptRunner.

[yhirano, 2016/02/02 10:59:28]

Do you have an idea how to encapsulate these calls without loss of generality?

[haraken, 2016/02/02 12:23:06]

Maybe can we introduce V8CallPromiseScope to V8ScriptRunner.h so that we can
write this as:

  V8CallPromiseScope scope(m_scriptState);
  ReadableStreamOperations::read(...).then();

All V8 calls that may run MicroTasks should be unified into V8ScriptRunner.h.

[yhirano, 2016/02/05 14:52:04]

As we talked at https://codereview.chromium.org/1167343002/#msg45, I was wrong
and we don't need V8RecursionScope here.

+                OnFulfilled::createFunction(m_scriptState.get(), this),
+                OnRejected::createFunction(m_scriptState.get(), this));
             // Note: Microtasks may run here.
         }
         m_isInRecursion = false;
         return WebDataConsumerHandle::ShouldWait;
     }
 
     Result endRead(size_t readSize)
     {
         ASSERT(m_pendingBuffer);
         ASSERT(m_pendingOffset + readSize <= m_pendingBuffer->length());
@@ skipping 47 matching lines @@
         m_client->didGetReadable();
     }
 
     void notifyLater()
     {
         ASSERT(m_client);
         Platform::current()->currentThread()->taskRunner()->postTask(BLINK_FROM_HERE, bind(&ReadingContext::notify, PassRefPtr<ReadingContext>(this)));
     }
 
 private:
-    ReadingContext(ScriptState* scriptState, ScriptValue stream)
-        : m_client(nullptr)
-        , m_weakPtrFactory(this)
+    ReadingContext(ScriptState* scriptState, ScriptValue streamReader)
+        : m_reader(scriptState->isolate(), streamReader.v8Value())
+        , m_scriptState(scriptState)
+        , m_client(nullptr)
         , m_pendingOffset(0)
         , m_isReading(false)
         , m_isDone(false)
         , m_hasError(false)
         , m_isInRecursion(false)
     {
-        if (!ReadableStreamOperations::isLocked(scriptState, stream)) {
-            // Here the stream implementation must not throw an exception.
-            NonThrowableExceptionState es;
-            m_reader = ReadableStreamOperations::getReader(scriptState, stream, es);
-        }
-        m_hasError = m_reader.isEmpty();
+        m_reader.setWeak(this, &ReadingContext::onCollected);
     }
 
-    // This ScriptValue is leaky because it stores a strong reference to a
-    // JavaScript object.
-    // TODO(yhirano): Fix it.
-    //
-    // Holding a ScriptValue here is safe in terms of cross-world wrapper
+    void onCollected()
+    {
+        m_reader.clear();
+        if (m_isDone || m_hasError)
+            return;
+        m_hasError = true;
+        if (m_client)
+            notifyLater();
+    }
+
+    static void onCollected(const v8::WeakCallbackInfo<ReadableStreamDataConsumerHandle::ReadingContext>& data)
+    {
+        data.GetParameter()->onCollected();
+    }
+
+    // |m_reader| is a weak persistent. It should be kept alive by someone
+    // outside of ReadableStreamDataConsumerHandle.

[haraken, 2016/01/30 15:35:53]

Just to confirm: Are you assuming that ReadableStreamDataConsumerHandle can be
kept alive even after the Reader's wrapper is collected, right? Then it makes
sense to use a weak persistent here.

[yhirano, 2016/02/02 10:59:28]

A typical object graph:

Response wrapper -> Response -> BodyStreamBuffer ->
ReadableStreamDataConsumerHandle -> |m_reader|.

The JS object referenced by |m_reader| can reference the Response wrapper  and
hence I want to make the last reference link weak.

+    // Holding a ScopedPersistent here is safe in terms of cross-world wrapper
     // leakage because we read only Uint8Array chunks from the reader.
-    ScriptValue m_reader;
+    ScopedPersistent<v8::Value> m_reader;
+    RefPtr<ScriptState> m_scriptState;
     WebDataConsumerHandle::Client* m_client;
     RefPtr<DOMUint8Array> m_pendingBuffer;
-    WeakPtrFactory<ReadingContext> m_weakPtrFactory;
     size_t m_pendingOffset;
     bool m_isReading;
     bool m_isDone;
     bool m_hasError;
     bool m_isInRecursion;
 };
 
-ReadableStreamDataConsumerHandle::ReadableStreamDataConsumerHandle(ScriptState* scriptState, ScriptValue stream)
-    : m_readingContext(ReadingContext::create(scriptState, stream))
+ReadableStreamDataConsumerHandle::ReadableStreamDataConsumerHandle(ScriptState* scriptState, ScriptValue streamReader)
+    : m_readingContext(ReadingContext::create(scriptState, streamReader))
 {
 }
 ReadableStreamDataConsumerHandle::~ReadableStreamDataConsumerHandle() = default;
 
 FetchDataConsumerHandle::Reader* ReadableStreamDataConsumerHandle::obtainReaderInternal(Client* client)
 {
     return new ReadingContext::ReaderImpl(m_readingContext, client);
 }
 
 } // namespace blink