[Fetch API] Fix a memory leak with a Response constructed with a ReadableStream

third_party/WebKit/Source/modules/fetch/ReadableStreamDataConsumerHandle.cpp

Index: third_party/WebKit/Source/modules/fetch/ReadableStreamDataConsumerHandle.cpp
diff --git a/third_party/WebKit/Source/modules/fetch/ReadableStreamDataConsumerHandle.cpp b/third_party/WebKit/Source/modules/fetch/ReadableStreamDataConsumerHandle.cpp
index ace6a73db1f2ed353f1f11822294bbc6cee899c2..babdafe10724c5617805894f0d63cb31e9367d62 100644
--- a/third_party/WebKit/Source/modules/fetch/ReadableStreamDataConsumerHandle.cpp
+++ b/third_party/WebKit/Source/modules/fetch/ReadableStreamDataConsumerHandle.cpp
@@ -7,6 +7,7 @@
 
 #include "bindings/core/v8/ExceptionState.h"
 #include "bindings/core/v8/ReadableStreamOperations.h"
+#include "bindings/core/v8/ScopedPersistent.h"
 #include "bindings/core/v8/ScriptFunction.h"
 #include "bindings/core/v8/ScriptState.h"
 #include "bindings/core/v8/ScriptValue.h"
@@ -22,7 +23,6 @@
 #include "wtf/Assertions.h"
 #include "wtf/Functional.h"
 #include "wtf/RefCounted.h"
-#include "wtf/WeakPtr.h"
 #include <algorithm>
 #include <string.h>
 #include <v8.h>
@@ -38,14 +38,14 @@ class ReadableStreamDataConsumerHandle::ReadingContext final : public RefCounted
 public:
     class OnFulfilled final : public ScriptFunction {
     public:
-        static v8::Local<v8::Function> createFunction(ScriptState* scriptState, WeakPtr<ReadingContext> context)
+        static v8::Local<v8::Function> createFunction(ScriptState* scriptState, PassRefPtr<ReadingContext> context)
         {
             return (new OnFulfilled(scriptState, context))->bindToV8Function();
         }
 
         ScriptValue call(ScriptValue v) override
         {
-            RefPtr<ReadingContext> readingContext(m_readingContext.get());
+            RefPtr<ReadingContext> readingContext(m_readingContext);
             if (!readingContext)
                 return v;
             bool done;
@@ -65,22 +65,22 @@ public:
         }
 
     private:
-        OnFulfilled(ScriptState* scriptState, WeakPtr<ReadingContext> context)
+        OnFulfilled(ScriptState* scriptState, PassRefPtr<ReadingContext> context)
             : ScriptFunction(scriptState), m_readingContext(context) {}
 
-        WeakPtr<ReadingContext> m_readingContext;
+        RefPtr<ReadingContext> m_readingContext;
     };
 
     class OnRejected final : public ScriptFunction {
     public:
-        static v8::Local<v8::Function> createFunction(ScriptState* scriptState, WeakPtr<ReadingContext> context)
+        static v8::Local<v8::Function> createFunction(ScriptState* scriptState, PassRefPtr<ReadingContext> context)
         {
             return (new OnRejected(scriptState, context))->bindToV8Function();
         }
 
         ScriptValue call(ScriptValue v) override
         {
-            RefPtr<ReadingContext> readingContext(m_readingContext.get());
+            RefPtr<ReadingContext> readingContext(m_readingContext);
             if (!readingContext)
                 return v;
             readingContext->onRejected();
@@ -88,10 +88,10 @@ public:
         }
 
     private:
-        OnRejected(ScriptState* scriptState, WeakPtr<ReadingContext> context)
+        OnRejected(ScriptState* scriptState, PassRefPtr<ReadingContext> context)
             : ScriptFunction(scriptState), m_readingContext(context) {}
 
-        WeakPtr<ReadingContext> m_readingContext;
+        RefPtr<ReadingContext> m_readingContext;
     };
 
     class ReaderImpl final : public FetchDataConsumerHandle::Reader {
@@ -133,7 +133,7 @@ public:
         RefPtr<ReadingContext> m_readingContext;
     };
 
-    static PassRefPtr<ReadingContext> create(ScriptState* scriptState, v8::Local<v8::Value> stream)
+    static PassRefPtr<ReadingContext> create(ScriptState* scriptState, v8::Local<v8::Object> stream)

[tyoshino (SeeGerritForStatus), 2016/02/12 07:24:21]

streamReader

[tyoshino (SeeGerritForStatus), 2016/02/12 07:25:05]

Sorry. It's already fixed in the latest ps. Please ignore.

[yhirano, 2016/02/12 07:33:54]

Done.

     {
         return adoptRef(new ReadingContext(scriptState, stream));
     }
@@ -164,15 +164,21 @@ public:
             *available = m_pendingBuffer->length() - m_pendingOffset;
             return WebDataConsumerHandle::Ok;
         }
-        ASSERT(!m_reader.isEmpty());
         m_isInRecursion = true;
         if (!m_isReading) {
             m_isReading = true;
-            ScriptState::Scope scope(m_reader.scriptState());
-            V8RecursionScope recursionScope(m_reader.isolate());
-            ReadableStreamOperations::read(m_reader.scriptState(), m_reader.v8Value()).then(
-                OnFulfilled::createFunction(m_reader.scriptState(), m_weakPtrFactory.createWeakPtr()),
-                OnRejected::createFunction(m_reader.scriptState(), m_weakPtrFactory.createWeakPtr()));
+            ScriptState::Scope scope(m_scriptState);
+            v8::Local<v8::Object> reader = m_reader.newLocal(m_scriptState->isolate());
+            if (reader.IsEmpty()) {
+                // The reader was collected.
+                m_hasError = true;
+                m_isReading = false;
+                return WebDataConsumerHandle::UnexpectedError;
+            }
+            V8RecursionScope recursionScope(m_scriptState->isolate());
+            ReadableStreamOperations::read(m_scriptState, reader).then(
+                OnFulfilled::createFunction(m_scriptState, this),
+                OnRejected::createFunction(m_scriptState, this));
             // Note: Microtasks may run here.
         }
         m_isInRecursion = false;
@@ -240,33 +246,42 @@ public:
     }
 
 private:
-    ReadingContext(ScriptState* scriptState, v8::Local<v8::Value> stream)
-        : m_client(nullptr)
-        , m_weakPtrFactory(this)
+    ReadingContext(ScriptState* scriptState, v8::Local<v8::Object> streamReader)
+        : m_reader(scriptState->isolate(), streamReader)
+        , m_scriptState(scriptState)
+        , m_client(nullptr)
         , m_pendingOffset(0)
         , m_isReading(false)
         , m_isDone(false)
         , m_hasError(false)
         , m_isInRecursion(false)
     {
-        if (!ReadableStreamOperations::isLocked(scriptState, stream)) {
-            // Here the stream implementation must not throw an exception.
-            NonThrowableExceptionState es;
-            m_reader = ReadableStreamOperations::getReader(scriptState, stream, es);
-        }
-        m_hasError = m_reader.isEmpty();
+        m_reader.setWeak(this, &ReadingContext::onCollected);
+    }
+
+    void onCollected()
+    {
+        m_reader.clear();
+        if (m_isDone || m_hasError)
+            return;
+        m_hasError = true;
+        if (m_client)
+            notifyLater();
+    }
+
+    static void onCollected(const v8::WeakCallbackInfo<ReadableStreamDataConsumerHandle::ReadingContext>& data)
+    {
+        data.GetParameter()->onCollected();

[haraken, 2016/01/06 05:49:06]

ReadableStreamDataConsumerHandle.cpp uses a bunch of V8 APIs. We want to limit
direct V8 API usage only to bindings/, so consider moving (a part of)
ReadableStreamDataConsumerHandle.cpp to bindings/. You don't need to address it
in this CL though.

[yhirano, 2016/01/26 05:09:32]

Is this point affected by the policy change currently discussed?

==

Let me confirm:

1. Regarding OnFulfilled::call, I can move the code to
   ReadableStreamOperations.{cpp,h}.
2. Regarding ScopedPersistent, All we need is weak ScriptValue and there are
   several solutions.
 a. I can implement makeWeak on ScriptValue and use it in this file.
 b. I can implement a custom wrapper class for this specific use-case, but I
    don't like it.
 c. I have a plan to make this class on-heap. IIRC in the future an on-heap
    object can hold a ScriptValue, right? Then we will not need
    weak-related code.

Are there other part you want to move to bindings? If so, I think I need to move
the entire file to bindings/.

[haraken, 2016/01/26 06:09:06]

Yes, I think our new policy is going to allow V8 APIs in core/. I'll start the
thread in blink-dev@ today.

     }
 
-    // This ScriptValue is leaky because it stores a strong reference to a
-    // JavaScript object.
-    // TODO(yhirano): Fix it.
-    //
-    // Holding a ScriptValue here is safe in terms of cross-world wrapper
+    // |m_reader| is a weak persistent. It should be kept alive by someone
+    // outside of ReadableStreamDataConsumerHandle.
+    // Holding a ScopedPersistent here is safe in terms of cross-world wrapper
     // leakage because we read only Uint8Array chunks from the reader.
-    ScriptValue m_reader;
+    ScopedPersistent<v8::Object> m_reader;

[haraken, 2016/01/06 05:49:06]

Instead of holding a weak reference, how about holding a pointer to the Response
object and retrieve the V8 object from the Response object's wrapper?

[yhirano, 2016/01/26 05:09:32]

I would keep that a Response is constructed from a WebDataConsumerHandle. That
means we cannot have a Response here because it doesn't exist when constructed
(and after that we can call only WebDataConsumerHandle methods).

+    ScriptState* m_scriptState;

[haraken, 2016/01/06 05:49:06]

This must be RefPtr<ScriptState>.

[yhirano, 2016/01/26 05:09:32]

Done.

     WebDataConsumerHandle::Client* m_client;
     RefPtr<DOMUint8Array> m_pendingBuffer;
-    WeakPtrFactory<ReadingContext> m_weakPtrFactory;
     size_t m_pendingOffset;
     bool m_isReading;
     bool m_isDone;
@@ -274,8 +289,8 @@ private:
     bool m_isInRecursion;
 };
 
-ReadableStreamDataConsumerHandle::ReadableStreamDataConsumerHandle(ScriptState* scriptState, v8::Local<v8::Value> stream)
-    : m_readingContext(ReadingContext::create(scriptState, stream))
+ReadableStreamDataConsumerHandle::ReadableStreamDataConsumerHandle(ScriptState* scriptState, v8::Local<v8::Object> streamReader)
+    : m_readingContext(ReadingContext::create(scriptState, streamReader))
 {
 }
 ReadableStreamDataConsumerHandle::~ReadableStreamDataConsumerHandle() = default;