Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(233)

Issues Search
    My Issues | Starred     Open | Closed | All

Issue 1674273004: Do not re-register cached id-name HTMLCollection at same invalidation type (Closed)

Created:
4 years, 10 months ago by sof
Modified:
4 years, 10 months ago
CC:
chromium-reviews, blink-reviews, dglazkov+blink, blink-reviews-html_chromium.org
Base URL:
https://chromium.googlesource.com/chromium/src.git@master
Target Ref:
refs/pending/heads/master
Project:
chromium
Visibility:
Public.

Description

Do not re-register cached id-name HTMLCollection at same invalidation type. An HTMLCollection creates an id-name cache for namedItem()/item() lookups. To handle document tree invalidations following id-name mutations, the HTMLCollection must then register with the document has having such a cached collection. This is done "by proxy", registering the HTMLCollection as being dependent on id-name invalidation. This registration for the cache being quite possibly in addition to the collection invalidation type that the HTMLCollection is already registered at. The HTMLCollection implementation then naturally taking care to unregister if the cache is invalidated and cleared. With Oilpan, the document keeps a weak set of references to these live collections. So in the event that the HTMLCollection is already an id-name collection and it registers its id-name cache (by proxy) with the document, it will re-register the same collection object. Upon invalidation of the id-name cache the unregistration will then remove the HTMLCollection entirely as being dependent on id-name related invalidation notifications. That lack of invalidations can in certain circumstances lead to failure (see test.) Address the problem by having id-name HTMLCollections not bother with (un)registering the id-name cache as (another) live collection. It adds no value, the collection object is already registered. (This worked out non-Oilpan as the document there keeps bin counts per collection invalidation type, allowing "duplicates" from the same object.) R=haraken BUG=585054 Committed: https://crrev.com/48691755ab42b61dc11ec20cd70f2bfb0100eb8a Cr-Commit-Position: refs/heads/master@{#374385}

Patch Set 1 #

Patch Set 2 : added test #

Unified diffs Side-by-side diffs Delta from patch set Stats (+38 lines, -3 lines) Patch
A third_party/WebKit/LayoutTests/fast/dom/HTMLCollection/HTMLCollection-namedItem-invalidate-no-crash.html View 1 1 chunk +30 lines, -0 lines 0 comments Download
A + third_party/WebKit/LayoutTests/fast/dom/HTMLCollection/HTMLCollection-namedItem-invalidate-no-crash-expected.txt View 1 1 chunk +1 line, -1 line 0 comments Download
M third_party/WebKit/Source/core/dom/Document.cpp View 1 1 chunk +1 line, -0 lines 0 comments Download
M third_party/WebKit/Source/core/html/HTMLCollection.h View 2 chunks +6 lines, -2 lines 0 comments Download

Messages

Total messages: 11 (6 generated)
sof
please take a look. Took quite a while to pin down a testcase which would ...
4 years, 10 months ago (2016-02-09 14:03:43 UTC) #3
haraken
Nice detective work! LGTM.
4 years, 10 months ago (2016-02-09 14:38:43 UTC) #4
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1674273004/20001 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1674273004/20001
4 years, 10 months ago (2016-02-09 15:47:52 UTC) #7
commit-bot: I haz the power
Committed patchset #2 (id:20001)
4 years, 10 months ago (2016-02-09 15:53:54 UTC) #9
commit-bot: I haz the power
4 years, 10 months ago (2016-02-09 15:54:58 UTC) #11
Message was sent while issue was closed. 
Patchset 2 (id:??) landed as
https://crrev.com/48691755ab42b61dc11ec20cd70f2bfb0100eb8a
Cr-Commit-Position: refs/heads/master@{#374385}

Powered by Google App Engine
This is Rietveld 408576698