Chromium Code Reviews
|
|
Chromium Code Reviews
Issue
2530243002:
Crash in blink::getTypeExtension (Closed)
|
Created:
4 years ago by Anton Obzhirov Modified:
3 years, 10 months ago Reviewers:
dominicc (has gone to gerrit) CC:
blink-reviews, blink-reviews-dom_chromium.org, chromium-reviews, dglazkov+blink, eae+blinkwatch, rwlbuis, sof Target Ref:
refs/pending/heads/master Project:
chromium Visibility:
Public. |
DescriptionCrash in blink::getTypeExtension
BUG=666610
Review-Url: https://codereview.chromium.org/2530243002
Cr-Commit-Position: refs/heads/master@{#447807}
Committed: https://chromium.googlesource.com/chromium/src/+/91ce1ab1209aaec1750eb1c1c3b77d606333abe1
Patch Set 1 #
Total comments: 4
Patch Set 2 : Updated after review #
Total comments: 4
Patch Set 3 : Updated test and removed extra use count after review. #
Total comments: 1
Patch Set 4 : Crash in blink::getTypeExtension #
Messages
Total messages: 20 (6 generated)
Description was changed from ========== Crash in blink::getTypeExtension BUG=666610 ========== to ========== Crash in blink::getTypeExtension BUG=666610 ==========
a.obzhirov@samsung.com changed reviewers: + dominicc@chromium.org
drive-by comments https://codereview.chromium.org/2530243002/diff/1/third_party/WebKit/Source/c... File third_party/WebKit/Source/core/dom/Document.cpp (right): https://codereview.chromium.org/2530243002/diff/1/third_party/WebKit/Source/c... third_party/WebKit/Source/core/dom/Document.cpp:702: if (impl.hasIs()) Is |exceptionState| intentionally ignored here? https://codereview.chromium.org/2530243002/diff/1/third_party/WebKit/Source/c... third_party/WebKit/Source/core/dom/Document.cpp:705: v8::Local<v8::String> stringObject; The spec says "Let 'is' be the value of |is| member of 'options', or null if no such member exists", so the need for stringification of the dict is backward compat motivated, presumably..? Is that a common use of createElement(), why isn't it being use-counted? A comment explaining why this is done, would be helpful for someone looking at the code. (V8StringResource<> is useful for doing toString() conversions, but I don't yet fully understand the motivation for this case.)
https://codereview.chromium.org/2530243002/diff/1/third_party/WebKit/Source/c... File third_party/WebKit/Source/core/dom/Document.cpp (right): https://codereview.chromium.org/2530243002/diff/1/third_party/WebKit/Source/c... third_party/WebKit/Source/core/dom/Document.cpp:702: if (impl.hasIs()) On 2016/11/26 07:36:30, sof wrote: > Is |exceptionState| intentionally ignored here? Previously getTypeExtension was called in createElement/createElementNS with unmodified state. Now it is not the case and it is better to do anyway so I will add the check, thanks for spotting. https://codereview.chromium.org/2530243002/diff/1/third_party/WebKit/Source/c... third_party/WebKit/Source/core/dom/Document.cpp:705: v8::Local<v8::String> stringObject; On 2016/11/26 07:36:30, sof wrote: > The spec says "Let 'is' be the value of |is| member of 'options', or null if no > such member exists", so the need for stringification of the dict is backward > compat motivated, presumably..? Is that a common use of createElement(), why > isn't it being use-counted? > > A comment explaining why this is done, would be helpful for someone looking at > the code. > > (V8StringResource<> is useful for doing toString() conversions, but I don't yet > fully understand the motivation for this case.) Yes, stringification of the dictionary is for backward compatibility only. Before introduction of the dictionary the second argument was converted to string for all cases automatically. I think I missed use-counting here because technically it wasn't a string argument but you are right, it has to be done here as well. For the code to be aligned with the spec the string argument should be deprecated first but plz correct me if I am wrong.
Hi Dominic, I started to make changes to update the patch and then I realized that since the code uses stringOrOptions.isDictionary() in createElement as V1 flag essentially there is no way for V0 to create custom element using stringified second argument. It might break compatibility for V0 elements but it is probably very rare case. Should we remove stringification completely from getTypeExtension?
On 2016/11/29 at 17:06:24, a.obzhirov wrote: > Hi Dominic, > > I started to make changes to update the patch and then I realized that since the code uses stringOrOptions.isDictionary() in createElement as V1 flag essentially there is no way for V0 to create custom element using stringified second argument. It might break compatibility for V0 elements but it is probably very rare case. > > Should we remove stringification completely from getTypeExtension? Really sorry for the slow reply. Could you clarify what will be broken? Stringified arguments, but not strings, for V0? That's probably fine--it sounds like an edge case of an edge case. Let me reiterate the goals we have here, it might help: - We want to remove stringifying the second argument, including taking an actual string parameter. - We want content to move from document.registerElement to customElements.define. - In general, we don't want to break content or churn APIs unnecessarily.
On 2016/12/07 07:50:45, dominicc wrote: > On 2016/11/29 at 17:06:24, a.obzhirov wrote: > > Hi Dominic, > > > > I started to make changes to update the patch and then I realized that since > the code uses stringOrOptions.isDictionary() in createElement as V1 flag > essentially there is no way for V0 to create custom element using stringified > second argument. It might break compatibility for V0 elements but it is probably > very rare case. > > > > Should we remove stringification completely from getTypeExtension? > > Really sorry for the slow reply. NP, was quite busy recently. > > Could you clarify what will be broken? Stringified arguments, but not strings, > for V0? That's probably fine--it sounds like an edge case of an edge case. > > Let me reiterate the goals we have here, it might help: > > - We want to remove stringifying the second argument, including taking an actual > string parameter. > - We want content to move from document.registerElement to > customElements.define. > - In general, we don't want to break content or churn APIs unnecessarily. Yes, I meant stringified second argument for V0. Makes sense, I will remove the stringification and update the patch today.
Updated, plz have a look.
Comments inline. https://codereview.chromium.org/2530243002/diff/20001/third_party/WebKit/Layo... File third_party/WebKit/LayoutTests/fast/dom/custom/crash-in-getTypeExtension.html (right): https://codereview.chromium.org/2530243002/diff/20001/third_party/WebKit/Layo... third_party/WebKit/LayoutTests/fast/dom/custom/crash-in-getTypeExtension.html:1: <!DOCTYPE html> Could you change the test in this file? - Register a v0 custom element which extends div and is called x-foo. - Add a TODO to switch to customElements.define when customized built-in elements are supported. - Add a test where toString returns x-foo. Assert that x-foo is NOT created, just an ordinary DIV is. Assert that toString is *not* called. (It's not called, right?) https://codereview.chromium.org/2530243002/diff/20001/third_party/WebKit/Sour... File third_party/WebKit/Source/core/dom/Document.cpp (right): https://codereview.chromium.org/2530243002/diff/20001/third_party/WebKit/Sour... third_party/WebKit/Source/core/dom/Document.cpp:698: // Do not handle stringification, but count it as a string handling This changes behavior because we won't toString the argument now. I would not use count this path with this counter, because this path is already changed. If you want to count it at all, I would add a second counter.
https://codereview.chromium.org/2530243002/diff/20001/third_party/WebKit/Layo... File third_party/WebKit/LayoutTests/fast/dom/custom/crash-in-getTypeExtension.html (right): https://codereview.chromium.org/2530243002/diff/20001/third_party/WebKit/Layo... third_party/WebKit/LayoutTests/fast/dom/custom/crash-in-getTypeExtension.html:1: <!DOCTYPE html> On 2017/01/19 05:34:46, dominicc wrote: > Could you change the test in this file? > > - Register a v0 custom element which extends div and is called x-foo. > - Add a TODO to switch to customElements.define when customized built-in > elements are supported. > - Add a test where toString returns x-foo. Assert that x-foo is NOT created, > just an ordinary DIV is. Assert that toString is *not* called. (It's not called, > right?) Yes, with this change it will not be called at all. Will do. https://codereview.chromium.org/2530243002/diff/20001/third_party/WebKit/Sour... File third_party/WebKit/Source/core/dom/Document.cpp (right): https://codereview.chromium.org/2530243002/diff/20001/third_party/WebKit/Sour... third_party/WebKit/Source/core/dom/Document.cpp:698: // Do not handle stringification, but count it as a string handling On 2017/01/19 05:34:46, dominicc wrote: > This changes behavior because we won't toString the argument now. I would not > use count this path with this counter, because this path is already changed. If > you want to count it at all, I would add a second counter. I think no need to count this case it should be very rare.
I had also to change the test after I realized we get now NotFoundError if create element with invalid dictionary. Plz have a look.
lgtm https://codereview.chromium.org/2530243002/diff/40001/third_party/WebKit/Layo... File third_party/WebKit/LayoutTests/fast/dom/custom/crash-in-getTypeExtension.html (right): https://codereview.chromium.org/2530243002/diff/40001/third_party/WebKit/Layo... third_party/WebKit/LayoutTests/fast/dom/custom/crash-in-getTypeExtension.html:12: assert_false(toStringCalled, "toString should not have been called."); Use single quotes for consistency here and on line 13.
Minor nit inline.
The CQ bit was checked by a.obzhirov@samsung.com
The patchset sent to the CQ was uploaded after l-g-t-m from dominicc@chromium.org Link to the patchset: https://codereview.chromium.org/2530243002/#ps60001 (title: "Crash in blink::getTypeExtension")
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
CQ is committing da patch.
Bot data: {"patchset_id": 60001, "attempt_start_ts": 1486053485761690,
"parent_rev": "0b2a5078b32cbed2cf7465073315d90356b3aa6c", "commit_rev":
"91ce1ab1209aaec1750eb1c1c3b77d606333abe1"}
Message was sent while issue was closed.
Description was changed from ========== Crash in blink::getTypeExtension BUG=666610 ========== to ========== Crash in blink::getTypeExtension BUG=666610 Review-Url: https://codereview.chromium.org/2530243002 Cr-Commit-Position: refs/heads/master@{#447807} Committed: https://chromium.googlesource.com/chromium/src/+/91ce1ab1209aaec1750eb1c1c3b7... ==========
Message was sent while issue was closed.
Committed patchset #4 (id:60001) as https://chromium.googlesource.com/chromium/src/+/91ce1ab1209aaec1750eb1c1c3b7... |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
