
Unified Diff: third_party/WebKit/Source/bindings/core/v8/DOMWrapperWorld.h

Issue 2617733004: binding: Changes the association among global-proxy/global/window-instance. (Closed)
Patch Set: Addressed review comments. Created 3 years, 10 months ago
Index: third_party/WebKit/Source/bindings/core/v8/DOMWrapperWorld.h
diff --git a/third_party/WebKit/Source/bindings/core/v8/DOMWrapperWorld.h b/third_party/WebKit/Source/bindings/core/v8/DOMWrapperWorld.h
index fdbaa431aa9c2ce9b513e25cc71a0e5f398814ad..2f6db85055108ee4785b83fea0230388f30a7ddf 100644
--- a/third_party/WebKit/Source/bindings/core/v8/DOMWrapperWorld.h
+++ b/third_party/WebKit/Source/bindings/core/v8/DOMWrapperWorld.h
@@ -43,6 +43,7 @@
namespace blink {
class DOMDataStore;
+class DOMObjectHolderBase;
enum WorldIdConstants {
MainWorldId = 0,
@@ -54,8 +55,6 @@ enum WorldIdConstants {
TestingWorldId,
};
-class DOMObjectHolderBase;
-
// This class represent a collection of DOM wrappers for a specific world.
class CORE_EXPORT DOMWrapperWorld : public RefCounted<DOMWrapperWorld> {
public:
@@ -114,7 +113,6 @@ class CORE_EXPORT DOMWrapperWorld : public RefCounted<DOMWrapperWorld> {
int worldId() const { return m_worldId; }
DOMDataStore& domDataStore() const { return *m_domDataStore; }
- public:
template <typename T>
void registerDOMObjectHolder(v8::Isolate*, T*, v8::Local<v8::Value>);
@@ -126,6 +124,29 @@ class CORE_EXPORT DOMWrapperWorld : public RefCounted<DOMWrapperWorld> {
void registerDOMObjectHolderInternal(std::unique_ptr<DOMObjectHolderBase>);
void unregisterDOMObjectHolder(DOMObjectHolderBase*);
+ // Dissociates all wrappers in all worlds associated with |scriptWrappable|.
+ //
+ // Do not use this function except for DOMWindow. Only DOMWindow needs to
+ // dissociate wrappers from the ScriptWrappable because of the following two
+ // reasons.
+ //
+ // Reason 1) Case of the main world
+ // A DOMWindow may be collected by Blink GC *before* V8 GC collects the
+ // wrapper because the wrapper object associated with a DOMWindow is a global
+ // proxy object, which remains after navigations. We don't want V8 GC
+ // to reset the weak persistent handle within the DOMWindow *after* Blink GC
+ // collects the DOMWindow because it's use-after-free. Thus, we need to
+ // dissociate the wrapper in advance.
+ //
+ // Reason 2) Case of isolated worlds
+ // As same, a DOMWindow may be collected before the wrapper gets collected.
+ // A DOMWrapperMap supports mapping from ScriptWrappable* to v8::Global<T>,
+ // and we don't want to leave an entry of an already-dead DOMWindow* to the
+ // persistent handle for the global proxy object, especially considering that
+ // the address to the already-dead DOMWindow* may be re-used.
+ friend class DOMWindow;
+ static void dissociateDOMWindowWrappersInAllWorlds(ScriptWrappable*);
+
static unsigned isolatedWorldCount;
const int m_worldId;
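Review bot: The "Do not use this function except for DOMWindow" restriction on `dissociateDOMWindowWrappersInAllWorlds` is only compiler-enforced if the declaration sits in a private section, and the access specifier governing this region is outside the hunk; it is worth confirming the function is not public, since the preceding `friend class DOMWindow;` has no effect otherwise and the comment would be the only guard against a caller dissociating wrappers for an arbitrary ScriptWrappable that is still alive. The use-after-free rationale in the comment is valuable and should stay; one wording nit in the second reason: `// Likewise, a DOMWindow may be collected before the wrapper gets collected.` reads better than "As same". The class body of DOMWrapperWorld continues outside the hunk.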
