Description

v8binding: Makes Location's wrapper objects alive, really.

https://crbug.com/252482 demonstrates that
a) V8HTMLDocument's locationAttributeGetter is NOT using a private
   property to keep the location's wrapper alive.
b) Location.idl does NOT specify [DependentLifetime].
c) V8 minor GC can collect a wrapper object of document.location
   if author script has no reference to it.
d) V8Window::locationAttributeGetterCustom is using a private
   property to keep it alive, but it may be too late. At c), V8
   may have already collected the location's wrapper object, and
   expandos may have been gone.

The direct cause is that
1) There are two paths to create a Location's wrapper object;
   window.location and document.location.
2) document.location doesn't use a private property (keep_alive)
   though window.location uses it.

This CL makes the following changes.
i) Uses the wrapper tracing in order to make Location's wrapper
   objects alive.
ii) Makes Location [DependentLifetime] so that the wrapper tracing
   works.

BUG=252482
Review-Url: https://codereview.chromium.org/2826393004
Cr-Commit-Position: refs/heads/master@{#467313}
Committed: https://chromium.googlesource.com/chromium/src/+/8e12aef305793ef5b7689939faa027ce3be906da
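
The lifetime reasoning in the description above, as a toy model in JavaScript. This is an added example, not code from the CL or from Blink/V8: the `ToyBindings` class, its fields and the `expandoSurvives` helper are hypothetical, and the minor GC is simulated rather than triggered in a real engine.

```javascript
// Toy model, constructed for illustration; not Blink or V8 code.
class ToyBindings {
  constructor({ traceLocation }) {
    this.traceLocation = traceLocation; // models changes i) and ii) of the CL
    this.locationWrapper = null;        // wrapper-cache entry for the native Location
    this.pinnedByWindow = false;        // models window.location's keep-alive private property
  }

  // The native Location outlives its wrapper; a re-created wrapper has no expandos.
  wrapLocation() {
    if (!this.locationWrapper) this.locationWrapper = {};
    return this.locationWrapper;
  }

  // Path 1: window.location pins the wrapper when the getter runs.
  get windowLocation() {
    const wrapper = this.wrapLocation();
    this.pinnedByWindow = true;
    return wrapper;
  }

  // Path 2: document.location creates the same wrapper without pinning it.
  get documentLocation() {
    return this.wrapLocation();
  }

  // Minor GC while author script holds no reference to the wrapper (point c).
  minorGC() {
    const reachable = this.pinnedByWindow || this.traceLocation;
    if (!reachable) this.locationWrapper = null;
  }
}

// Sets an expando through one path, drops the reference, runs the simulated
// minor GC, then reads the expando back through another path.
function expandoSurvives({ traceLocation, setVia, readVia }) {
  const bindings = new ToyBindings({ traceLocation });
  bindings[setVia].marker = 'set-by-script';
  bindings.minorGC();
  return bindings[readVia].marker === 'set-by-script';
}
```

With `traceLocation: false`, an expando set through `documentLocation` is lost even when read back through `windowLocation`, because the pin is applied only after the wrapper has already been re-created (point d).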
Patch Set 1
Total comments: 2
Patch Set 2 : Addressed a review comment.
Patch Set 3 : Added a layout test.
Messages
Total messages: 23 (13 generated)