Bug 186360

Summary: Do some hardening in JSLazyEventListener
Product: WebKit Reporter: Chris Dumez <cdumez>
Component: DOMAssignee: Chris Dumez <cdumez>
Status: RESOLVED WONTFIX    
Severity: Normal CC: bfulgham, darin, ggaren, koivisto, rniwa, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch none

Chris Dumez
Reported 2018-06-06 12:13:17 PDT
Do some hardening in JSLazyEventListener.
Attachments
Patch (17.69 KB, patch)
2018-06-06 12:21 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Chris Dumez
Comment 1 2018-06-06 12:13:31 PDT
<rdar://problem/34297947>
Chris Dumez
Comment 2 2018-06-06 12:21:54 PDT
Created attachment 342071 [details] Patch
Geoffrey Garen
Comment 3 2018-06-06 12:30:27 PDT
Comment on attachment 342071 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=342071&action=review > Source/WebCore/dom/NodeRareData.cpp:41 > struct SameSizeAsNodeRareData { > unsigned m_bitfields : 20; > - void* m_pointer[3]; > + void* m_pointer[4]; > }; > > COMPILE_ASSERT(sizeof(NodeRareData) == sizeof(SameSizeAsNodeRareData), NodeRareDataShouldStaySmall); It looks like Ryosuke at one point believed it was important to performance for this class to stay small: <https://trac.webkit.org/changeset/137003/webkit>. Are we sure it's OK to get bigger, especially just for hardening? I believe that only elements can have inline event listeners. Maybe we reduce the pain by putting the weak pointer factory on element?
Chris Dumez
Comment 4 2018-06-06 12:34:40 PDT
(In reply to Geoffrey Garen from comment #3) > Comment on attachment 342071 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=342071&action=review > > > Source/WebCore/dom/NodeRareData.cpp:41 > > struct SameSizeAsNodeRareData { > > unsigned m_bitfields : 20; > > - void* m_pointer[3]; > > + void* m_pointer[4]; > > }; > > > > COMPILE_ASSERT(sizeof(NodeRareData) == sizeof(SameSizeAsNodeRareData), NodeRareDataShouldStaySmall); > > It looks like Ryosuke at one point believed it was important to performance > for this class to stay small: > <https://trac.webkit.org/changeset/137003/webkit>. I will let Ryosuke comment on this. > > Are we sure it's OK to get bigger, especially just for hardening? Well, hardening against a very valid crash (see radar). > > I believe that only elements can have inline event listeners. Maybe we > reduce the pain by putting the weak pointer factory on element? In this class, m_originalNode can either be an Element or a Document, so I don't think I can move it to Element / ElementRareData. Note that until fairly recently, we had a WeakPtrFactory in ElementRareData. I killed recently because there were no more users for it. That said, we never saw a regression when I added this WeakPtrFactory in ElementRareData in the past.
Geoffrey Garen
Comment 5 2018-06-06 12:39:00 PDT
> > Are we sure it's OK to get bigger, especially just for hardening? > > Well, hardening against a very valid crash (see radar). Yeah, I guess it's a distraction to question the value of hardening. Let's focus on whether it's OK to grow this data structure, and what alternatives to consider if it's not OK.
Ryosuke Niwa
Comment 6 2018-06-06 22:35:15 PDT
Comment on attachment 342071 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=342071&action=review >>> Source/WebCore/dom/NodeRareData.cpp:41 >>> COMPILE_ASSERT(sizeof(NodeRareData) == sizeof(SameSizeAsNodeRareData), NodeRareDataShouldStaySmall); >> >> It looks like Ryosuke at one point believed it was important to performance for this class to stay small: <https://trac.webkit.org/changeset/137003/webkit>. >> >> Are we sure it's OK to get bigger, especially just for hardening? >> >> I believe that only elements can have inline event listeners. Maybe we reduce the pain by putting the weak pointer factory on element? > > I will let Ryosuke comment on this. I don't think this is okay. We make zillions of Text nodes with whitespaces in any given page. We should limit this to only Element and also run Speedometer, PLT, & our internal memory tests to ensure there is no regression.
Chris Dumez
Comment 7 2018-06-07 08:51:41 PDT
(In reply to Ryosuke Niwa from comment #6) > Comment on attachment 342071 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=342071&action=review > > >>> Source/WebCore/dom/NodeRareData.cpp:41 > >>> COMPILE_ASSERT(sizeof(NodeRareData) == sizeof(SameSizeAsNodeRareData), NodeRareDataShouldStaySmall); > >> > >> It looks like Ryosuke at one point believed it was important to performance for this class to stay small: <https://trac.webkit.org/changeset/137003/webkit>. > >> > >> Are we sure it's OK to get bigger, especially just for hardening? > >> > >> I believe that only elements can have inline event listeners. Maybe we reduce the pain by putting the weak pointer factory on element? > > > > I will let Ryosuke comment on this. > > I don't think this is okay. We make zillions of Text nodes with whitespaces > in any given page. > We should limit this to only Element and also run Speedometer, PLT, & our > internal memory tests to ensure there is no regression. As I previously explained, I did not limit this to Element because m_originalNode is a ContainerNode (can be an Element or a Document).
Chris Dumez
Comment 8 2018-06-08 11:16:30 PDT
WONTFIX for now, even though this seems power-neutral on Speedometer. I'll try and get better repro-steps for the crash to fix the underlying issue instead.
Lucas Forschler
Comment 9 2019-02-06 09:19:09 PST
Mass move bugs into the DOM component.
Note You need to log in before you can comment on or make changes to this bug.