Mark methods of nsIPresShell and mozilla::PresShell as MOZ_CAN_RUN_SCRIPT (or at least MOZ_CAN_RUN_SCRIPT_BOUNDARY) if necessary
Categories
(Core :: Layout, task, P3)
Tracking
()
People
(Reporter: masayuki, Assigned: masayuki)
Details
Attachments
(21 files)
47 bytes,
text/x-phabricator-request
|
Details | Review | |
47 bytes,
text/x-phabricator-request
|
Details | Review | |
47 bytes,
text/x-phabricator-request
|
Details | Review | |
47 bytes,
text/x-phabricator-request
|
Details | Review | |
47 bytes,
text/x-phabricator-request
|
Details | Review | |
47 bytes,
text/x-phabricator-request
|
Details | Review | |
47 bytes,
text/x-phabricator-request
|
Details | Review | |
47 bytes,
text/x-phabricator-request
|
Details | Review | |
47 bytes,
text/x-phabricator-request
|
Details | Review | |
47 bytes,
text/x-phabricator-request
|
Details | Review | |
47 bytes,
text/x-phabricator-request
|
Details | Review | |
47 bytes,
text/x-phabricator-request
|
Details | Review | |
47 bytes,
text/x-phabricator-request
|
Details | Review | |
47 bytes,
text/x-phabricator-request
|
Details | Review | |
47 bytes,
text/x-phabricator-request
|
Details | Review | |
47 bytes,
text/x-phabricator-request
|
Details | Review | |
47 bytes,
text/x-phabricator-request
|
Details | Review | |
47 bytes,
text/x-phabricator-request
|
Details | Review | |
47 bytes,
text/x-phabricator-request
|
Details | Review | |
47 bytes,
text/x-phabricator-request
|
Details | Review | |
47 bytes,
text/x-phabricator-request
|
Details | Review |
Assignee | ||
Updated•6 years ago
|
Assignee | ||
Comment 1•6 years ago
|
||
I'll create some patches for example. Then, you're welcome to post patches instead of me. At that time, please let me know which method will you mark.
Assignee | ||
Comment 2•6 years ago
|
||
First of all, we should mark nsIPresShell::FlushPendingNotifications()
as
MOZ_CAN_RUN_SCRIPT
as soon as possible. Therefore, I'll mark all its callers
in PresShell
as MOZ_CAN_RUN_SCRIPT
first.
Assignee | ||
Comment 3•6 years ago
|
||
They are debug build only methods. So, callers of them shouldn't be marked
as MOZ_CAN_RUN_SCRIPT
only for them. Therefore, MOZ_CAN_RUN_SCRIPT_BOUNDARY
must be better.
Assignee | ||
Comment 4•6 years ago
|
||
Assignee | ||
Comment 5•6 years ago
|
||
Assignee | ||
Comment 6•6 years ago
|
||
Assignee | ||
Comment 7•6 years ago
|
||
Assignee | ||
Comment 8•6 years ago
|
||
Assignee | ||
Comment 9•6 years ago
|
||
Assignee | ||
Comment 10•6 years ago
|
||
So, this patch makes all caller of it safe including its arguments unless
they come from other methods.
Comment 11•6 years ago
|
||
Comment 12•6 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/dfce19e74038
https://hg.mozilla.org/mozilla-central/rev/f1a796212f61
https://hg.mozilla.org/mozilla-central/rev/33a2dec4cfd3
https://hg.mozilla.org/mozilla-central/rev/10608c915cc5
https://hg.mozilla.org/mozilla-central/rev/4f65a6a58238
https://hg.mozilla.org/mozilla-central/rev/7bc3d65d627f
https://hg.mozilla.org/mozilla-central/rev/32c1716986d2
https://hg.mozilla.org/mozilla-central/rev/a25a14f7150d
https://hg.mozilla.org/mozilla-central/rev/a57a60c0278d
Updated•6 years ago
|
Assignee | ||
Comment 13•6 years ago
|
||
Next, we should mark PresShell::ScrollContentIntoView()
as
MOZ_CAN_RUN_SCRIPT
because it's used widely.
This patch marks its PresShell
users, GoToAnchor()
and ScrollToAnchor()
,
as MOZ_CAN_RUN_SCRIPT
. Additionally, this patch moves them from
nsIPresShell
to PresShell
because all callers refers PresShell
directly.
Assignee | ||
Comment 14•6 years ago
|
||
This patch marks ScrollContentIntoView()
as MOZ_CAN_RUN_SCRIPT
and changing
some callers of them to guarantee thar their parent callers are also safe.
Additionally, this patch moves it from nsIPresShell
to PresShell
because
all callers can refer PresShell
directly.
Unfortunately, this patch changes a lot of methods in autocomplete and satchel
since this patch needs to mark some interface methods as can_run_script
and
they are called each other. This means that autocomplete module is really
sensitive like editor module. Perhaps, autocomplete and satchel should do
scroll asynchronously and unmark some of them as MOZ_CAN_RUN_SCRIPT
again.
Assignee | ||
Comment 15•6 years ago
|
||
Now, we can mark DoScrollContentIntoView()
as MOZ_CAN_RUN_SCRIPT
and move
it from nsIPresShell
to PresShell
with a member.
Comment 16•6 years ago
|
||
Comment 17•6 years ago
|
||
bugherder |
Assignee | ||
Comment 18•6 years ago
|
||
Assignee | ||
Comment 19•6 years ago
|
||
Assignee | ||
Comment 20•6 years ago
|
||
Unfortunately, EventChainVisitor
does not grab the nsPresContext
with
RefPtr
by itself. Therefore, there is no guarantee of the lifetime without
checking the origin when its subclasses are instantiated. This patch changes
it and subclasses to MOZ_STACK_CLASS
since only EventDispatcher::Dispatch()
creates them in the stack with given nsPresContext
. Additionally, it's
already been marked as MOZ_CAN_RUN_SCRIPT_BOUNDARY. Therefore, the
nsPresContextinstance has already been guaranteed its lifetime by the caller. For making this fact stronger, this patch marks their constructors as
MOZ_CAN_RUN_SCRIPT. Therefore, nobody can create those instances without guaranteeing the lifetime of
nsPresContextand
dom::Event. Note that it may look like that
mPresContextof
EventChainPostVisitoris not guaranteed. However,
EventChainPreVisitorwhich gives
nsPresContextto it is also a stack only class. So, it won't be deleted before
EventChainPostVisitor` instance.
Assignee | ||
Comment 21•6 years ago
|
||
Comment 22•6 years ago
|
||
Comment 23•6 years ago
|
||
bugherder |
Assignee | ||
Comment 24•6 years ago
|
||
Comment 25•6 years ago
|
||
Comment 26•6 years ago
|
||
bugherder |
Comment 27•5 years ago
|
||
The leave-open keyword is there and there is no activity for 6 months.
:svoisen, maybe it's time to close this bug?
Assignee | ||
Comment 28•5 years ago
|
||
There are some methods which must be marked as MOZ_CAN_RUN_SCRIPT
before closing this bug. I don't have much time for now, but I'll come back here.
Assignee | ||
Comment 29•5 years ago
|
||
smaug:
I have a question, I try to mark PresShell::MaybeReleaseCapturingContent()
because it calls nsFrameSelection::SetDragState(false)
and if it actually changes the state to false (i.e., drag state was true), it notifies selection listeners. However, it causes PresShell::Freeze()
and PresShell::Destroy()
also unsafe methods and that causes too many callers being also MOZ_CAN_RUN_SCRIPT
even though it's rare case.
I wonder, it must be reasonable to change SetDragState(false)
in this case as using NS_DispatchToCurrentThread()
if it's okay. Although, I don't know whether notifying selection listeners at that time is actually required or not. WDYT?
Assignee | ||
Comment 30•5 years ago
|
||
- https://hg.mozilla.org/try/rev/417a9a73b356dab0ce1f288da3a92640bf492588 (If we mark
Freeze()
asMOZ_CAN_RUN_SCRIPT
) - https://hg.mozilla.org/try/rev/853b4b06b7c6e70dcfa30bedc9ee81b49f3e467a (If we mark
Destroy()
asMOZ_CAN_RUN_SCRIPT
)
Comment 31•5 years ago
•
|
||
That sounds scary. We'd be in drag state and although we really aren't, and we could process some more user input events before handling
SetDragState(false).
Could we make only some parts of the code inside SetDragState() asynchronous?
Assignee | ||
Comment 32•5 years ago
|
||
It dispatches a DOM event so that it should be marked as MOZ_CAN_RUN_SCRIPT
.
Assignee | ||
Comment 33•5 years ago
|
||
It calls Document::FlushPendingNotification()
so that we should mark it
as MOZ_CAN_RUN_SCRIPT
.
And the method calls it of mDocument
and mDocument
is never modified
after it's initialized. Therefore, we can move the initializer to the
constructor and make RefPtr<Document>
to RefPtr<Document> const
. Thus,
we can avoid unnecessary auto RefPtr
.
Depends on D55801
Assignee | ||
Comment 34•5 years ago
|
||
While it calls RestyleManager::ContentStateChanged()
, it blocks script
with nsAutoCauseReflowNotifier
. Therefore, it should be marked as
MOZ_CAN_RUN_SCRIPT_BOUNDARY
at least (looks like the other override,
DocAccessible::ContentStateChanged()
does not run script).
I'm not sure about the lifetime of RestyleManager
. It's destroyed when
nsPresContext::DetachPresShell()
is called. It's called by
PresShell::Destroy()
and destructor of nsPresContext
. The latter is
safe since PresShell
owns mPresContext
. However, I'm not sure about
the former. It might be better to create blocker of synchronous handling of
PresShell::Destroy()
.
And also this does not make Document::ContentStateChanged()
use
RefPtr<PresShell>
at calling it because it might cause performance
regression, but it does not do anything after destroying
nsAutoCauseReflowNotifier
.
Depends on D55803
Assignee | ||
Comment 35•5 years ago
|
||
It removes a script blocker. Therefore, although it depends on the caller
whether it causes running script or not. However, we should mark it as
MOZ_CAN_RUN_SCRIPT
for safer code.
It's called only by the destructor of nsAutoCauseReflowNotifier
. Therefore,
this patch also marks its constructor as MOZ_CAN_RUN_SCRIPT
for making
each creator method marked as MOZ_CAN_RUN_SCRIPT
or
MOZ_CAN_RUN_SCRIPT_BOUNDARY
.
Most of the creators is mutation listener methods. However, PresShell
does nothing after destroying nsAutoCauseReflowNotifier
. Therefore,
this patch does not change the callers in MutationObserver.cpp to use
RefPtr<PresShell>
at calling them because changing it may cause performance
regression.
Perhaps, we should create another methods of WillCauseReflow()
and
DidCauseReflow()
to avoid unnecessary MOZ_CAN_RUN_SCRIPT
marking.
However, I'm not sure whether most callers may run script or not because
of outside of my knowledge.
Depends on D55804
Updated•5 years ago
|
Updated•5 years ago
|
Updated•5 years ago
|
Updated•5 years ago
|
Comment 36•5 years ago
|
||
Comment 37•5 years ago
|
||
bugherder |
Comment 38•5 years ago
|
||
Comment 39•5 years ago
|
||
bugherder |
Comment 40•5 years ago
|
||
Comment 41•5 years ago
|
||
bugherder |
Comment 42•5 years ago
|
||
Comment 43•5 years ago
|
||
bugherder |
Comment 44•4 years ago
|
||
The leave-open keyword is there and there is no activity for 6 months.
:svoisen, maybe it's time to close this bug?
Comment 45•4 years ago
|
||
Hi Masayuki, Do you still want this left open?
Assignee | ||
Comment 46•4 years ago
|
||
Well, still there are some methods which should be marked as MOZ_CAN_RUN_SCRIPT
. But I don't have much time to work on this at least next several months. So, I'd like to keep this open, but it make bug management harder, cloning this bug without assignee is also fine to me.
Assignee | ||
Comment 47•4 years ago
|
||
Okay, I'll mark this as fixed and when I'm back this issue, I'll file new bugs which blocks this bug.
Description
•