chromium中脚本执行的代码路径

webkit中脚本执行代码路径：

void HTMLDocumentParser::pumpTokenizer(SynchronousMode mode)
{。。。
bool HTMLDocumentParser::runScriptsForPausedTreeBuilder()
{。。。    
bool HTMLScriptRunner::execute(PassRefPtr<Element> scriptElement, const TextPosition1& scriptStartPosition)
{。。。          
void HTMLScriptRunner::runScript(Element* script, const TextPosition1& scriptStartPosition)
{。。。               
void ScriptElement::executeScript(const ScriptSourceCode& sourceCode)
{。。。                    
ScriptValue ScriptController::executeScript(const ScriptSourceCode& sourceCode, ShouldAllowXSS shouldAllowXSS)
{。。。                           
ScriptValue ScriptController::evaluate(const ScriptSourceCode& sourceCode, ShouldAllowXSS shouldAllowXSS)
{。。。

影子对象和DOMWindow实例

// Create a new environment and setup the global object. // // The global object corresponds to a DOMWindow instance. However, to // allow properties of the JS DOMWindow instance to be shadowed, we // use a shadow object as the global object and use the JS DOMWindow // instance as the prototype for that shadow object. The JS DOMWindow // instance is undetectable from javascript code because the __proto__ // accessors skip that object. // // The shadow object and the DOMWindow instance are seen as one object // from javascript. The javascript object that corresponds to a // DOMWindow instance is the shadow object. When mapping a DOMWindow // instance to a V8 object, we return the shadow object. // ……… bool V8DOMWindowShell::initContextIfNeeded() {………if (!installDOMWindow(v8Context, m_frame->domWindow())) { disposeContextHandles(); return false; }………

initContextIfNeeded这个函数非常关键，它调用了installDOMWindow完成了window对象和dom对象绑定到V8中。



函数上面的注释也不容忽略：







JavaScript中的全局对象和DOMWindow实例相对应。但为了隐藏DOMWindow中的某些属性，chromium用了一种影子对象作为javascript中的全局对象，



并且使用DOMWindow实例作为这个影子对象的原型。在Javascript空间中是无法察觉DOMWindow实例的，因为__proto__ 的访问器会直接跳过它。







影子对象和DOMWindow实例在javascript环境中被看做是同一个对象。对应于DOMWindow实例的javascript对象其实是影子对象。当映射DOMWindow实例



为V8对象时，返回的是影子对象。