Bug 123178

Summary: ScriptWrappable Interfaces inheriting from EventTarget but not ActiveDOMObject will cause a crash when finalized
Product: WebKit Reporter: Jer Noble <jer.noble>
Component: BindingsAssignee: Nobody <webkit-unassigned>
Status: NEW ---    
Severity: Normal CC: ap, ggaren, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   

Description Jer Noble 2013-10-22 15:42:23 PDT 
When creating a wrapper for a ScriptWrappable EventTarget subclass, the bindings code goes through the setInlineCachedWrapper() path.  But when unwrapping, it goes through the weakRemove() path, as there's no way for the bindings code to know whether a given EventTarget* pointer is ScriptWrappable or not.  The code will eventually ASSERT, but crash in release builds, with the following stack trace:


    frame #0: 0x0000000112222aea JavaScriptCore`WTFCrash + 42 at Assertions.cpp:342
    frame #1: 0x0000000113cee068 WebCore`void JSC::weakRemove<WTF::HashMap<void*, JSC::Weak<JSC::JSObject>, WTF::PtrHash<void*>, WTF::HashTraits<void*>, WTF::HashTraits<JSC::Weak<JSC::JSObject> > >, void*, WebCore::JSEventTarget*>(map=0x00007fbd7ae05d68, key=0x00007fff55594140, value=0x000000011e0ded70) + 168 at WeakInlines.h:136
    frame #2: 0x0000000113cedf64 WebCore`void WebCore::uncacheWrapper<WebCore::EventTarget, WebCore::JSEventTarget>(world=0x00007fbd7ae05d60, domObject=0x00007fbd7a820600, wrapper=0x000000011e0ded70) + 100 at JSDOMBinding.h:198
    frame #3: 0x0000000113cedbe5 WebCore`WebCore::JSEventTargetOwner::finalize(this=0x00007fbd7aa099e0, handle=Handle<JSC::Unknown> at 0x00007fff555941a0, context=0x00007fbd7ae05d60) + 101 at JSEventTarget.cpp:173
    frame #4: 0x00000001121e211d JavaScriptCore`JSC::WeakBlock::finalize(this=0x000000010f14e000, weakImpl=0x000000010f14e5b8) + 189 at WeakSetInlines.h:52
    frame #5: 0x00000001121e1ade JavaScriptCore`JSC::WeakBlock::sweep(this=0x000000010f14e000) + 158 at WeakBlock.cpp:76
Comment 1 Jer Noble 2013-10-22 15:43:52 PDT 
It looks like making the interface an ActiveDOMObject works because bindings generator will add a custom finalize method for that interface.
Comment 2 Radar WebKit Bug Importer 2014-10-27 11:04:30 PDT 
<rdar://problem/18782977>