Bug 301334
| Summary: | Dereferenced WeakRef's are not strongified | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | olivf |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW | | |
| Severity: | Normal | CC: | keith_miller, olivf, omerkatz, syg, webkit-bug-importer, ysuzuki |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
olivf
While discussing a user-reported OOM exception in V8 (http://crbug.com/42202112), we noticed that JSC does not behave in a spec-compliant way with regard to weak refs. Namely, it seems to either not implement `9.11 AddToKeptObjects` or call `9.10 ClearKeptObjects` earlier than allowed.
Quoting (https://tc39.es/ecma262/#sec-weakref-invariants) "When WeakRef.prototype.deref is called, the referent (if undefined is not returned) is kept alive so that subsequent, synchronous accesses also return the same value".
In other words, dereferencing a weak ref temporarily makes it strong until the end of the current microtask.
Here is a repro which prints "not defined" but is supposed to print "defined".
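```
// Runs in the jsc shell, which provides gc() and print().
let o = {};
let wr1;
let wr2;
(function() {
  wr1 = new WeakRef(o);
  wr2 = new WeakRef(o);
})();
o = null; // only the two WeakRefs refer to the object now
setTimeout(function() {
  // Deref through wr1, then drop wr1 itself before collecting.
  (function () { wr1.deref(); })();
  wr1 = null;
  gc();
  // Same job as the deref above, so the referent should still be alive.
  if (typeof wr2.deref() === 'undefined') {
    print("undefined");
  } else {
    print("not undefined");
  }
}, 0);
```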
Radar WebKit Bug Importer
<rdar://problem/163702155>
Keith Miller
Oh, interesting, I guess either I misunderstood the spec or it changed at some point.
We basically make the WeakRef a strong pointer when it gets derefed until the next event loop turn. From our implementation's perspective that's certainly a lot easier (and more performant); that said, it does seem like we don't implement the spec.
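
The repro's sequence replayed against a toy reachability model, as an added example that is not part of the bug thread and is not JavaScriptCore or V8 code. The `per-weakref` mode is an assumed reading of the comment above (the strong edge is stored in the WeakRef itself); `ToyHeap` and `replayRepro` are hypothetical names.

```javascript
// Toy reachability model, constructed for illustration; no real engine code.
class ToyHeap {
  constructor(mode) {
    this.mode = mode;            // "spec" or "per-weakref" (assumed reading)
    this.objects = new Set();    // every allocated cell, identified by a number
    this.roots = new Set();      // cells still referenced by program variables
    this.weakRefs = new Map();   // WeakRef cell -> { target, pinned }
    this.keptAlive = new Set();  // agent-wide kept-objects list (spec mode only)
    this.nextId = 1;
  }
  alloc() { const id = this.nextId++; this.objects.add(id); return id; }
  newWeakRef(target) {           // constructor-time keeping is left out of this model
    const id = this.alloc();
    this.weakRefs.set(id, { target, pinned: false });
    return id;
  }
  deref(wr) {
    const ref = this.weakRefs.get(wr);
    if (ref.target === undefined) return undefined;
    if (this.mode === "spec") this.keptAlive.add(ref.target); // AddToKeptObjects
    else ref.pinned = true;      // strong edge lives inside the WeakRef cell itself
    return ref.target;
  }
  endOfJob() {                   // ClearKeptObjects / next event loop turn
    this.keptAlive.clear();
    for (const ref of this.weakRefs.values()) ref.pinned = false;
  }
  gc() {
    const live = new Set([...this.roots, ...this.keptAlive]);
    for (const id of [...live]) { // a pinned target is live only if its WeakRef is live
      const ref = this.weakRefs.get(id);
      if (ref && ref.pinned && ref.target !== undefined) live.add(ref.target);
    }
    for (const id of [...this.objects])
      if (!live.has(id)) { this.objects.delete(id); this.weakRefs.delete(id); }
    for (const ref of this.weakRefs.values())
      if (!live.has(ref.target)) ref.target = undefined;
  }
}
function replayRepro(mode) {
  const heap = new ToyHeap(mode);
  const o = heap.alloc(); heap.roots.add(o);          // let o = {}
  const wr1 = heap.newWeakRef(o), wr2 = heap.newWeakRef(o);
  heap.roots.add(wr1); heap.roots.add(wr2);
  heap.roots.delete(o);                               // o = null
  heap.endOfJob();                                    // timer callback is a later job
  heap.deref(wr1);
  heap.roots.delete(wr1);                             // wr1 = null
  heap.gc();
  return heap.deref(wr2) === undefined ? "undefined" : "not undefined";
}
```

In the `per-weakref` mode the pin dies with `wr1`, so the referent is collected inside the same job; in the `spec` mode the agent-wide list keeps it alive regardless of which WeakRef was dereferenced.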