Bug 45309

Summary: ActiveDOMObjects::hasPendingActivity doesn't prevent element wrapper collection
Product: WebKit Reporter: Eric Carlson <eric.carlson>
Component: WebCore JavaScriptAssignee: Nobody <webkit-unassigned>
Status: NEW    
Severity: Normal CC: abarth, antonm, ap, ggaren, jorlow, vestbo
Priority: P1 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Attachments:
Description Flags
test case (may crash) none

Eric Carlson
Reported 2010-09-07 10:37:31 PDT
Created attachment 66738 [details] test case (may crash) Even with the changes for https://bugs.webkit.org/show_bug.cgi?id=45306, the attached test case asserts in JSEventListener::jsFunction when a media element tries to fire an event after the js wrapper has been collected. Those changes should prevent this because they make HTMLMediaElement inherit from ActiveDOMObject and 1) return true from hasPendingActivity when events are in the queue, and 2) flush pending events in suspend/stop. It doesn't prevent the object from being collected because when markActiveObjectsForContext sees that a media element has pending activity it calls markDOMObjectWrapper, but the media element has a DOMNodeWrapper so the mark never happens and the element is collected.
Attachments
test case (may crash) (4.94 KB, text/html)
2010-09-07 10:37 PDT, Eric Carlson 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Alexey Proskuryakov
Comment 1 2010-09-08 13:16:37 PDT
We're hitting this for media elements and with marquee.
Alexey Proskuryakov
Comment 2 2011-01-28 11:09:44 PST
<rdar://problem/8931194> ActiveDOMObjects::hasPendingActivity doesn't prevent element wrapper collection
Geoffrey Garen
Comment 3 2011-04-27 17:14:00 PDT
I believe that all we need to do to fix this bug is to mark these elements with the ActiveDOMObject IDL attribute.
Alexey Proskuryakov
Comment 4 2011-10-12 10:54:45 PDT
This test doesn't ASSERT in ToT, although there is no ActiveDOMObject IDL attribute on the elements. I'm not sure if this is just because of some unrelated behavior change that renders the test ineffective, or the problem is somehow fully fixed.
Adam Barth
Comment 5 2012-11-16 12:00:54 PST
This will likely be fixed when I fix bug 101428. It might actually be fixed on trunk currently given that we're using the ActiveDOMObject owner for HTMLMediaElement rather than the Node owner.
Note You need to log in before you can comment on or make changes to this bug.