Bug 85152

Summary:	[V8] An event listener object can be reclaimed by GC even if it is still alive
Product:	WebKit	Reporter:	Kentaro Hara <haraken>
Component:	WebCore JavaScript	Assignee:	Nobody <webkit-unassigned>
Status:	RESOLVED WONTFIX
Severity:	Normal	CC:	abarth, andersca, arv, haraken, ojan
Priority:	P2
Version:	528+ (Nightly build)
Hardware:	Unspecified
OS:	Unspecified

Description Kentaro Hara 2012-04-28 23:10:56 PDT

This is a bug detected in bug 84908. In a nutshell, an onresize event handler in the popup window can be non-deterministically reclaimed by GC. For more details, please look at the chromium issue 123642: http://code.google.com/p/chromium/issues/detail?id=123642

The patch for bug 84908 fixes V8LazyEventListner.cpp so that an event listener object is re-created if the event listener object is already reclaimed. This is just a temporary fix. We should fix the code so that an alive event listener object is never reclaimed. Please look at bug 84908 and chromium issue 123642 for more details.

Comment 1 Anders Carlsson 2013-09-12 22:33:08 PDT

V8 is gone.