Bug 85152
| Summary: | [V8] An event listener object can be reclaimed by GC even if it is still alive | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Kentaro Hara <haraken> |
| Component: | WebCore JavaScript | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED WONTFIX | | |
| Severity: | Normal | CC: | abarth, andersca, arv, haraken, ojan |
| Priority: | P2 | | |
| Version: | 528+ (Nightly build) | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
Kentaro Hara
This is a bug detected in bug 84908. In a nutshell, an onresize event handler in the popup window can be non-deterministically reclaimed by GC. For more details, please look at the chromium issue 123642: http://code.google.com/p/chromium/issues/detail?id=123642
The patch for bug 84908 fixes V8LazyEventListener.cpp so that an event listener object is re-created if the event listener object has already been reclaimed. This is just a temporary fix. We should fix the code so that a live event listener object is never reclaimed. Please look at bug 84908 and chromium issue 123642 for more details.
Anders Carlsson
V8 is gone.