Bug 123178 - ScriptWrappable Interfaces inheriting from EventTarget but not ActiveDOMObject will cause a crash when finalized
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: Bindings
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
Keywords: InRadar
Reported: 2013-10-22 15:42 PDT by Jer Noble
Modified: 2014-10-27 11:04 PDT
Description Jer Noble 2013-10-22 15:42:23 PDT
When creating a wrapper for a ScriptWrappable EventTarget subclass, the bindings code goes through the setInlineCachedWrapper() path. But when unwrapping, it goes through the weakRemove() path, as there's no way for the bindings code to know whether a given EventTarget* pointer is ScriptWrappable or not. The code will eventually ASSERT, but crash in release builds, with the following stack trace:

    frame #0: 0x0000000112222aea JavaScriptCore`WTFCrash + 42 at Assertions.cpp:342
    frame #1: 0x0000000113cee068 WebCore`void JSC::weakRemove<WTF::HashMap<void*, JSC::Weak<JSC::JSObject>, WTF::PtrHash<void*>, WTF::HashTraits<void*>, WTF::HashTraits<JSC::Weak<JSC::JSObject> > >, void*, WebCore::JSEventTarget*>(map=0x00007fbd7ae05d68, key=0x00007fff55594140, value=0x000000011e0ded70) + 168 at WeakInlines.h:136
    frame #2: 0x0000000113cedf64 WebCore`void WebCore::uncacheWrapper<WebCore::EventTarget, WebCore::JSEventTarget>(world=0x00007fbd7ae05d60, domObject=0x00007fbd7a820600, wrapper=0x000000011e0ded70) + 100 at JSDOMBinding.h:198
    frame #3: 0x0000000113cedbe5 WebCore`WebCore::JSEventTargetOwner::finalize(this=0x00007fbd7aa099e0, handle=Handle<JSC::Unknown> at 0x00007fff555941a0, context=0x00007fbd7ae05d60) + 101 at JSEventTarget.cpp:173
    frame #4: 0x00000001121e211d JavaScriptCore`JSC::WeakBlock::finalize(this=0x000000010f14e000, weakImpl=0x000000010f14e5b8) + 189 at WeakSetInlines.h:52
    frame #5: 0x00000001121e1ade JavaScriptCore`JSC::WeakBlock::sweep(this=0x000000010f14e000) + 158 at WeakBlock.cpp:76
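The mismatch the report describes can be reproduced in a few dozen lines outside of WebKit. The model below is an added illustration, not WebKit's code: DOMWrapperWorld, weakRemove(), cacheWrapper() and uncacheWrapper() are simplified stand-ins for the functions of the same names in JSDOMBinding.h, the InlineCachedTarget / MapCachedTarget interfaces and the two finalize helpers are hypothetical, and the failed weakRemove() assertion is reported as a false return value rather than a crash so it can be observed. The point it shows is that the cache path is selected by the static type of the pointer handed to cacheWrapper(), while the generic JSEventTargetOwner::finalize only holds an EventTarget* and therefore always takes the map path; a finalize that keeps the concrete type (what a per-interface custom finalize gives you) takes the same path both ways.

```cpp
#include <cassert>
#include <cstdio>
#include <type_traits>
#include <unordered_map>

struct JSWrapper;

// Stand-in for WebKit's ScriptWrappable mixin: the object carries its own wrapper slot.
struct ScriptWrappable {
    JSWrapper* inlineWrapper = nullptr;
};

struct EventTarget {
    virtual ~EventTarget() {}
};

// Hypothetical interfaces: one inherits ScriptWrappable, one does not.
struct InlineCachedTarget : EventTarget, ScriptWrappable {};
struct MapCachedTarget : EventTarget {};

// Minimal model of a JS wrapper: it only remembers what it wraps.
struct JSWrapper {
    EventTarget* impl;
};

// Per-world side table (impl pointer -> weak wrapper) used for non-ScriptWrappable objects.
struct DOMWrapperWorld {
    std::unordered_map<void*, JSWrapper*> wrappers;
};

// weakRemove(): WebKit ASSERTs that key is present and maps to value before erasing.
// The failed assertion is surfaced here as `false` instead of a WTFCrash.
bool weakRemove(DOMWrapperWorld& world, void* key, JSWrapper* value) {
    auto it = world.wrappers.find(key);
    if (it == world.wrappers.end() || it->second != value)
        return false;
    world.wrappers.erase(it);
    return true;
}

// cacheWrapper(): the path is chosen by the static type T of the pointer, not by the object.
template <typename T>
void cacheWrapper(DOMWrapperWorld&, T* obj, JSWrapper* w, std::true_type /*isScriptWrappable*/) {
    obj->inlineWrapper = w;                        // setInlineCachedWrapper() path
}
template <typename T>
void cacheWrapper(DOMWrapperWorld& world, T* obj, JSWrapper* w, std::false_type) {
    world.wrappers[static_cast<void*>(obj)] = w;   // weakAdd() into the map
}
template <typename T>
void cacheWrapper(DOMWrapperWorld& world, T* obj, JSWrapper* w) {
    cacheWrapper(world, obj, w, std::integral_constant<bool, std::is_base_of<ScriptWrappable, T>::value>());
}

// uncacheWrapper(): same static dispatch, so it only matches if T is the type used when caching.
template <typename T>
bool uncacheWrapper(DOMWrapperWorld&, T* obj, JSWrapper* w, std::true_type) {
    if (obj->inlineWrapper != w)
        return false;
    obj->inlineWrapper = nullptr;                  // clearInlineCachedWrapper() path
    return true;
}
template <typename T>
bool uncacheWrapper(DOMWrapperWorld& world, T* obj, JSWrapper* w, std::false_type) {
    return weakRemove(world, static_cast<void*>(obj), w);
}
template <typename T>
bool uncacheWrapper(DOMWrapperWorld& world, T* obj, JSWrapper* w) {
    return uncacheWrapper(world, obj, w, std::integral_constant<bool, std::is_base_of<ScriptWrappable, T>::value>());
}

// Generic finalize (models JSEventTargetOwner::finalize): it only has an EventTarget*,
// so it always takes the weakRemove() path however the wrapper was cached.
bool genericEventTargetFinalize(DOMWrapperWorld& world, JSWrapper* w) {
    return uncacheWrapper<EventTarget>(world, w->impl, w);
}

// Per-interface finalize (models the custom finalize the generator emits for an
// ActiveDOMObject): it keeps the concrete type, so caching and uncaching agree.
template <typename T>
bool typedFinalize(DOMWrapperWorld& world, JSWrapper* w) {
    return uncacheWrapper<T>(world, static_cast<T*>(w->impl), w);
}

// Bug: ScriptWrappable EventTarget cached inline, then finalized through the generic path.
// weakRemove() is asked to remove a key that was never added.
bool scenarioMismatch() {
    DOMWrapperWorld world;
    InlineCachedTarget target;
    JSWrapper wrapper{&target};
    cacheWrapper(world, &target, &wrapper);
    return genericEventTargetFinalize(world, &wrapper);   // false: the assertion case
}

// Control: a non-ScriptWrappable EventTarget goes through the map both ways.
bool scenarioMapCached() {
    DOMWrapperWorld world;
    MapCachedTarget target;
    JSWrapper wrapper{&target};
    cacheWrapper(world, &target, &wrapper);
    return genericEventTargetFinalize(world, &wrapper);   // true
}

// Fix shape: a finalize that knows the concrete type clears the inline slot instead.
bool scenarioTypedFinalize() {
    DOMWrapperWorld world;
    InlineCachedTarget target;
    JSWrapper wrapper{&target};
    cacheWrapper(world, &target, &wrapper);
    bool ok = typedFinalize<InlineCachedTarget>(world, &wrapper);
    return ok && target.inlineWrapper == nullptr;         // true
}

int main() {
    std::printf("generic finalize on ScriptWrappable target: %s\n", scenarioMismatch() ? "ok" : "weakRemove assertion");
    std::printf("generic finalize on map-cached target:      %s\n", scenarioMapCached() ? "ok" : "weakRemove assertion");
    std::printf("typed finalize on ScriptWrappable target:   %s\n", scenarioTypedFinalize() ? "ok" : "mismatch");
    return 0;
}
```

The check a reviewer of such bindings code wants is the one scenarioTypedFinalize() makes explicit: whatever static type selected the cache path at wrap time must be the type available at finalize time, because the world's map has no record of objects that were cached inline.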
Comment 1 Jer Noble 2013-10-22 15:43:52 PDT
It looks like making the interface an ActiveDOMObject works because the bindings generator will add a custom finalize method for that interface.
Comment 2 Radar WebKit Bug Importer 2014-10-27 11:04:30 PDT