Finalizers are not guaranteed to run for a Weak if its WeakImpl has been replaced by another (through use of Weak::operator=(Weak&&)) before the GC's incremental sweeper has swept the containing WeakBlock. Let's settle on a single way of invoking deref() on the DOM object.
Created attachment 251609 [details] Proposed patch
Comment on attachment 251609 [details] Proposed patch View in context: https://bugs.webkit.org/attachment.cgi?id=251609&action=review > Source/WebCore/bindings/scripts/CodeGeneratorJS.pm:1089 > + push(@headerContent, " void releaseImpl() { m_impl->deref(); m_impl = nullptr; }\n\n"); Could consider the suggestion Oliver Hunt made for the smart pointer classes: void releaseImpl() { std::exchange(m_impl, nullptr)->deref(); } That would mean that m_impl would be null if something happened to run in the destructor and turn around and see this object.
Created attachment 251899 [details] Patch for landing With std::exchange like darin suggested.
Comment on attachment 251899 [details] Patch for landing Holding cq+ while I check on a potential issue locally.
Comment on attachment 251899 [details] Patch for landing Local issue was something else entirely. Resuming commit queue.
Comment on attachment 251899 [details] Patch for landing Clearing flags on attachment: 251899 Committed r183523: <http://trac.webkit.org/changeset/183523>
All reviewed patches have been landed. Closing bug.