Bug 197576 - Use WeakPtr for JSLazyEventListener::m_originalNode for safety
Summary: Use WeakPtr for JSLazyEventListener::m_originalNode for safety
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc. (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Chris Dumez
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2019-05-03 13:53 PDT by Chris Dumez
Modified: 2019-05-06 10:56 PDT (History)
6 users (show)

See Also:


Attachments
Patch (5.93 KB, patch)
2019-05-03 13:57 PDT, Chris Dumez
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Chris Dumez 2019-05-03 13:53:46 PDT
Use WeakPtr for JSLazyEventListener::m_originalNode for safety.
Comment 1 Chris Dumez 2019-05-03 13:54:03 PDT
<rdar://problem/24314027>
Comment 2 Chris Dumez 2019-05-03 13:57:02 PDT
Created attachment 368981 [details]
Patch
Comment 3 Chris Dumez 2019-05-03 15:01:23 PDT
Comment on attachment 368981 [details]
Patch

Clearing flags on attachment: 368981

Committed r244926: <https://trac.webkit.org/changeset/244926>
Comment 4 Chris Dumez 2019-05-03 15:01:24 PDT
All reviewed patches have been landed.  Closing bug.
Comment 5 Alexey Proskuryakov 2019-05-05 13:35:50 PDT
Comment on attachment 368981 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=368981&action=review

> Source/WebCore/ChangeLog:3
> +        Use WeakPtr for JSLazyEventListener::m_originalNode for safety

Is this the correct behavior though? Seems like the node needs to be kept alive, and reference cycle needs to be broken in some other way. 

I think that it warrants a FIXME and assertion at least.
Comment 6 Chris Dumez 2019-05-06 08:58:29 PDT
(In reply to Alexey Proskuryakov from comment #5)
> Comment on attachment 368981 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=368981&action=review
> 
> > Source/WebCore/ChangeLog:3
> > +        Use WeakPtr for JSLazyEventListener::m_originalNode for safety
> 
> Is this the correct behavior though? Seems like the node needs to be kept
> alive, and reference cycle needs to be broken in some other way. 

No, I do not think we want to keep the original node alive. When we crash (rdar://problem/24314027), the lazy event listener is for a Window object. Lazy event listener for a Window are supposed to have a m_originalNode that is nullptr. So either a lazy event listener was somehow transferred from an element/document to a Window or something else is going on.

> 
> I think that it warrants a FIXME and assertion at least.

I am planning on adding assertions to help find the underlying cause of <rdar://problem/24314027>. I'll add the FIXME with the assertions.