<rdar://problem/24314027>

Created attachment 368981 [details] Patch

Comment on attachment 368981 [details] Patch Clearing flags on attachment: 368981 Committed r244926: <https://trac.webkit.org/changeset/244926>

All reviewed patches have been landed. Closing bug.

Comment on attachment 368981 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=368981&action=review > Source/WebCore/ChangeLog:3 > + Use WeakPtr for JSLazyEventListener::m_originalNode for safety Is this the correct behavior though? Seems like the node needs to be kept alive, and reference cycle needs to be broken in some other way. I think that it warrants a FIXME and assertion at least.

(In reply to Alexey Proskuryakov from comment #5) > Comment on attachment 368981 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=368981&action=review > > > Source/WebCore/ChangeLog:3 > > + Use WeakPtr for JSLazyEventListener::m_originalNode for safety > > Is this the correct behavior though? Seems like the node needs to be kept > alive, and reference cycle needs to be broken in some other way. No, I do not think we want to keep the original node alive. When we crash (rdar://problem/24314027), the lazy event listener is for a Window object. Lazy event listener for a Window are supposed to have a m_originalNode that is nullptr. So either a lazy event listener was somehow transferred from an element/document to a Window or something else is going on. > > I think that it warrants a FIXME and assertion at least. I am planning on adding assertions to help find the underlying cause of <rdar://problem/24314027>. I'll add the FIXME with the assertions.