Bug 21213 - MessagePort crash when GC collects an object with a pending close event
Summary: MessagePort crash when GC collects an object with a pending close event
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: 528+ (Nightly build)
Hardware: Mac OS X 10.5
Importance: P1 Normal
Assignee: Alexey Proskuryakov
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-09-29 07:53 PDT by Alexey Proskuryakov
Modified: 2008-09-30 08:52 PDT

See Also:


Attachments
proposed fix (9.71 KB, patch)
2008-09-29 08:29 PDT, Alexey Proskuryakov
no flags
updated patch (21.26 KB, patch)
2008-09-30 04:31 PDT, Alexey Proskuryakov
sam: review+

Description Alexey Proskuryakov 2008-09-29 07:53:09 PDT
CloseMessagePortTimer retains MessagePort, but not its wrapper. As a result, event listeners can be garbage collected, and the close event will be dispatched using a stale listener object pointer.

Patch forthcoming.
Comment 1 Alexey Proskuryakov 2008-09-29 08:29:09 PDT
Created attachment 23908 [details]
proposed fix

It seems really ugly to control JS garbage collection from DOM code (if anything, this will fail when we enable non-JS bindings for MessageChannel/MessagePort), but looks like we don't have another mechanism.
Comment 2 Darin Adler 2008-09-29 09:01:01 PDT
(In reply to comment #1)
> It seems really ugly to control JS garbage collection from DOM code (if
> anything, this will fail when we enable non-JS bindings for
> MessageChannel/MessagePort), but looks like we don't have another mechanism.

I think we need to come up with a general way to tell the bindings that an object is "active" and therefore should not be subject to garbage collection until it becomes inactive. On the other hand, that doesn't seem much different from an explicit call to gcProtect, except for being a bit more language-independent. It would be a bit more elegant to make a call to the bindings machinery on the DOM object and let the helper function do the "map to a wrapper and a gcProtect".
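An added illustration, not code from this bug, from either attachment, or from WebKit itself, of the failure mode in the description and of the protect-while-active idea in comment 2. It is a toy model: a heap with a collector, a wrapper that owns the event listeners, and a port whose close timer either does or does not protect the wrapper while the close is pending. ToyHeap, Wrapper, Listener, CloseResult, runScenario and the MessagePort methods here are invented names for the example; the actual fix in attachment 23937 is not shown and may work differently.

```cpp
// Added toy model (not WebKit code) of the lifetime bug in this report and of the
// "active object" protection discussed in the comments. ToyHeap, Wrapper, Listener
// and this MessagePort are stand-ins invented for the example.
#include <algorithm>
#include <cstdio>
#include <memory>
#include <set>
#include <string>
#include <vector>

struct Listener { std::string name; };

// Stand-in for the JS wrapper: it owns the listeners, so collecting it destroys them.
struct Wrapper { std::vector<std::unique_ptr<Listener>> listeners; };

// Toy collector: a wrapper survives if script still references it or its DOM object
// has asked the bindings to protect it (the gcProtect idea from comment 2).
struct ToyHeap {
    std::vector<std::unique_ptr<Wrapper>> wrappers;
    std::set<Wrapper*> scriptRoots;
    std::set<Wrapper*> protectedWrappers;
    std::set<const Listener*> liveListeners;  // lets a stale pointer be detected, not dereferenced
    Wrapper* allocate() {
        wrappers.push_back(std::make_unique<Wrapper>());
        return wrappers.back().get();
    }
    Listener* addListener(Wrapper* w, std::string name) {
        w->listeners.push_back(std::make_unique<Listener>(Listener{std::move(name)}));
        liveListeners.insert(w->listeners.back().get());
        return w->listeners.back().get();
    }
    void collect() {
        auto dead = [&](const std::unique_ptr<Wrapper>& w) {
            return !scriptRoots.count(w.get()) && !protectedWrappers.count(w.get());
        };
        for (auto& w : wrappers)
            if (dead(w))
                for (auto& l : w->listeners)
                    liveListeners.erase(l.get());
        wrappers.erase(std::remove_if(wrappers.begin(), wrappers.end(), dead), wrappers.end());
    }
};

struct CloseResult {
    int delivered = 0;           // listeners still alive when close fired
    int stale = 0;               // listener pointers whose object the GC had already destroyed
    int wrappersAfterClose = 0;  // wrappers left after the GC that follows the close
};

// The DOM-side object: reference counted independently of its wrapper and holding
// only raw pointers to the listeners it will notify on close.
struct MessagePort {
    ToyHeap& heap;
    Wrapper* wrapper;
    std::vector<Listener*> closeListeners;
    MessagePort(ToyHeap& h, Wrapper* w) : heap(h), wrapper(w) {}
    void addCloseListener(std::string name) {
        closeListeners.push_back(heap.addListener(wrapper, std::move(name)));
    }
    // Arming the close timer: the timer retains the port either way; only the
    // protected variant also keeps the wrapper alive while the close is pending.
    void scheduleClose(bool protectWrapper) {
        if (protectWrapper)
            heap.protectedWrappers.insert(wrapper);
    }
    // The timer firing: dispatch close, then become inactive again.
    CloseResult fireClose() {
        CloseResult r;
        for (Listener* l : closeListeners)
            if (heap.liveListeners.count(l)) ++r.delivered; else ++r.stale;
        heap.protectedWrappers.erase(wrapper);  // inactive now; the wrapper may be collected
        return r;
    }
};

// Script creates a port, registers onclose, drops its reference; GC runs while the close is pending.
CloseResult runScenario(bool protectWhilePending) {
    ToyHeap heap;
    Wrapper* w = heap.allocate();
    heap.scriptRoots.insert(w);
    auto port = std::make_shared<MessagePort>(heap, w);  // shared_ptr stands in for RefPtr
    port->addCloseListener("onclose");
    std::shared_ptr<MessagePort> timerRef = port;         // the timer retains the port...
    port->scheduleClose(protectWhilePending);
    port.reset();
    heap.scriptRoots.erase(w);                            // ...but script has let the wrapper go
    heap.collect();                                       // GC before the timer fires
    CloseResult r = timerRef->fireClose();
    heap.collect();                                       // GC after the port went inactive
    r.wrappersAfterClose = static_cast<int>(heap.wrappers.size());
    return r;
}

int main() {
    for (bool fixed : {false, true}) {
        CloseResult r = runScenario(fixed);
        std::printf("%s: delivered=%d stale=%d wrappers left=%d\n",
                    fixed ? "protected" : "unprotected", r.delivered, r.stale, r.wrappersAfterClose);
    }
}
```

Run unprotected, the collection that happens before the timer fires destroys the listener the port still points at, and fireClose() reports one stale pointer where a real dispatch would touch freed memory. Run protected, the listener is delivered to, and the second collection shows the wrapper being released once the close has fired, which is the "until it becomes inactive" half of the mechanism described above.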
Comment 3 Alexey Proskuryakov 2008-09-30 01:32:11 PDT
Comment on attachment 23908 [details]
proposed fix

Clearing review flag, going to investigate a better solution.
Comment 4 Alexey Proskuryakov 2008-09-30 04:31:54 PDT
Created attachment 23937 [details]
updated patch
Comment 5 Sam Weinig 2008-09-30 07:28:30 PDT
Comment on attachment 23937 [details]
updated patch

Nice.
Comment 6 Alexey Proskuryakov 2008-09-30 08:52:51 PDT
Committed revision 37094.