RESOLVED FIXED 21213
MessagePort crash when GC collects an object with a pending close event
https://bugs.webkit.org/show_bug.cgi?id=21213
Alexey Proskuryakov
Reported 2008-09-29 07:53:09 PDT
CloseMessagePortTimer retains MessagePort, but not its wrapper. As a result, event listeners can be garbage collected, and the close event will be dispatched using a stale listener object pointer. Patch forthcoming.
Attachments
proposed fix (9.71 KB, patch)
2008-09-29 08:29 PDT, Alexey Proskuryakov
no flags
updated patch (21.26 KB, patch)
2008-09-30 04:31 PDT, Alexey Proskuryakov
sam: review+
Alexey Proskuryakov
Comment 1 2008-09-29 08:29:09 PDT
Created attachment 23908 [details]
proposed fix

It seems really ugly to control JS garbage collection from DOM code (if anything, this will fail when we enable non-JS bindings for MessageChannel/MessagePort), but looks like we don't have another mechanism.
Darin Adler
Comment 2 2008-09-29 09:01:01 PDT
(In reply to comment #1)
> It seems really ugly to control JS garbage collection from DOM code (if anything, this will fail when we enable non-JS bindings for MessageChannel/MessagePort), but looks like we don't have another mechanism.

I think we need to come up with a general way to tell the bindings that an object is "active" and therefore should not be subject to garbage collection until it becomes inactive. On the other hand, that doesn't seem much different from an explicit call to gcProtect, except for being a bit more language-independent. It would be a bit more elegant to make a call to the bindings machinery on the DOM object and let the helper function do the "map to a wrapper and a gcProtect".
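The lifetime problem in the report and the "active object" idea in comment 2 can be modelled in a few lines. The following is an added illustration written for this page, not WebKit code and not the attached patch; every name in it (Port, Wrapper, Heap, hasPendingActivity, markActiveWrappers) is hypothetical. A timer keeps the DOM-side Port alive, the JS wrapper that owns the listeners is only reachable through the collector, and the close is delivered after script has dropped its last reference. Without the fix the sweep discards the wrapper and the close finds no listeners (in the real bug, a stale pointer); with the fix the mark phase asks the DOM object whether it still has outstanding work and keeps its wrapper alive.

```cpp
#include <algorithm>
#include <memory>
#include <set>
#include <vector>

// Illustrative model only; all names are hypothetical, not WebKit's.

struct Wrapper;

// DOM-side object. A pending-close timer holds a strong reference to it, so it
// outlives script; its JS wrapper, which carries the listeners, does not.
struct Port {
    Wrapper* wrapper = nullptr;   // weak back-pointer to the JS wrapper
    bool closePending = false;    // a close event has been scheduled
    // "Active" in the sense of comment 2: work is still outstanding.
    bool hasPendingActivity() const { return closePending; }
};

// JS-side wrapper, owned by the collector. Event listeners hang off it.
struct Wrapper {
    Port* port = nullptr;
    bool marked = false;
    std::vector<int> listeners;   // stand-in for JS listener functions
};

struct Heap {
    std::vector<std::unique_ptr<Wrapper>> objects;
    std::set<Wrapper*> roots;             // explicitly protected wrappers
    bool markActiveWrappers = false;      // the fix: consult the DOM object

    Wrapper* allocate(Port& p) {
        objects.push_back(std::make_unique<Wrapper>());
        Wrapper* w = objects.back().get();
        w->port = &p;
        p.wrapper = w;
        return w;
    }

    // Mark-sweep. Returns how many wrappers were collected.
    size_t collect() {
        for (auto& w : objects) w->marked = false;
        for (Wrapper* r : roots) r->marked = true;
        if (markActiveWrappers)
            for (auto& w : objects)
                if (w->port->hasPendingActivity()) w->marked = true;
        size_t before = objects.size();
        for (auto& w : objects)
            if (!w->marked) w->port->wrapper = nullptr;  // sever the back-pointer
        objects.erase(std::remove_if(objects.begin(), objects.end(),
                          [](const std::unique_ptr<Wrapper>& w) { return !w->marked; }),
                      objects.end());
        return before - objects.size();
    }
};

// Timer fires: deliver close to the wrapper's listeners. Returns the number of
// listeners reached; 0 means the wrapper was collected in the meantime, which
// in the real bug was a stale listener pointer rather than a clean miss.
size_t fireClose(Port& port) {
    port.closePending = false;
    if (!port.wrapper) return 0;
    return port.wrapper->listeners.size();
}

// Scenario: script adds one close listener, a close is scheduled, script drops
// its last reference, GC runs, then the timer fires.
size_t listenersReachedByClose(bool withFix) {
    Heap heap;
    heap.markActiveWrappers = withFix;
    Port port;                      // stays alive (the modelled timer retains it)
    Wrapper* w = heap.allocate(port);
    w->listeners.push_back(42);     // constructed sample listener
    port.closePending = true;
    heap.collect();                 // nothing in roots references the wrapper
    return fireClose(port);
}
```

The point of the model is where the liveness decision sits: the collector asks the DOM object (hasPendingActivity) instead of the DOM code reaching into the collector with a gcProtect call, which is the language-independent shape comment 2 argues for.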
Alexey Proskuryakov
Comment 3 2008-09-30 01:32:11 PDT
Comment on attachment 23908 [details]
proposed fix

Clearing review flag, going to investigate a better solution.
Alexey Proskuryakov
Comment 4 2008-09-30 04:31:54 PDT
Created attachment 23937 [details]
updated patch
Sam Weinig
Comment 5 2008-09-30 07:28:30 PDT
Comment on attachment 23937 [details]
updated patch

Nice.
Alexey Proskuryakov
Comment 6 2008-09-30 08:52:51 PDT
Committed revision 37094.