If we finalize weak handles and call RootObject::finalize(), it calls invalidate() on the object that it's finalizing and then removes it from its map of RuntimeObjects. However, invalidate() derefs that RuntimeObject which can call its destructor. In turn, it will deref its member RefPtr to the RootObject. If that RootObject's ref count then hits 0, its destructor will be called, which will then call invalidate() on all its objects in its map. This causes invalidate() to be called on that RuntimeObject twice, which causes a crash.
Removing the object from the map first and then calling invalidate() on it should alleviate the crash because invalidate() can't be called a second time if the RootObject's destructor gets called since it will no longer be in the map.
Created attachment 127067 [details]
Comment on attachment 127067 [details]
This looks good, but I think an even better fix would be "RefPtr<T> protect(this);"
Created attachment 127083 [details]
Comment on attachment 127083 [details]
Committed r107837: <http://trac.webkit.org/changeset/107837>