[Webkit-unassigned] [Bug 18205] DOMNode objects are garbage collected although there are strong references
bugzilla-daemon at webkit.org
Wed Nov 5 10:44:16 PST 2008
https://bugs.webkit.org/show_bug.cgi?id=18205
------- Comment #18 from kai at granus.net 2008-11-05 10:44 PDT -------
Created an attachment (id=24912)
--> (https://bugs.webkit.org/attachment.cgi?id=24912&action=view)
New, simpler and more reproducible test case
After joining the development of the WebKit-based application in question, I
hit this bug again in different circumstances.
We now have a new, much simpler and more reproducible test case (this
attachment) and we think we understand the reason.
The problem is a race condition in the management of the DOMWrapper cache in
WebCore/bindings/objc/DOMInternal.mm. In a garbage collected environment,
wrappers are removed from the cache in -[DOMObject finalize]. This is sometimes
too late, because garbage collection is done from a separate thread, but
finalization is queued at the main thread for all WebScriptObject objects (see
+[WebScriptObject initialize]). If a DOM wrapper object is collected and then a
wrapper for the same underlying object is requested again before the wrapper
object has received its finalize message, it is resurrected via the DOMWrapper
cache.
I attach a patch which fixes the problem by replacing the HashMap with an
NSMapTable using zeroing weak memory for the wrapper value. Additionally I
removed the finalize method from DOMObject, since now the garbage collector
auto-removes the wrapper from the cache.
This fixes the crashes in the test case and in our application.
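The race the comment describes, as an added Python model (not WebKit code, and not the attached patch): a wrapper cache keyed by the underlying node whose entries are removed only when the wrapper's finalizer runs, beside a cache whose values are zeroing weak references. The Node and Wrapper classes, the `collected` flag and the explicit finalizer queue are constructed for the model; the queue stands in for finalization being deferred to the main thread while the collector thread has already reclaimed the object. weakref.WeakValueDictionary plays the role of NSMapTable with zeroing weak values: the entry vanishes as soon as the wrapper dies, so nothing depends on when a finalizer runs. CPython's reference counting is assumed so that dropping the last strong reference frees the wrapper immediately.

```python
"""Model of a finalizer-cleaned wrapper cache versus a weak-value cache.

Constructed for illustration; Node and Wrapper are stand-ins for a
WebCore DOM node and its Objective-C DOMObject wrapper.
"""
import weakref
from collections import deque


class Node:
    """Stand-in for the underlying DOM node (constructed)."""
    def __init__(self, name):
        self.name = name


class Wrapper:
    """Stand-in for a DOMObject wrapper.

    `collected` models the window between the collector reclaiming the
    wrapper and its -finalize message being delivered on the main thread.
    """
    def __init__(self, node):
        self.node = node
        self.collected = False


class FinalizerCleanedCache:
    """Original design: strong map node -> wrapper, entry removed by the
    wrapper's finalizer, which is queued for the main thread."""
    def __init__(self):
        self.entries = {}
        self.pending_finalizers = deque()   # models the main-thread finalize queue

    def wrapper_for(self, node):
        w = self.entries.get(id(node))
        if w is None:                       # no cached wrapper: create one
            w = Wrapper(node)
            self.entries[id(node)] = w
        return w

    def collector_frees(self, wrapper):
        # Collector thread: object is gone now, but the cache cleanup
        # (the finalizer) is only queued, not run.
        wrapper.collected = True
        self.pending_finalizers.append(
            lambda: self.entries.pop(id(wrapper.node), None))

    def main_thread_runs_finalizers(self):
        while self.pending_finalizers:
            self.pending_finalizers.popleft()()


class WeakValueCache:
    """Patched design: values held weakly, entry zeroed when the wrapper dies."""
    def __init__(self):
        self.entries = weakref.WeakValueDictionary()

    def wrapper_for(self, node):
        w = self.entries.get(id(node))      # None once the old wrapper is dead
        if w is None:
            w = Wrapper(node)
            self.entries[id(node)] = w
        return w


def resurrection_with_finalizer_cache():
    """The bug: lookup lands between collection and finalization."""
    cache = FinalizerCleanedCache()
    node = Node("div")
    first = cache.wrapper_for(node)
    cache.collector_frees(first)            # collector reclaims the wrapper
    second = cache.wrapper_for(node)        # main thread asks again, too early
    cache.main_thread_runs_finalizers()     # cleanup arrives after the damage
    # (True, True): the cache handed back the already-collected wrapper.
    return second is first, second.collected


def finalizer_cache_when_finalize_runs_first():
    """Same cache, benign ordering: finalizer runs before the next lookup."""
    cache = FinalizerCleanedCache()
    node = Node("div")
    first = cache.wrapper_for(node)
    cache.collector_frees(first)
    cache.main_thread_runs_finalizers()     # entry removed in time
    second = cache.wrapper_for(node)
    # (False, False): a fresh wrapper, so the bug is purely timing dependent.
    return second is first, second.collected


def no_resurrection_with_weak_cache():
    """Weak values: the entry disappears with the wrapper, no finalizer needed."""
    cache = WeakValueCache()
    node = Node("div")
    first = cache.wrapper_for(node)
    del first                               # last strong reference gone (CPython frees now)
    entries_left = len(cache.entries)       # 0: the map zeroed the entry itself
    second = cache.wrapper_for(node)
    return entries_left, second.collected


if __name__ == "__main__":
    print("finalizer cache, racy order:", resurrection_with_finalizer_cache())
    print("finalizer cache, benign order:", finalizer_cache_when_finalize_runs_first())
    print("weak-value cache:", no_resurrection_with_weak_cache())
```

The point of the two finalizer-cache functions is that the same code is correct or broken depending only on which thread wins; a cache that relies on a finalizer to stay consistent has a window the collector does not know about, whereas a zeroing weak reference is invalidated by the collector itself.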