[Webkit-unassigned] [Bug 70421] New: V8 bindings: event listener can be garbage collected, causing events loss

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Oct 19 08:18:21 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=70421

           Summary: V8 bindings: event listener can be garbage collected, causing events loss
           Product: WebKit
           Version: 420+
          Platform: All
        OS/Version: Unspecified
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: HTML DOM
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: enal at google.com
                CC: abarth at webkit.org, antonm at chromium.org


Moved from https://bugs.webkit.org/show_bug.cgi?id=66878 because it is a separate issue. For all the details and repro cases, see the discussion there.

The bug has been in the V8 bindings forever. If the type is a subtype of Node (e.g. Node itself), then there is only a weak reference from the object to the event listener, and the event listener can be collected even when the event source is alive and can send events in the future. The code generator emits special code for types that are not subtypes of Node, establishing a hidden dependency. The fix could do something similar for subtypes of Node as well. I am not sure a hidden dependency is the right thing (it requires an extra slot, and we don't want to increase the size of a lot of types when the absolute majority of objects will never have event listeners attached). Maybe we should use the hidden value mechanism, or object groups.
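The reachability argument in the report, as an added example that is not part of the original bug mail and not WebKit or V8 code: a constructed toy heap with strong and weak edges and a mark phase that follows only strong edges. In `'weak'` mode the Node wrapper refers to its listener only weakly (the reported behaviour for Node subtypes), so once the script drops its own reference the listener is swept and the next dispatch delivers nothing, even though the node itself is still reachable from the document. In `'hidden'` mode the wrapper holds the listener strongly (the hidden-dependency pattern the code generator emits for non-Node types) and the listener survives. All names (`Heap`, `simulate`, `dispatch`, the object labels) are assumptions of this example, and the heap shape is constructed.

```javascript
'use strict';
// Constructed toy model of object reachability, not WebKit/V8's actual heap.

class Heap {
  constructor() {
    this.live = new Set();   // every allocated object not yet swept
    this.roots = new Set();  // objects the script or C++ side holds directly
  }
  alloc(name) {
    const obj = { name, strong: new Set(), weak: new Set() };
    this.live.add(obj);
    return obj;
  }
  // Mark phase: traverse only strong edges from the roots, as a collector would.
  mark() {
    const marked = new Set();
    const work = [...this.roots];
    while (work.length > 0) {
      const obj = work.pop();
      if (marked.has(obj)) continue;
      marked.add(obj);
      for (const next of obj.strong) work.push(next);
    }
    return marked;
  }
  // Sweep: drop unmarked objects and clear weak edges that pointed at them.
  collect() {
    const marked = this.mark();
    for (const obj of this.live) {
      if (!marked.has(obj)) this.live.delete(obj);
    }
    for (const obj of this.live) {
      for (const target of obj.weak) {
        if (!marked.has(target)) obj.weak.delete(target);
      }
    }
    return this.live.size;
  }
}

// Deliver an event: invoke every listener the wrapper still references
// (weakly or strongly) and return how many were actually called.
function dispatch(wrapper) {
  let delivered = 0;
  for (const edges of [wrapper.strong, wrapper.weak]) {
    for (const target of edges) {
      if (typeof target.callback === 'function') {
        target.callback();
        delivered += 1;
      }
    }
  }
  return delivered;
}

// mode 'weak':   wrapper -> listener is a weak edge (listener can be lost)
// mode 'hidden': wrapper -> listener is a strong edge (hidden dependency)
function simulate(mode) {
  const heap = new Heap();
  const document = heap.alloc('document');
  heap.roots.add(document);                // the document stays alive throughout
  const node = heap.alloc('node');
  document.strong.add(node);               // node is in the tree, so it is alive
  const wrapper = heap.alloc('wrapper');
  node.strong.add(wrapper);                // live node keeps its JS wrapper alive

  const listener = heap.alloc('listener');
  listener.callback = () => {};
  heap.roots.add(listener);                // script holds the closure while registering
  (mode === 'weak' ? wrapper.weak : wrapper.strong).add(listener);
  heap.roots.delete(listener);             // script drops its last reference

  heap.collect();                          // a GC runs before the next event
  return dispatch(wrapper);                // how many listeners still fire?
}

module.exports = { Heap, dispatch, simulate };
```

Running `simulate('weak')` returns 0 and `simulate('hidden')` returns 1: the only thing that differs between the two runs is whether the edge from the wrapper to the listener is followed during marking, which is exactly the slot (or object-group membership) the report says Node subtypes are missing.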

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.