[Webkit-unassigned] [Bug 123178] New: ScriptWrappable Interfaces inheriting from EventTarget but not ActiveDOMObject will cause a crash when finalized

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Oct 22 15:43:37 PDT 2013 

https://bugs.webkit.org/show_bug.cgi?id=123178

           Summary: ScriptWrappable Interfaces inheriting from EventTarget
                    but not ActiveDOMObject will cause a crash when
                    finalized
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Bindings
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: jer.noble at apple.com


When creating a wrapper for a ScriptWrappable EventTarget subclass, the bindings code goes through the setInlineCachedWrapper() path.  But when unwrapping, it goes through the weakRemove() path, as there's no way for the bindings code to know whether a given EventTarget* pointer is ScriptWrappable or not.  The code will eventually ASSERT, but crash in release builds, with the following stack trace:


    frame #0: 0x0000000112222aea JavaScriptCore`WTFCrash + 42 at Assertions.cpp:342
    frame #1: 0x0000000113cee068 WebCore`void JSC::weakRemove<WTF::HashMap<void*, JSC::Weak<JSC::JSObject>, WTF::PtrHash<void*>, WTF::HashTraits<void*>, WTF::HashTraits<JSC::Weak<JSC::JSObject> > >, void*, WebCore::JSEventTarget*>(map=0x00007fbd7ae05d68, key=0x00007fff55594140, value=0x000000011e0ded70) + 168 at WeakInlines.h:136
    frame #2: 0x0000000113cedf64 WebCore`void WebCore::uncacheWrapper<WebCore::EventTarget, WebCore::JSEventTarget>(world=0x00007fbd7ae05d60, domObject=0x00007fbd7a820600, wrapper=0x000000011e0ded70) + 100 at JSDOMBinding.h:198
    frame #3: 0x0000000113cedbe5 WebCore`WebCore::JSEventTargetOwner::finalize(this=0x00007fbd7aa099e0, handle=Handle<JSC::Unknown> at 0x00007fff555941a0, context=0x00007fbd7ae05d60) + 101 at JSEventTarget.cpp:173
    frame #4: 0x00000001121e211d JavaScriptCore`JSC::WeakBlock::finalize(this=0x000000010f14e000, weakImpl=0x000000010f14e5b8) + 189 at WeakSetInlines.h:52
    frame #5: 0x00000001121e1ade JavaScriptCore`JSC::WeakBlock::sweep(this=0x000000010f14e000) + 158 at WeakBlock.cpp:76

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list