[Webkit-unassigned] [Bug 135211] ScriptController::updateDocument ASSERT mutating map while iterating map
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Fri Jul 25 11:31:15 PDT 2014
https://bugs.webkit.org/show_bug.cgi?id=135211
--- Comment #15 from Joseph Pecoraro <joepeck at webkit.org> 2014-07-25 11:31:27 PST ---
(In reply to comment #14)
> (From update of attachment 235386 [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=235386&action=review
>
> > Source/WebCore/bindings/js/ScriptCachedFrameData.cpp:54
> > + Vector<JSC::Strong<JSDOMWindowShell>> windowShells = scriptController.windowShells();
>
> Can a new window shell be added to m_windowShells during iteration? If this happens, will it remain in a broken state forever, not being subject to the below processing?
Not currently, otherwise I would have expected to see a crash/assert here before. I also don't think we ever want mutation of a Hash* during iteration, even if it is additive. I believe that in HashMap/HashSet iteration order is not guaranteed; so depending on that behavior would be bad. Please correct me if I'm wrong!
We need to prevent against a removal of a window shell in m_windowShells during iteration because that can now happen at any time (GC of a media element). Creating a window shell still happens in only a few places.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list