[Webkit-unassigned] [Bug 142846] New: JSCallbackObject<JSGlobalObject> should not destroy its JSCallbackObjectData before all its finalizers have been called

Wed Mar 18 16:18:11 PDT 2015

https://bugs.webkit.org/show_bug.cgi?id=142846

            Bug ID: 142846
           Summary: JSCallbackObject<JSGlobalObject> should not destroy
                    its JSCallbackObjectData before all its finalizers
                    have been called
    Classification: Unclassified
           Product: WebKit
           Version: 528+ (Nightly build)
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mark.lam at apple.com

Currently, JSCallbackObject<JSGlobalObject> registers weak finalizers via 2 mechanisms:
1. JSCallbackObject<Parent>::init() registers a finalizer for all JSClassRef that a JSCallbackObject references.
2. JSCallbackObject<JSGlobalObject>::create() registers a finalizer via vm.heap.addFinalizer() which destroys the JSCallbackObject.

The first finalizer is implemented as a virtual function of a JSCallbackObjectData instance that will be destructed if the 2nd finalizer is called.  Hence, if the 2nd finalizer if called first, the later invocation of the 1st finalizer will result in a crash.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20150318/f68d8b5a/attachment-0002.html>