[Webkit-unassigned] [Bug 178013] Regression(r220210?) Crash at com.apple.WebCore: WebCore::JSMutationCallback::handleEvent + 419

bugzilla-daemon at webkit.org
Fri Oct 6 09:43:37 PDT 2017


https://bugs.webkit.org/show_bug.cgi?id=178013

--- Comment #2 from Chris Dumez <cdumez at apple.com> ---
Looks like the MutationObserver and its MutationCallback are alive. However, the underlying callback JSObject is dead. JSCallbackDataWeak stores the callback as:
JSC::Weak<JSC::JSObject> m_callback;

Since it is weak, it can in theory go away. I see we have visitors code (which I do not fully understand) marking the callback.

Sam, any idea?
