[Webkit-unassigned] [Bug 208642] REGRESSION: (r257905) [ Mac wk2 Debug ] ASSERTION FAILED: !m_isolatedWorld->isNormal() || m_wrapper || !m_jsFunction
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Fri Mar 6 00:12:15 PST 2020
https://bugs.webkit.org/show_bug.cgi?id=208642
--- Comment #17 from Yusuke Suzuki <ysuzuki at apple.com> ---
(In reply to Yusuke Suzuki from comment #16)
> 2. So far, this looks like an existing bug due to
> https://bugs.webkit.org/show_bug.cgi?id=165713. By using IsoSubspace, we
> start putting some lower-tier cells in PreciseAllocation, and reuse them.
> This makes GC behavior different, and exposing the existing bug: we should
> re-register root if we changed the root after we register the root. I could
> create a test case which reproduces this assertion failure without my patch.
Let's describe what is happening.
1. HTMLVideoElement is created in the test under the current Document. So root is Document.
2. Concurrent GC starts working.
3. Marking (1)'s HTMLVideoElement and registering Document as a root.
4. The executed code removes HTMLVideoElement from Document.
5. HTMLVideoTrackList in HTMLVideoElement queries the opaque root. Since the root of HTMLVideoElement is changed to itself, HTMLVideoTrackList says "I'm live if the root set includes HTMLVideoElement". But this is not included since HTMLVideoElement registers Document as a root. And after the root is changed, it is not re-registering the new root.
6. HTMLVideoTrackList is saying I'm not reachable.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20200306/e6e51b37/attachment.htm>
More information about the webkit-unassigned
mailing list