[Webkit-unassigned] [Bug 208642] REGRESSION: (r257905) [ Mac wk2 Debug ] ASSERTION FAILED: !m_isolatedWorld->isNormal() || m_wrapper || !m_jsFunction
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Fri Mar 6 00:25:43 PST 2020
https://bugs.webkit.org/show_bug.cgi?id=208642
--- Comment #18 from Ryosuke Niwa <rniwa at webkit.org> ---
(In reply to Yusuke Suzuki from comment #17)
> (In reply to Yusuke Suzuki from comment #16)
> > 2. So far, this looks like an existing bug due to
> > https://bugs.webkit.org/show_bug.cgi?id=165713. By using IsoSubspace, we
> > start putting some lower-tier cells in PreciseAllocation, and reuse them.
> > This makes GC behavior different, and exposing the existing bug: we should
> > re-register root if we changed the root after we register the root. I could
> > create a test case which reproduces this assertion failure without my patch.
>
> Let's describe what is happening.
>
> 1. HTMLVideoElement is created in the test under the current Document. So
> root is Document.
> 2. Concurrent GC starts working.
> 3. Marking (1)'s HTMLVideoElement and registering Document as a root.
> 4. The executed code removes HTMLVideoElement from Document.
> 5. HTMLVideoTrackList in HTMLVideoElement queries the opaque root. Since the
> root of HTMLVideoElement is changed to itself, HTMLVideoTrackList says "I'm
> live if the root set includes HTMLVideoElement". But this is not included
> since HTMLVideoElement registers Document as a root. And after the root is
> changed, it is not re-registering the new root.
> 6. HTMLVideoTrackList is saying I'm not reachable.
In this scenario, HTMLVideoElement needs to have a pending activity in ActiveDOMObjet while HTMLVideoTrackList/HTMLVideoElement sits in GenericEventQueue. That would prevent GC from collecting the JS wrapper since it would be reachableFromOpaqueRoot regardless of where it is.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20200306/6058656a/attachment.htm>
More information about the webkit-unassigned
mailing list