[Webkit-unassigned] [Bug 208642] REGRESSION: (r257905) [ Mac wk2 Debug ] ASSERTION FAILED: !m_isolatedWorld->isNormal() || m_wrapper || !m_jsFunction

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Mar 6 00:48:45 PST 2020


https://bugs.webkit.org/show_bug.cgi?id=208642

--- Comment #20 from Ryosuke Niwa <rniwa at webkit.org> ---
(In reply to Yusuke Suzuki from comment #19)
> (In reply to Ryosuke Niwa from comment #18)
>
> > In this scenario, HTMLVideoElement needs to have a pending activity in
> > ActiveDOMObject while HTMLVideoTrackList/HTMLVideoElement sits in
> > GenericEventQueue. That would prevent GC from collecting the JS wrapper
> > since it would be reachableFromOpaqueRoot regardless of where it is.
> 
> No, it does not fix the issue unfortunately :(
> Even if HTMLVideoElement is live, HTMLVideoTrackList goes away since
> HTMLVideoTrackList is live only if it can find an opaque root, which is not
> properly registered by HTMLVideoElement due to a race condition.

Okay, so VideoTrackList needs to be an ActiveDOMObject itself and have a pending activity whenever it's in HTMLVideoElement's m_asyncEventQueue.

> Fundamental fix should be, in some way, re-registering a root & saying
> "Marking" happens if the root is changed. This is some form of write-barrier.

Hm... that sounds like a brittle approach, but if that's what we need to do, then dispatchChildRemovalEvents in ContainerNode.cpp has code to force creating a JS wrapper on the removed node, so perhaps we can emit a write barrier there.

Alternatively, can we use MarkingConstraint to relate these objects?
