[Webkit-unassigned] [Bug 208642] REGRESSION: (r257905) [ Mac wk2 Debug ] ASSERTION FAILED: !m_isolatedWorld->isNormal() || m_wrapper || !m_jsFunction

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Mar 6 01:44:34 PST 2020


https://bugs.webkit.org/show_bug.cgi?id=208642

--- Comment #23 from Ryosuke Niwa <rniwa at webkit.org> ---
(In reply to Yusuke Suzuki from comment #22)
> I think this is a more fundamental problem which is not tied to the
> HTMLVideoElement case.
> For any node, this race condition happens if,
> 
> 1. Node (A) is attached to the tree (TA).
> 2. (A)'s wrapper is marked and (TA) is registered as an opaque root.
> 3. The user code removes (A) from (TA).
> 4. Node (B), which is under (A), is invoking is-reachable-from-opaque-root query.
> 5. Node (B)'s root is (A) since (A) is detached from the tree (TA).
> 6. (4) cannot find the (A) from the set of opaque roots.

That indeed sounds like a real bug.

> Let's consider the fundamental fix. Every time we change the root, we
> need to emit a "write-barrier" to this node.
> Then, GC rescans it and re-registers the updated root. So, the problem is how to
> emit the "write-barrier" while we only have the C++ node.
> 
> So the question is how to achieve this effect. One idea I have right now is,
> (1) when changing the root,

This would be ContainerNode::removeAllChildrenWithScriptAssertion, ContainerNode::removeNodeWithScriptAssertion, and executeNodeInsertionWithScriptAssertion.

> (2) if GC is not running right now, noop, (2)
> otherwise, let's check the old root is included in the opaque root, (3) if
> it is included, we put the new root into the opaque root as something like
> remember-set mechanism.

Hm... I'm thinking if we can re-use something like GCReachableRefMap or add more logic to isReachableFromDOM in JSNodeCustom.cpp, but I don't think we could, because the issue isn't so much about the root node, which is an opaque root, but rather anyone which uses a node has an opaque root.

For that matter, this seems like an issue with anything that can dynamically change its opaque root, not just Node.
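The following toy model is an added illustration of the six-step race quoted above and of the "write-barrier" idea that follows it; it is not WebKit code, and the names (Node, ToyGC, visitWrapper, isReachable, removeChild) are simplifications chosen here. The collector records a node's topmost ancestor as its opaque root when a wrapper is visited; when script detaches A from TA between that visit and the reachability query for B, B's root becomes A, which was never registered, so B is wrongly reported unreachable. The barrier variant registers the new root whenever the old root was already in the opaque-root set during a collection.

```cpp
#include <algorithm>
#include <set>
#include <vector>

// Toy DOM node: parent pointer plus children. The "root" of a node is its
// topmost ancestor, which stands in for the opaque root a JS wrapper is
// kept alive through. (Illustrative model, not WebKit's data structures.)
struct Node {
    Node* parent = nullptr;
    std::vector<Node*> children;
};

static Node* rootOf(Node* n) {
    while (n->parent)
        n = n->parent;
    return n;
}

static void appendChild(Node* parent, Node* child) {
    child->parent = parent;
    parent->children.push_back(child);
}

// Simplified collector state: the opaque roots gathered while visiting
// marked wrappers, and whether a collection is currently in progress.
struct ToyGC {
    std::set<Node*> opaqueRoots;
    bool collecting = false;

    // Visiting a live wrapper registers the wrapper's current root as opaque.
    void visitWrapper(Node* n) { opaqueRoots.insert(rootOf(n)); }

    // The is-reachable-from-opaque-roots query made for another wrapper.
    bool isReachable(Node* n) const { return opaqueRoots.count(rootOf(n)) != 0; }
};

// Root change with an optional barrier: if a collection is running and the
// old root was already registered, also register the new root so nodes that
// now live under it are not reported unreachable (the quoted proposal).
static void removeChild(Node* parent, Node* child, ToyGC& gc, bool withBarrier) {
    Node* oldRoot = rootOf(child);
    auto& kids = parent->children;
    kids.erase(std::remove(kids.begin(), kids.end(), child), kids.end());
    child->parent = nullptr;
    Node* newRoot = rootOf(child); // the detached subtree's root is the child itself
    if (withBarrier && gc.collecting && gc.opaqueRoots.count(oldRoot))
        gc.opaqueRoots.insert(newRoot);
}

// Replays steps 1-6 from the comment. Returns the collector's answer for
// B's wrapper: false means B is treated as unreachable even though it is
// still attached under A.
static bool queryBDuringRace(bool withBarrier) {
    Node treeTA, nodeA, nodeB;
    appendChild(&treeTA, &nodeA);   // 1. A attached to tree TA
    appendChild(&nodeA, &nodeB);    //    B placed under A
    ToyGC gc;
    gc.collecting = true;
    gc.visitWrapper(&nodeA);        // 2. A's wrapper marked, TA registered
    removeChild(&treeTA, &nodeA, gc, withBarrier); // 3. script removes A from TA
    return gc.isReachable(&nodeB);  // 4-6. B's root is now A, which was never registered
}

bool reachableWithoutBarrier() { return queryBDuringRace(false); }
bool reachableWithBarrier() { return queryBDuringRace(true); }
```

Without the barrier the query for B returns false, which is the failure mode the assertion in the bug title guards against; with the barrier the detached subtree root A is added to the set and the query returns true.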
