Skip to content
  • commit-queue@webkit.org's avatar
    Source/WebCore: Event listener for active DOM object that is also DOM node can... · c38dddea
    commit-queue@webkit.org authored
    Source/WebCore: Event listener for active DOM object that is also DOM node can be garbage collected prematurely.
    https://bugs.webkit.org/show_bug.cgi?id=70421
    
    Patch by Eugene Nalimov <enal@google.com> on 2011-11-15
    Reviewed by Adam Barth.
    
    Problem demonstrated itself when HTMLAudioElement was changed to become active DOM object.
    Before that there were no DOM objects that simultaneously were nodes and active objects.
    DOM object could be held in one of 3 maps -- node map, active objects map, and all other
    objects map, and HTMLAudioElement should be in 2 maps simultaneously. When it was in the
    active DOM objects map only, its event listener could be garbage collected, because special
    code that groups listeners with wrappers could handle only wrappers for objects in the node
    map. If we put HTMLAudioElement into nodes map, it would not be active DOM node, and can be
    garbage collected prematurely itself (see https://bugs.webkit.org/show_bug.cgi?id=66878).
    Fix is to introduce 4th map -- active nodes map, and cha...
    c38dddea