[webkit-changes] [WebKit/WebKit] b5c5cd: Use JSValueInWrappedObject::set() instead of setWe...

Chris Dumez Thu, 23 Apr 2026 03:20:47 -0700

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: b5c5cdb996bdf3d80f21a280a555d709de46980b
      
https://github.com/WebKit/WebKit/commit/b5c5cdb996bdf3d80f21a280a555d709de46980b
  Author: Chris Dumez <[email protected]>
  Date:   2026-04-23 (Thu, 23 Apr 2026)


  Changed paths:
    M Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp
    M Source/WebCore/bindings/js/JSValueInWrappedObjectInlines.h
    M Source/WebCore/dom/AbortSignal.cpp
    M Source/WebCore/dom/CustomEvent.cpp
    M Source/WebCore/dom/InternalObserver.h
    M Source/WebCore/dom/InternalObserverLast.cpp
    M Source/WebCore/dom/InternalObserverReduce.cpp
    M Source/WebCore/dom/Subscriber.cpp
    M Source/WebCore/page/NavigateEvent.cpp

  Log Message:
  -----------
  Use JSValueInWrappedObject::set() instead of setWeakly() when value is 
visited during GC
https://bugs.webkit.org/show_bug.cgi?id=236353
rdar://89012493

Reviewed by Yusuke Suzuki.

JSValueInWrappedObject.h documents that setWeakly() must not be used when
the value will be visited via visitAdditionalChildrenInGCThread, because
the GC may prematurely collect the value without a write barrier. Use
set() instead, which calls setWeakly() followed by a write barrier.

For InternalObserverReduce and InternalObserverLast, added a
WeakPtr<Subscriber> back-reference on InternalObserver so the observer
can obtain the JSSubscriber wrapper to use as the write barrier owner.

* Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp:
(WebCore::AudioWorkletProcessor::buildJSArguments):
* Source/WebCore/dom/AbortSignal.cpp:
(WebCore::AbortSignal::markAborted):
* Source/WebCore/dom/CustomEvent.cpp:
(WebCore::CustomEvent::initCustomEvent):
* Source/WebCore/dom/InternalObserver.h:
(WebCore::InternalObserver::setSubscriber):
(WebCore::InternalObserver::subscriber const):
* Source/WebCore/dom/InternalObserverLast.cpp:
* Source/WebCore/dom/InternalObserverReduce.cpp:
* Source/WebCore/dom/Subscriber.cpp:
(WebCore::Subscriber::Subscriber):
* Source/WebCore/page/NavigateEvent.cpp:
(WebCore::NavigateEvent::NavigateEvent):

Canonical link: https://commits.webkit.org/311842@main



To unsubscribe from these emails, change your notification settings at 
https://github.com/WebKit/WebKit/settings/notifications

[webkit-changes] [WebKit/WebKit] b5c5cd: Use JSValueInWrappedObject::set() instead of setWe...

Reply via email to