Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 8ee6856c51be9aa6874fac8bee521ae6c9c891dc
      https://github.com/WebKit/WebKit/commit/8ee6856c51be9aa6874fac8bee521ae6c9c891dc
  Author: Chris Dumez <[email protected]>
  Date:   2026-05-06 (Wed, 06 May 2026)

  Changed paths:
    M Source/WebCore/bindings/js/DOMWrapperWorld.cpp
    M Source/WebCore/bindings/js/DOMWrapperWorld.h
    M Source/WebCore/bindings/js/JSEventListener.cpp
    M Source/WebCore/bindings/js/JSEventListener.h
    M Source/WebCore/platform/Logging.h
    M Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj
    A Tools/TestWebKitAPI/Tests/WebKit/WKWebView/ClearWrappersNavigatePlugIn.mm
    M Tools/TestWebKitAPI/Tests/WebKit/WKWebView/NavigationAPI.mm

  Log Message:
  -----------
  `ASSERTION FAILED: m_wrapper` when visiting pages in Safari in Debug
https://bugs.webkit.org/show_bug.cgi?id=314051
rdar://173442940

Reviewed by Ben Nham.

When a JSEventListener is created in an isolated world and that world's
wrappers are subsequently cleared via WKBundleScriptWorldClearWrappers(),
the listener's weak wrapper reference becomes stale after GC. If an event
then fires, ensureJSFunction() hits ASSERT(m_wrapper) because
m_isInitialized is true but the wrapper has been collected.

Fix this by introducing a DOMWrapperWorldClient interface that allows
objects to be notified before a world's wrappers are cleared.
JSEventListener now registers as a client and invalidates itself
(clearing its wrapper, function, and world references) in response,
causing ensureJSFunction() to return early via the null m_isolatedWorld
check.

Tests: Tools/TestWebKitAPI/Tests/WebKit/WKWebView/ClearWrappersNavigatePlugIn.mm
       Tools/TestWebKitAPI/Tests/WebKit/WKWebView/NavigationAPI.mm

* Source/WebCore/bindings/js/DOMWrapperWorld.cpp:
(WebCore::DOMWrapperWorld::clearWrappers):
(WebCore::DOMWrapperWorld::addEventListener):
(WebCore::DOMWrapperWorld::removeEventListener):
* Source/WebCore/bindings/js/DOMWrapperWorld.h:
* Source/WebCore/bindings/js/JSEventListener.cpp:
(WebCore::JSEventListener::JSEventListener):
(WebCore::eventHandlerAttribute):
(WebCore::JSEventListener::handleEvent):
(WebCore::JSEventListener::functionName const):
(WebCore::JSEventListener::invalidate):
(WebCore::JSEventListener::willDestroyVM):
* Source/WebCore/bindings/js/JSEventListener.h:
(WebCore::JSEventListener::isolatedWorld const):
(WebCore::JSEventListener::ensureJSFunction const):
* Source/WebCore/platform/Logging.h:
* Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
* Tools/TestWebKitAPI/Tests/WebKit/WKWebView/ClearWrappersNavigatePlugIn.mm: Added.
(-[ClearWrappersNavigatePlugIn webProcessPlugIn:didCreateBrowserContextController:]):
(-[ClearWrappersNavigatePlugIn webProcessPlugInBrowserContextController:didFinishLoadForFrame:]):
* Tools/TestWebKitAPI/Tests/WebKit/WKWebView/NavigationAPI.mm:
(TestWebKitAPI::TEST(NavigationAPI, ClearWrappersWithNavigateEventListener)):

Canonical link: https://commits.webkit.org/312677@main
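
The invalidate-before-clear pattern described in the log message, as an added illustration that is not code from this commit or from WebKit. World, WorldClient, Listener and fireAfterClear are hypothetical stand-ins, and a shared_ptr/weak_ptr pair is assumed here to model the GC-owned wrapper and the listener's weak reference to it.

```cpp
#include <memory>
#include <unordered_set>

// Simplified model; every type here is a hypothetical stand-in, not a WebKit class.
struct WorldClient {
    virtual ~WorldClient() = default;
    virtual void willClearWrappers() = 0;
};
struct World {
    std::unordered_set<WorldClient*> clients;
    std::shared_ptr<int> wrapperStorage = std::make_shared<int>(1); // stands in for a GC-owned wrapper
    void clearWrappers() {
        auto snapshot = clients; // clients unregister themselves while being notified
        for (auto* client : snapshot) client->willClearWrappers();
        wrapperStorage.reset(); // models the wrapper being collected afterwards
    }
};
enum class State { Ready, Invalidated, StaleWrapper };

class Listener : public WorldClient {
public:
    Listener(World& world, bool registerAsClient)
        : m_world(&world), m_wrapper(world.wrapperStorage), m_registered(registerAsClient) {
        if (m_registered) m_world->clients.insert(this);
    }
    ~Listener() override { invalidate(); }
    void willClearWrappers() override { invalidate(); }
    // Same order as the log describes: null-world check first, wrapper check second.
    State ensureFunction() const {
        if (!m_world) return State::Invalidated;             // early return after invalidation
        if (m_wrapper.expired()) return State::StaleWrapper; // initialized, but the wrapper is gone
        return State::Ready;
    }
private:
    void invalidate() {
        if (m_world && m_registered) m_world->clients.erase(this);
        m_world = nullptr;
        m_wrapper.reset();
    }
    World* m_world;
    std::weak_ptr<int> m_wrapper;
    bool m_registered;
};
// Clears the world's wrappers, then reports what a later event dispatch would see.
State fireAfterClear(bool registerAsClient) {
    World world;
    Listener listener(world, registerAsClient);
    world.clearWrappers();
    return listener.ensureFunction();
}
int main() { return fireAfterClear(true) == State::Invalidated ? 0 : 1; }
```

A listener that never registers as a client reaches the StaleWrapper branch, which is the state the log message reports as tripping the assertion.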