Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 97721ca8c2a59ef7b9b3ad7bcf3b489fb767d34b
      
https://github.com/WebKit/WebKit/commit/97721ca8c2a59ef7b9b3ad7bcf3b489fb767d34b
  Author: Chris Dumez <[email protected]>
  Date:   2026-06-12 (Fri, 12 Jun 2026)

  Changed paths:
    A LayoutTests/fast/custom-elements/connectedMoveCallback-survives-gc-expected.txt
    A LayoutTests/fast/custom-elements/connectedMoveCallback-survives-gc.html
    M Source/WebCore/bindings/js/JSCustomElementInterface.cpp

  Log Message:
  -----------
  JSCustomElementInterface fails to visit m_connectedMoveCallback during GC
https://bugs.webkit.org/show_bug.cgi?id=316965

Reviewed by Anne van Kesteren.

JSCustomElementInterface stores each custom element reaction callback as a
JSC::Weak<JSObject> with no custom WeakHandleOwner, so the visitor.append()
calls in visitJSFunctionsInGCThread() are the only thing keeping those
functions alive across a garbage collection. That function appended every
callback except m_connectedMoveCallback, which was added later (in the
connectedMoveCallback() implementation) without updating the visit list.

As a result, once the only other reference to the connectedMoveCallback
function is dropped (e.g. the method is deleted off the constructor's
prototype), the function can be collected while its custom element definition
is still live and registered. After collection hasConnectedMoveCallback()
returns false, so a subsequent moveBefore() enqueues the
disconnected/connected reactions instead of connectedMove, silently changing
observable behavior.

Fix this by visiting m_connectedMoveCallback alongside the other callbacks,
in member-declaration order.

Test: fast/custom-elements/connectedMoveCallback-survives-gc.html

* LayoutTests/fast/custom-elements/connectedMoveCallback-survives-gc-expected.txt: Added.
* LayoutTests/fast/custom-elements/connectedMoveCallback-survives-gc.html: Added.
* Source/WebCore/bindings/js/JSCustomElementInterface.cpp:
(WebCore::JSCustomElementInterface::visitJSFunctionsInGCThread const):

Canonical link: https://commits.webkit.org/315105@main
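The GC pattern the message describes, as an added C++ illustration (not WebKit's code): a toy heap in which an object survives a collection only if a visitor appended it, plus a stand-in for JSCustomElementInterface whose visit list either omits or includes the connectedMove callback. The names Heap, Weak, Visitor, CustomElementInterface and connectedMoveCallbackSurvivesGC are constructed for the example.

```cpp
#include <algorithm>
#include <functional>
#include <memory>
#include <vector>

// Constructed miniature of the JSC pattern in the commit message: an object survives a
// collection only if a visitor appended it; a Weak with no WeakHandleOwner is just cleared.
struct JSObject { bool marked = false; };
struct Weak { JSObject* ptr = nullptr; explicit operator bool() const { return ptr != nullptr; } };
struct Visitor { void append(const Weak& w) { if (w.ptr) w.ptr->marked = true; } };
struct Heap {
    std::vector<std::unique_ptr<JSObject>> objects;
    JSObject* allocate() { objects.push_back(std::make_unique<JSObject>()); return objects.back().get(); }
    // Mark from the roots, then sweep: unmarked objects are freed and Weaks pointing at them nulled.
    void collect(const std::function<void(Visitor&)>& visitRoots, const std::vector<Weak*>& weaks) {
        for (auto& o : objects) o->marked = false;
        Visitor v;
        visitRoots(v);
        for (Weak* w : weaks)
            if (w->ptr && !w->ptr->marked) w->ptr = nullptr;
        objects.erase(std::remove_if(objects.begin(), objects.end(),
                                     [](const auto& o) { return !o->marked; }), objects.end());
    }
};
// Stand-in for JSCustomElementInterface; `fixed` toggles whether the connectedMove
// callback is on the visit list (the bug was that it was not).
struct CustomElementInterface {
    Weak connectedCallback, disconnectedCallback, adoptedCallback, connectedMoveCallback;
    bool fixed = false;
    void visitJSFunctionsInGCThread(Visitor& v) const {
        v.append(connectedCallback);
        v.append(disconnectedCallback);
        v.append(adoptedCallback);
        if (fixed) v.append(connectedMoveCallback); // the append the commit adds
    }
    bool hasConnectedMoveCallback() const { return bool(connectedMoveCallback); }
};
// The layout test's scenario: the definition holds the only references to its callbacks
// (the prototype methods were deleted), then a GC runs.
bool connectedMoveCallbackSurvivesGC(bool fixed) {
    Heap heap;
    CustomElementInterface def; def.fixed = fixed;
    std::vector<Weak*> weaks{&def.connectedCallback, &def.disconnectedCallback,
                             &def.adoptedCallback, &def.connectedMoveCallback};
    for (Weak* w : weaks) w->ptr = heap.allocate();
    heap.collect([&](Visitor& v) { def.visitJSFunctionsInGCThread(v); }, weaks);
    return def.hasConnectedMoveCallback(); // false with the bug, true with the fix
}
```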
