Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 80cc99fb32cb5757aad6ff9c4f816c09d1e1dae0
https://github.com/WebKit/WebKit/commit/80cc99fb32cb5757aad6ff9c4f816c09d1e1dae0
Author: David Kilzer <[email protected]>
Date: 2026-04-28 (Tue, 28 Apr 2026)
Changed paths:
M Source/WebCore/workers/WorkerMessagingProxy.cpp
Log Message:
-----------
WorkerMessagingProxy objects leak after calling worker.terminate() from
JavaScript
<https://bugs.webkit.org/show_bug.cgi?id=313389>
<rdar://175652847>

Reviewed by Chris Dumez.

Handle the case in `workerObjectDestroyed()` where
`workerGlobalScopeDestroyedInternal()` has already run. When
that happens, the proxy's thread, context, and identifier are
already cleaned up -- the only remaining work is releasing the
initial construction ref via `deref()`. Without this,
`workerObjectDestroyed()` returns early on the nullopt
identifier, leaving the ref permanently held.

Also clear `m_queuedEarlyTasks` in
`workerGlobalScopeDestroyedInternal()` because tasks queued
before the worker thread is created capture `Ref { *this }`,
forming a retain cycle through the proxy's own member vector
that prevents destruction even after `deref()` is called.

The leak was introduced in Bug 22723 (254597@main) which added
the null-context early return to `workerObjectDestroyed()` and
added `m_scriptExecutionContext = nullptr` to
`workerGlobalScopeDestroyedInternal()` as part of implementing
nested dedicated workers.

Test using `run-webkit-tests --leaks` with:
- workers/worker-set-delete-terminate-crash.html
- workers/worker-terminate-crash.html

* Source/WebCore/workers/WorkerMessagingProxy.cpp:
(WebCore::WorkerMessagingProxy::workerObjectDestroyed):
(WebCore::WorkerMessagingProxy::workerGlobalScopeDestroyedInternal):

Canonical link: https://commits.webkit.org/312256@main
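
The two lifetime problems named in the log message above, as an added simplified model (not WebKit source and not part of this commit), showing that neither change alone releases the proxy. `ProxyModel`, its `Ref` helper, the `derefFix`/`clearFix` switches and `releasedAfterTerminate()` are hypothetical names, and the model records the last `deref()` in a flag where real ref-counted code would delete the object.

```cpp
#include <cstdio>
#include <functional>
#include <vector>
// Simplified model, not WebKit source: the last deref() sets a flag instead of deleting.
class ProxyModel {
public:
    struct Ref { // RAII strong reference, standing in for Ref { *this }
        ProxyModel* p;
        explicit Ref(ProxyModel& o) : p(&o) { p->ref(); }
        Ref(const Ref& o) : p(o.p) { p->ref(); }
        ~Ref() { p->deref(); }
    };
    ProxyModel(bool derefFix, bool clearFix) : m_derefFix(derefFix), m_clearFix(clearFix) { }
    void ref() { ++m_refCount; }
    void deref() { if (!--m_refCount) m_destroyed = true; }
    bool destroyed() const { return m_destroyed; }
    void queueEarlyTask() { // queued before the worker thread exists
        Ref protectedThis(*this);
        m_queuedEarlyTasks.push_back([protectedThis] { (void)protectedThis; });
    }
    void workerGlobalScopeDestroyedInternal() {
        m_hasIdentifier = false; // models the identifier becoming nullopt
        if (m_clearFix)
            m_queuedEarlyTasks.clear(); // drops the refs captured by queued tasks
    }
    void workerObjectDestroyed() {
        if (!m_hasIdentifier) {
            if (m_derefFix)
                deref(); // release the initial construction ref
            return; // unpatched: early return, the construction ref stays held
        }
        deref(); // normal path, not exercised in this model
    }
private:
    bool m_derefFix, m_clearFix, m_destroyed { false }, m_hasIdentifier { true };
    int m_refCount { 1 }; // initial construction ref
    std::vector<std::function<void()>> m_queuedEarlyTasks; // declared last, destroyed first
};
bool releasedAfterTerminate(bool derefFix, bool clearFix) {
    ProxyModel proxy(derefFix, clearFix);
    proxy.queueEarlyTask();
    proxy.workerGlobalScopeDestroyedInternal(); // worker.terminate() tears the scope down
    proxy.workerObjectDestroyed();              // then the JS Worker object goes away
    return proxy.destroyed();
}
int main() { // prints 0 0 1: only the model with both changes releases the proxy
    std::printf("%d %d %d\n", releasedAfterTerminate(false, false),
        releasedAfterTerminate(true, false), releasedAfterTerminate(true, true));
}
```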