The ScheduledTask object is ref counted. There are two main owners: RunLoop::TimerBase m_scheduledTask and the RunLoop::m_schedules vector. When a new timer is scheduled while the current one is active but has not fired, the current one is marked as inactive so that it will not fire in the future, and a new one is created in the active state. The old one will be removed eventually when its original time comes to fire. But when the JSRun loop cancels a running timer, it just sets a new timer (to cancel the running one) with a long interval (10 years). Invalidated timers with such long intervals then have no chance to be removed from the task list. With a simple application using a repeating timer, it is easily observed that there are tens of thousands of inactive objects in the list within just a few minutes.
<rdar://problem/95890501>
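A minimal model of the accumulation described above, added here as an example rather than code from WebKit's RunLoopGeneric.cpp: the class and member names mirror the report, while the 100 ms timer, the eager pruneInactive() remedy and the leakedAfter() driver are assumptions of the model, not the fix in the linked PR.

```cpp
// Minimal model of the accumulation in the report (added example, not WebKit's code):
// rescheduling marks the current task inactive and pushes a fresh one, and an inactive
// task is dropped only at its original deadline, so a 10-year "cancel" never expires.
#include <algorithm>
#include <memory>
#include <vector>
using Ms = long long;  // integer milliseconds keep the deadline comparison exact
struct ScheduledTask { Ms fireTime; bool active = true; };  // ref counted via shared_ptr
struct RunLoop {
    Ms now = 0;
    std::vector<std::shared_ptr<ScheduledTask>> schedules;  // models RunLoop::m_schedules
    std::shared_ptr<ScheduledTask> schedule(Ms interval) {
        auto task = std::make_shared<ScheduledTask>();
        task->fireTime = now + interval;
        schedules.push_back(task);
        return task;
    }
    // Advance time; only tasks whose deadline has passed are dropped, active or not.
    void advance(Ms dt) {
        now += dt;
        schedules.erase(std::remove_if(schedules.begin(), schedules.end(),
            [&](auto& t) { return t->fireTime <= now; }), schedules.end());
    }
    // Assumed remedy for this model: drop superseded tasks eagerly, not at their deadline.
    void pruneInactive() {
        schedules.erase(std::remove_if(schedules.begin(), schedules.end(),
            [](auto& t) { return !t->active; }), schedules.end());
    }
};
struct TimerBase {
    RunLoop& loop;
    std::shared_ptr<ScheduledTask> scheduledTask;  // models TimerBase::m_scheduledTask
    explicit TimerBase(RunLoop& l) : loop(l) {}
    void start(Ms interval) {
        if (scheduledTask) scheduledTask->active = false;  // old task lingers in the list
        scheduledTask = loop.schedule(interval);
    }
};
constexpr Ms kTenYears = 10LL * 365 * 24 * 3600 * 1000;  // the "cancel" interval from the report
// Run `cycles` arm/cancel rounds of a 100 ms timer; return inactive tasks left in the list.
long leakedAfter(long cycles, bool pruneOnCancel) {
    RunLoop loop; TimerBase timer(loop);
    for (long i = 0; i < cycles; ++i) {
        timer.start(100);        // arm the repeating timer
        loop.advance(50);        // cancel arrives before it fires
        timer.start(kTenYears);  // cancel by rescheduling far into the future
        if (pruneOnCancel) loop.pruneInactive();
    }
    return std::count_if(loop.schedules.begin(), loop.schedules.end(), [](auto& t) { return !t->active; });
}
```

Without pruning, every cancel leaves one more inactive entry behind, so the list grows by one per cycle; with eager pruning the list holds only the single live task.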
Note: Apple ports do not use this code, so this is not relevant to specific iOS or macOS releases.
The JSCOnly port and the PlayStation port use RunLoopGeneric.cpp.
Basuke already has a fix (he is on PTO).
https://github.com/WebKit/WebKit/pull/2869
Committed 253065@main (cef910fdba39): <https://commits.webkit.org/253065@main> Reviewed commits have been landed. Closing PR #2869 and removing active labels.