144508 2015-05-01 16:00:46 -0700 [GTK] API tests crashing on debug builds due to extra unref 2015-05-03 02:56:01 -0700 1 1 1 Unclassified WebKit Tools / Tests 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED P2 Normal --- 1 mario mario cgarcia gustavo mcatanzaro mrobinson oldest_to_newest 1090939 0 mario 2015-05-01 16:00:46 -0700 At the moment, the TestWebKitWebContext test suite is crashing on the GTK+ Debug but due to a problem caused by the URISchemeTest test suite: https://build.webkit.org/builders/GTK%20Linux%2064-bit%20Debug%20%28Tests%29/builds/4430/steps/API%20tests/logs/stdio I reproduced the very same error locally, and this is the backtrace I got: ASSERTION FAILED: m_table ../../Source/WTF/wtf/HashTable.h(210) : void WTF::HashTableConstIterator<Key, Value, Extractor, HashFunctions, Traits, KeyTraits>::checkValidity() const [with Key = WebCore::FrameDestructionObserver*; Value = WebCore::FrameDestructionObserver*; Extractor = WTF::IdentityExtractor; HashFunctions = WTF::PtrHash<WebCore::FrameDestructionObserver*>; Traits = WTF::HashTraits<WebCore::FrameDestructionObserver*>; KeyTraits = WTF::HashTraits<WebCore::FrameDestructionObserver*>] 1 0x7f64062f50b9 /home/mario/work/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(WTFCrash+0x1e) [0x7f64062f50b9] 2 0x7f640c548dfb /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNK3WTF22HashTableConstIteratorIPN7WebCore24FrameDestructionObserverES3_NS_17IdentityExtractorENS_7PtrHashIS3_EENS_10HashTraitsIS3_EES8_E13checkValidityEv+0x3d) [0x7f640c548dfb] 3 0x7f640c54829c /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN3WTF22HashTableConstIteratorIPN7WebCore24FrameDestructionObserverES3_NS_17IdentityExtractorENS_7PtrHashIS3_EENS_10HashTraitsIS3_EES8_EppEv+0x18) [0x7f640c54829c] 4 0x7f640c546ea8 /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN3WTF29HashTableConstIteratorAdapterINS_9HashTableIPN7WebCore24FrameDestructionObserverES4_NS_17IdentityExtractorENS_7PtrHashIS4_EENS_10HashTraitsIS4_EES9_EES4_EppEv+0x18) [0x7f640c546ea8] 5 0x7f640c5448e8 /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore5Frame14willDetachPageEv+0xc4) [0x7f640c5448e8] 6 0x7f640c400392 /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore11FrameLoader16detachFromParentEv+0x142) [0x7f640c400392] 7 0x7f640b88662e /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN6WebKit7WebPage5closeEv+0x3c2) [0x7f640b88662e] 8 0x7f640ba44994 /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN3IPC22callMemberFunctionImplIN6WebKit7WebPageEMS2_FvvESt5tupleIJEEJEEEvPT_T0_OT1_St14index_sequenceIJXspT2_EEE+0x65) [0x7f640ba44994] 9 0x7f640ba42a7c /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN3IPC18callMemberFunctionIN6WebKit7WebPageEMS2_FvvESt5tupleIIEESt19make_index_sequenceILm0EEEEvOT1_PT_T0_+0x41) [0x7f640ba42a7c] 10 0x7f640ba3ed5a /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN3IPC13handleMessageIN8Messages7WebPage5CloseEN6WebKit7WebPageEMS5_FvvEEEvRNS_14MessageDecoderEPT0_T1_+0x8f) [0x7f640ba3ed5a] 11 0x7f640ba39194 /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN6WebKit7WebPage24didReceiveWebPageMessageERN3IPC10ConnectionERNS1_14MessageDecoderE+0x1eba) [0x7f640ba39194] 12 0x7f640b89100f /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN6WebKit7WebPage17didReceiveMessageERN3IPC10ConnectionERNS1_14MessageDecoderE+0x185) [0x7f640b89100f] 13 0x7f640b5252f8 /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN3IPC18MessageReceiverMap15dispatchMessageERNS_10ConnectionERNS_14MessageDecoderE+0x120) [0x7f640b5252f8] 14 0x7f640b750870 /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN6WebKit10WebProcess17didReceiveMessageERN3IPC10ConnectionERNS1_14MessageDecoderE+0x4c) [0x7f640b750870] 15 0x7f640b5130f0 /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN3IPC10Connection15dispatchMessageERNS_14MessageDecoderE+0x3a) [0x7f640b5130f0] 16 0x7f640b5131bc /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN3IPC10Connection15dispatchMessageESt10unique_ptrINS_14MessageDecoderESt14default_deleteIS2_EE+0xca) [0x7f640b5131bc] 17 0x7f640b51337f /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN3IPC10Connection18dispatchOneMessageEv+0xcd) [0x7f640b51337f] 18 0x7f640b512f36 /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0x4252f36) [0x7f640b512f36] 19 0x7f640b5144fe /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0x42544fe) [0x7f640b5144fe] 20 0x7f640b52dac4 /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNKSt8functionIFvvEEclEv+0x32) [0x7f640b52dac4] 21 0x7f640d4b6be9 /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN3WTF7RunLoop11performWorkEv+0xdb) [0x7f640d4b6be9] 22 0x7f640d4ba712 /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0x61fa712) [0x7f640d4ba712] 23 0x7f640d4bac9a /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0x61fac9a) [0x7f640d4bac9a] 24 0x7f640b52dac4 /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNKSt8functionIFvvEEclEv+0x32) [0x7f640b52dac4] 25 0x7f640634106f /home/mario/work/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3WTF15GMainLoopSource12voidCallbackEv+0x6d) [0x7f640634106f] 26 0x7f6406341773 /home/mario/work/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3WTF15GMainLoopSource18voidSourceCallbackEPS0_+0x23) [0x7f6406341773] 27 0x7f6401ee458d /home/mario/work/WebKit/WebKitBuild/DependenciesGTK/Root/lib64/libglib-2.0.so.0(g_main_context_dispatch+0x13d) [0x7f6401ee458d] 28 0x7f6401ee4928 /home/mario/work/WebKit/WebKitBuild/DependenciesGTK/Root/lib64/libglib-2.0.so.0(+0x48928) [0x7f6401ee4928] 29 0x7f6401ee4c42 /home/mario/work/WebKit/WebKitBuild/DependenciesGTK/Root/lib64/libglib-2.0.so.0(g_main_loop_run+0xc2) [0x7f6401ee4c42] 30 0x7f640d4ba48c /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN3WTF7RunLoop3runEv+0x42) [0x7f640d4ba48c] 31 0x7f640b9b4b06 /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN6WebKit16ChildProcessMainINS_10WebProcessENS_14WebProcessMainEEEiiPPc+0x82) [0x7f640b9b4b06] 1090952 1 mario 2015-05-01 16:17:14 -0700 I debugged this extensively today, and found out that the problem seems to be that the hashtable holding the destruction observers for the Frame is being prematurely cleared due to a problem initiated when WebFrameLoaderClient::dispatchDidFinishDocumentLoad() is run, at the time it tries to notify the InjectedBundle: void WebFrameLoaderClient::dispatchDidFinishDocumentLoad() { [...] // Notify the bundle client. webPage->injectedBundleLoaderClient().didFinishDocumentLoadForFrame(webPage, m_frame, userData); [...] } This bit will end up getting the following callback in Tools/TestWebKitAPI/Tests/WebKit2Gtk/WebExtensionTest.cpp executed: static void documentLoadedCallback(WebKitWebPage* webPage, WebKitWebExtension* extension) { // FIXME: Too much code just to send a message, we need convenient custom API for this. WebKitDOMDocument* document = webkit_web_page_get_dom_document(webPage); GRefPtr<WebKitDOMDOMWindow> window = adoptGRef(webkit_dom_document_get_default_view(document)); if (WebKitDOMWebKitNamespace* webkit = webkit_dom_dom_window_get_webkit_namespace(window.get())) { WebKitDOMUserMessageHandlersNamespace* messageHandlers = webkit_dom_webkit_namespace_get_message_handlers(webkit); if (WebKitDOMUserMessageHandler* handler = webkit_dom_user_message_handlers_namespace_get_handler(messageHandlers, "dom")) webkit_dom_user_message_handler_post_message(handler, "DocumentLoaded"); } webkit_dom_dom_window_webkit_message_handlers_post_message(window.get(), "dom-convenience", "DocumentLoaded"); gpointer data = g_object_get_data(G_OBJECT(extension), "dbus-connection"); if (data) emitDocumentLoaded(G_DBUS_CONNECTION(data)); else delayedSignalsQueue.append(DelayedSignal(DocumentLoadedSignal)); } ...and this seems to be the problem: before r180214 [1], 'window' was just a raw pointer obtained as this: GRefPtr<WebKitDOMDOMWindow> window = adoptGRef(webkit_dom_document_get_default_view(document)); However, since r180214 it's now put in a GRefPtr<WebKitDOMDOMWindow>, meaning that its refcount will get decreased as soon as we live the scope of this function. And because we are using adoptGRef() here, that means that 'window' won't increase the refcount at all when getting the value from webkit_dom_document_get_default_view(), effectively being 1 at the time this callback finishes, causing the destruction of this 'window' object. And this would be probably ok if 'window' was not cached inside the DOMCache, but the truth is that it is cached (automatically on construction the first time time it's requested via webkit_dom_document_get_default_view()). So, we can't simply steal the reference from the cache and unref it freely afterwards or we will get the crash we are seeing. So, I believe we either drop the adoptGRef() usage and prevent the refcount of 'window' from getting to zero or, even simpler, we stop using GRefPtr<> and use a raw pointer as it used to be the case before r180214, which seems also to be the case everywhere else but here (which looks like a mistake): $ git grep webkit_dom_document_get_default_view Tests/WebKit2Gtk/DOMDOMWindowTest.cpp: WebKitDOMDOMWindow* domWindow = webkit_dom_document_get_default_view(document); Tests/WebKit2Gtk/DOMDOMWindowTest.cpp: WebKitDOMDOMWindow* domWindow = webkit_dom_document_get_default_view(document); Tests/WebKit2Gtk/DOMDOMWindowTest.cpp: WebKitDOMDOMWindow* domWindow = webkit_dom_document_get_default_view(document); Tests/WebKit2Gtk/WebExtensionTest.cpp: GRefPtr<WebKitDOMDOMWindow> window = adoptGRef(webkit_dom_document_get_default_view(document)); Doing either way will get the crash gone. [1] http://trac.webkit.org/changeset/180214 1090962 2 mario 2015-05-01 16:33:08 -0700 I just realized, both by checking the log in the buildbot and running locally the tests myself, that this crash is not exclusive to TestWebKitWebContext, but to all the following test suites: * TestWebKitWebContext * TestWebKitFaviconDatabase * TestWebKitUserContentManager * TestLoaderClient * TestResources Renaming the bug accordingly... 1090972 3 252196 mario 2015-05-01 16:42:29 -0700 Created attachment 252196 Patch proposal The following patch moves back to using a raw pointer here, which I think it's ok because I can't see anyway the point of stealing the only reference for an object that is supposed to be cached :). Please review, thanks! 1090986 4 mcatanzaro 2015-05-01 17:10:13 -0700 Thanks for debugging this! I'm concerned about this patch because webkit_dom_document_get_default_view() is documented to be transfer full, so it really does need to be unreffed. I would expect the cache to ref it before returning it. 1090988 5 mcatanzaro 2015-05-01 17:10:36 -0700 *** Bug 141736 has been marked as a duplicate of this bug. *** 1091016 6 mario 2015-05-01 18:07:37 -0700 (In reply to comment #4) > Thanks for debugging this! > > I'm concerned about this patch because > webkit_dom_document_get_default_view() is documented to be transfer full, so > it really does need to be unreffed. I would expect the cache to ref it > before returning it. Actually, I'm concerned about the very same thing, but it's late here and forgot to mention it (I did mention it on IRC to Martin, though) before attaching the patch, which I wanted to do anyway because I'm unsure I will be able to devote much time to WK next week. Anyway, it might even be a bug in the documentation because everywhere I see this function used it's actually treating it like transfer-none, but of course I'm not 100% sure about it either. What I can say, though, is that I've checked a similar function that is documented to be transfer none (webkit_dom_document_get_document_element()) and to me they do look very similar: WebKitDOMElement* webkit_dom_document_get_document_element(WebKitDOMDocument* self) { WebCore::JSMainThreadNullState state; g_return_val_if_fail(WEBKIT_DOM_IS_DOCUMENT(self), 0); WebCore::Document* item = WebKit::core(self); RefPtr<WebCore::Element> gobjectResult = WTF::getPtr(item->documentElement()); return WebKit::kit(gobjectResult.get()); } WebKitDOMDOMWindow* webkit_dom_document_get_default_view(WebKitDOMDocument* self) { WebCore::JSMainThreadNullState state; g_return_val_if_fail(WEBKIT_DOM_IS_DOCUMENT(self), 0); WebCore::Document* item = WebKit::core(self); RefPtr<WebCore::DOMWindow> gobjectResult = WTF::getPtr(item->defaultView()); return WebKit::kit(gobjectResult.get()); } And if you check WebKitDOMDOMWindow.cpp, you'll see that indeed no extra reference is being added to the value returned, which is simply returned from the cache (if there) or created for the first time and returned as is (will be added to the cache from the GObject constructor), in a similar fashion to what is done in, for instance, WebKitDOMDOMSelection. So, all in all, I think you raised a very good point, because either there's a bug in the doc that needs to be fixed, or this patch I'm proposing would be wrong and there's some extra ref that needs to be added somewhere, probably in WebKit::kit() inside WebKitDOMDOMWindow.cpp, but I'd rather wait until next week, so that we give others a chance to comment too. 1091054 7 cgarcia 2015-05-02 00:51:51 -0700 (In reply to comment #1) > I debugged this extensively today, and found out that the problem seems to > be that the hashtable holding the destruction observers for the Frame is > being prematurely cleared due to a problem initiated when > WebFrameLoaderClient::dispatchDidFinishDocumentLoad() is run, at the time it > tries to notify the InjectedBundle: > > void WebFrameLoaderClient::dispatchDidFinishDocumentLoad() > { > [...] > > // Notify the bundle client. > > webPage->injectedBundleLoaderClient().didFinishDocumentLoadForFrame(webPage, > m_frame, userData); > > [...] > } > > This bit will end up getting the following callback in > Tools/TestWebKitAPI/Tests/WebKit2Gtk/WebExtensionTest.cpp executed: > > static void documentLoadedCallback(WebKitWebPage* webPage, > WebKitWebExtension* extension) > { > // FIXME: Too much code just to send a message, we need convenient > custom API for this. > WebKitDOMDocument* document = > webkit_web_page_get_dom_document(webPage); > GRefPtr<WebKitDOMDOMWindow> window = > adoptGRef(webkit_dom_document_get_default_view(document)); > if (WebKitDOMWebKitNamespace* webkit = > webkit_dom_dom_window_get_webkit_namespace(window.get())) { > WebKitDOMUserMessageHandlersNamespace* messageHandlers = > webkit_dom_webkit_namespace_get_message_handlers(webkit); > if (WebKitDOMUserMessageHandler* handler = > webkit_dom_user_message_handlers_namespace_get_handler(messageHandlers, > "dom")) > webkit_dom_user_message_handler_post_message(handler, > "DocumentLoaded"); > } > > > webkit_dom_dom_window_webkit_message_handlers_post_message(window.get(), > "dom-convenience", "DocumentLoaded"); > > gpointer data = g_object_get_data(G_OBJECT(extension), > "dbus-connection"); > if (data) > emitDocumentLoaded(G_DBUS_CONNECTION(data)); > else > delayedSignalsQueue.append(DelayedSignal(DocumentLoadedSignal)); > } > > > ...and this seems to be the problem: before r180214 [1], 'window' was just a > raw pointer obtained as this: > > GRefPtr<WebKitDOMDOMWindow> window = > adoptGRef(webkit_dom_document_get_default_view(document)); > > > However, since r180214 it's now put in a GRefPtr<WebKitDOMDOMWindow>, > meaning that its refcount will get decreased as soon as we live the scope of > this function. And because we are using adoptGRef() here, that means that > 'window' won't increase the refcount at all when getting the value from > webkit_dom_document_get_default_view(), effectively being 1 at the time this > callback finishes, causing the destruction of this 'window' object. This is the expected behaviour, the dom wrapper is destroyed, but that shouldn't affect the core object, since all wrapped objects are refed/unrefed. > And this would be probably ok if 'window' was not cached inside the > DOMCache, but the truth is that it is cached (automatically on construction > the first time time it's requested via > webkit_dom_document_get_default_view()). So, we can't simply steal the > reference from the cache and unref it freely afterwards or we will get the > crash we are seeing. We should be able. The problem might be that the core object is destroyed as well, and that shouldn't happen. > So, I believe we either drop the adoptGRef() usage and prevent the refcount > of 'window' from getting to zero or, even simpler, we stop using GRefPtr<> > and use a raw pointer as it used to be the case before r180214, which seems > also to be the case everywhere else but here (which looks like a mistake): > > $ git grep webkit_dom_document_get_default_view > Tests/WebKit2Gtk/DOMDOMWindowTest.cpp: WebKitDOMDOMWindow* > domWindow = webkit_dom_document_get_default_view(document); > Tests/WebKit2Gtk/DOMDOMWindowTest.cpp: WebKitDOMDOMWindow* > domWindow = webkit_dom_document_get_default_view(document); > Tests/WebKit2Gtk/DOMDOMWindowTest.cpp: WebKitDOMDOMWindow* > domWindow = webkit_dom_document_get_default_view(document); > Tests/WebKit2Gtk/WebExtensionTest.cpp: GRefPtr<WebKitDOMDOMWindow> > window = adoptGRef(webkit_dom_document_get_default_view(document)); DOMDOMWindowTest.cpp doesn't actually exist, I think it's a wip from quique that I ended up pushing by mistake at some point. > Doing either way will get the crash gone. I think that simply hides the actual problem by leaking the WebKitDOMDOMWindow object. Thanks a lot for the analysis, it'll definitely help to catch the real problem. I'm going to look at it. > [1] http://trac.webkit.org/changeset/180214 1091084 8 252196 cgarcia 2015-05-02 08:13:34 -0700 Comment on attachment 252196 Patch proposal This is indeed leaking the DOMWindow and hiding the actual bug 1091086 9 252230 cgarcia 2015-05-02 08:28:21 -0700 Created attachment 252230 Patch This fixes the crashes for me. 1091100 10 252230 mrobinson 2015-05-02 09:15:37 -0700 Comment on attachment 252230 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=252230&action=review > Source/WebCore/ChangeLog:13 > + created, the DOM object cache was notified about the previous > + DOMWindow being destroyed before objects for the new DOMWindow are > + added to the cache. However, that's not always the case and we > + only create a DOMWindowObserver for the first DOMWindow. We need > + to keep a pointer to the DOMWindow being observed to clear() the Does this mean the cache is leaking in some cases? 1091192 11 cgarcia 2015-05-03 00:44:32 -0700 (In reply to comment #10) > Comment on attachment 252230 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=252230&action=review > > > Source/WebCore/ChangeLog:13 > > + created, the DOM object cache was notified about the previous > > + DOMWindow being destroyed before objects for the new DOMWindow are > > + added to the cache. However, that's not always the case and we > > + only create a DOMWindowObserver for the first DOMWindow. We need > > + to keep a pointer to the DOMWindow being observed to clear() the > > Does this mean the cache is leaking in some cases? Not exactly, but objects are released a bit later, when the first DOMwindow object is destroyed, or when the page is detached. 1091196 12 252230 mario 2015-05-03 01:16:19 -0700 Comment on attachment 252230 Patch I'm so happy you found the actual bug and wrote the right patch! Now I might even find time to finish my work on bug 144262, which is what I actually intented to work on when I got sucked by this other problem :). Patch looks great to me, btw. Thanks, 1091198 13 cgarcia 2015-05-03 02:56:01 -0700 Committed r183729: <http://trac.webkit.org/changeset/183729> 252196 2015-05-01 16:42:29 -0700 2015-05-02 08:28:21 -0700 Patch proposal bug-144508-20150502004116.patch text/plain 2763 mario U3VidmVyc2lvbiBSZXZpc2lvbjogMTgzNjk1CmRpZmYgLS1naXQgYS9Ub29scy9DaGFuZ2VMb2cg Yi9Ub29scy9DaGFuZ2VMb2cKaW5kZXggNmVhM2MyOGEyMTRlODM0YTU5OGJhOGYxYzM0MzIyOWNm NzgxOTk2Yi4uMGI0ZmQ0MmYzZmZhZmYxNWYxZGM4OTQwMjk5NTU0N2M5MzgwNzQzNSAxMDA2NDQK LS0tIGEvVG9vbHMvQ2hhbmdlTG9nCisrKyBiL1Rvb2xzL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE5 IEBACisyMDE1LTA1LTAxICBNYXJpbyBTYW5jaGV6IFByYWRhICA8bWFyaW9AZW5kbGVzc20uY29t PgorCisgICAgICAgIFtHVEtdIEFQSSB0ZXN0cyBjcmFzaGluZyBvbiBkZWJ1ZyBidWlsZHMgZHVl IHRvIGV4dHJhIHVucmVmCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVn LmNnaT9pZD0xNDQ1MDgKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKwor ICAgICAgICBCZSBjYXJlZnVsIG5vdCB0byB1bnJlZiB0aGUgbGFzdCByZWZlcmVuY2UgdG8gdGhl IERPTSBkZWZhdWx0IHZpZXcKKyAgICAgICAgYWZ0ZXIgY2FsbGluZyB3ZWJraXRfZG9tX2RvY3Vt ZW50X2dldF9kZWZhdWx0X3ZpZXcoKSwgYXMgaXQgYmVsb25ncworICAgICAgICB0byB0aGUgRE9N Q2FjaGUuIFVzZSBhIHJhdyBwb2ludGVyIGluc3RlYWQsIGluIHRoZSBzYW1lIHdheSBpdCdzCisg ICAgICAgIGFscmVhZHkgYmVpbmcgdXNlZCBpbnNpZGUgRE9NRE9NV2luZG93VGVzdC5jcHAuCisK KyAgICAgICAgKiBUZXN0V2ViS2l0QVBJL1Rlc3RzL1dlYktpdDJHdGsvV2ViRXh0ZW5zaW9uVGVz dC5jcHA6CisgICAgICAgIChkb2N1bWVudExvYWRlZENhbGxiYWNrKTogVXNlIGEgcmF3IHBvaW50 ZXIgZm9yIHRoZSBkZWZhdWx0IHdpbmRvdworICAgICAgICByZXRyaWV2ZWQgdmlhIHdlYmtpdF9k b21fZG9jdW1lbnRfZ2V0X2RlZmF1bHRfdmlldygpLgorCiAyMDE1LTA1LTAxICBCYXNpbGUgQ2xl bWVudCAgPGJhc2lsZV9jbGVtZW50QGFwcGxlLmNvbT4KIAogICAgICAgICBVbnJldmlld2VkLiBB ZGQgbXlzZWxmIGFzIGEgY29tbWl0ZXIgaW4gY29udHJpYnV0b3JzLmpzb24uCmRpZmYgLS1naXQg YS9Ub29scy9UZXN0V2ViS2l0QVBJL1Rlc3RzL1dlYktpdDJHdGsvV2ViRXh0ZW5zaW9uVGVzdC5j cHAgYi9Ub29scy9UZXN0V2ViS2l0QVBJL1Rlc3RzL1dlYktpdDJHdGsvV2ViRXh0ZW5zaW9uVGVz dC5jcHAKaW5kZXggNTY2N2ZhOGIzODQwOWM4YjBiZmMwYjRmNjkyODM4NGNkZTc4ZTQ5MS4uZWQ5 ODcyNjI4OGE5YzZmZDU0NGM0Y2M1NDQ2ZWI0ZDIzZWU1MDBkNyAxMDA2NDQKLS0tIGEvVG9vbHMv VGVzdFdlYktpdEFQSS9UZXN0cy9XZWJLaXQyR3RrL1dlYkV4dGVuc2lvblRlc3QuY3BwCisrKyBi L1Rvb2xzL1Rlc3RXZWJLaXRBUEkvVGVzdHMvV2ViS2l0Mkd0ay9XZWJFeHRlbnNpb25UZXN0LmNw cApAQCAtMTAwLDE0ICsxMDAsMTQgQEAgc3RhdGljIHZvaWQgZG9jdW1lbnRMb2FkZWRDYWxsYmFj ayhXZWJLaXRXZWJQYWdlKiB3ZWJQYWdlLCBXZWJLaXRXZWJFeHRlbnNpb24qIGUKIHsKICAgICAv LyBGSVhNRTogVG9vIG11Y2ggY29kZSBqdXN0IHRvIHNlbmQgYSBtZXNzYWdlLCB3ZSBuZWVkIGNv bnZlbmllbnQgY3VzdG9tIEFQSSBmb3IgdGhpcy4KICAgICBXZWJLaXRET01Eb2N1bWVudCogZG9j dW1lbnQgPSB3ZWJraXRfd2ViX3BhZ2VfZ2V0X2RvbV9kb2N1bWVudCh3ZWJQYWdlKTsKLSAgICBH UmVmUHRyPFdlYktpdERPTURPTVdpbmRvdz4gd2luZG93ID0gYWRvcHRHUmVmKHdlYmtpdF9kb21f ZG9jdW1lbnRfZ2V0X2RlZmF1bHRfdmlldyhkb2N1bWVudCkpOwotICAgIGlmIChXZWJLaXRET01X ZWJLaXROYW1lc3BhY2UqIHdlYmtpdCA9IHdlYmtpdF9kb21fZG9tX3dpbmRvd19nZXRfd2Via2l0 X25hbWVzcGFjZSh3aW5kb3cuZ2V0KCkpKSB7CisgICAgV2ViS2l0RE9NRE9NV2luZG93KiB3aW5k b3cgPSB3ZWJraXRfZG9tX2RvY3VtZW50X2dldF9kZWZhdWx0X3ZpZXcoZG9jdW1lbnQpOworICAg IGlmIChXZWJLaXRET01XZWJLaXROYW1lc3BhY2UqIHdlYmtpdCA9IHdlYmtpdF9kb21fZG9tX3dp bmRvd19nZXRfd2Via2l0X25hbWVzcGFjZSh3aW5kb3cpKSB7CiAgICAgICAgIFdlYktpdERPTVVz ZXJNZXNzYWdlSGFuZGxlcnNOYW1lc3BhY2UqIG1lc3NhZ2VIYW5kbGVycyA9IHdlYmtpdF9kb21f d2Via2l0X25hbWVzcGFjZV9nZXRfbWVzc2FnZV9oYW5kbGVycyh3ZWJraXQpOwogICAgICAgICBp ZiAoV2ViS2l0RE9NVXNlck1lc3NhZ2VIYW5kbGVyKiBoYW5kbGVyID0gd2Via2l0X2RvbV91c2Vy X21lc3NhZ2VfaGFuZGxlcnNfbmFtZXNwYWNlX2dldF9oYW5kbGVyKG1lc3NhZ2VIYW5kbGVycywg ImRvbSIpKQogICAgICAgICAgICAgd2Via2l0X2RvbV91c2VyX21lc3NhZ2VfaGFuZGxlcl9wb3N0 X21lc3NhZ2UoaGFuZGxlciwgIkRvY3VtZW50TG9hZGVkIik7CiAgICAgfQogCi0gICAgd2Via2l0 X2RvbV9kb21fd2luZG93X3dlYmtpdF9tZXNzYWdlX2hhbmRsZXJzX3Bvc3RfbWVzc2FnZSh3aW5k b3cuZ2V0KCksICJkb20tY29udmVuaWVuY2UiLCAiRG9jdW1lbnRMb2FkZWQiKTsKKyAgICB3ZWJr aXRfZG9tX2RvbV93aW5kb3dfd2Via2l0X21lc3NhZ2VfaGFuZGxlcnNfcG9zdF9tZXNzYWdlKHdp bmRvdywgImRvbS1jb252ZW5pZW5jZSIsICJEb2N1bWVudExvYWRlZCIpOwogCiAgICAgZ3BvaW50 ZXIgZGF0YSA9IGdfb2JqZWN0X2dldF9kYXRhKEdfT0JKRUNUKGV4dGVuc2lvbiksICJkYnVzLWNv bm5lY3Rpb24iKTsKICAgICBpZiAoZGF0YSkK 252230 2015-05-02 08:28:21 -0700 2015-05-03 01:16:19 -0700 Patch wk-dom-object-cache-crash.diff text/plain 3284 cgarcia ZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZyBiL1NvdXJjZS9XZWJDb3JlL0No YW5nZUxvZwppbmRleCBjNDA0MWJjLi5iNzkyZWE0IDEwMDY0NAotLS0gYS9Tb3VyY2UvV2ViQ29y ZS9DaGFuZ2VMb2cKKysrIGIvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCkBAIC0xLDUgKzEsMjUg QEAKIDIwMTUtMDUtMDIgIENhcmxvcyBHYXJjaWEgQ2FtcG9zICA8Y2dhcmNpYUBpZ2FsaWEuY29t PgogCisgICAgICAgIFtHVEtdIEFQSSB0ZXN0cyBjcmFzaGluZyBvbiBkZWJ1ZyBidWlsZHMgZHVl IHRvIGV4dHJhIHVucmVmCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVn LmNnaT9pZD0xNDQ1MDgKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKwor ICAgICAgICBUaGUgcHJvYmxlbSBpcyB0aGF0IHdlIHdlcmUgYXNzdW1pbmcgdGhhdCB3aGVuIGEg bmV3IERPTVdpbmRvdyBpcworICAgICAgICBjcmVhdGVkLCB0aGUgRE9NIG9iamVjdCBjYWNoZSB3 YXMgbm90aWZpZWQgYWJvdXQgdGhlIHByZXZpb3VzCisgICAgICAgIERPTVdpbmRvdyBiZWluZyBk ZXN0cm95ZWQgYmVmb3JlIG9iamVjdHMgZm9yIHRoZSBuZXcgRE9NV2luZG93IGFyZQorICAgICAg ICBhZGRlZCB0byB0aGUgY2FjaGUuIEhvd2V2ZXIsIHRoYXQncyBub3QgYWx3YXlzIHRoZSBjYXNl IGFuZCB3ZQorICAgICAgICBvbmx5IGNyZWF0ZSBhIERPTVdpbmRvd09ic2VydmVyIGZvciB0aGUg Zmlyc3QgRE9NV2luZG93LiBXZSBuZWVkCisgICAgICAgIHRvIGtlZXAgYSBwb2ludGVyIHRvIHRo ZSBET01XaW5kb3cgYmVpbmcgb2JzZXJ2ZWQgdG8gY2xlYXIoKSB0aGUKKyAgICAgICAgY2FjaGUg YW5kIGNyZWF0ZSBhIG5ldyBET01XaW5kb3dPYnNlcnZlciB3aGVuIGl0IGNoYW5nZXMgaW4gdGhl CisgICAgICAgIEZyYW1lLgorCisgICAgICAgIEZpeGVzIGNyYXNoZXMgaW4gc2V2ZXJhbCB1bml0 IHRlc3RzIGluIGRlYnVnIGJ1aWxkcy4KKworICAgICAgICAqIGJpbmRpbmdzL2dvYmplY3QvRE9N T2JqZWN0Q2FjaGUuY3BwOgorCisyMDE1LTA1LTAyICBDYXJsb3MgR2FyY2lhIENhbXBvcyAgPGNn YXJjaWFAaWdhbGlhLmNvbT4KKwogICAgICAgICBbWDExXSBBZGQgWFVuaXF1ZVB0ciBhbmQgWFVu aXF1ZVJlc291cmNlIHRvIGF1dG9tYXRpY2FsbHkgZnJlZSBYIHJlc291cmNlcwogICAgICAgICBo dHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTQ0NTIxCiAKZGlmZiAtLWdp dCBhL1NvdXJjZS9XZWJDb3JlL2JpbmRpbmdzL2dvYmplY3QvRE9NT2JqZWN0Q2FjaGUuY3BwIGIv U291cmNlL1dlYkNvcmUvYmluZGluZ3MvZ29iamVjdC9ET01PYmplY3RDYWNoZS5jcHAKaW5kZXgg MDE3OGRiYi4uYWNiNmY2OCAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvYmluZGluZ3MvZ29i amVjdC9ET01PYmplY3RDYWNoZS5jcHAKKysrIGIvU291cmNlL1dlYkNvcmUvYmluZGluZ3MvZ29i amVjdC9ET01PYmplY3RDYWNoZS5jcHAKQEAgLTEwMCw4ICsxMDAsMTIgQEAgcHVibGljOgogICAg IHsKICAgICAgICAgQVNTRVJUKCFtX29iamVjdHMuY29udGFpbnMoJmRhdGEpKTsKIAotICAgICAg ICBpZiAoIW1fZG9tV2luZG93T2JzZXJ2ZXIgJiYgbV9mcmFtZS0+ZG9jdW1lbnQoKS0+ZG9tV2lu ZG93KCkpCi0gICAgICAgICAgICBtX2RvbVdpbmRvd09ic2VydmVyID0gc3RkOjptYWtlX3VuaXF1 ZTxET01XaW5kb3dPYnNlcnZlcj4oKm1fZnJhbWUsICp0aGlzKTsKKyAgICAgICAgV2ViQ29yZTo6 RE9NV2luZG93KiBkb21XaW5kb3cgPSBtX2ZyYW1lLT5kb2N1bWVudCgpLT5kb21XaW5kb3coKTsK KyAgICAgICAgaWYgKGRvbVdpbmRvdyAmJiAoIW1fZG9tV2luZG93T2JzZXJ2ZXIgfHwgbV9kb21X aW5kb3dPYnNlcnZlci0+ZG9tV2luZG93KCkgIT0gZG9tV2luZG93KSkgeworICAgICAgICAgICAg Ly8gTmV3IERPTVdpbmRvdywgY2xlYXIgdGhlIGNhY2hlIGFuZCBjcmVhdGUgYSBuZXcgRE9NV2lu ZG93T2JzZXJ2ZXIuCisgICAgICAgICAgICBjbGVhcigpOworICAgICAgICAgICAgbV9kb21XaW5k b3dPYnNlcnZlciA9IHN0ZDo6bWFrZV91bmlxdWU8RE9NV2luZG93T2JzZXJ2ZXI+KCptX2ZyYW1l LCAqdGhpcywgZG9tV2luZG93KTsKKyAgICAgICAgfQogCiAgICAgICAgIG1fb2JqZWN0cy5hcHBl bmQoJmRhdGEpOwogICAgICAgICBnX29iamVjdF93ZWFrX3JlZihkYXRhLm9iamVjdCwgRE9NT2Jq ZWN0Q2FjaGVGcmFtZU9ic2VydmVyOjpvYmplY3RGaW5hbGl6ZWRDYWxsYmFjaywgdGhpcyk7CkBA IC0xMTEsMTYgKzExNSwyMCBAQCBwcml2YXRlOgogICAgIGNsYXNzIERPTVdpbmRvd09ic2VydmVy IGZpbmFsOiBwdWJsaWMgV2ViQ29yZTo6RE9NV2luZG93UHJvcGVydHkgewogICAgICAgICBXVEZf TUFLRV9GQVNUX0FMTE9DQVRFRDsKICAgICBwdWJsaWM6Ci0gICAgICAgIERPTVdpbmRvd09ic2Vy dmVyKFdlYkNvcmU6OkZyYW1lJiBmcmFtZSwgRE9NT2JqZWN0Q2FjaGVGcmFtZU9ic2VydmVyJiBm cmFtZU9ic2VydmVyKQorICAgICAgICBET01XaW5kb3dPYnNlcnZlcihXZWJDb3JlOjpGcmFtZSYg ZnJhbWUsIERPTU9iamVjdENhY2hlRnJhbWVPYnNlcnZlciYgZnJhbWVPYnNlcnZlciwgV2ViQ29y ZTo6RE9NV2luZG93KiB3aW5kb3cpCiAgICAgICAgICAgICA6IERPTVdpbmRvd1Byb3BlcnR5KCZm cmFtZSkKICAgICAgICAgICAgICwgbV9mcmFtZU9ic2VydmVyKGZyYW1lT2JzZXJ2ZXIpCisgICAg ICAgICAgICAsIG1fZG9tV2luZG93KHdpbmRvdykKICAgICAgICAgeworICAgICAgICAgICAgQVNT RVJUKG1fZG9tV2luZG93KTsKICAgICAgICAgfQogCiAgICAgICAgIHZpcnR1YWwgfkRPTVdpbmRv d09ic2VydmVyKCkKICAgICAgICAgewogICAgICAgICB9CiAKKyAgICAgICAgV2ViQ29yZTo6RE9N V2luZG93KiBkb21XaW5kb3coKSBjb25zdCB7IHJldHVybiBtX2RvbVdpbmRvdzsgfQorCiAgICAg cHJpdmF0ZToKICAgICAgICAgdmlydHVhbCB2b2lkIHdpbGxEZXRhY2hHbG9iYWxPYmplY3RGcm9t RnJhbWUoKSBvdmVycmlkZQogICAgICAgICB7CkBAIC0xMzAsNiArMTM4LDcgQEAgcHJpdmF0ZToK ICAgICAgICAgfQogCiAgICAgICAgIERPTU9iamVjdENhY2hlRnJhbWVPYnNlcnZlciYgbV9mcmFt ZU9ic2VydmVyOworICAgICAgICBXZWJDb3JlOjpET01XaW5kb3cqIG1fZG9tV2luZG93OwogICAg IH07CiAKICAgICBzdGF0aWMgdm9pZCBvYmplY3RGaW5hbGl6ZWRDYWxsYmFjayhncG9pbnRlciB1 c2VyRGF0YSwgR09iamVjdCogZmluYWxpemVkT2JqZWN0KQo=