188722 2018-08-18 12:56:54 -0700 Many textarea tests leak documents because Document::removeFocusNavigationNodeOfSubtree() can trigger a Document retain cycle 2018-09-10 14:43:02 -0700 1 1 1 Unclassified WebKit HTML Editing WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 simon.fraser simon.fraser ap cdumez dbates esprehn+autocc ews-watchlist kangil.han n_wang rniwa sam simon.fraser webkit-bug-importer wenson_hsieh oldest_to_newest 1451404 0 simon.fraser 2018-08-18 12:56:54 -0700 Various textarea tests cause abandoned documents. I looked at fast/forms/textarea-paste-newline.html. Under this stack: * frame #0: 0x000000061788cc74 WebCore`WebCore::Document::removeFocusNavigationNodeOfSubtree(this=0x0000000632f01200, node=0x0000000632f01200, amongChildrenOnly=true) at Document.cpp:4230 frame #1: 0x000000061788c82a WebCore`WebCore::Document::nodeChildrenWillBeRemoved(this=0x0000000632f01200, container=0x0000000632f01200) at Document.cpp:4164 frame #2: 0x00000006178252de WebCore`WebCore::ContainerNode::removeAllChildrenWithScriptAssertion(this=0x0000000632f01200, source=API, deferChildrenChanged=No) at ContainerNode.cpp:107 frame #3: 0x0000000617828d49 WebCore`WebCore::ContainerNode::removeChildren(this=0x0000000632f01200) at ContainerNode.cpp:658 frame #4: 0x0000000617882aef WebCore`WebCore::Document::implicitOpen(this=0x0000000632f01200) at Document.cpp:2691 frame #5: 0x0000000617878043 WebCore`WebCore::Document::open(this=0x0000000632f01200, responsibleDocument=0x0000000632f01200) at Document.cpp:2660 frame #6: 0x0000000617884062 WebCore`WebCore::Document::write(this=0x0000000632f01200, responsibleDocument=0x0000000632f01200, text=0x00007ffee6a2fbb8) at Document.cpp:2984 frame #7: 0x000000061788432b WebCore`WebCore::Document::write(this=0x0000000632f01200, responsibleDocument=0x0000000632f01200, strings={ size = 1, capacity = 1 }) at Document.cpp:2999 frame #8: 0x000000061609d242 WebCore`WebCore::jsDocumentPrototypeFunctionWriteBody(state=0x00007ffee6a2fe30, castedThis=0x000000062d063ea0, throwScope=0x00007ffee6a2fdb8) at JSDocument.cpp:4890 removeFocusNavigationNodeOfSubtree() is called with node == |this|, so the document stores a pointer to itself in a RefPtr, and this is never cleared. 1451407 1 simon.fraser 2018-08-18 13:17:06 -0700 Also affects dom/html/level2/html/HTMLAnchorElement14.html and probably others. 1457895 2 webkit-bug-importer 2018-09-08 08:09:45 -0700 <rdar://problem/44258638> 1457921 3 349260 simon.fraser 2018-09-08 14:06:27 -0700 Created attachment 349260 Patch 1457937 4 349260 rniwa 2018-09-08 15:54:09 -0700 Comment on attachment 349260 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=349260&action=review > Source/WebCore/dom/Document.cpp:4275 > + m_focusNavigationStartingNode = newNode; I would have preferred to use a ternary operator here instwad 1458238 5 simon.fraser 2018-09-10 14:43:02 -0700 https://trac.webkit.org/r235863 349260 2018-09-08 14:06:27 -0700 2018-09-08 15:54:09 -0700 Patch bug-188722-20180908140626.patch text/plain 2930 simon.fraser U3VidmVyc2lvbiBSZXZpc2lvbjogMjM1ODMwCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggYzVhMzgwN2YyMTJkZTA3 YWE3OThlZTUzZjEzOTcyZDExMTdkNjAzNS4uMTVkMGY5ZmIxNGI1MWUzOGY3ODkwYmE3YTA1MGI0 OTk5YzdhNDYzNiAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDI4IEBACisyMDE4LTA5LTA4ICBTaW1v biBGcmFzZXIgIDxzaW1vbi5mcmFzZXJAYXBwbGUuY29tPgorCisgICAgICAgIE1hbnkgdGV4dGFy ZWEgdGVzdHMgbGVhayBkb2N1bWVudHMgYmVjYXVzZSBEb2N1bWVudDo6cmVtb3ZlRm9jdXNOYXZp Z2F0aW9uTm9kZU9mU3VidHJlZSgpIGNhbiB0cmlnZ2VyIGEgRG9jdW1lbnQgcmV0YWluIGN5Y2xl CisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0xODg3MjIK KworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBGaXggYSBy ZXRhaW4gY3ljbGUgY3JlYXRlZCB3aGVuIERvY3VtZW50OjphZGp1c3RGb2N1c05hdmlnYXRpb25O b2RlT25Ob2RlUmVtb3ZhbCgpIHNldHMKKyAgICAgICAgbV9mb2N1c05hdmlnYXRpb25TdGFydGlu Z05vZGUgdG8gaXRzZWxmLiBtX2ZvY3VzTmF2aWdhdGlvblN0YXJ0aW5nTm9kZSBpcyBhIE5vZGUq IChub3Qgc3VyZSB3aHkgaXQncyBub3QgYW4gRWxlbWVudCopLAorICAgICAgICBtYWtpbmcgaXQg cG9zc2libGUgdG8gYXNzaWduIHRoZSBEb2N1bWVudCB0byBpdCwgd2hpY2ggY3JlYXRlcyBhIHJl ZmVyZW5jZSB0byB0aGUgZG9jdW1lbnQgd2hpY2ggcHJldmVudHMKKyAgICAgICAgRG9jdW1lbnQ6 OnJlbW92ZWRMYXN0UmVmKCkgZXZlciBydW5uaW5nIGFuZCBkb2luZyB0aGUgbmVjZXNzYXJ5IGNs ZWFudXAuCisgICAgICAgIAorICAgICAgICBGaXggYnkgc2V0dGluZyBtX2ZvY3VzTmF2aWdhdGlv blN0YXJ0aW5nTm9kZSB0byBudWxsIGlmIGNvZGUgdHJpZXMgdG8gc2V0IGl0IHRvIHRoZSBEb2N1 bWVudC4gVGhpcyBjYW4gaGFwcGVuCisgICAgICAgIHdoZW4gYW4gZWxlbWVudCBpcyBmb2N1c2Vk IGFuZCB0aGUgcGFnZSBjYWxscyBkb2N1bWVudC53cml0ZSgpLCB3aGljaCByZW1vdmVzIGFsbCBj aGlsZHJlbi4KKyAgICAgICAgCisgICAgICAgIFdpbGwgYmUgdGVzdGVkIGJ5IGZ1dHVyZSBsZWFr IHRlc3RpbmcuIEZpeGVzIHRoZSBkb2N1bWVudCBsZWFrIGluIGF0IGxlYXN0IHRoZSBmb2xsb3dp bmcgdGVzdHM6CisgICAgICAgICAgZmFzdC9mb3Jtcy9hcHBlbmQtY2hpbGRyZW4tZHVyaW5nLWZv cm0tc3VibWlzc2lvbi5odG1sCisgICAgICAgICAgZmFzdC9mb3Jtcy9lbXB0eS10ZXh0YXJlYS10 b2dnbGUtZGlzYWJsZWQuaHRtbAorICAgICAgICAgIGZhc3QvZm9ybXMvdGV4dGFyZWEtcGFzdGUt bmV3bGluZS5odG1sCisgICAgICAgICAgZmFzdC9mb3Jtcy90ZXh0YXJlYS10cmFpbGluZy1uZXds aW5lLmh0bWwKKworICAgICAgICAqIGRvbS9Eb2N1bWVudC5jcHA6CisgICAgICAgIChXZWJDb3Jl OjpEb2N1bWVudDo6c2V0Rm9jdXNOYXZpZ2F0aW9uU3RhcnRpbmdOb2RlKToKKyAgICAgICAgKFdl YkNvcmU6OkRvY3VtZW50OjphZGp1c3RGb2N1c05hdmlnYXRpb25Ob2RlT25Ob2RlUmVtb3ZhbCk6 CisKIDIwMTgtMDktMDggIFNpbW9uIEZyYXNlciAgPHNpbW9uLmZyYXNlckBhcHBsZS5jb20+CiAK ICAgICAgICAgQ2xlYW4gdXAgY29kZSByZWxhdGVkIHRvIERvY3VtZW50IG5vZGUgcmVtb3ZhbApk aWZmIC0tZ2l0IGEvU291cmNlL1dlYkNvcmUvZG9tL0RvY3VtZW50LmNwcCBiL1NvdXJjZS9XZWJD b3JlL2RvbS9Eb2N1bWVudC5jcHAKaW5kZXggNjA5ODkyYmRjOTQzZWU1ZWFmZWRlZGMzOWI1Y2Yz ZDVhYjM0MGFjNS4uODVlOTRhM2JiZDAzY2VjZmM2MDYzMGIwODkyOTE3YmQ0M2MyMGFmZCAxMDA2 NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvZG9tL0RvY3VtZW50LmNwcAorKysgYi9Tb3VyY2UvV2Vi Q29yZS9kb20vRG9jdW1lbnQuY3BwCkBAIC00MDcxLDYgKzQwNzEsNyBAQCB2b2lkIERvY3VtZW50 OjpzZXRGb2N1c05hdmlnYXRpb25TdGFydGluZ05vZGUoTm9kZSogbm9kZSkKICAgICAgICAgcmV0 dXJuOwogICAgIH0KIAorICAgIEFTU0VSVCghbm9kZSB8fCBub2RlICE9IHRoaXMpOwogICAgIG1f Zm9jdXNOYXZpZ2F0aW9uU3RhcnRpbmdOb2RlID0gbm9kZTsKIH0KIApAQCAtNDI2OCw3ICs0MjY5 LDEwIEBAIHZvaWQgRG9jdW1lbnQ6OmFkanVzdEZvY3VzTmF2aWdhdGlvbk5vZGVPbk5vZGVSZW1v dmFsKE5vZGUmIG5vZGUsIE5vZGVSZW1vdmFsIG5vCiAgICAgICAgIHJldHVybjsKIAogICAgIGlm IChpc05vZGVJblN1YnRyZWUoKm1fZm9jdXNOYXZpZ2F0aW9uU3RhcnRpbmdOb2RlLCBub2RlLCBu b2RlUmVtb3ZhbCkpIHsKLSAgICAgICAgbV9mb2N1c05hdmlnYXRpb25TdGFydGluZ05vZGUgPSAo bm9kZVJlbW92YWwgPT0gTm9kZVJlbW92YWw6OkNoaWxkcmVuT2ZOb2RlKSA/ICZub2RlIDogZmFs bGJhY2tGb2N1c05hdmlnYXRpb25TdGFydGluZ05vZGVBZnRlclJlbW92YWwobm9kZSk7CisgICAg ICAgIGF1dG8qIG5ld05vZGUgPSAobm9kZVJlbW92YWwgPT0gTm9kZVJlbW92YWw6OkNoaWxkcmVu T2ZOb2RlKSA/ICZub2RlIDogZmFsbGJhY2tGb2N1c05hdmlnYXRpb25TdGFydGluZ05vZGVBZnRl clJlbW92YWwobm9kZSk7CisgICAgICAgIGlmIChuZXdOb2RlID09IHRoaXMpCisgICAgICAgICAg ICBuZXdOb2RlID0gbnVsbHB0cjsKKyAgICAgICAgbV9mb2N1c05hdmlnYXRpb25TdGFydGluZ05v ZGUgPSBuZXdOb2RlOwogICAgICAgICBtX2ZvY3VzTmF2aWdhdGlvblN0YXJ0aW5nTm9kZUlzUmVt b3ZlZCA9IHRydWU7CiAgICAgfQogfQo=