23007 2008-12-28 04:38:44 -0800 REGRESSION: Timer-related crash when closing Web Inspector 2008-12-28 11:40:27 -0800 1 1 1 Unclassified WebKit WebCore Misc. 528+ (Nightly build) Mac OS X 10.5 RESOLVED FIXED Regression P1 Blocker --- 1 ap ap dimich oldest_to_newest 103579 0 ap 2008-12-28 04:38:44 -0800 Steps to reproduce: 1. Open any Web page (or even about:blank) 2. Open Web Inspector, and close it. Result: a crash. #0 0x0356ec10 in WebCore::Document::removeTimeout at Document.cpp:4283 #1 0x0353e68a in WebCore::DOMTimer::removeById at DOMTimer.cpp:99 #2 0x0378258b in WebCore::JSDOMWindowBase::removeTimeout at JSDOMWindowBase.cpp:839 #3 0x03789334 in WebCore::JSDOMWindow::clearTimeout at JSDOMWindowCustom.cpp:199 #4 0x037746e6 in WebCore::jsDOMWindowPrototypeFunctionClearTimeout at JSDOMWindow.cpp:4338 #5 0x00ba90fb in JSC::Interpreter::cti_op_call_NotJSFunction at Interpreter.cpp:4921 #6 0x00ba399a in JSC::Interpreter::retrieveCaller at Interpreter.cpp:4005 #7 0x00bc4162 in JSC::JIT::execute at JIT.h:350 #8 0x00baae9c in JSC::Interpreter::execute at Interpreter.cpp:976 #9 0x00afc437 in JSC::JSFunction::call at JSFunction.cpp:82 #10 0x00afc4ef in JSC::call at CallData.cpp:39 #11 0x00b0a580 in JSC::functionProtoFuncApply at FunctionPrototype.cpp:113 #12 0x00ba90fb in JSC::Interpreter::cti_op_call_NotJSFunction at Interpreter.cpp:4921 #13 0x00ba399a in JSC::Interpreter::retrieveCaller at Interpreter.cpp:4005 #14 0x00bc4162 in JSC::JIT::execute at JIT.h:350 #15 0x00baae9c in JSC::Interpreter::execute at Interpreter.cpp:976 #16 0x00afc437 in JSC::JSFunction::call at JSFunction.cpp:82 #17 0x00afc4ef in JSC::call at CallData.cpp:39 #18 0x03b0d5ad in WebCore::ScheduledAction::execute at ScheduledAction.cpp:85 #19 0x03b0d748 in WebCore::ScheduledAction::execute at ScheduledAction.cpp:56 #20 0x0353ecb3 in WebCore::DOMTimer::fired at DOMTimer.cpp:126 #21 0x03b6e5ab in WebCore::TimerBase::fireTimers at Timer.cpp:347 #22 0x03b6e63a in WebCore::TimerBase::sharedTimerFired at Timer.cpp:368 #23 0x03b39d84 in WebCore::timerFired at SharedTimerMac.mm:84 103580 1 26276 ap 2008-12-28 04:47:00 -0800 Created attachment 26276 reduced test case (will crash) This is not specific to Web Inspector. 103582 2 26277 ap 2008-12-28 05:17:19 -0800 Created attachment 26277 proposed fix 103606 3 26277 darin 2008-12-28 11:10:28 -0800 Comment on attachment 26277 proposed fix r=me I asked about this in the original patch, and Niko reassured me that it was removed from the document map. I probably should not have accepted the answer. 103611 4 ap 2008-12-28 11:40:27 -0800 Committed revision 39493. 26276 2008-12-28 04:47:00 -0800 2008-12-28 04:47:00 -0800 reduced test case (will crash) remove-timeout-crash.html text/html 116 ap PHNjcmlwdD4KdmFyIHRpbWVvdXRJRDsKZnVuY3Rpb24gdGVzdCgpCnsKICAgIGNsZWFyVGltZW91 dCh0aW1lb3V0SUQpOwp9Cgp0aW1lb3V0SUQgPSBzZXRUaW1lb3V0KHRlc3QsIDApOwo8L3Njcmlw dD4= 26277 2008-12-28 05:17:19 -0800 2008-12-28 11:10:28 -0800 proposed fix clearTimeout.txt text/plain 3480 ap SW5kZXg6IFdlYkNvcmUvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvQ2hhbmdlTG9n CShyZXZpc2lvbiAzOTQ4OSkKKysrIFdlYkNvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBA IC0xLDMgKzEsMTUgQEAKKzIwMDgtMTItMjggIEFsZXhleSBQcm9za3VyeWFrb3YgIDxhcEB3ZWJr aXQub3JnPgorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAg IGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0yMzAwNworICAgICAgICBS RUdSRVNTSU9OOiBUaW1lci1yZWxhdGVkIGNyYXNoIHdoZW4gY2xvc2luZyBXZWIgSW5zcGVjdG9y CisKKyAgICAgICAgVGVzdDogZmFzdC9kb20vV2luZG93L3JlbW92ZS10aW1lb3V0LWNyYXNoLmh0 bWwKKworICAgICAgICAqIGJpbmRpbmdzL2pzL0RPTVRpbWVyLmNwcDogKFdlYkNvcmU6OkRPTVRp bWVyOjpmaXJlZCk6IEJlc2lkZXMgZGVsZXRpbmcgdGhlIHRpbWVyLCBtYWtlCisgICAgICAgIHN1 cmUgdG8gcmVtb3ZlIGl0IGZyb20gYSBEb2N1bWVudCBtYXAuCisKIDIwMDgtMTItMjggIERtaXRy eSBUaXRvdiAgPGRpbWljaEBjaHJvbWl1bS5vcmc+CiAKICAgICAgICAgUmV2aWV3ZWQgYnkgRGFy aW4gQWRsZXIuCkluZGV4OiBXZWJDb3JlL2JpbmRpbmdzL2pzL0RPTVRpbWVyLmNwcAo9PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09Ci0tLSBXZWJDb3JlL2JpbmRpbmdzL2pzL0RPTVRpbWVyLmNwcAkocmV2aXNpb24gMzk0ODkp CisrKyBXZWJDb3JlL2JpbmRpbmdzL2pzL0RPTVRpbWVyLmNwcAkod29ya2luZyBjb3B5KQpAQCAt MTIxLDcgKzEyMSw4IEBAIHZvaWQgRE9NVGltZXI6OmZpcmVkKCkKICAgICBTY2hlZHVsZWRBY3Rp b24qIGFjdGlvbiA9IG1fYWN0aW9uLnJlbGVhc2UoKTsKIAogICAgIC8vIE5vIGFjY2VzcyB0byBt ZW1iZXIgdmFyaWFibGVzIGFmdGVyIHRoaXMgcG9pbnQuCi0gICAgZGVsZXRlIHRoaXM7CisgICAg QVNTRVJUKGNvbnRleHQtPmlzRG9jdW1lbnQoKSk7CisgICAgc3RhdGljX2Nhc3Q8RG9jdW1lbnQq Pihjb250ZXh0KS0+cmVtb3ZlVGltZW91dChtX3RpbWVvdXRJZCk7CiAKICAgICBhY3Rpb24tPmV4 ZWN1dGUoY29udGV4dCk7CiAgICAgZGVsZXRlIGFjdGlvbjsKSW5kZXg6IExheW91dFRlc3RzL0No YW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09Ci0tLSBMYXlvdXRUZXN0cy9DaGFuZ2VMb2cJKHJldmlzaW9uIDM5 NDg5KQorKysgTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEs MTMgQEAKKzIwMDgtMTItMjggIEFsZXhleSBQcm9za3VyeWFrb3YgIDxhcEB3ZWJraXQub3JnPgor CisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIGh0dHBzOi8v YnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0yMzAwNworICAgICAgICBSRUdSRVNTSU9O OiBUaW1lci1yZWxhdGVkIGNyYXNoIHdoZW4gY2xvc2luZyBXZWIgSW5zcGVjdG9yCisKKyAgICAg ICAgKiBmYXN0L2RvbS9XaW5kb3cvcmVtb3ZlLXRpbWVvdXQtY3Jhc2gtZXhwZWN0ZWQudHh0OiBB ZGRlZC4KKyAgICAgICAgKiBmYXN0L2RvbS9XaW5kb3cvcmVtb3ZlLXRpbWVvdXQtY3Jhc2guaHRt bDogQWRkZWQuCisKIDIwMDgtMTItMjggIENhbWVyb24gWndhcmljaCAgPHp3YXJpY2hAYXBwbGUu Y29tPgogCiAgICAgICAgIFJldmlld2VkIGJ5IE9saXZlciBIdW50LgpJbmRleDogTGF5b3V0VGVz dHMvZmFzdC9kb20vV2luZG93L3JlbW92ZS10aW1lb3V0LWNyYXNoLWV4cGVjdGVkLnR4dAo9PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09Ci0tLSBMYXlvdXRUZXN0cy9mYXN0L2RvbS9XaW5kb3cvcmVtb3ZlLXRpbWVvdXQtY3Jh c2gtZXhwZWN0ZWQudHh0CShyZXZpc2lvbiAwKQorKysgTGF5b3V0VGVzdHMvZmFzdC9kb20vV2lu ZG93L3JlbW92ZS10aW1lb3V0LWNyYXNoLWV4cGVjdGVkLnR4dAkocmV2aXNpb24gMCkKQEAgLTAs MCArMSwzIEBACitUZXN0IGZvciBidWcgMjMwMDc6IFRpbWVyLXJlbGF0ZWQgY3Jhc2ggd2hlbiBj bG9zaW5nIFdlYiBJbnNwZWN0b3IuCisKK1BBU1MgaWYgbm8gY3Jhc2guCgpQcm9wZXJ0eSBjaGFu Z2VzIG9uOiBMYXlvdXRUZXN0cy9mYXN0L2RvbS9XaW5kb3cvcmVtb3ZlLXRpbWVvdXQtY3Jhc2gt ZXhwZWN0ZWQudHh0Cl9fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX18KTmFtZTogc3ZuOm1pbWUtdHlwZQogICArIHRleHQvcGxh aW4KTmFtZTogc3ZuOmVvbC1zdHlsZQogICArIG5hdGl2ZQoKSW5kZXg6IExheW91dFRlc3RzL2Zh c3QvZG9tL1dpbmRvdy9yZW1vdmUtdGltZW91dC1jcmFzaC5odG1sCj09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIExh eW91dFRlc3RzL2Zhc3QvZG9tL1dpbmRvdy9yZW1vdmUtdGltZW91dC1jcmFzaC5odG1sCShyZXZp c2lvbiAwKQorKysgTGF5b3V0VGVzdHMvZmFzdC9kb20vV2luZG93L3JlbW92ZS10aW1lb3V0LWNy YXNoLmh0bWwJKHJldmlzaW9uIDApCkBAIC0wLDAgKzEsMTkgQEAKKzxwPlRlc3QgZm9yIDxhIGhy ZWY9Imh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0yMzAwNyI+YnVnIDIz MDA3PC9hPjoKK1RpbWVyLXJlbGF0ZWQgY3Jhc2ggd2hlbiBjbG9zaW5nIFdlYiBJbnNwZWN0b3Iu PC9wPgorPHA+UEFTUyBpZiBubyBjcmFzaC48L3A+Cis8c2NyaXB0PgoraWYgKHdpbmRvdy5sYXlv dXRUZXN0Q29udHJvbGxlcikgeworICAgIGxheW91dFRlc3RDb250cm9sbGVyLndhaXRVbnRpbERv bmUoKTsKKyAgICBsYXlvdXRUZXN0Q29udHJvbGxlci5kdW1wQXNUZXh0KCk7Cit9CisKK3ZhciB0 aW1lb3V0SUQ7CitmdW5jdGlvbiB0ZXN0KCkKK3sKKyAgICBjbGVhclRpbWVvdXQodGltZW91dElE KTsKKyAgICBpZiAod2luZG93LmxheW91dFRlc3RDb250cm9sbGVyKQorICAgICAgICBzZXRUaW1l b3V0KGZ1bmN0aW9uKCkgeyBsYXlvdXRUZXN0Q29udHJvbGxlci5ub3RpZnlEb25lKCkgfSwgMCk7 Cit9CisKK3RpbWVvdXRJRCA9IHNldFRpbWVvdXQodGVzdCwgMCk7Cis8L3NjcmlwdD4KClByb3Bl cnR5IGNoYW5nZXMgb246IExheW91dFRlc3RzL2Zhc3QvZG9tL1dpbmRvdy9yZW1vdmUtdGltZW91 dC1jcmFzaC5odG1sCl9fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX18KTmFtZTogc3ZuOm1pbWUtdHlwZQogICArIHRleHQvaHRt bAoK