48682 2010-10-29 14:37:45 -0700 Chromium: seg fault when testing fast/frames/iframe-reparenting-new-page.html 2012-04-12 21:19:49 -0700 1 1 1 Unclassified WebKit WebCore JavaScript 528+ (Nightly build) PC Linux RESOLVED INVALID P2 Normal --- 1 jennb webkit-unassigned abarth antonm dimich japhet oldest_to_newest 302068 0 jennb 2010-10-29 14:37:45 -0700 I've only seen this crash on the chromium platform. Crashes consistently for me on Linux (Lucid) and occasionally for me on Mac (Snow Leopard). Did not try on Windows. The test fast/frames/iframe-reparenting.html runs fine on its own, but seg faults when testing all fast/frames. I've narrowed the repro case down to making it fail by only running 2 layout tests: new-run-webkit-tests --chromium --use-drt --verbose --no-show-results fast/frames/iframe-reparenting-new-page.html fast/frames/iframe-reparenting.html 2010-10-29 14:31:29,847 dump_render_tree_thread.py:106 DEBUG Stacktrace for /work/WebKit/LayoutTests/fast/frames/iframe-reparenting.html: [8574:8574:1284969651047:ERROR:WebKit/chromium/base/process_util_posix.cc(105)] Received signal 11 StackTrace::StackTrace() [0x86e060] base::(anonymous namespace)::StackDumpSignalHandler() [0x89f0c1] 0x7fac40bb3af0 WebCore::Page::group() [0x468736] WebCore::V8Proxy::didLeaveScriptContext() [0xdc8ab4] WebCore::V8Proxy::callFunction() [0xdc8629] WebCore::ScheduledAction::execute() [0xd994f3] WebCore::ScheduledAction::execute() [0xd9933e] WebCore::DOMTimer::fired() [0x10cc370] WebCore::ThreadTimers::sharedTimerFiredInternal() [0xd0705c] WebCore::ThreadTimers::sharedTimerFired() [0xd06f8f] webkit_glue::WebKitClientImpl::DoTimeout() [0x17ba32e] DispatchToMethod<>() [0x17ba751] base::BaseTimer<>::TimerTask::Run() [0x17ba6a6] MessageLoop::RunTask() [0x87fb5e] MessageLoop::DeferOrRunPendingTask() [0x87fc42] MessageLoop::DoDelayedWork() [0x8803c5] base::MessagePumpForUI::HandleDispatch() [0x8d065b] (anonymous namespace)::WorkSourceDispatch() [0x8cfa53] 0x7fac438898c2 0x7fac4388d748 0x7fac4388d8fc base::MessagePumpForUI::RunOnce() [0x8d03d7] base::MessagePumpForUI::RunWithDispatcher() [0x8d0270] base::MessagePumpForUI::Run() [0x8d0ad2] MessageLoop::RunInternal() [0x87f29e] MessageLoop::RunHandler() [0x87f13c] MessageLoop::Run() [0x87f0cd] webkit_support::RunMessageLoop() [0x584c91] TestShell::waitTestFinished() [0x454fb9] TestShell::runFileTest() [0x44e5b1] runTest() [0x429685] main [0x429ff2] 0x7fac40b9ec4d 0x418c59 breakpoint in V8Proxy::didLeaveScriptContext shows m_frame has a refcount of -1 and its m_page is an invalid pointer. 302979 1 jennb 2010-11-01 15:11:10 -0700 Upon further testing, I can get this to crash with just fast/frames/iframe-reparenting-new-page.html if using DumpRenderTree directly (passes with new-run-webkit-tests): out/Debug/DumpRenderTree /work/WebKit/LayoutTests/fast/frames/iframe-reparenting-new-page.html Content-Type: text/plain The test verifies that the timer in iframe continues firing after iframe is adopted into a new window and the original window was closed. On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE". PASS successfullyParsed is true TEST COMPLETE PASS Loaded iframe in window 1. PASS iframe.contentWindow.counter is 1 PASS Loaded page 2. PASS Page 2 adopted the iframe. PASS Iframe transferred. PASS iframe.contentWindow.counter is 2 PASS window2.location.href is iframe.contentWindow.parent.location.href PASS Page 1 is closed. PASS Received the timer beat from the adopted iframe - exiting. #EOF [14304:14304:1546383445592:ERROR:WebKit/chromium/base/process_util_posix.cc(105)] Received signal 11 StackTrace::StackTrace() [0x86dfec] base::(anonymous namespace)::StackDumpSignalHandler() [0x89f04d] 0x7f1780d51af0 WebCore::Page::group() [0x4686c6] WebCore::V8Proxy::didLeaveScriptContext() [0xdc8a40] WebCore::V8Proxy::callFunction() [0xdc85b5] WebCore::ScheduledAction::execute() [0xd9947f] WebCore::ScheduledAction::execute() [0xd992ca] WebCore::DOMTimer::fired() [0x10cc2fc] WebCore::ThreadTimers::sharedTimerFiredInternal() [0xd06fe8] WebCore::ThreadTimers::sharedTimerFired() [0xd06f1b] webkit_glue::WebKitClientImpl::DoTimeout() [0x17ba2ae] DispatchToMethod<>() [0x17ba6d1] base::BaseTimer<>::TimerTask::Run() [0x17ba626] MessageLoop::RunTask() [0x87faea] MessageLoop::DeferOrRunPendingTask() [0x87fbce] MessageLoop::DoDelayedWork() [0x880351] base::MessagePumpForUI::HandleDispatch() [0x8d05e7] (anonymous namespace)::WorkSourceDispatch() [0x8cf9df] 0x7f1783a278c2 0x7f1783a2b748 0x7f1783a2b8fc base::MessagePumpForUI::RunOnce() [0x8d0363] base::MessagePumpForUI::RunWithDispatcher() [0x8d01fc] base::MessagePumpForUI::Run() [0x8d0a5e] MessageLoop::RunInternal() [0x87f22a] MessageLoop::RunHandler() [0x87f0c8] MessageLoop::Run() [0x87f059] webkit_support::RunMessageLoop() [0x584c1d] TestShell::waitTestFinished() [0x454fb9] TestShell::runFileTest() [0x44e5b1] runTest() [0x429685] main [0x42a0d5] 0x7f1780d3cc4d 0x418c59 303074 2 jennb 2010-11-01 16:51:53 -0700 This is caused by javascript in fast/frames/resources/iframe-reparenting-new-page.js closing the window that contains the timer in the middle of processing that timer event. I can make the crash disappear by delaying the window close until after the timer event has completed. Should V8 handle this correctly and allow closing a window in the timer callback? 303082 3 72601 jennb 2010-11-01 16:57:56 -0700 Created attachment 72601 simple test case This simple test case opens a window that contains a timer. When the timer fires, close the window that contains the timer. Crashes with similar stack track. Output included in zip file. 303375 4 antonm 2010-11-02 08:37:49 -0700 Jenn, thanks a lot for investigation and repro. I don't immediately think it's an issue with v8 itself, rather with the bindings. Still it might be pretty severe. I'll try to investigate it next week, but would appreciate if Adam or Nate would have a look as well, as my experience with frame closing and times is pretty limited. (In reply to comment #3) > Created an attachment (id=72601) [details] > simple test case > > This simple test case opens a window that contains a timer. When the timer fires, close the window that contains the timer. Crashes with similar stack track. Output included in zip file. 601807 5 dimich 2012-04-12 21:19:49 -0700 The magic iframe feature and the test mentioned here have been removed. Closing. 72601 2010-11-01 16:57:56 -0700 2010-11-01 16:57:56 -0700 simple test case fail-case.zip application/octet-stream 1856 jennb UEsDBBQAAAAIAP2FYT2hJWQxgwEAAOwCAAARABwAd2luZG93LXRpbWVyLmh0bWxVVAkAA65Rz0yu Uc9MdXgLAAEEfCsAAASIEwAAfVKxbtwwDN31FYQmH4LogKzxGWiuGTJlcZGli2rRZ6EyZUh0roeg /17K9gUtkNSLJT6S7/FR9cBjaFSdu+QnbpR6tQnOnlw8390r5Xuo1psJ9hJnbjHzMRKnGAKmHbwp kO8jzLh5nL7kFn9xtbv/PO1sPX8j9uFrJPxvZkY+WnqekF4WSbniNKNU/Faqn6ljHwlCPFUj5mxP uFOrOhe7eURic0J+DFiOD5cnV2nJ1TvjiTAVmXBzgK0UbkB/J/1v696Tz0N1bVuYdOtHTIIkdAaO IWZPp80/o7dhNjtNJ/D7hMXZDy1d0E89oMi+v1yt+lsdS+K7to0SDlctUVyrNBe1t31MtyXblN3r tU29v76A+kd0F4gUonUHvXbVEp6advB5oYFuwO5nhvOAPMj4nkGQbHsEjrCMCQJs3HK0LKo6mcJ6 ymBh0VHKCQZLLhTTStYG4GvZFrTSYqGbbM6YxTLpUgix0JEwJZsHU++nBkRfCbuDbKWRSEKRvC+j lP/6yP8AUEsDBBQAAAAIAAuGYT3wSbvEgAAAAKkAAAATABwAdGltZXItZm9yLXRlc3QuaHRtbFVU CQADxVHPTMVRz0x1eAsAAQR8KwAABIgTAABFjk0OgjAQhfdzioYVJKa4cWXt2gNwAWxLmFhmSDuE GOPdLf6+7fvejxllihZMdglnsTAs5ASZlKC71g3cQRXxHCgkPSBhHuvmCA/4k1n6JD90RfK86hyk wynwIvXWtFOH/Stm2u+SubC/KabIvT9Vn5LKwjnEyLqAm1+w9v3wCVBLAwQUAAAACAAMh2E9c036 3T8DAACvBwAAEAAcAHRpbWVyLW91dHB1dC50eHRVVAkAA6dTz0ynU89MdXgLAAEEfCsAAASIEwAA nZVNb9s4EIbv/hUE9pIcakuyZElEUaAb19hgGziw1eZQBAFFjiwikiiQVOxc9rfv6CO2U9tbbHUQ KPJ9ZobkzEg1djKHtNlM5k1Zr6ASoBMNQP6ZbGUl1PaDlSXocW7LYnSjKguV/ZC81kCJhZ2d1AWT 1SjJpcFvYwnPgT8bss3B5qCJtARXDMuAWEV4oQwOciC9bRwyRNAqGjGEkc5XC1ckZ5UoZLXpNf0C vKD3MUnQQOesZsaAITJrbWpoXVXoRTOTj0ejpGMyqUGMyQ26bq31jnH1jy/LxeiHG3pBTId3EHi+ GwehF8cR/bJaLVf0AdK/pZ3wXKtSNuUkZQYmtVYcjHlqrCyearS7G3N+5TrB9SNZAQf5AoIYualY QVx3RIZnbRl/TjTjQOlhfHVNfji7aCYy4I97beuH0itWqeq1VA3ui5VgatRfD3B7XevOx1/tSYEe DMWZ44uDIWcXZnE0jac+Z5mzn8Z93SiNLhYaDVNas80QiR+yMPMeT5Xfo3utdq+UCim+AnuBNdey tl1O7GwPCx4xN/4vmLOiWDQVt1JVeyZIgzPMGnNJNAWIz52aUtgBb+wQp4hjP8x+B/M4O4PNl3dd wlDaZUyvdh3Op9H0jDzJNTDREYZSkzNkuq9FS9/imWi8msGnM8sg+t9GDrCbHuAtpM/SPm2KBg30 6XlTSKyL27IucBuqNaCa4ULcMGUegwM+l5hFlueJusMKVeLjp4NwJtyfM/BPfHcRffyE4baDhJln SldNdcR5swN3h5WByfRVqbqTtfohNcOMAbugnEMGeqkRuMcehJX6jks5XOLUHAr2CuJB6Td95EyD k50M1D2WzULpb7eU9nXzdiADK5wAwgN7oQJbZ2vVaP4zzrNYZCfVxx3Pi7h3ZnoW+tG56Sjjv4wf z2pZ7RuIcKaz6a83jdCDtPlb2Pu2IRw3O+k/Z/E9wIJLl4Kq9xWAV+h5l64e1e9bWJg5PLosPqiC +KQuTFPXSttOeAT2TBD53D1qjgn+RNY5FFg3WyZt+7mQlTT5W/H5gZ+l8VlAN9VCFtDODFofgvQo 7VBwtOjFs+ioyZX4w+vnmSOCM+16GnJfHE37bsSDePQvUEsBAh4DFAAAAAgA/YVhPaElZDGDAQAA 7AIAABEAGAAAAAAAAQAAAKCBAAAAAHdpbmRvdy10aW1lci5odG1sVVQFAAOuUc9MdXgLAAEEfCsA AASIEwAAUEsBAh4DFAAAAAgAC4ZhPfBJu8SAAAAAqQAAABMAGAAAAAAAAQAAAKCBzgEAAHRpbWVy LWZvci10ZXN0Lmh0bWxVVAUAA8VRz0x1eAsAAQR8KwAABIgTAABQSwECHgMUAAAACAAMh2E9c036 3T8DAACvBwAAEAAYAAAAAAABAAAAoIGbAgAAdGltZXItb3V0cHV0LnR4dFVUBQADp1PPTHV4CwAB BHwrAAAEiBMAAFBLBQYAAAAAAwADAAYBAAAkBgAAAAA=