85301 2012-05-01 12:11:17 -0700 Crash calling disconnectFrame on a DOMWindowExtension a second time 2012-05-01 13:17:58 -0700 1 1 1 Unclassified WebKit Page Loading 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 jberlin jberlin abarth beidson eric jberlin sam oldest_to_newest 613580 0 jberlin 2012-05-01 12:11:17 -0700 CRASH: com.apple.WebCore: WebCore::DOMWindowExtension::disconnectFrame + 31 1 com.apple.WebCore 0x10eae409f WebCore::DOMWindowExtension::disconnectFrame() + 0x1f 2 com.apple.WebCore 0x10eae31ea WebCore::DOMWindow::disconnectDOMWindowProperties() + 0xfa 3 com.apple.WebCore 0x10eae2a82 WebCore::DOMWindow::clearDOMWindowProperties() + 0x12 4 com.apple.WebCore 0x10eae2687 WebCore::DOMWindow::~DOMWindow() + 0x27 5 com.apple.WebCore 0x10e49fa21 WebCore::DOMWindow::~DOMWindow() + 0x11 6 com.apple.WebCore 0x10ec96864 WebCore::JSDOMWindowBase::~JSDOMWindowBase() + 0x34 7 com.apple.JavaScriptCore 0x10e25615e JSC::MarkedBlock::FreeList JSC::MarkedBlock::sweepHelper<true>(JSC::MarkedBlock::SweepMode) + 0x18e 8 com.apple.JavaScriptCore 0x10e255f84 JSC::MarkedBlock::sweep(JSC::MarkedBlock::SweepMode) + 0x24 9 com.apple.JavaScriptCore 0x10e2017cb JSC::Heap::sweep() + 0xcb 10 com.apple.JavaScriptCore 0x10e201915 JSC::Heap::collect(JSC::Heap::SweepToggle) + 0xf5 11 com.apple.JavaScriptCore 0x10e20080d JSC::DefaultGCActivityCallbackPlatformData::timerDidFire(__CFRunLoopTimer*, void*) + 0x9d <rdar://problem/11353945> DOMWindow calls disconnectFrame on all its DOMWindowProperties, even in cases where it previously called disconnectFrame when going into the page cache. DOMWindowExtension should bail early if it already has a disconnected frame, since it has already notified any client the first time disconnectFrame was invoked. 613582 1 139657 jberlin 2012-05-01 12:15:48 -0700 Created attachment 139657 Patch 613586 2 139657 darin 2012-05-01 12:42:20 -0700 Comment on attachment 139657 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=139657&action=review Is there a way to create a regression test for this? > Source/WebCore/page/DOMWindowExtension.cpp:60 > + ASSERT(!this->frame()); No need for this-> here. 613589 3 jberlin 2012-05-01 12:49:49 -0700 (In reply to comment #2) > (From update of attachment 139657 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=139657&action=review > > Is there a way to create a regression test for this? The only way I was able to reproduce this was to keep navigating to pages that were page-cache-worthy until the JSC timer was fired. I am not sure what else would reliably trigger the DOMWindow destruction after it had already gone into the the page cache without first detaching the page. > > > Source/WebCore/page/DOMWindowExtension.cpp:60 > > + ASSERT(!this->frame()); > > No need for this-> here. Fixed. Thanks for the review! 613607 4 139657 jberlin 2012-05-01 13:15:05 -0700 Comment on attachment 139657 Patch Committed in http://trac.webkit.org/changeset/115746 139657 2012-05-01 12:15:48 -0700 2012-05-01 13:15:05 -0700 Patch fix.patch text/plain 1784 jberlin ZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZyBiL1NvdXJjZS9XZWJDb3JlL0No YW5nZUxvZwppbmRleCBlMThjNDIwLi5jZDkzOGMzIDEwMDY0NAotLS0gYS9Tb3VyY2UvV2ViQ29y ZS9DaGFuZ2VMb2cKKysrIGIvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMTgg QEAKKzIwMTItMDUtMDEgIEplc3NpZSBCZXJsaW4gIDxqYmVybGluQGFwcGxlLmNvbT4KKworICAg ICAgICBDcmFzaCBjYWxsaW5nIGRpc2Nvbm5lY3RGcmFtZSBvbiBhIERPTVdpbmRvd0V4dGVuc2lv biBhIHNlY29uZCB0aW1lLgorICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1 Zy5jZ2k/aWQ9ODUzMDEKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKwor ICAgICAgICBET01XaW5kb3dFeHRlbnNpb246OmRpc2Nvbm5lY3RGcmFtZSBhc3N1bWVkIGl0IHdv dWxkIG9ubHkgYmUgY2FsbGVkIHdoZW4gdGhlcmUgd2FzIGEgZnJhbWUKKyAgICAgICAgdG8gZGlz Y29ubmVjdC4gSG93ZXZlciwgRE9NV2luZG93J3MgZGVzdHJ1Y3RvciBpbnZva2VzIGRpc2Nvbm5l Y3RGcmFtZSBvbiBhbGwgaXRzCisgICAgICAgIERPTVdpbmRvd1Byb3BlcnRpZXMsIGV2ZW4gaWYg aXQgYWxyZWFkeSBkaWQgc28gd2hlbiBpdCBlbnRlcmVkIHRoZSBwYWdlIGNhY2hlLgorCisgICAg ICAgICogcGFnZS9ET01XaW5kb3dFeHRlbnNpb24uY3BwOgorICAgICAgICAoV2ViQ29yZTo6RE9N V2luZG93RXh0ZW5zaW9uOjpkaXNjb25uZWN0RnJhbWUpOgorICAgICAgICBEb24ndCBkbyBhbnl0 aGluZyBpZiB0aGUgZnJhbWUgaGFzIGFscmVhZHkgYmVlbiBkaXNjb25uZWN0ZWQuCisKIDIwMTIt MDQtMjggIEVtaWwgQSBFa2x1bmQgIDxlYWVAY2hyb21pdW0ub3JnPiBhbmQgTGV2aSBXZWludHJh dWIgIDxsZXZpd0BjaHJvbWl1bS5vcmc+CiAKICAgICAgICAgQWRkIEVOQUJMRV9TVUJQSVhFTF9M QVlPVVQgY29udHJvbGxpbmcgRnJhY3Rpb25hbExheW91dFVuaXQgZGVub21pbmF0b3IKZGlmZiAt LWdpdCBhL1NvdXJjZS9XZWJDb3JlL3BhZ2UvRE9NV2luZG93RXh0ZW5zaW9uLmNwcCBiL1NvdXJj ZS9XZWJDb3JlL3BhZ2UvRE9NV2luZG93RXh0ZW5zaW9uLmNwcAppbmRleCBiZDU2OGE2Li4yYjIx Y2Q3IDEwMDY0NAotLS0gYS9Tb3VyY2UvV2ViQ29yZS9wYWdlL0RPTVdpbmRvd0V4dGVuc2lvbi5j cHAKKysrIGIvU291cmNlL1dlYkNvcmUvcGFnZS9ET01XaW5kb3dFeHRlbnNpb24uY3BwCkBAIC01 NCw2ICs1NCwxMyBAQCBET01XaW5kb3dFeHRlbnNpb246On5ET01XaW5kb3dFeHRlbnNpb24oKQog CiB2b2lkIERPTVdpbmRvd0V4dGVuc2lvbjo6ZGlzY29ubmVjdEZyYW1lKCkKIHsKKyAgICAvLyBU aGUgRE9NV2luZG93IGRlc3RydWN0b3IgY2FsbHMgZGlzY29ubmVjdEZyYW1lIG9uIGFsbCBpdHMg RE9NV2luZG93UHJvcGVydGllcywgZXZlbiBpZiBpdAorICAgIC8vIGRpZCB0aGF0IGFscmVhZHkg d2hlbiBlbnRlcmluZyB0aGUgcGFnZSBjYWNoZS4KKyAgICBpZiAobV9kaXNjb25uZWN0ZWRGcmFt ZSkgeworICAgICAgICBBU1NFUlQoIXRoaXMtPmZyYW1lKCkpOworICAgICAgICByZXR1cm47Cisg ICAgfQorCiAgICAgLy8gQ2FsbGluZyBvdXQgdG8gdGhlIGNsaWVudCBtaWdodCByZXN1bHQgaW4g dGhpcyBET01XaW5kb3dFeHRlbnNpb24gYmVpbmcgZGVzdHJveWVkCiAgICAgLy8gd2hpbGUgdGhl cmUgaXMgc3RpbGwgd29yayB0byBkby4KICAgICBSZWZQdHI8RE9NV2luZG93RXh0ZW5zaW9uPiBw cm90ZWN0b3IgPSB0aGlzOwo=