Bug 12379

Summary: ASSERTION FAILED: extensions->genericContext<SVGAnimatedLength>(obj.get()) == imp (during layout tests)
Product: WebKit Reporter: Mark Rowe (bdash) <mrowe>
Component: SVGAssignee: Nikolas Zimmermann <zimmermann>
Status: RESOLVED FIXED    
Severity: Blocker CC: zimmermann
Priority: P1 Keywords: LayoutTestFailure, Regression
Version: 420+   
Hardware: Mac   
OS: OS X 10.4   
URL: http://build.webkit.org/post-commit-leaks-powerpc-mac-os-x/builds/4500/step-leak-test/0
Attachments:
Description Flags
Initial patch mjs: review+

Mark Rowe (bdash)
Reported 2007-01-23 04:44:38 PST
ASSERTION FAILED: extensions->genericContext<SVGAnimatedLength>(obj.get()) == imp (/Users/buildbot/Desktop/BuildData/WebKit-BuildSlave/post-commit-leaks-powerpc-mac-os-x/build/WebKitBuild/Debug/DerivedSources/WebCore/JSSVGLinearGradientElement.cpp:104 KJS::JSValue* WebCore::JSSVGLinearGradientElement::getValueProperty(KJS::ExecState*, int) const) Segmentation fault Appears to happen on or just before svg/custom/js-update-gradient.svg. It does not reproduce 100% of the time. I've not managed to reproduce it when trying to retrieve a backtrace.
Attachments
Initial patch (2.67 KB, patch)
2007-01-23 12:41 PST, Nikolas Zimmermann 		mjs: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
David Kilzer (:ddkilzer)
Comment 1 2007-01-23 04:50:20 PST
(In reply to comment #0) > Appears to happen on or just before svg/custom/js-update-gradient.svg. It does > not reproduce 100% of the time. I've not managed to reproduce it when trying > to retrieve a backtrace. Log into the buildbot server and pick up the stack trace from ~/Library/Logs/CrashReporter/DumpRenderTree.crash.log for the time it happened.
Mark Rowe (bdash)
Comment 2 2007-01-23 04:56:07 PST
I don't have easy access to the build slave in question (that I know of), or I'd do just that :-)
Nikolas Zimmermann
Comment 3 2007-01-23 05:16:56 PST
[14:14] bdash: WildFox: so why does it only sometimes happen? [14:14] WildFox: bdash: well, ie. if you access mygradient.x1 from JS following happens [14:15] WildFox: the "x1" is a SVGAnimatedLength object [14:15] WildFox: we store the "context" ("mygradient") with the "x1" pointer in a hashmap [14:15] WildFox: so if you call mygradient.x1.baseVal.value it will update the right context [14:15] WildFox: (SVG DOM oddness) [14:15] WildFox: the problem is that cache is never cleared [14:15] WildFox: for single-docs, no problem [14:16] WildFox: if you open a new document, which also access mygradient.x1 you may have bad luck that the _same_ pointer is used [14:16] WildFox: same x1 pointer [14:16] bdash: WildFox: ah, right [14:16] WildFox: it's really "bad luck" if that happens [14:16] bdash: but it's what is happening ;) [14:16] WildFox: bdash: we just need to find "the right place" to clear the caches We need to find a place to clear the caches ASAP! Anyone got an idea?
Maciej Stachowiak
Comment 4 2007-01-23 09:51:46 PST
Shouldn't each document have its own separate cache?
Nikolas Zimmermann
Comment 5 2007-01-23 12:41:53 PST
Created attachment 12634 [details] Initial patch Okay, it turned out there is no need for any place to "clear the cache". It would even be wrong to do that - as discussed with Maciej. I just forgot to remove the context objects from the SVGDocumentExtension cache once their corresponding JS objects get destructed. Ran layout tests 10 times now - couldn't reproduce anymore - hopefully it's fixed.
Maciej Stachowiak
Comment 6 2007-01-23 14:22:27 PST
Comment on attachment 12634 [details] Initial patch r=me
Nikolas Zimmermann
Comment 7 2007-01-23 14:31:44 PST
Landed in r19058.
Note You need to log in before you can comment on or make changes to this bug.