Bug 138914

Summary: Crash when destroying a Document that has a throttled timer still running
Product: WebKit
Reporter: Chris Dumez <cdumez>
Component: DOM
Assignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED
Severity: Normal
CC: barraclough, benjamin, commit-queue, ggaren, kling, koivisto
Priority: P2
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Bug Depends on: 138292
Bug Blocks:    
Attachments:
Description Flags
Patch none

Chris Dumez
Reported 2014-11-20 00:14:47 PST
Crash when destroying a Document that has a throttled timer still running:

0 com.apple.WebCore 0x00007fff9403d8d4 WebCore::Document::view() const + 4
1 com.apple.WebCore 0x00007fff94189e33 WebCore::DOMTimer::~DOMTimer() + 67
2 com.apple.WebCore 0x00007fff94189dde WebCore::DOMTimer::~DOMTimer() + 14
3 com.apple.WebCore 0x00007fff940c7396 WebCore::ScriptExecutionContext::~ScriptExecutionContext() + 534
4 com.apple.WebCore 0x00007fff940c59c0 WebCore::Document::~Document() + 5104
5 com.apple.WebCore 0x00007fff9461924e WebCore::HTMLDocument::~HTMLDocument() + 14
6 com.apple.WebCore 0x00007fff940c42dc WebCore::Node::~Node() + 172
7 com.apple.WebCore 0x00007fff9418275a WebCore::HTMLScriptElement::~HTMLScriptElement() + 26
8 com.apple.WebCore 0x00007fff941825df WebCore::JSNodeOwner::finalize(JSC::Handle<JSC::Unknown>,

Radar: <rdar://problem/19040156>
Attachments
Patch (6.34 KB, patch)
2014-11-20 00:23 PST, Chris Dumez
no flags
Chris Dumez
Comment 1 2014-11-20 00:23:07 PST
Chris Dumez
Comment 2 2014-11-20 00:35:07 PST
Comment on attachment 241929 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=241929&action=review

> LayoutTests/fast/dom/resources/frame-with-throttled-timer.html:3
> +<iframe id="testFrame"></iframe>

This extra iframe is needed to work around: https://bugs.webkit.org/show_bug.cgi?id=138915
Benjamin Poulain
Comment 3 2014-11-20 10:04:15 PST
Comment on attachment 241929 [details]
Patch

rs=me
WebKit Commit Bot
Comment 4 2014-11-20 10:44:03 PST
Comment on attachment 241929 [details]
Patch

Clearing flags on attachment: 241929

Committed r176402: <http://trac.webkit.org/changeset/176402>
WebKit Commit Bot
Comment 5 2014-11-20 10:44:08 PST
All reviewed patches have been landed. Closing bug.
Benjamin Poulain
Comment 6 2014-11-20 11:21:05 PST
Comment on attachment 241929 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=241929&action=review

> LayoutTests/fast/dom/throttled-timer-running-on-document-destruction.html:18
> +setTimeout(removeFrame, 300);

Can't this be shorter?

Maybe wait for the onload of the frame and do a short timer (100ms)?
Chris Dumez
Comment 7 2014-11-20 12:28:42 PST
(In reply to comment #6)
> Comment on attachment 241929 [details]
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=241929&action=review
>
> > LayoutTests/fast/dom/throttled-timer-running-on-document-destruction.html:18
> > +setTimeout(removeFrame, 300);
>
> Can't this be shorter?
>
> Maybe wait for the onload of the frame and do a short timer (100ms)?

Yes, that works. I updated the test in https://bugs.webkit.org/show_bug.cgi?id=138915.