Bug 138914

Summary: Crash when destroying a Document that has a throttled timer still running
Product: WebKit
Component: DOM
Reporter: Chris Dumez <cdumez>
Assignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED
Severity: Normal
Priority: P2
Keywords: InRadar
CC: barraclough, benjamin, commit-queue, ggaren, kling, koivisto
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Bug Depends on: 138292
Bug Blocks:
Attachments: Patch (flags: none)

Description Chris Dumez 2014-11-20 00:14:47 PST
Crash when destroying a Document that has a throttled timer still running:
0   com.apple.WebCore             	0x00007fff9403d8d4 WebCore::Document::view() const + 4
1   com.apple.WebCore             	0x00007fff94189e33 WebCore::DOMTimer::~DOMTimer() + 67
2   com.apple.WebCore             	0x00007fff94189dde WebCore::DOMTimer::~DOMTimer() + 14
3   com.apple.WebCore             	0x00007fff940c7396 WebCore::ScriptExecutionContext::~ScriptExecutionContext() + 534
4   com.apple.WebCore             	0x00007fff940c59c0 WebCore::Document::~Document() + 5104
5   com.apple.WebCore             	0x00007fff9461924e WebCore::HTMLDocument::~HTMLDocument() + 14
6   com.apple.WebCore             	0x00007fff940c42dc WebCore::Node::~Node() + 172
7   com.apple.WebCore             	0x00007fff9418275a WebCore::HTMLScriptElement::~HTMLScriptElement() + 26
8   com.apple.WebCore             	0x00007fff941825df WebCore::JSNodeOwner::finalize(JSC::Handle<JSC::Unknown>, 

Radar: <rdar://problem/19040156>
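The stack trace above shows a destruction-order hazard: `ScriptExecutionContext` is a base class of `Document`, so its members (the timer map) are destroyed only after `Document`'s own destructor has finished, and a throttled `DOMTimer` whose destructor reaches back into `Document::view()` touches a half-destroyed object. The following C++ program is an added illustration of that ordering problem and of one defensive arrangement (tearing the timers down in the derived destructor); it is not WebKit code and does not claim to be the fix landed in r176402. All class names ending in `Like` are hypothetical stand-ins, and the example uses virtual dispatch during destruction (which is well defined in C++) to observe the dead view as a null pointer instead of corrupting memory.

```cpp
// Added illustration (not WebKit code) of why a timer's destructor must not
// reach back into a Document whose derived part has already been destroyed.
#include <cassert>
#include <cstdio>
#include <memory>
#include <utility>
#include <vector>

struct FrameViewLike { int width = 800; };   // hypothetical stand-in for FrameView

class ScriptExecutionContextLike;

// Stand-in for DOMTimer: when throttled, its destructor needs the view for cleanup.
class DOMTimerLike {
public:
    DOMTimerLike(ScriptExecutionContextLike& context, bool* sawDeadView)
        : m_context(context), m_sawDeadView(sawDeadView) {}
    ~DOMTimerLike();
    void throttle() { m_throttled = true; }
private:
    ScriptExecutionContextLike& m_context;
    bool* m_sawDeadView;       // set to true if the destructor finds no live view
    bool m_throttled = false;
};

// Stand-in for ScriptExecutionContext, the base class that owns the timers.
// Base-class members are destroyed after the derived destructor has fully run.
class ScriptExecutionContextLike {
public:
    virtual ~ScriptExecutionContextLike() = default;
    virtual FrameViewLike* view() { return nullptr; }   // the base has no view
    void addTimer(std::unique_ptr<DOMTimerLike> timer) { m_timers.push_back(std::move(timer)); }
    void throttleAll() { for (auto& timer : m_timers) timer->throttle(); }
    void removeAllTimers() { m_timers.clear(); }
private:
    std::vector<std::unique_ptr<DOMTimerLike>> m_timers;
};

DOMTimerLike::~DOMTimerLike()
{
    if (!m_throttled)
        return;
    // In the real crash this call lands on a Document whose derived part is gone.
    // Here, if we are running inside the base-class destructor, virtual dispatch
    // resolves to the base view() and we observe nullptr rather than a bad access.
    if (!m_context.view())
        *m_sawDeadView = true;
}

// Unfixed stand-in for Document: leaves timer teardown to the base class.
class DocumentLikeUnfixed : public ScriptExecutionContextLike {
public:
    FrameViewLike* view() override { return m_view.get(); }
private:
    std::unique_ptr<FrameViewLike> m_view = std::make_unique<FrameViewLike>();
};

// Defensive variant: destroy timers while the derived object is still intact.
class DocumentLikeFixed : public ScriptExecutionContextLike {
public:
    ~DocumentLikeFixed() override { removeAllTimers(); }
    FrameViewLike* view() override { return m_view.get(); }
private:
    std::unique_ptr<FrameViewLike> m_view = std::make_unique<FrameViewLike>();
};

// Destroys a document with a throttled timer still registered and reports whether
// the timer destructor found the view already gone.
template <typename Doc>
bool timerDestructorSawDeadView()
{
    bool sawDeadView = false;
    {
        Doc document;
        document.addTimer(std::make_unique<DOMTimerLike>(document, &sawDeadView));
        document.throttleAll();
    }   // document destroyed here, timer still running
    return sawDeadView;
}

bool unfixedReproducesBug() { return timerDestructorSawDeadView<DocumentLikeUnfixed>(); }
bool fixedAvoidsBug() { return !timerDestructorSawDeadView<DocumentLikeFixed>(); }

int main()
{
    std::printf("unfixed: timer destructor saw dead view = %d\n", unfixedReproducesBug());
    std::printf("fixed:   timer destructor saw dead view = %d\n", !fixedAvoidsBug());
    return 0;
}
```

The unfixed variant reproduces the ordering in the stack trace (`~Document` completes, then `~ScriptExecutionContext` destroys the timer, whose destructor calls `view()`); the fixed variant clears the timers from the derived destructor so the view is still alive when the timer runs its cleanup.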
Comment 1 Chris Dumez 2014-11-20 00:23:07 PST
Created attachment 241929 [details]
Patch
Comment 2 Chris Dumez 2014-11-20 00:35:07 PST
Comment on attachment 241929 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=241929&action=review

> LayoutTests/fast/dom/resources/frame-with-throttled-timer.html:3
> +<iframe id="testFrame"></iframe>

This extra iframe is needed to work around:
https://bugs.webkit.org/show_bug.cgi?id=138915
Comment 3 Benjamin Poulain 2014-11-20 10:04:15 PST
Comment on attachment 241929 [details]
Patch

rs=me
Comment 4 WebKit Commit Bot 2014-11-20 10:44:03 PST
Comment on attachment 241929 [details]
Patch

Clearing flags on attachment: 241929

Committed r176402: <http://trac.webkit.org/changeset/176402>
Comment 5 WebKit Commit Bot 2014-11-20 10:44:08 PST
All reviewed patches have been landed.  Closing bug.
Comment 6 Benjamin Poulain 2014-11-20 11:21:05 PST
Comment on attachment 241929 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=241929&action=review

> LayoutTests/fast/dom/throttled-timer-running-on-document-destruction.html:18
> +setTimeout(removeFrame, 300);

Can't this be shorter?

Maybe wait for the onload of the frame and do a short timer (100ms)?
Comment 7 Chris Dumez 2014-11-20 12:28:42 PST
(In reply to comment #6)
> Comment on attachment 241929 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=241929&action=review
> 
> > LayoutTests/fast/dom/throttled-timer-running-on-document-destruction.html:18
> > +setTimeout(removeFrame, 300);
> 
> Can't this be shorter?
> 
> Maybe wait for the onload of the frame and do a short timer (100ms)?

Yes, that works. I updated the test in https://bugs.webkit.org/show_bug.cgi?id=138915.