Bug 151554
| Summary: | GC bug when accessing iframe's from parent frame after removing first from tree | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Arthur <nekr.fabula> |
| Component: | WebCore JavaScript | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW | | |
| Severity: | Normal | CC: | ap, cdumez, ggaren |
| Priority: | P2 | | |
| Version: | WebKit Nightly Build | | |
| Hardware: | All | | |
| OS: | All | | |

Arthur
I have an app. It runs a player in an iframe, and I control the player from the top frame by accessing its JavaScript (for the frames, document.domain is set to the base domain, e.g. example.com). On navigation in the app, the page with the iframe is removed from the tree and then a destroy function is called on the iframe's JS object (the parent frame has a reference to that object). Works fine in all browsers except Safari/WebKit. WebKit fails with the error "undefined is not Object" and the Debugger is paused on the error line. The interesting thing is that here the Debugger says that the variable actually is an Object. window.onerror reports "Script Error" with line "0".
Steps to reproduce:
1. Go to html5.oumy.tv:8080
2. Navigate to a channel and then to a clip
3. Click play, it seems a few times, so all JS is initialized
4. Click back button in top left corner
5. Enjoy debugging!
Tested on the iOS 8.1 Simulator, an iPhone device with iOS 9, and a MacBook Pro 2015 (Desktop Safari).
I also captured a video of the problem: https://youtu.be/NqQ-DCy2CgY
Arthur
Btw, you cannot navigate through the call stack when debugging desktop Safari, but it works when debugging iOS. Might be helpful :-)
Also, a relevant Twitter thread: https://twitter.com/nekrtemplar/status/668509659884625921
Arthur
Just experienced the same problem on Microsoft Edge; it says "Cannot call `keys` on undefined", plus the debugger says the same for all global objects. Seems like the global object was GCed but local vars were not (leaked because of a reference from the other frame).