Bug 16289

Summary: WebKit loses data stored on "reachable" binding objects during garbage collection
Product: WebKit
Reporter: Sjoerd Mulder <sjoerdmulder>
Component: WebCore JavaScript
Assignee: Maciej Stachowiak <mjs>
Status: RESOLVED FIXED
Severity: Major
CC: ap, eric
Priority: P2
Keywords: HasReduction, InRadar
Version: 523.x (Safari 3)   
Hardware: Mac   
OS: OS X 10.4   
Bug Depends on:    
Bug Blocks: 17064    

Sjoerd Mulder
Reported 2007-12-04 07:18:20 PST
When defining a function for, for example, namespace resolving, it's handy to store this on the XML document object. But WebKit loses the function sometimes for strange reasons. See the testcase: it should just continue counting and counting. This does work in Firefox and Opera.
Attachments
Testcase (2.49 KB, application/force-download)
2007-12-04 07:18 PST, Sjoerd Mulder
no flags
reduced test case (906 bytes, text/html)
2007-12-05 06:29 PST, Alexey Proskuryakov
no flags
patch v1 (8.75 KB, patch)
2008-03-04 22:41 PST, Maciej Stachowiak
sam: review+
Sjoerd Mulder
Comment 1 2007-12-04 07:18:46 PST
Created attachment 17701 [details] Testcase
Alexey Proskuryakov
Comment 2 2007-12-05 06:09:53 PST
Confirmed with r28024. This can be reproduced reliably by forcing garbage collection.
Alexey Proskuryakov
Comment 3 2007-12-05 06:29:39 PST
Created attachment 17718 [details] reduced test case
Alexey Proskuryakov
Comment 4 2007-12-05 06:31:25 PST
Not a regression from Safari 2.
Sjoerd Mulder
Comment 5 2007-12-06 08:20:14 PST
It also loses the 'documentElement' property.
David Kilzer (:ddkilzer)
Comment 6 2007-12-06 08:43:42 PST
Alexey Proskuryakov
Comment 7 2008-01-30 01:08:29 PST
*** Bug 17076 has been marked as a duplicate of this bug. ***
Alexey Proskuryakov
Comment 8 2008-01-30 01:10:05 PST
Acid3 itself has a larger and more advanced test case that will need to be verified when fixing this.
Eric Seidel (no email)
Comment 9 2008-03-04 13:41:57 PST
This example does:
- get a dom object (domObjectA)
- get a dom object reachable from that dom object, using dom methods (domObjectB)
- set custom data on domObjectB
- store domObjectA in a local variable
- force a GC
- access domObjectB through the dom methods off of domObjectA
- notice that domObjectB is a fresh binding object, thus has no custom data

When marking, we don't follow builtin dom methods and mark the related binding objects. One fix would be to mark all DOM objects held in the DOM cache which have custom data set on them. We would need some way to purge the DOM cache when the page is torn down (but we might do that already). I wonder how we keep custom prototypes alive... maybe we walk the prototype chain of any object when marking.
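
The sequence listed in comment 9, played out in a small JavaScript model of a wrapper cache with a mark-and-sweep pass. This is an added example, not WebKit code and not the patch attached to this bug; `NativeNode`, `Engine`, `runScenario` and the `markCustomData` switch are hypothetical names, and the switch models the fix suggested in that comment (mark cached wrappers that carry custom data).

```javascript
// Toy model (constructed for illustration; not WebKit code) of a DOM wrapper
// cache and a mark-and-sweep pass over JS binding objects.
class NativeNode {                        // stands in for a native DOM node
  constructor(name) { this.name = name; this.children = []; }
}

class Engine {
  constructor({ markCustomData }) {
    this.markCustomData = markCustomData; // false = behaviour in the report
    this.cache = new Map();               // native node -> wrapper (DOM cache)
    this.roots = new Set();               // wrappers held by JS variables
  }
  // Return the cached wrapper for a native node, or create a fresh one.
  wrap(node) {
    if (!this.cache.has(node)) this.cache.set(node, { node, custom: {} });
    return this.cache.get(node);
  }
  // Models a built-in DOM accessor: the parent/child link lives on the native
  // side, so the parent wrapper holds no JS reference to the child wrapper.
  firstChild(wrapper) { return this.wrap(wrapper.node.children[0]); }
  collect() {
    const marked = new Set(this.roots);   // mark: only what JS can reach
    if (this.markCustomData) {
      for (const w of this.cache.values())
        if (Object.keys(w.custom).length > 0) marked.add(w);
    }
    for (const [node, w] of this.cache)   // sweep: drop unmarked wrappers
      if (!marked.has(w)) this.cache.delete(node);
  }
}

// Runs the steps from the comment and returns what is read back after GC.
function runScenario(markCustomData) {
  const doc = new NativeNode("document");
  doc.children.push(new NativeNode("documentElement"));
  const engine = new Engine({ markCustomData });
  const a = engine.wrap(doc);                 // domObjectA
  engine.firstChild(a).custom.counter = 1;    // custom data on domObjectB
  engine.roots.add(a);                        // A stored in a local variable
  engine.collect();                           // force a GC
  return engine.firstChild(a).custom.counter; // re-fetch B through A
}

console.log(runScenario(false)); // undefined: B was swept, a fresh wrapper came back
console.log(runScenario(true));  // 1: wrapper with custom data survived the sweep
```
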
Maciej Stachowiak
Comment 10 2008-03-04 22:38:21 PST
This issue isn't quite the same as Acid3 tests 26 and 27, but I have a fix that addresses both. (Acid3 doesn't rely on custom properties on the node).
Maciej Stachowiak
Comment 11 2008-03-04 22:41:49 PST
Created attachment 19543 [details] patch v1
Sam Weinig
Comment 12 2008-03-04 22:53:47 PST
Comment on attachment 19543 [details] patch v1
r=me. Though you could use some braces for outer if-statements as is now our style. 90!!!
David Kilzer (:ddkilzer)
Comment 13 2008-05-07 13:55:45 PDT