Bug 23007

Summary: REGRESSION: Timer-related crash when closing Web Inspector
Product: WebKit
Reporter: Alexey Proskuryakov <ap>
Component: WebCore Misc.
Assignee: Alexey Proskuryakov <ap>
Status: RESOLVED FIXED
Severity: Blocker
CC: dimich
Priority: P1
Keywords: Regression
Version: 528+ (Nightly build)
Hardware: Mac
OS: OS X 10.5
Attachments (description, flags):
- reduced test case (will crash) -- flags: none
- proposed fix -- flags: darin: review+

Description Alexey Proskuryakov 2008-12-28 04:38:44 PST
Steps to reproduce:
1. Open any Web page (or even about:blank)
2. Open Web Inspector, and close it.

Result: a crash.

#0	0x0356ec10 in WebCore::Document::removeTimeout at Document.cpp:4283
#1	0x0353e68a in WebCore::DOMTimer::removeById at DOMTimer.cpp:99
#2	0x0378258b in WebCore::JSDOMWindowBase::removeTimeout at JSDOMWindowBase.cpp:839
#3	0x03789334 in WebCore::JSDOMWindow::clearTimeout at JSDOMWindowCustom.cpp:199
#4	0x037746e6 in WebCore::jsDOMWindowPrototypeFunctionClearTimeout at JSDOMWindow.cpp:4338
#5	0x00ba90fb in JSC::Interpreter::cti_op_call_NotJSFunction at Interpreter.cpp:4921
#6	0x00ba399a in JSC::Interpreter::retrieveCaller at Interpreter.cpp:4005
#7	0x00bc4162 in JSC::JIT::execute at JIT.h:350
#8	0x00baae9c in JSC::Interpreter::execute at Interpreter.cpp:976
#9	0x00afc437 in JSC::JSFunction::call at JSFunction.cpp:82
#10	0x00afc4ef in JSC::call at CallData.cpp:39
#11	0x00b0a580 in JSC::functionProtoFuncApply at FunctionPrototype.cpp:113
#12	0x00ba90fb in JSC::Interpreter::cti_op_call_NotJSFunction at Interpreter.cpp:4921
#13	0x00ba399a in JSC::Interpreter::retrieveCaller at Interpreter.cpp:4005
#14	0x00bc4162 in JSC::JIT::execute at JIT.h:350
#15	0x00baae9c in JSC::Interpreter::execute at Interpreter.cpp:976
#16	0x00afc437 in JSC::JSFunction::call at JSFunction.cpp:82
#17	0x00afc4ef in JSC::call at CallData.cpp:39
#18	0x03b0d5ad in WebCore::ScheduledAction::execute at ScheduledAction.cpp:85
#19	0x03b0d748 in WebCore::ScheduledAction::execute at ScheduledAction.cpp:56
#20	0x0353ecb3 in WebCore::DOMTimer::fired at DOMTimer.cpp:126
#21	0x03b6e5ab in WebCore::TimerBase::fireTimers at Timer.cpp:347
#22	0x03b6e63a in WebCore::TimerBase::sharedTimerFired at Timer.cpp:368
#23	0x03b39d84 in WebCore::timerFired at SharedTimerMac.mm:84
Comment 1 Alexey Proskuryakov 2008-12-28 04:47:00 PST
Created attachment 26276 [details]
reduced test case (will crash)

This is not specific to Web Inspector.
Comment 2 Alexey Proskuryakov 2008-12-28 05:17:19 PST
Created attachment 26277 [details]
proposed fix
Comment 3 Darin Adler 2008-12-28 11:10:28 PST
Comment on attachment 26277 [details]
proposed fix

r=me

I asked about this in the original patch, and Niko reassured me that it was removed from the document map. I probably should not have accepted the answer.
Comment 4 Alexey Proskuryakov 2008-12-28 11:40:27 PST
Committed revision 39493.