Bug 23007

Summary: REGRESSION: Timer-related crash when closing Web Inspector
Product: WebKit Reporter: Alexey Proskuryakov <ap>
Component: WebCore Misc.Assignee: Alexey Proskuryakov <ap>
Status: RESOLVED FIXED    
Severity: Blocker CC: dimich
Priority: P1 Keywords: Regression
Version: 528+ (Nightly build)   
Hardware: Mac   
OS: OS X 10.5   
Attachments:
Description Flags
reduced test case (will crash)
none
proposed fix darin: review+

Alexey Proskuryakov
Reported 2008-12-28 04:38:44 PST
Steps to reproduce: 1. Open any Web page (or even about:blank) 2. Open Web Inspector, and close it. Result: a crash. #0 0x0356ec10 in WebCore::Document::removeTimeout at Document.cpp:4283 #1 0x0353e68a in WebCore::DOMTimer::removeById at DOMTimer.cpp:99 #2 0x0378258b in WebCore::JSDOMWindowBase::removeTimeout at JSDOMWindowBase.cpp:839 #3 0x03789334 in WebCore::JSDOMWindow::clearTimeout at JSDOMWindowCustom.cpp:199 #4 0x037746e6 in WebCore::jsDOMWindowPrototypeFunctionClearTimeout at JSDOMWindow.cpp:4338 #5 0x00ba90fb in JSC::Interpreter::cti_op_call_NotJSFunction at Interpreter.cpp:4921 #6 0x00ba399a in JSC::Interpreter::retrieveCaller at Interpreter.cpp:4005 #7 0x00bc4162 in JSC::JIT::execute at JIT.h:350 #8 0x00baae9c in JSC::Interpreter::execute at Interpreter.cpp:976 #9 0x00afc437 in JSC::JSFunction::call at JSFunction.cpp:82 #10 0x00afc4ef in JSC::call at CallData.cpp:39 #11 0x00b0a580 in JSC::functionProtoFuncApply at FunctionPrototype.cpp:113 #12 0x00ba90fb in JSC::Interpreter::cti_op_call_NotJSFunction at Interpreter.cpp:4921 #13 0x00ba399a in JSC::Interpreter::retrieveCaller at Interpreter.cpp:4005 #14 0x00bc4162 in JSC::JIT::execute at JIT.h:350 #15 0x00baae9c in JSC::Interpreter::execute at Interpreter.cpp:976 #16 0x00afc437 in JSC::JSFunction::call at JSFunction.cpp:82 #17 0x00afc4ef in JSC::call at CallData.cpp:39 #18 0x03b0d5ad in WebCore::ScheduledAction::execute at ScheduledAction.cpp:85 #19 0x03b0d748 in WebCore::ScheduledAction::execute at ScheduledAction.cpp:56 #20 0x0353ecb3 in WebCore::DOMTimer::fired at DOMTimer.cpp:126 #21 0x03b6e5ab in WebCore::TimerBase::fireTimers at Timer.cpp:347 #22 0x03b6e63a in WebCore::TimerBase::sharedTimerFired at Timer.cpp:368 #23 0x03b39d84 in WebCore::timerFired at SharedTimerMac.mm:84
Attachments
reduced test case (will crash) (116 bytes, text/html)
2008-12-28 04:47 PST, Alexey Proskuryakov 		no flags
Details
proposed fix (3.40 KB, patch)
2008-12-28 05:17 PST, Alexey Proskuryakov 		darin: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Alexey Proskuryakov
Comment 1 2008-12-28 04:47:00 PST
Created attachment 26276 [details] reduced test case (will crash) This is not specific to Web Inspector.
Alexey Proskuryakov
Comment 2 2008-12-28 05:17:19 PST
Created attachment 26277 [details] proposed fix
Darin Adler
Comment 3 2008-12-28 11:10:28 PST
Comment on attachment 26277 [details] proposed fix r=me I asked about this in the original patch, and Niko reassured me that it was removed from the document map. I probably should not have accepted the answer.
Alexey Proskuryakov
Comment 4 2008-12-28 11:40:27 PST
Committed revision 39493.
Note You need to log in before you can comment on or make changes to this bug.