Bug 47257

Summary: DeviceOrientation crash when page is in page cache and is navigated while listener is registered
Product: WebKit Reporter: Steve Block <steveblock>
Component: WebCore Misc.Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: hans, jorlow, steveblock
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Bug Depends on:    
Bug Blocks: 30335    
Attachments:
Description Flags
Patch jorlow: review+, steveblock: commit-queue-

Steve Block
Reported 2010-10-06 04:52:18 PDT
When a page is navigated while a listener is registered for DeviceOrientation events, a crash can occur if the controller later attempts to dispatch an event. We need to make sure all listeners are removed when the page is navigated. We currently remove all listeners from DOMWindow::removeAllEventListeners() but this is not called on page reload. We could add similar code to DOMWindow::clear().
Attachments
Patch (4.11 KB, patch)
2010-10-14 04:24 PDT, Steve Block 		jorlow: review+
steveblock: commit-queue-
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Steve Block
Comment 1 2010-10-14 04:18:38 PDT
This occurs only when the page is in the page cache, as in this case, event listeners are not unregistered. Note that a crash is only observed with V8.
Steve Block
Comment 2 2010-10-14 04:24:32 PDT
Created attachment 70725 [details] Patch
Jeremy Orlow
Comment 3 2010-10-14 05:19:38 PDT
Comment on attachment 70725 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=70725&action=review r=me > LayoutTests/fast/dom/DeviceOrientation/script-tests/event-after-navigation.js:1 > +description('Tests for a crash where an event is fired after the page has been navigated away when the original page is in the page cache.<br><br>Note that the crash is only seen with V8.'); Is there any reason this crash can only possibly happen in V8? If not, this comment probably should be removed, even if we currently only see it in V8. If so, it should probably mention why it's V8 specific. This way it'll be clear whether the comment is stale.
Steve Block
Comment 4 2010-10-14 05:26:48 PDT
> Is there any reason this crash can only possibly happen in V8? If not, this > comment probably should be removed, even if we currently only see it in V8. No, there's no fundamental reason why it should only happen with V8. The controller should never try to fire events once the document has gone. I'll remove the comment before landing.
Steve Block
Comment 5 2010-10-14 07:15:05 PDT
Committed r69764: <http://trac.webkit.org/changeset/69764>
Note You need to log in before you can comment on or make changes to this bug.