Bug 75437

Summary: fast/js/select-options-remove-gc.html crashes intermittently
Product: WebKit Reporter: WebKit Review Bot <webkit.review.bot>
Component: New BugsAssignee: Andreas Kling <kling>
Status: RESOLVED FIXED    
Severity: Normal CC: abarth, ap, benjamin, cmarcelo, japhet, kling, rniwa, robert, sam, tkent
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on: 75769    
Bug Blocks:    
Attachments:
Description Flags
Patch
none
Patch
andersca: review+
Better patch
none
Better patch sam: review+

WebKit Review Bot
Reported 2012-01-02 08:37:16 PST
"fast/js/select-options-remove-gc.html crashes intermittently on Chromium" Requested by mwenge2 on #webkit.
Attachments
Patch (8.46 KB, patch)
2012-01-03 15:53 PST, Andreas Kling 		no flags
DetailsFormatted DiffDiff
Patch (7.63 KB, patch)
2012-01-03 15:54 PST, Andreas Kling 		andersca: review+
DetailsFormatted DiffDiff
Better patch (7.63 KB, patch)
2012-01-03 21:32 PST, Andreas Kling 		no flags
DetailsFormatted DiffDiff
Better patch (55.92 KB, patch)
2012-01-03 21:33 PST, Andreas Kling 		sam: review+
DetailsFormatted DiffDiff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.
Robert Hogan
Comment 1 2012-01-02 08:41:19 PST
I can get it to crash twice in every ten runs with: lucid Tools/Scripts/new-run-webkit-tests --chromium --iterations=100 fast/js/select-options-remove-gc.html It occasionally crashes on the bots too: http://test-results.appspot.com/dashboards/flakiness_dashboard.html#tests=fast%2Fjs%2Fselect-options-remove-gc.html http://build.webkit.org/results/Chromium%20Linux%20Release%20(Tests)/r103905%20(27679)/fast/js/select-options-remove-gc-crash-log.txt : base::debug::StackTrace::StackTrace() [0x5b727e] base::(anonymous namespace)::StackDumpSignalHandler() [0x5a00f9] 0x7f71bf8e5af0 0x9c9a10 WebCore::HTMLSelectElement::optionToListIndex() [0x9c9cd5] WebCore::HTMLSelectElement::remove() [0x9ca396] WebCore::removeElement() [0x183cc4b] WebCore::V8HTMLOptionsCollection::removeCallback() [0x183b90f] v8::internal::Builtin_HandleApiCall() [0x67d48d] 0x205cef404402
Robert Hogan
Comment 2 2012-01-02 08:42:56 PST
I can reproduce this on Qt, so it's not port-specific.
Andreas Kling
Comment 3 2012-01-02 13:56:00 PST
Taking, this has my ink all over it.
Andreas Kling
Comment 4 2012-01-03 15:53:11 PST
Created attachment 121010 [details] Patch
Andreas Kling
Comment 5 2012-01-03 15:54:20 PST
Created attachment 121012 [details] Patch
Alexey Proskuryakov
Comment 6 2012-01-03 16:29:43 PST
As discussed on IRC, this fixes the wrong problem. We should make sure that reachable elements are not collected, not deal with the aftermath of GC. How did this work in shipping WebKit?
Andreas Kling
Comment 7 2012-01-03 21:32:33 PST
Created attachment 121057 [details] Better patch Reworked the HTMLCollection ownership model to ensure that collections keep their associated element alive.
Andreas Kling
Comment 8 2012-01-03 21:33:40 PST
Created attachment 121058 [details] Better patch
Andreas Kling
Comment 9 2012-01-05 22:45:06 PST
Sam, would love your input on this.
Andreas Kling
Comment 10 2012-01-06 19:30:53 PST
Committed r104373: <http://trac.webkit.org/changeset/104373>
Andreas Kling
Comment 11 2012-01-07 01:35:43 PST
Committed r104383: <http://trac.webkit.org/changeset/104383>
Note You need to log in before you can comment on or make changes to this bug.