Bug 75437

Summary: fast/js/select-options-remove-gc.html crashes intermittently
Product: WebKit Reporter: WebKit Review Bot <webkit.review.bot>
Component: New Bugs    Assignee: Andreas Kling <kling>
Status: RESOLVED FIXED    
Severity: Normal CC: abarth, ap, benjamin, cmarcelo, japhet, kling, rniwa, robert, sam, tkent
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on: 75769    
Bug Blocks:    
Attachments:
Description    Flags
Patch    none
Patch    andersca: review+
Better patch    none
Better patch    sam: review+

Description WebKit Review Bot 2012-01-02 08:37:16 PST
"fast/js/select-options-remove-gc.html crashes intermittently on Chromium"
Requested by mwenge2 on #webkit.
Comment 1 Robert Hogan 2012-01-02 08:41:19 PST
I can get it to crash twice in every ten runs with:

lucid Tools/Scripts/new-run-webkit-tests --chromium --iterations=100 fast/js/select-options-remove-gc.html

It occasionally crashes on the bots too:

http://test-results.appspot.com/dashboards/flakiness_dashboard.html#tests=fast%2Fjs%2Fselect-options-remove-gc.html

http://build.webkit.org/results/Chromium%20Linux%20Release%20(Tests)/r103905%20(27679)/fast/js/select-options-remove-gc-crash-log.txt :

	base::debug::StackTrace::StackTrace() [0x5b727e]
	base::(anonymous namespace)::StackDumpSignalHandler() [0x5a00f9]
	0x7f71bf8e5af0
	0x9c9a10
	WebCore::HTMLSelectElement::optionToListIndex() [0x9c9cd5]
	WebCore::HTMLSelectElement::remove() [0x9ca396]
	WebCore::removeElement() [0x183cc4b]
	WebCore::V8HTMLOptionsCollection::removeCallback() [0x183b90f]
	v8::internal::Builtin_HandleApiCall() [0x67d48d]
	0x205cef404402
Comment 2 Robert Hogan 2012-01-02 08:42:56 PST
I can reproduce this on Qt, so it's not port-specific.
Comment 3 Andreas Kling 2012-01-02 13:56:00 PST
Taking, this has my ink all over it.
Comment 4 Andreas Kling 2012-01-03 15:53:11 PST
Created attachment 121010 [details]
Patch
Comment 5 Andreas Kling 2012-01-03 15:54:20 PST
Created attachment 121012 [details]
Patch
Comment 6 Alexey Proskuryakov 2012-01-03 16:29:43 PST
As discussed on IRC, this fixes the wrong problem. We should make sure that reachable elements are not collected, not deal with the aftermath of GC.

How did this work in shipping WebKit?
Comment 7 Andreas Kling 2012-01-03 21:32:33 PST
Created attachment 121057 [details]
Better patch

Reworked the HTMLCollection ownership model to ensure that collections keep their associated element alive.
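Added illustration of the ownership point in comment 7; this is not WebKit code and not part of the bug thread. The `Element`, `WeakCollection` and `OwningCollection` types are hypothetical stand-ins: a script keeps a `select.options` collection alive while dropping its last reference to the `<select>` itself, then calls `remove()`. A collection that only observes the element sees it disappear (modelled here with `std::weak_ptr`, so the failure is detectable instead of a raw-pointer use-after-free like the crash in `optionToListIndex()` above); a collection that owns the element keeps it alive and `remove()` keeps working.

```cpp
// Hypothetical stand-ins for the DOM types named on the page; not WebKit's code.
#include <cstddef>
#include <memory>
#include <string>
#include <vector>

struct Element {
    std::vector<std::string> options;
    // Remove the option at `index`; returns false on an out-of-range index.
    bool remove(std::size_t index) {
        if (index >= options.size()) return false;
        options.erase(options.begin() + static_cast<std::ptrdiff_t>(index));
        return true;
    }
};

// Risky pattern: the collection observes its element without owning it.
struct WeakCollection {
    std::weak_ptr<Element> element;
    // Returns -1 if the element is already gone, else the options remaining.
    int remove(std::size_t index) {
        std::shared_ptr<Element> e = element.lock();
        if (!e) return -1;  // element collected while script still holds the collection
        e->remove(index);
        return static_cast<int>(e->options.size());
    }
};

// Ownership model from comment 7: the collection keeps its element alive.
struct OwningCollection {
    std::shared_ptr<Element> element;
    int remove(std::size_t index) {
        element->remove(index);
        return static_cast<int>(element->options.size());
    }
};

// Script creates a <select> with three options, grabs select.options, drops its
// only reference to the select (simulating GC), then calls options.remove(0).
int weakScenario() {
    auto select = std::make_shared<Element>();
    select->options = {"a", "b", "c"};
    WeakCollection options{select};
    select.reset();            // nothing else owns the element: it is reclaimed
    return options.remove(0);  // -1: the collection is left dangling
}

int owningScenario() {
    auto select = std::make_shared<Element>();
    select->options = {"a", "b", "c"};
    OwningCollection options{select};
    select.reset();            // the collection still owns the element
    return options.remove(0);  // 2: remove succeeds, two options remain
}
```

The first scenario is the failure mode the bug describes; the second is the invariant the reworked ownership model enforces, so that a live collection wrapper can never outlive the element it operates on.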
Comment 8 Andreas Kling 2012-01-03 21:33:40 PST
Created attachment 121058 [details]
Better patch
Comment 9 Andreas Kling 2012-01-05 22:45:06 PST
Sam, would love your input on this.
Comment 10 Andreas Kling 2012-01-06 19:30:53 PST
Committed r104373: <http://trac.webkit.org/changeset/104373>
Comment 11 Andreas Kling 2012-01-07 01:35:43 PST
Committed r104383: <http://trac.webkit.org/changeset/104383>