Bug 85301

Summary: Crash calling disconnectFrame on a DOMWindowExtension a second time
Product: WebKit    Reporter: Jessie Berlin <jberlin>
Component: Page Loading    Assignee: Jessie Berlin <jberlin>
Status: RESOLVED FIXED
Severity: Normal    CC: abarth, beidson, eric, jberlin, sam
Priority: P2    Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Attachments: Patch (flags: none)

Description Jessie Berlin 2012-05-01 12:11:17 PDT
CRASH: com.apple.WebCore:  WebCore::DOMWindowExtension::disconnectFrame + 31

   1 com.apple.WebCore              0x10eae409f WebCore::DOMWindowExtension::disconnectFrame() + 0x1f
   2 com.apple.WebCore              0x10eae31ea WebCore::DOMWindow::disconnectDOMWindowProperties() + 0xfa
   3 com.apple.WebCore              0x10eae2a82 WebCore::DOMWindow::clearDOMWindowProperties() + 0x12
   4 com.apple.WebCore              0x10eae2687 WebCore::DOMWindow::~DOMWindow() + 0x27
   5 com.apple.WebCore              0x10e49fa21 WebCore::DOMWindow::~DOMWindow() + 0x11
   6 com.apple.WebCore              0x10ec96864 WebCore::JSDOMWindowBase::~JSDOMWindowBase() + 0x34
   7 com.apple.JavaScriptCore       0x10e25615e JSC::MarkedBlock::FreeList JSC::MarkedBlock::sweepHelper<true>(JSC::MarkedBlock::SweepMode) + 0x18e
   8 com.apple.JavaScriptCore       0x10e255f84 JSC::MarkedBlock::sweep(JSC::MarkedBlock::SweepMode) + 0x24
   9 com.apple.JavaScriptCore       0x10e2017cb JSC::Heap::sweep() + 0xcb
  10 com.apple.JavaScriptCore       0x10e201915 JSC::Heap::collect(JSC::Heap::SweepToggle) + 0xf5
  11 com.apple.JavaScriptCore       0x10e20080d JSC::DefaultGCActivityCallbackPlatformData::timerDidFire(__CFRunLoopTimer*, void*) + 0x9d

<rdar://problem/11353945>

DOMWindow calls disconnectFrame on all its DOMWindowProperties, even in cases where it previously called disconnectFrame when going into the page cache.

DOMWindowExtension should bail early if it already has a disconnected frame, since it has already notified any client the first time disconnectFrame was invoked.
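The double disconnectFrame() the description walks through (page cache entry, then the DOMWindow destructor) and the early return it proposes, as an added C++ model; the types and function names here are hypothetical stand-ins, not WebKit's own Frame or DOMWindowExtension code:

```cpp
#include <cassert>

// Hypothetical stand-ins for the classes named in the report; an added
// illustration, not WebKit's Frame or DOMWindowExtension code.
struct Frame {
    int disconnectNotifications = 0;  // what the frame's client has been told
    void willDisconnectExtension() { ++disconnectNotifications; }
};
enum class Outcome { Notified, Skipped, NullFrameDereference };

class ExtensionModel {
public:
    explicit ExtensionModel(Frame* frame) : m_frame(frame) {}
    // Pre-fix shape: no guard. On a second call m_frame is already null and
    // reaching the client through it is the reported crash; the model reports
    // that instead of dereferencing so a test can observe it.
    Outcome disconnectFrameUnguarded() {
        if (!m_frame) return Outcome::NullFrameDereference;
        m_disconnectedFrame = m_frame;
        m_frame = nullptr;
        m_disconnectedFrame->willDisconnectExtension();
        return Outcome::Notified;
    }
    // Fixed shape: bail early once the frame was already disconnected, since
    // the client was notified the first time. The assert only documents the
    // invariant and compiles out in release builds; the `if` is the guard.
    Outcome disconnectFrame() {
        if (m_disconnectedFrame) {
            assert(!m_frame);
            return Outcome::Skipped;
        }
        return disconnectFrameUnguarded();
    }
private:
    Frame* m_frame;
    Frame* m_disconnectedFrame = nullptr;
};
// The report's sequence: disconnectFrame() when the window enters the page
// cache, then again from ~DOMWindow when the JSC sweep destroys it. Returns
// the second call's outcome; notifications receives the client's count.
Outcome cacheThenDestroy(bool guarded, int& notifications) {
    Frame frame;
    ExtensionModel ext(&frame);
    Outcome last = Outcome::Notified;
    for (int i = 0; i < 2; ++i)
        last = guarded ? ext.disconnectFrame() : ext.disconnectFrameUnguarded();
    notifications = frame.disconnectNotifications;
    return last;
}
```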
Comment 1 Jessie Berlin 2012-05-01 12:15:48 PDT
Created attachment 139657 [details]
Patch
Comment 2 Darin Adler 2012-05-01 12:42:20 PDT
Comment on attachment 139657 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=139657&action=review

Is there a way to create a regression test for this?

> Source/WebCore/page/DOMWindowExtension.cpp:60
> +        ASSERT(!this->frame());
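Review bot: ASSERT compiles out in release builds, so the bail-out for an already-disconnected frame that the description calls for has to be a real early return around this line, with the assertion only documenting the invariant (frame() is already null) inside that branch.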

No need for this-> here.
Comment 3 Jessie Berlin 2012-05-01 12:49:49 PDT
(In reply to comment #2)
> (From update of attachment 139657 [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=139657&action=review
> 
> Is there a way to create a regression test for this?

The only way I was able to reproduce this was to keep navigating to pages that were page-cache-worthy until the JSC timer was fired. I am not sure what else would reliably trigger the DOMWindow destruction after it had already gone into the page cache without first detaching the page.

> 
> > Source/WebCore/page/DOMWindowExtension.cpp:60
> > +        ASSERT(!this->frame());
> 
> No need for this-> here.

Fixed.

Thanks for the review!
Comment 4 Jessie Berlin 2012-05-01 13:15:05 PDT
Comment on attachment 139657 [details]
Patch

Committed in http://trac.webkit.org/changeset/115746