fast/loader/javascript-url-iframe-remove-on-navigate.html started crashing after r137607 landed.
http://trac.webkit.org/changeset/137607

The patch already landed in r137333 but was later rolled out.
http://test-results.appspot.com/dashboards/flakiness_dashboard.html#group=%40ToT%20-%20webkit.org&tests=fast%2Floader%2Fjavascript-url-iframe-remove-on-navigate.html

This regression is limited to the GTK port. Here's the crash log:

Crash log for DumpRenderTree (pid 8685):
...
[New LWP 9040]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Debug/Programs/DumpR'.
Program terminated with signal 11, Segmentation fault.
#0 0x00007f82690e7b84 in webkit_web_data_source_dispose (object=0x350d920) at ../../Source/WebKit/gtk/webkit/webkitwebdatasource.cpp:87
87 ASSERT(!priv->loader->isLoading());
...
Thread 1 (Thread 0x7f825e8db900 (LWP 8685)):
#0 0x00007f82690e7b84 in webkit_web_data_source_dispose (object=0x350d920) at ../../Source/WebKit/gtk/webkit/webkitwebdatasource.cpp:87
#1 0x00007f8267d2fbb9 in g_object_unref () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libgobject-2.0.so.0
#2 0x00007f82690b4067 in WebKit::DocumentLoader::unrefDataSource (this=0x5b80c90) at ../../Source/WebKit/gtk/WebCoreSupport/DocumentLoaderGtk.cpp:122
#3 0x00007f82690b3da0 in WebKit::DocumentLoader::detachFromFrame (this=0x5b80c90) at ../../Source/WebKit/gtk/WebCoreSupport/DocumentLoaderGtk.cpp:81
#4 0x00007f82699372fe in WebCore::FrameLoader::setProvisionalDocumentLoader (this=0x5b7cce0, loader=0x0) at ../../Source/WebCore/loader/FrameLoader.cpp:1644
#5 0x00007f8269936d80 in WebCore::FrameLoader::stopAllLoaders (this=0x5b7cce0, clearProvisionalItemPolicy=WebCore::ShouldClearProvisionalItem) at ../../Source/WebCore/loader/FrameLoader.cpp:1558
#6 0x00007f826993a497 in WebCore::FrameLoader::frameDetached (this=0x5b7cce0) at ../../Source/WebCore/loader/FrameLoader.cpp:2374
#7 0x00007f82696b63e4 in WebCore::HTMLFrameOwnerElement::disconnectContentFrame (this=0x5b7a790) at ../../Source/WebCore/html/HTMLFrameOwnerElement.cpp:68
#8 0x00007f826941ad1a in WebCore::ChildFrameDisconnector::Target::disconnect (this=0x7fff1f988508) at ../../Source/WebCore/dom/ContainerNodeAlgorithms.cpp:121
#9 0x00007f8269421fc0 in WebCore::ChildFrameDisconnector::disconnect (this=0x7fff1f9884f0) at ../../Source/WebCore/dom/ContainerNodeAlgorithms.h:331
#10 0x00007f826941e562 in WebCore::willRemoveChildren (container=0x5b69210) at ../../Source/WebCore/dom/ContainerNode.cpp:447
#11 0x00007f826941ec73 in WebCore::ContainerNode::removeChildren (this=0x5b69210) at ../../Source/WebCore/dom/ContainerNode.cpp:575
#12 0x00007f8269435b32 in WebCore::Document::implicitOpen (this=0x5b69210) at ../../Source/WebCore/dom/Document.cpp:2277
#13 0x00007f82694359ea in WebCore::Document::open (this=0x5b69210, ownerDocument=0x5b69210) at ../../Source/WebCore/dom/Document.cpp:2241
#14 0x00007f826943685f in WebCore::Document::write (this=0x5b69210, text=..., ownerDocument=0x5b69210) at ../../Source/WebCore/dom/Document.cpp:2561
#15 0x00007f82691b0716 in WebCore::documentWrite (exec=0x7f821c048148, document=0x5b69210, addNewline=WebCore::DoNotAddNewline) at ../../Source/WebCore/bindings/js/JSHTMLDocumentCustom.cpp:155
#16 0x00007f82691b0769 in WebCore::JSHTMLDocument::write (this=0x7f8216798580, exec=0x7f821c048148) at ../../Source/WebCore/bindings/js/JSHTMLDocumentCustom.cpp:160
#17 0x00007f8269fab6e3 in WebCore::jsHTMLDocumentPrototypeFunctionWrite (exec=0x7f821c048148) at DerivedSources/WebCore/JSHTMLDocument.cpp:450
#18 0x00007f821e6b5265 in ?? ()
#19 0x00007fff1f988ab0 in ?? ()
#20 0x00007f826d340b81 in llint_op_call () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Debug/.libs/libjavascriptcoregtk-3.0.so.0
#21 0x00007f821c048100 in ?? ()
#22 0x000000000215e270 in ?? ()
#23 0x00007fff1f988a70 in ?? ()
#24 0x00007f826d2e69cf in JSC::JSStack::installTrapsAfterFrame (this=0x0, frame=0x0) at ../../Source/JavaScriptCore/interpreter/JSStackInlines.h:213
#25 0x00007f826d2e573c in JSC::JITCode::execute (this=0x7f8216460b00, stack=0x215e270, callFrame=0x7f821c048100, globalData=0x27d63b0) at ../../Source/JavaScriptCore/jit/JITCode.h:134
#26 0x00007f826d2e2e69 in JSC::Interpreter::executeCall (this=0x215e260, callFrame=0x7f82164ae388, function=0x7f821c01b380, callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:1055
#27 0x00007f826d3c6289 in JSC::call (exec=0x7f82164ae388, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/runtime/CallData.cpp:39
#28 0x00007f8269175ccf in WebCore::JSMainThreadExecState::call (exec=0x7f82164ae388, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../Source/WebCore/bindings/js/JSMainThreadExecState.h:56
#29 0x00007f82691a79dc in WebCore::JSEventListener::handleEvent (this=0x5b913a0, scriptExecutionContext=0x5b692b0, event=0x5b39140) at ../../Source/WebCore/bindings/js/JSEventListener.cpp:130
#30 0x00007f82694c22fe in WebCore::EventTarget::fireEventListeners (this=0x54b5e60, event=0x5b39140, d=0x54b5f50, entry=WTF::Vector of length 94584224, capacity 4294967295 = {...}) at ../../Source/WebCore/dom/EventTarget.cpp:210
#31 0x00007f82694c20c2 in WebCore::EventTarget::fireEventListeners (this=0x54b5e60, event=0x5b39140) at ../../Source/WebCore/dom/EventTarget.cpp:175
#32 0x00007f82699e3bc0 in WebCore::DOMWindow::dispatchEvent (this=0x54b5e60, prpEvent=..., prpTarget=...) at ../../Source/WebCore/page/DOMWindow.cpp:1670
#33 0x00007f826943ace2 in WebCore::Document::dispatchWindowEvent (this=0x5b69210, event=..., target=...) at ../../Source/WebCore/dom/Document.cpp:3649
#34 0x00007f826943fa0f in WebCore::Document::enqueuePopstateEvent (this=0x5b69210, stateObject=...) at ../../Source/WebCore/dom/Document.cpp:4940
#35 0x00007f82694362f9 in WebCore::Document::implicitClose (this=0x5b69210) at ../../Source/WebCore/dom/Document.cpp:2424
#36 0x00007f8269932fc5 in WebCore::FrameLoader::checkCallImplicitClose (this=0x213d480) at ../../Source/WebCore/loader/FrameLoader.cpp:833
#37 0x00007f8269932d43 in WebCore::FrameLoader::checkCompleted (this=0x213d480) at ../../Source/WebCore/loader/FrameLoader.cpp:776
#38 0x00007f8269934052 in WebCore::FrameLoader::completed (this=0x5b7cce0) at ../../Source/WebCore/loader/FrameLoader.cpp:1082
#39 0x00007f8269932d66 in WebCore::FrameLoader::checkCompleted (this=0x5b7cce0) at ../../Source/WebCore/loader/FrameLoader.cpp:780
#40 0x00007f8269932b2a in WebCore::FrameLoader::loadDone (this=0x5b7cce0) at ../../Source/WebCore/loader/FrameLoader.cpp:722
#41 0x00007f8269909778 in WebCore::CachedResourceLoader::loadDone (this=0x5b836e0, resource=0x5b86100) at ../../Source/WebCore/loader/cache/CachedResourceLoader.cpp:721
#42 0x00007f8269986a32 in WebCore::SubresourceLoader::releaseResources (this=0x5b864b0) at ../../Source/WebCore/loader/SubresourceLoader.cpp:318
#43 0x00007f826997b751 in WebCore::ResourceLoader::cancel (this=0x5b864b0, error=...) at ../../Source/WebCore/loader/ResourceLoader.cpp:410
#44 0x00007f826996d5ad in WebCore::MainResourceLoader::cancel (this=0x5b81a10, error=...) at ../../Source/WebCore/loader/MainResourceLoader.cpp:128
#45 0x00007f826996d441 in WebCore::MainResourceLoader::cancel (this=0x5b81a10) at ../../Source/WebCore/loader/MainResourceLoader.cpp:110
#46 0x00007f826991b6c7 in WebCore::DocumentLoader::stopLoading (this=0x5b80c90) at ../../Source/WebCore/loader/DocumentLoader.cpp:257
#47 0x00007f8269977a84 in WebCore::NavigationScheduler::schedule (this=0x5b7d0d8, redirect=...) at ../../Source/WebCore/loader/NavigationScheduler.cpp:432
#48 0x00007f8269977516 in WebCore::NavigationScheduler::scheduleLocationChange (this=0x5b7d0d8, securityOrigin=0x5b66e00, url="about:blank", referrer="file:///home/slave/webkitgtk/gtk-linux-64-debug/build/LayoutTests/fast/loader/javascript-url-iframe-remove-on-navigate.html", lockHistory=false, lockBackForwardList=true) at ../../Source/WebCore/loader/NavigationScheduler.cpp:358
#49 0x00007f8269984579 in WebCore::SubframeLoader::loadOrRedirectSubframe (this=0x213d6e0, ownerElement=0x5b7a790, url=..., frameName="target", lockHistory=false, lockBackForwardList=false) at ../../Source/WebCore/loader/SubframeLoader.cpp:340
#50 0x00007f82699832c3 in WebCore::SubframeLoader::requestFrame (this=0x213d6e0, ownerElement=0x5b7a790, urlString="javascript:alert('FAIL')", frameName="target", lockHistory=false, lockBackForwardList=false) at ../../Source/WebCore/loader/SubframeLoader.cpp:87
#51 0x00007f82696b5047 in WebCore::HTMLFrameElementBase::openURL (this=0x5b7a790, lockHistory=false, lockBackForwardList=false) at ../../Source/WebCore/html/HTMLFrameElementBase.cpp:88
#52 0x00007f82696b596a in WebCore::HTMLFrameElementBase::setLocation (this=0x5b7a790, str="javascript:alert('FAIL')") at ../../Source/WebCore/html/HTMLFrameElementBase.cpp:201
#53 0x00007f82696b519d in WebCore::HTMLFrameElementBase::parseAttribute (this=0x5b7a790, name="src", value="javascript:alert('FAIL')") at ../../Source/WebCore/html/HTMLFrameElementBase.cpp:98
#54 0x00007f82696b92bc in WebCore::HTMLIFrameElement::parseAttribute (this=0x5b7a790, name="src", value="javascript:alert('FAIL')") at ../../Source/WebCore/html/HTMLIFrameElement.cpp:99
#55 0x00007f826949d62c in WebCore::Element::attributeChanged (this=0x5b7a790, name="src", newValue="javascript:alert('FAIL')") at ../../Source/WebCore/dom/Element.cpp:776
#56 0x00007f826953b49d in WebCore::StyledElement::attributeChanged (this=0x5b7a790, name="src", newValue="javascript:alert('FAIL')") at ../../Source/WebCore/dom/StyledElement.cpp:168
#57 0x00007f82694a39c0 in WebCore::Element::didModifyAttribute (this=0x5b7a790, name="src", value="javascript:alert('FAIL')") at ../../Source/WebCore/dom/Element.cpp:2492
#58 0x00007f82694a8487 in WebCore::Element::setAttributeInternal (this=0x5b7a790, index=0, name="src", newValue="javascript:alert('FAIL')", inSynchronizationOfLazyAttribute=WebCore::Element::NotInSynchronizationOfLazyAttribute) at ../../Source/WebCore/dom/Element.cpp:749
#59 0x00007f826949d42c in WebCore::Element::setAttribute (this=0x5b7a790, name="src", value="javascript:alert('FAIL')") at ../../Source/WebCore/dom/Element.cpp:714
#60 0x00007f8269fe2db8 in WebCore::setJSHTMLIFrameElementSrc (exec=0x7f821c048058, thisObject=0x7f821679f520, value=...) at DerivedSources/WebCore/JSHTMLIFrameElement.cpp:421
#61 0x00007f8269fe3f76 in JSC::lookupPut<WebCore::JSHTMLIFrameElement> (exec=0x7f821c048058, propertyName=..., value=..., table=0x7f826c95a310, thisObj=0x7f821679f520, shouldThrow=false) at ../../Source/JavaScriptCore/runtime/Lookup.h:373
#62 0x00007f8269fe3acd in JSC::lookupPut<WebCore::JSHTMLIFrameElement, WebCore::JSHTMLElement> (exec=0x7f821c048058, propertyName=..., value=..., table=0x7f826c95a310, thisObj=0x7f821679f520, slot=...) at ../../Source/JavaScriptCore/runtime/Lookup.h:389
#63 0x00007f8269fe27b5 in WebCore::JSHTMLIFrameElement::put (cell=0x7f821679f520, exec=0x7f821c048058, propertyName=..., value=..., slot=...) at DerivedSources/WebCore/JSHTMLIFrameElement.cpp:321
#64 0x00007f826d22ee3c in JSC::JSValue::put (this=0x7fff1f989d20, exec=0x7f821c048058, propertyName=..., value=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSObject.h:1522
#65 0x00007f826d33534e in JSC::LLInt::llint_slow_path_put_by_id (exec=0x7f821c048058, pc=0x53faf60) at ../../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:980
#66 0x00007f826d33e557 in llint_op_put_by_id () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Debug/.libs/libjavascriptcoregtk-3.0.so.0
#67 0x00007f821c048058 in ?? ()
#68 0x000000000215e270 in ?? ()
#69 0x00007fff1f989e10 in ?? ()
#70 0x00007f826d2e69cf in JSC::JSStack::installTrapsAfterFrame (this=0x0, frame=0x0) at ../../Source/JavaScriptCore/interpreter/JSStackInlines.h:213
#71 0x00007f826d2e573c in JSC::JITCode::execute (this=0x7f8216460ba0, stack=0x215e270, callFrame=0x7f821c048058, globalData=0x27d63b0) at ../../Source/JavaScriptCore/jit/JITCode.h:134
#72 0x00007f826d2e2e69 in JSC::Interpreter::executeCall (this=0x215e260, callFrame=0x7f82164ae388, function=0x7f821c01b400, callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:1055
#73 0x00007f826d3c6289 in JSC::call (exec=0x7f82164ae388, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/runtime/CallData.cpp:39
#74 0x00007f8269175ccf in WebCore::JSMainThreadExecState::call (exec=0x7f82164ae388, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../Source/WebCore/bindings/js/JSMainThreadExecState.h:56
#75 0x00007f82691e1da8 in WebCore::ScheduledAction::executeFunctionInContext (this=0x5b91160, globalObject=0x7f82164ae180, thisValue=..., context=0x5b692b0) at ../../Source/WebCore/bindings/js/ScheduledAction.cpp:112
#76 0x00007f82691e1f94 in WebCore::ScheduledAction::execute (this=0x5b91160, document=0x5b69210) at ../../Source/WebCore/bindings/js/ScheduledAction.cpp:134
#77 0x00007f82691e1b18 in WebCore::ScheduledAction::execute (this=0x5b91160, context=0x5b692b0) at ../../Source/WebCore/bindings/js/ScheduledAction.cpp:80
#78 0x00007f82699dacac in WebCore::DOMTimer::fired (this=0x5b911a0) at ../../Source/WebCore/page/DOMTimer.cpp:139
#79 0x00007f826a2e1d49 in WebCore::ThreadTimers::sharedTimerFiredInternal (this=0x2152000) at ../../Source/WebCore/platform/ThreadTimers.cpp:116
#80 0x00007f826a2e1c43 in WebCore::ThreadTimers::sharedTimerFired () at ../../Source/WebCore/platform/ThreadTimers.cpp:93
#81 0x00007f826a46baba in WebCore::timeout_cb () at ../../Source/WebCore/platform/gtk/SharedTimerGtk.cpp:49
#82 0x00007f8267c1b5ac in g_timeout_dispatch () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0
#83 0x00007f8267c19903 in g_main_dispatch () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0
#84 0x00007f8267c1a4b3 in g_main_context_dispatch () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0
#85 0x00007f8267c1a6a3 in g_main_context_iterate () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0
#86 0x00007f8267c1aad3 in g_main_loop_run () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0
#87 0x00007f8268762e22 in gtk_main () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libgtk-3.so.0
#88 0x0000000000486dbd in runTest (inputLine=...) at ../../Tools/DumpRenderTree/gtk/DumpRenderTree.cpp:760
#89 0x00000000004864fb in runTestingServerLoop () at ../../Tools/DumpRenderTree/gtk/DumpRenderTree.cpp:550
#90 0x00000000004897a9 in main (argc=2, argv=0x7fff1f98aef8) at ../../Tools/DumpRenderTree/gtk/DumpRenderTree.cpp:1500

This crash stopped appearing somewhere between r137981 and 137941, perhaps thanks to the rollout in r137947.
http://trac.webkit.org/log/?verbose=on&rev=137981&stop_rev=137941
http://trac.webkit.org/changeset/137947