Bug 138914 - Crash when destroying a Document that has a throttled timer still running
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Chris Dumez
Keywords: InRadar
Depends on: 138292
Reported: 2014-11-20 00:14 PST by Chris Dumez
Modified: 2014-11-20 12:28 PST

Attachments
Patch (6.34 KB, patch)
2014-11-20 00:23 PST, Chris Dumez

Description Chris Dumez 2014-11-20 00:14:47 PST
Crash when destroying a Document that has a throttled timer still running:
0   com.apple.WebCore             	0x00007fff9403d8d4 WebCore::Document::view() const + 4
1   com.apple.WebCore             	0x00007fff94189e33 WebCore::DOMTimer::~DOMTimer() + 67
2   com.apple.WebCore             	0x00007fff94189dde WebCore::DOMTimer::~DOMTimer() + 14
3   com.apple.WebCore             	0x00007fff940c7396 WebCore::ScriptExecutionContext::~ScriptExecutionContext() + 534
4   com.apple.WebCore             	0x00007fff940c59c0 WebCore::Document::~Document() + 5104
5   com.apple.WebCore             	0x00007fff9461924e WebCore::HTMLDocument::~HTMLDocument() + 14
6   com.apple.WebCore             	0x00007fff940c42dc WebCore::Node::~Node() + 172
7   com.apple.WebCore             	0x00007fff9418275a WebCore::HTMLScriptElement::~HTMLScriptElement() + 26
8   com.apple.WebCore             	0x00007fff941825df WebCore::JSNodeOwner::finalize(JSC::Handle<JSC::Unknown>, 

Radar: <rdar://problem/19040156>
Comment 1 Chris Dumez 2014-11-20 00:23:07 PST
Created attachment 241929 [details]
Patch
Comment 2 Chris Dumez 2014-11-20 00:35:07 PST
Comment on attachment 241929 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=241929&action=review

> LayoutTests/fast/dom/resources/frame-with-throttled-timer.html:3
> +<iframe id="testFrame"></iframe>

This extra iframe is needed to work around:
https://bugs.webkit.org/show_bug.cgi?id=138915
Comment 3 Benjamin Poulain 2014-11-20 10:04:15 PST
Comment on attachment 241929 [details]
Patch

rs=me
Comment 4 WebKit Commit Bot 2014-11-20 10:44:03 PST
Comment on attachment 241929 [details]
Patch

Clearing flags on attachment: 241929

Committed r176402: <http://trac.webkit.org/changeset/176402>
Comment 5 WebKit Commit Bot 2014-11-20 10:44:08 PST
All reviewed patches have been landed.  Closing bug.
Comment 6 Benjamin Poulain 2014-11-20 11:21:05 PST
Comment on attachment 241929 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=241929&action=review

> LayoutTests/fast/dom/throttled-timer-running-on-document-destruction.html:18
> +setTimeout(removeFrame, 300);

Can't this be shorter?

Maybe wait for the onload of the frame and do a short timer (100ms)?
Comment 7 Chris Dumez 2014-11-20 12:28:42 PST
(In reply to comment #6)
> Comment on attachment 241929 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=241929&action=review
> 
> > LayoutTests/fast/dom/throttled-timer-running-on-document-destruction.html:18
> > +setTimeout(removeFrame, 300);
> 
> Can't this be shorter?
> 
> Maybe wait for the onload of the frame and do a short timer (100ms)?

Yes, that works. I updated the test in https://bugs.webkit.org/show_bug.cgi?id=138915.