Bug 23007 - REGRESSION: Timer-related crash when closing Web Inspector
Summary: REGRESSION: Timer-related crash when closing Web Inspector
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: 528+ (Nightly build)
Hardware: Mac OS X 10.5
Importance: P1 Blocker
Assignee: Alexey Proskuryakov
Keywords: Regression
Reported: 2008-12-28 04:38 PST by Alexey Proskuryakov
Modified: 2008-12-28 11:40 PST

Attachments
reduced test case (will crash) (116 bytes, text/html)
2008-12-28 04:47 PST, Alexey Proskuryakov
no flags
proposed fix (3.40 KB, patch)
2008-12-28 05:17 PST, Alexey Proskuryakov
darin: review+
Description Alexey Proskuryakov 2008-12-28 04:38:44 PST
Steps to reproduce:
1. Open any Web page (or even about:blank)
2. Open Web Inspector, and close it.

Result: a crash.

#0	0x0356ec10 in WebCore::Document::removeTimeout at Document.cpp:4283
#1	0x0353e68a in WebCore::DOMTimer::removeById at DOMTimer.cpp:99
#2	0x0378258b in WebCore::JSDOMWindowBase::removeTimeout at JSDOMWindowBase.cpp:839
#3	0x03789334 in WebCore::JSDOMWindow::clearTimeout at JSDOMWindowCustom.cpp:199
#4	0x037746e6 in WebCore::jsDOMWindowPrototypeFunctionClearTimeout at JSDOMWindow.cpp:4338
#5	0x00ba90fb in JSC::Interpreter::cti_op_call_NotJSFunction at Interpreter.cpp:4921
#6	0x00ba399a in JSC::Interpreter::retrieveCaller at Interpreter.cpp:4005
#7	0x00bc4162 in JSC::JIT::execute at JIT.h:350
#8	0x00baae9c in JSC::Interpreter::execute at Interpreter.cpp:976
#9	0x00afc437 in JSC::JSFunction::call at JSFunction.cpp:82
#10	0x00afc4ef in JSC::call at CallData.cpp:39
#11	0x00b0a580 in JSC::functionProtoFuncApply at FunctionPrototype.cpp:113
#12	0x00ba90fb in JSC::Interpreter::cti_op_call_NotJSFunction at Interpreter.cpp:4921
#13	0x00ba399a in JSC::Interpreter::retrieveCaller at Interpreter.cpp:4005
#14	0x00bc4162 in JSC::JIT::execute at JIT.h:350
#15	0x00baae9c in JSC::Interpreter::execute at Interpreter.cpp:976
#16	0x00afc437 in JSC::JSFunction::call at JSFunction.cpp:82
#17	0x00afc4ef in JSC::call at CallData.cpp:39
#18	0x03b0d5ad in WebCore::ScheduledAction::execute at ScheduledAction.cpp:85
#19	0x03b0d748 in WebCore::ScheduledAction::execute at ScheduledAction.cpp:56
#20	0x0353ecb3 in WebCore::DOMTimer::fired at DOMTimer.cpp:126
#21	0x03b6e5ab in WebCore::TimerBase::fireTimers at Timer.cpp:347
#22	0x03b6e63a in WebCore::TimerBase::sharedTimerFired at Timer.cpp:368
#23	0x03b39d84 in WebCore::timerFired at SharedTimerMac.mm:84
Comment 1 Alexey Proskuryakov 2008-12-28 04:47:00 PST
Created attachment 26276
reduced test case (will crash)

This is not specific to Web Inspector.
Comment 2 Alexey Proskuryakov 2008-12-28 05:17:19 PST
Created attachment 26277
proposed fix
Comment 3 Darin Adler 2008-12-28 11:10:28 PST
Comment on attachment 26277
proposed fix

r=me

I asked about this in the original patch, and Niko reassured me that it was removed from the document map. I probably should not have accepted the answer.
Comment 4 Alexey Proskuryakov 2008-12-28 11:40:27 PST
Committed revision 39493.