Bug 30906 - [V8] Out-of-memory crash in isolated worlds
Summary: [V8] Out-of-memory crash in isolated worlds
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore JavaScript
Version: 528+ (Nightly build)
Hardware: All All
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-10-29 07:58 PDT by Adam Barth
Modified: 2009-10-29 23:53 PDT (History)

See Also:


Attachments
Patch v1 (3.05 KB, patch)
2009-10-29 08:01 PDT, Adam Barth
no flags
Patch v1 (3.14 KB, patch)
2009-10-29 08:47 PDT, Adam Barth
no flags

Description Adam Barth 2009-10-29 07:58:21 PDT
----------------------------
*        Crash Trace       *
----------------------------
                     [api.cc:435] - v8::Context::Enter()
         [v8isolatedworld.cpp:63] - WebCore::V8IsolatedWorld::V8IsolatedWorld(WebCore::V8Proxy *,int)
                [v8proxy.cpp:286] - WebCore::V8Proxy::evaluateInIsolatedWorld(int,WTF::Vector const &,int)
           [webframe_impl.cc:644] - WebFrameImpl::executeScriptInIsolatedWorld(int,WebKit::WebScriptSource const *,unsigned int,int)
       [user_script_slave.cc:192] - UserScriptSlave::InjectScripts(WebKit::WebFrame *,UserScript::RunLocation)
            [render_view.cc:2232] - RenderView::didFinishDocumentLoad(WebKit::WebFrame *)
[webframeloaderclient_impl.cc:312] - WebFrameLoaderClient::dispatchDidFinishDocumentLoad()
           [frameloader.cpp:1044] - WebCore::FrameLoader::finishedParsing()
            [frameloader.cpp:544] - WebCore::FrameLoader::stopLoading(WebCore::UnloadEventPolicy,WebCore::DatabasePolicy)
         [documentloader.cpp:276] - WebCore::DocumentLoader::stopLoading(WebCore::DatabasePolicy)
           [frameloader.cpp:2235] - WebCore::FrameLoader::stopAllLoaders(WebCore::DatabasePolicy)
           [frameloader.cpp:3069] - WebCore::FrameLoader::frameDetached()
   [htmlframeownerelement.cpp:45] - WebCore::HTMLFrameOwnerElement::willRemove()
          [containernode.cpp:282] - WebCore::ContainerNode::willRemove()
          [containernode.cpp:296] - WebCore::willRemoveChild
          [containernode.cpp:323] - WebCore::ContainerNode::removeChild(WebCore::Node *,int &)
          [containernode.cpp:192] - WebCore::ContainerNode::replaceChild(WTF::PassRefPtr,WebCore::Node *,int &,bool)
          [v8htmlelement.cpp:214] - WebCore::HTMLElementInternal::outerHTMLAttrSetter
Comment 1 Adam Barth 2009-10-29 08:01:31 PDT
Created attachment 42099 [details]
Patch v1
Comment 2 Adam Barth 2009-10-29 08:44:25 PDT
Comment on attachment 42099 [details]
Patch v1

This patch leaks the isolated world object.
Comment 3 Adam Barth 2009-10-29 08:47:17 PDT
Created attachment 42103 [details]
Patch v1
Comment 4 Dimitri Glazkov (Google) 2009-10-29 11:45:31 PDT
Comment on attachment 42103 [details]
Patch v1

r=me.
Comment 5 Adam Barth 2009-10-29 12:03:05 PDT
Comment on attachment 42103 [details]
Patch v1

Time to break the build!
Comment 6 Eric Seidel (no email) 2009-10-29 12:06:37 PDT
Comment on attachment 42103 [details]
Patch v1

Can we make world a smart pointer (like OwnPtr) instead of using manual delete?
Comment 7 Adam Barth 2009-10-29 12:16:15 PDT
(In reply to comment #6)
> (From update of attachment 42103 [details])
> Can we make world a smart pointer (like OwnPtr) instead of using manual delete?

The problem is that its lifetime is managed by the V8 GC.  We manually delete it here because if we never create the context, we can't transfer ownership to V8.
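The ownership constraint Adam describes in comment 7 is the crux of the bug: the isolated-world object must be handed to V8 when its context is created, but must be freed by hand when context creation fails (the out-of-memory case in the crash trace), which is exactly what the first version of the patch got wrong in comment 2. The following is an added example written for this page, not WebKit or V8 code. It models both paths with invented stand-ins (`IsolatedWorld`, `FakeContext`, `createContext`, `gcCollect` are all hypothetical), counts live objects so the leak is observable, and uses a standard `std::unique_ptr` released on successful transfer in place of WTF's `OwnPtr`:

```cpp
// Added example, not WebKit or V8 code: a model of the ownership problem in this bug.
// IsolatedWorld, FakeContext, createContext and gcCollect are invented for the illustration.
#include <cassert>
#include <memory>
#include <vector>

// Stand-in for a V8 context; real code holds a persistent v8::Context handle.
struct FakeContext {};

// Stand-in for context creation. Returns nullptr to model the empty handle that
// V8 hands back under memory pressure (assumption for the example).
static FakeContext* createContext(bool simulateOom) {
    return simulateOom ? nullptr : new FakeContext();
}

static int g_liveWorlds = 0;  // number of IsolatedWorld objects currently allocated

struct IsolatedWorld {
    FakeContext* context = nullptr;
    IsolatedWorld() { ++g_liveWorlds; }
    ~IsolatedWorld() { delete context; --g_liveWorlds; }
};

// Worlds whose lifetime has been transferred to the (simulated) V8 garbage collector.
static std::vector<IsolatedWorld*> g_gcOwned;

int liveWorldCount() { return g_liveWorlds; }

// Leaky pattern (the problem noted in comment 2): when context creation fails the
// function bails out, but the heap-allocated world is never freed.
bool evaluateLeaky(bool simulateOom) {
    IsolatedWorld* world = new IsolatedWorld();
    world->context = createContext(simulateOom);
    if (!world->context)
        return false;             // early return: `world` leaks
    g_gcOwned.push_back(world);   // success: V8 now owns the world
    return true;
}

// Fixed pattern: the owning pointer frees the world on the failure path, and
// release() hands ownership to the GC only once a context actually exists.
bool evaluateFixed(bool simulateOom) {
    std::unique_ptr<IsolatedWorld> world(new IsolatedWorld());
    world->context = createContext(simulateOom);
    if (!world->context)
        return false;             // unique_ptr destructor frees the world here
    g_gcOwned.push_back(world.release());
    return true;
}

// Simulated GC sweep: frees every world whose ownership was transferred.
void gcCollect() {
    for (IsolatedWorld* w : g_gcOwned)
        delete w;
    g_gcOwned.clear();
}

int main() {
    evaluateLeaky(true);
    assert(liveWorldCount() == 1);   // the leaked world is still alive
    evaluateFixed(true);
    assert(liveWorldCount() == 1);   // the fixed path cleaned up after itself
    evaluateFixed(false);
    assert(liveWorldCount() == 2);   // one world now owned by the simulated GC
    gcCollect();
    assert(liveWorldCount() == 1);   // only the original leak remains
    return 0;
}
```

The point of the model is that the two requirements are not in conflict: an owning pointer covers the failure path automatically, and releasing it at the moment the context exists is the explicit transfer of ownership to the collector. Any allocation that sits between `new` and the transfer is a leak candidate, and a live-object counter like the one above is a cheap way to catch that in a unit test.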
Comment 8 WebKit Commit Bot 2009-10-29 13:15:27 PDT
Comment on attachment 42103 [details]
Patch v1

Clearing flags on attachment: 42103

Committed r50296: <http://trac.webkit.org/changeset/50296>
Comment 9 WebKit Commit Bot 2009-10-29 13:15:39 PDT
All reviewed patches have been landed.  Closing bug.
Comment 10 Adam Barth 2009-10-29 13:33:22 PDT
Committed r50299: <http://trac.webkit.org/changeset/50299>
Comment 11 Adam Barth 2009-10-29 23:53:07 PDT
http://trac.webkit.org/changeset/50319