RESOLVED FIXED
Bug 30906
[V8] Out-of-memory crash in isolated worlds
https://bugs.webkit.org/show_bug.cgi?id=30906
Reported by Adam Barth, 2009-10-29 07:58:21 PDT
---------------------------- * Crash Trace * ----------------------------
[api.cc:435] - v8::Context::Enter()
[v8isolatedworld.cpp:63] - WebCore::V8IsolatedWorld::V8IsolatedWorld(WebCore::V8Proxy *,int)
[v8proxy.cpp:286] - WebCore::V8Proxy::evaluateInIsolatedWorld(int,WTF::Vector const &,int)
[webframe_impl.cc:644] - WebFrameImpl::executeScriptInIsolatedWorld(int,WebKit::WebScriptSource const *,unsigned int,int)
[user_script_slave.cc:192] - UserScriptSlave::InjectScripts(WebKit::WebFrame *,UserScript::RunLocation)
[render_view.cc:2232] - RenderView::didFinishDocumentLoad(WebKit::WebFrame *)
[webframeloaderclient_impl.cc:312] - WebFrameLoaderClient::dispatchDidFinishDocumentLoad()
[frameloader.cpp:1044] - WebCore::FrameLoader::finishedParsing()
[frameloader.cpp:544] - WebCore::FrameLoader::stopLoading(WebCore::UnloadEventPolicy,WebCore::DatabasePolicy)
[documentloader.cpp:276] - WebCore::DocumentLoader::stopLoading(WebCore::DatabasePolicy)
[frameloader.cpp:2235] - WebCore::FrameLoader::stopAllLoaders(WebCore::DatabasePolicy)
[frameloader.cpp:3069] - WebCore::FrameLoader::frameDetached()
[htmlframeownerelement.cpp:45] - WebCore::HTMLFrameOwnerElement::willRemove()
[containernode.cpp:282] - WebCore::ContainerNode::willRemove()
[containernode.cpp:296] - WebCore::willRemoveChild
[containernode.cpp:323] - WebCore::ContainerNode::removeChild(WebCore::Node *,int &)
[containernode.cpp:192] - WebCore::ContainerNode::replaceChild(WTF::PassRefPtr,WebCore::Node *,int &,bool)
[v8htmlelement.cpp:214] - WebCore::HTMLElementInternal::outerHTMLAttrSetter
Attachments
Patch v1 (3.05 KB, patch), 2009-10-29 08:01 PDT, Adam Barth, no flags
Patch v1 (3.14 KB, patch), 2009-10-29 08:47 PDT, Adam Barth, no flags
Comment 1, Adam Barth, 2009-10-29 08:01:31 PDT
Created attachment 42099 [details]: Patch v1
Comment 2, Adam Barth, 2009-10-29 08:44:25 PDT
Comment on attachment 42099 [details], Patch v1:
This patch leaks the isolated world object.
Comment 3, Adam Barth, 2009-10-29 08:47:17 PDT
Created attachment 42103 [details]: Patch v1
Comment 4, Dimitri Glazkov (Google), 2009-10-29 11:45:31 PDT
Comment on attachment 42103 [details], Patch v1:
r=me.
Comment 5, Adam Barth, 2009-10-29 12:03:05 PDT
Comment on attachment 42103 [details], Patch v1:
Time to break the build!
Comment 6, Eric Seidel (no email), 2009-10-29 12:06:37 PDT
Comment on attachment 42103 [details], Patch v1:
Can we make world a smart pointer (like OwnPtr) instead of using manual delete?
Comment 7, Adam Barth, 2009-10-29 12:16:15 PDT
(In reply to comment #6)
> (From update of attachment 42103 [details])
> Can we make world a smart pointer (like OwnPtr) instead of using manual delete?

The problem is that its lifetime is managed by the V8 GC. We manually delete it here because if we never create the context, we can't transfer ownership to V8.
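The ownership question raised in comments 6 and 7, as an added C++ example that is not part of the WebKit patch or any attachment on this bug: an object that is normally handed to a garbage collector once a context exists must still be freed by hand on the path where context creation fails (the out-of-memory case behind this crash), and a raw `new` with an early `return` leaks it. All names here (`IsolatedWorld`, `Context`, `FakeGC`, `createContext`, `enterIsolatedWorldLeaky`, `enterIsolatedWorldSafe`, `leakedWorldsAfter`) are hypothetical stand-ins; no real V8 or WebKit API is used. The leaky variant keeps the defect comment 2 describes; the safe variant holds the object in a `std::unique_ptr` and releases it only when ownership is actually transferred, which is the smart-pointer shape comment 6 asks for.

```cpp
// Added example, not code from the WebKit patch or attachments on this bug.
// Models a GC-owned object whose creation can fail before ownership is
// transferred, and shows the leak on the failure path next to the fix.
#include <iostream>
#include <memory>
#include <vector>

// Hypothetical stand-in for a V8 context; creation can fail under memory pressure.
struct Context {};

// Hypothetical stand-in for the isolated world object. The instance counter
// exists only so the example can measure leaks.
struct IsolatedWorld {
    static int liveCount;
    std::unique_ptr<Context> context;
    IsolatedWorld() { ++liveCount; }
    ~IsolatedWorld() { --liveCount; }
};
int IsolatedWorld::liveCount = 0;

// Simulated collector: takes ownership of worlds whose context was created.
struct FakeGC {
    std::vector<std::unique_ptr<IsolatedWorld>> owned;
    void adopt(IsolatedWorld* world) { owned.emplace_back(world); }
    void collectAll() { owned.clear(); }
};

// Simulated context creation; `allowAllocation == false` models out-of-memory
// and yields an empty (null) result, like an empty handle would.
static std::unique_ptr<Context> createContext(bool allowAllocation) {
    if (!allowAllocation)
        return nullptr;
    return std::unique_ptr<Context>(new Context());
}

// Leaky variant (the defect comment 2 points at): raw new, early return on
// failure, so the world is never freed when no context could be created.
// Returns true when a world was handed to the GC.
static bool enterIsolatedWorldLeaky(FakeGC& gc, bool allowAllocation) {
    IsolatedWorld* world = new IsolatedWorld();
    world->context = createContext(allowAllocation);
    if (!world->context)
        return false;  // BUG: `world` leaks here
    gc.adopt(world);
    return true;
}

// Corrected variant: keep the world in a unique_ptr until ownership really
// moves to the GC; release() only on the success path, so the failure path
// frees it automatically.
static bool enterIsolatedWorldSafe(FakeGC& gc, bool allowAllocation) {
    std::unique_ptr<IsolatedWorld> world(new IsolatedWorld());
    world->context = createContext(allowAllocation);
    if (!world->context)
        return false;  // unique_ptr destructor frees the world
    gc.adopt(world.release());
    return true;
}

// Drives one variant through a failing (OOM) attempt and a normal attempt,
// lets the GC collect, and returns how many worlds created during the run
// are still alive. 0 means no leak.
static int leakedWorldsAfter(bool (*enter)(FakeGC&, bool)) {
    int before = IsolatedWorld::liveCount;
    FakeGC gc;
    enter(gc, /*allowAllocation=*/false);  // context creation fails
    enter(gc, /*allowAllocation=*/true);   // context creation succeeds
    gc.collectAll();
    return IsolatedWorld::liveCount - before;
}

int main() {
    std::cout << "leaked (raw new + early return): "
              << leakedWorldsAfter(enterIsolatedWorldLeaky) << "\n";
    std::cout << "leaked (unique_ptr + release):   "
              << leakedWorldsAfter(enterIsolatedWorldSafe) << "\n";
    return 0;
}
```

The measurable difference is one object per failed attempt: the raw-pointer path leaves a world alive after collection, the `unique_ptr` path leaves none. Under sustained out-of-memory conditions that is a leak on exactly the path where memory is already scarce.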
Comment 8, WebKit Commit Bot, 2009-10-29 13:15:27 PDT
Comment on attachment 42103 [details], Patch v1:
Clearing flags on attachment: 42103
Committed r50296: <http://trac.webkit.org/changeset/50296>
Comment 9, WebKit Commit Bot, 2009-10-29 13:15:39 PDT
All reviewed patches have been landed. Closing bug.
Comment 10, Adam Barth, 2009-10-29 13:33:22 PDT
Committed r50299: <http://trac.webkit.org/changeset/50299>
Comment 11, Adam Barth, 2009-10-29 23:53:07 PDT
http://trac.webkit.org/changeset/50319