Sometimes, fails only on 64-bits Debug #0 0x00002b326632a82a in webkit_web_data_source_dispose (object=0x21248c0) at ../../Source/WebKit/gtk/webkit/webkitwebdatasource.cpp:86 86 ASSERT(!priv->loader->isLoading()); Thread 1 (Thread 25532): #0 0x00002b326632a82a in webkit_web_data_source_dispose (object=0x21248c0) at ../../Source/WebKit/gtk/webkit/webkitwebdatasource.cpp:86 #1 0x00002b326a7a51ca in g_object_unref (_object=0x21248c0) at /tmp/buildd/glib2.0-2.28.6/./gobject/gobject.c:2697 #2 0x00002b32662f937c in WebKit::DocumentLoader::unrefDataSource (this=0x4c46a60) at ../../Source/WebKit/gtk/WebCoreSupport/DocumentLoaderGtk.cpp:122 #3 0x00002b32662f928f in WebKit::DocumentLoader::decreaseLoadCount (this=0x4c46a60, identifier=1573) at ../../Source/WebKit/gtk/WebCoreSupport/DocumentLoaderGtk.cpp:105 #4 0x00002b3266310b0f in WebKit::FrameLoaderClient::dispatchDidFailLoading (this=0x4c69540, loader=0x4c46a60, identifier=1573, error=...) at ../../Source/WebKit/gtk/WebCoreSupport/FrameLoaderClientGtk.cpp:1171 #5 0x00002b32669cf1ee in WebCore::ResourceLoadNotifier::didFailToLoad (this=0x4c90418, loader=0x4caac10, error=...) at ../../Source/WebCore/loader/ResourceLoadNotifier.cpp:98 #6 0x00002b32669ce45b in WebCore::ResourceLoader::cancel (this=0x4caac10, error=...) at ../../Source/WebCore/loader/ResourceLoader.cpp:384 #7 0x00002b32669ce259 in WebCore::ResourceLoader::cancel (this=0x4caac10) at ../../Source/WebCore/loader/ResourceLoader.cpp:343 #8 0x00002b3266974bdb in WebCore::cancelAll (loaders=...) 
at ../../Source/WebCore/loader/DocumentLoader.cpp:69 #9 0x00002b3266977d60 in WebCore::DocumentLoader::stopLoadingSubresources (this=0x4c46a60) at ../../Source/WebCore/loader/DocumentLoader.cpp:758 #10 0x00002b32669763a5 in WebCore::DocumentLoader::stopLoading (this=0x4c46a60) at ../../Source/WebCore/loader/DocumentLoader.cpp:262 #11 0x00002b326698cc5f in WebCore::FrameLoader::stopAllLoaders (this=0x4c90240, clearProvisionalItemPolicy=WebCore::ShouldClearProvisionalItem) at ../../Source/WebCore/loader/FrameLoader.cpp:1806 #12 0x00002b326699041f in WebCore::FrameLoader::frameDetached (this=0x4c90240) at ../../Source/WebCore/loader/FrameLoader.cpp:2670 #13 0x00002b3266806af6 in WebCore::HTMLFrameOwnerElement::willRemove (this=0x4c35550) at ../../Source/WebCore/html/HTMLFrameOwnerElement.cpp:58 #14 0x00002b32668060b3 in WebCore::HTMLFrameElementBase::willRemove (this=0x4c35550) at ../../Source/WebCore/html/HTMLFrameElementBase.cpp:283 #15 0x00002b32666107bc in WebCore::willRemoveChild (child=0x4c35550) at ../../Source/WebCore/dom/ContainerNode.cpp:387 #16 0x00002b326661099c in WebCore::ContainerNode::removeChild (this=0x4c78e40, oldChild=0x4c35550, ec=@0x7fff9d2c1d5c) at ../../Source/WebCore/dom/ContainerNode.cpp:427 #17 0x00002b3266695579 in WebCore::Node::removeChild (this=0x4c78e40, oldChild=0x4c35550, ec=@0x7fff9d2c1d5c) at ../../Source/WebCore/dom/Node.cpp:658 #18 0x00002b3266478712 in WebCore::JSNode::removeChild (this=0x2b32bc4a5318, exec=0x2b32bc0140d0) at ../../Source/WebCore/bindings/js/JSNodeCustom.cpp:172 #19 0x00002b32670f1ee3 in WebCore::jsNodePrototypeFunctionRemoveChild (exec=0x2b32bc0140d0) at DerivedSources/WebCore/JSNode.cpp:493 #20 0x00002b327c0011e8 in ?? () #21 0x00007fff9d2c1e70 in ?? () #22 0x00002b327c01686e in ?? () #23 0x00007fff9d2c1e00 in ?? () #24 0x00002b32bc4a4a58 in ?? () #25 0x0000000004c7f9a0 in ?? () #26 0x00002b32bc4a04e0 in ?? () #27 0x00002b32bc4a4cf8 in ?? () #28 0x00007fff9d2c1e20 in ?? () #29 0x00007fff9d2c1e30 in ?? 
() #30 0x00002b3265552213 in JSC::JSValue::decode (ptr=0x7fff9d2c2a90) at ../../Source/JavaScriptCore/runtime/JSValueInlineMethods.h:369 #31 0x00002b32655e7519 in JSC::JITCode::execute (this=0x2b32bc4ac878, registerFile=0x159b8b8, callFrame=0x2b32bc014048, globalData=0x1d1bfb0) at ../../Source/JavaScriptCore/jit/JITCode.h:77 #32 0x00002b32655e3f7c in JSC::Interpreter::executeCall (this=0x159b8a0, callFrame=0x2b32bc4a0568, function=0x2b32bc492de0, callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:852 #33 0x00002b3265678580 in JSC::call (exec=0x2b32bc4a0568, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/runtime/CallData.cpp:38 #34 0x00002b3266431013 in WebCore::JSMainThreadExecState::call (exec=0x2b32bc4a0568, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../Source/WebCore/bindings/js/JSMainThreadExecState.h:48 #35 0x00002b326645e5dd in WebCore::JSEventListener::handleEvent (this=0x4ca50f0, scriptExecutionContext=0x4c944c8, event=0x4c35800) at ../../Source/WebCore/bindings/js/JSEventListener.cpp:128 #36 0x00002b326667fd85 in WebCore::EventTarget::fireEventListeners (this=0x4ca5340, event=0x4c35800, d=0x4ca5458, entry=WTF::Vector of length 1, capacity 1 = {...}) at ../../Source/WebCore/dom/EventTarget.cpp:389 #37 0x00002b326667fc12 in WebCore::EventTarget::fireEventListeners (this=0x4ca5340, event=0x4c35800) at ../../Source/WebCore/dom/EventTarget.cpp:358 #38 0x00002b326667faa2 in WebCore::EventTarget::dispatchEvent (this=0x4ca5340, event=...) at ../../Source/WebCore/dom/EventTarget.cpp:340 #39 0x00002b3266a3149e in WebCore::EventSource::endRequest (this=0x4ca5340) at ../../Source/WebCore/page/EventSource.cpp:133 #40 0x00002b3266a31bf4 in WebCore::EventSource::didFail (this=0x4ca5340, error=...) 
at ../../Source/WebCore/page/EventSource.cpp:243 #41 0x00002b326697ff12 in WebCore::DocumentThreadableLoader::didFail (this=0x4ca54e0, loader=0x4ca48e0, error=...) at ../../Source/WebCore/loader/DocumentThreadableLoader.cpp:252 #42 0x00002b32669d7bd3 in WebCore::SubresourceLoader::willCancel (this=0x4ca48e0, error=...) at ../../Source/WebCore/loader/SubresourceLoader.cpp:230 #43 0x00002b32669ce318 in WebCore::ResourceLoader::cancel (this=0x4ca48e0, error=...) at ../../Source/WebCore/loader/ResourceLoader.cpp:363 #44 0x00002b32669ce259 in WebCore::ResourceLoader::cancel (this=0x4ca48e0) at ../../Source/WebCore/loader/ResourceLoader.cpp:343 #45 0x00002b326697f1dc in WebCore::DocumentThreadableLoader::cancel (this=0x4ca54e0) at ../../Source/WebCore/loader/DocumentThreadableLoader.cpp:137 #46 0x00002b3266a31a47 in WebCore::EventSource::didReceiveResponse (this=0x4ca5340, response=...) at ../../Source/WebCore/page/EventSource.cpp:218 #47 0x00002b326697fa23 in WebCore::DocumentThreadableLoader::didReceiveResponse (this=0x4ca54e0, loader=0x4ca48e0, response=...) at ../../Source/WebCore/loader/DocumentThreadableLoader.cpp:201 #48 0x00002b32669d7671 in WebCore::SubresourceLoader::didReceiveResponse (this=0x4ca48e0, r=...) at ../../Source/WebCore/loader/SubresourceLoader.cpp:141 #49 0x00002b32669ce6e9 in WebCore::ResourceLoader::didReceiveResponse (this=0x4ca48e0, response=...) 
at ../../Source/WebCore/loader/ResourceLoader.cpp:437 #50 0x00002b3266f31b40 in WebCore::gotHeadersCallback (msg=0x4205850, data=0x4ca62e0) at ../../Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:289 #51 0x00002b326a7a3e7e in g_closure_invoke (closure=0x4ca6da0, return_value=0xffff000000000002, n_param_values=1, param_values=0x4ac0b20, invocation_hint=0xffff000000000000) at /tmp/buildd/glib2.0-2.28.6/./gobject/gclosure.c:767 #52 0x00002b326a7b58d7 in signal_emit_unlocked_R (node=<value optimized out>, detail=0, instance=0x4205850, emission_return=0x0, instance_and_params=0x4ac0b20) at /tmp/buildd/glib2.0-2.28.6/./gobject/gsignal.c:3252 #53 0x00002b326a7bed05 in g_signal_emit_valist (instance=<value optimized out>, signal_id=<value optimized out>, detail=<value optimized out>, var_args=<value optimized out>) at /tmp/buildd/glib2.0-2.28.6/./gobject/gsignal.c:2983 #54 0x00002b326a7beed3 in g_signal_emit (instance=<value optimized out>, signal_id=<value optimized out>, detail=<value optimized out>) at /tmp/buildd/glib2.0-2.28.6/./gobject/gsignal.c:3040 #55 0x00002b326a23b3d0 in io_read (sock=0x4b4d2e0, msg=0x4205850) at soup-message-io.c:944 #56 0x00002b326a7a3e7e in g_closure_invoke (closure=0x4b5dad0, return_value=0x0, n_param_values=1, param_values=0x4970d60, invocation_hint=0x7fff9d2c2f00) at /tmp/buildd/glib2.0-2.28.6/./gobject/gclosure.c:767 #57 0x00002b326a7b58d7 in signal_emit_unlocked_R (node=<value optimized out>, detail=0, instance=0x4b4d2e0, emission_return=0x0, instance_and_params=0x4970d60) at /tmp/buildd/glib2.0-2.28.6/./gobject/gsignal.c:3252 #58 0x00002b326a7bed05 in g_signal_emit_valist (instance=<value optimized out>, signal_id=<value optimized out>, detail=<value optimized out>, var_args=<value optimized out>) at /tmp/buildd/glib2.0-2.28.6/./gobject/gsignal.c:2983 #59 0x00002b326a7beed3 in g_signal_emit (instance=<value optimized out>, signal_id=<value optimized out>, detail=<value optimized out>) at 
/tmp/buildd/glib2.0-2.28.6/./gobject/gsignal.c:3040 #60 0x00002b326a24873e in socket_read_watch (pollable=<value optimized out>, user_data=0x4b4d2e0) at soup-socket.c:1139 #61 0x00002b326b03b4a3 in g_main_dispatch (context=0x14f7a40) at /tmp/buildd/glib2.0-2.28.6/./glib/gmain.c:2440 #62 g_main_context_dispatch (context=0x14f7a40) at /tmp/buildd/glib2.0-2.28.6/./glib/gmain.c:3013 #63 0x00002b326b03bc80 in g_main_context_iterate (context=0x14f7a40, block=1, dispatch=1, self=<value optimized out>) at /tmp/buildd/glib2.0-2.28.6/./glib/gmain.c:3091 #64 0x00002b326b03c2f2 in g_main_loop_run (loop=0x4c20c50) at /tmp/buildd/glib2.0-2.28.6/./glib/gmain.c:3299 #65 0x00002b3268f772b7 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0 #66 0x0000000000423e91 in runTest (testPathOrURL=...) at ../../Tools/DumpRenderTree/gtk/DumpRenderTree.cpp:703 #67 0x000000000042352e in runTestingServerLoop () at ../../Tools/DumpRenderTree/gtk/DumpRenderTree.cpp:495 #68 0x00000000004257f0 in main (argc=2, argv=0x7fff9d2c3da8) at ../../Tools/DumpRenderTree/gtk/DumpRenderTree.cpp:1180 Will skip the test for now.
*** Bug 61937 has been marked as a duplicate of this bug. ***
The ASSERT also exists in Mac: http://trac.webkit.org/browser/trunk/Source/WebKit/mac/WebView/WebDataSource.mm#L94 I think that's probably where it came from to our own WebKitWebDataSource. Maybe the place where we are destroying the datasource is bad (or simply different) compared to Mac, though?
(In reply to comment #2) > The ASSERT also exists in Mac: > > http://trac.webkit.org/browser/trunk/Source/WebKit/mac/WebView/WebDataSource.mm#L94 > > I think that's probably where it came from to our own WebKitWebDataSource. Maybe the place where we are destroying the datasource is bad (or simply different) compared to Mac, though? Could it be that Mac lets the main loop spin before actually destroying the wrapper object?
This crash also frequently occurs on Mac. It's the previous test that crashes, in fact. run-webkit-tests --repeat 10 http/tests/eventsource/eventsource-status-error-iframe-crash.html Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebKit 0x00000001023d1262 -[WebDataSourcePrivate dealloc] + 274 (WebDataSource.mm:94) 1 com.apple.WebKit 0x00000001023d2b44 -[WebDataSource dealloc] + 132 (WebDataSource.mm:409) 2 com.apple.CoreFoundation 0x00007fff88c11800 CFRelease + 176 3 com.apple.WebKit 0x00000001023d9cd3 WebDocumentLoaderMac::releaseDataSource() + 147 (WebDocumentLoaderMac.mm:135) 4 com.apple.WebKit 0x00000001023d9f88 WebDocumentLoaderMac::decreaseLoadCount(unsigned long) + 472 (WebDocumentLoaderMac.mm:116) ... 38 com.apple.WebCore 0x0000000102e7f40f WebCore::DocumentThreadableLoader::cancel() + 95 (DocumentThreadableLoader.cpp:146) 39 com.apple.WebCore 0x000000010303c4d5 WebCore::EventSource::didReceiveResponse(unsigned long, WebCore::ResourceResponse const&) + 1429 (EventSource.cpp:221)
*** Bug 62554 has been marked as a duplicate of this bug. ***
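The problem here is that we dispatch an error event when canceling EventSource loads in a frame that's being detached. This is incorrect per the spec, and in this particular case, it makes us recurse into Frame's willDetach methods, causing some major brokenness. As the backtrace in the report shows, the error event's listener runs script while ResourceLoader::cancel is still on the stack; that script calls removeChild on the frame element, which re-enters FrameLoader::frameDetached and stopAllLoaders and ends up disposing the data source while its loader still reports isLoading(), which is what the ASSERT catches. Patch forthcoming.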
Created attachment 105819 [details] proposed fix This changes the logic and behavior quite a bit, but I think that it's becoming simpler.
Comment on attachment 105819 [details] proposed fix This patch makes me smile.
Comment on attachment 105819 [details] proposed fix Clearing flags on attachment: 105819 Committed r94242: <http://trac.webkit.org/changeset/94242>
All reviewed patches have been landed. Closing bug.
Philippe, were any tests skipped for this issue? If so, we should unskip them.
(In reply to comment #11) > Philippe were any tests skipped for this issue? If so we should unskip them. Right, I forgot, thanks for the reminder! http://trac.webkit.org/changeset/94576
(In reply to comment #12) > (In reply to comment #11) > > Philippe were any tests skipped for this issue? If so we should unskip them. > > Right, I forgot, thanks for the reminder! > > http://trac.webkit.org/changeset/94576 There were still some tests skipped from bug https://bugs.webkit.org/show_bug.cgi?id=61937. I've unskipped them now. http://trac.webkit.org/changeset/99365