RESOLVED FIXED Bug 85301
Crash calling disconnectFrame on a DOMWindowExtension a second time
https://bugs.webkit.org/show_bug.cgi?id=85301
Summary Crash calling disconnectFrame on a DOMWindowExtension a second time
Jessie Berlin
Reported 2012-05-01 12:11:17 PDT
CRASH: com.apple.WebCore: WebCore::DOMWindowExtension::disconnectFrame + 31

1 com.apple.WebCore 0x10eae409f WebCore::DOMWindowExtension::disconnectFrame() + 0x1f
2 com.apple.WebCore 0x10eae31ea WebCore::DOMWindow::disconnectDOMWindowProperties() + 0xfa
3 com.apple.WebCore 0x10eae2a82 WebCore::DOMWindow::clearDOMWindowProperties() + 0x12
4 com.apple.WebCore 0x10eae2687 WebCore::DOMWindow::~DOMWindow() + 0x27
5 com.apple.WebCore 0x10e49fa21 WebCore::DOMWindow::~DOMWindow() + 0x11
6 com.apple.WebCore 0x10ec96864 WebCore::JSDOMWindowBase::~JSDOMWindowBase() + 0x34
7 com.apple.JavaScriptCore 0x10e25615e JSC::MarkedBlock::FreeList JSC::MarkedBlock::sweepHelper<true>(JSC::MarkedBlock::SweepMode) + 0x18e
8 com.apple.JavaScriptCore 0x10e255f84 JSC::MarkedBlock::sweep(JSC::MarkedBlock::SweepMode) + 0x24
9 com.apple.JavaScriptCore 0x10e2017cb JSC::Heap::sweep() + 0xcb
10 com.apple.JavaScriptCore 0x10e201915 JSC::Heap::collect(JSC::Heap::SweepToggle) + 0xf5
11 com.apple.JavaScriptCore 0x10e20080d JSC::DefaultGCActivityCallbackPlatformData::timerDidFire(__CFRunLoopTimer*, void*) + 0x9d

<rdar://problem/11353945>

DOMWindow calls disconnectFrame on all its DOMWindowProperties, even in cases where it previously called disconnectFrame when going into the page cache. DOMWindowExtension should bail early if it already has a disconnected frame, since it has already notified any client the first time disconnectFrame was invoked.
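The double-disconnect sequence the report describes (disconnectFrame once when the window enters the page cache, then again from ~DOMWindow during a GC sweep), replayed against a small model so the effect of the early-bail guard can be checked. This is an added illustration, not WebKit's code; Frame, ExtensionClient, Extension, Outcome and runDoubleDisconnect are constructed names for this example only.

```cpp
#include <cstddef>

// Constructed stand-ins for this example; none of these are WebKit's own API.
struct Frame {
    int detachCount = 0;
};

struct ExtensionClient {
    int disconnectNotifications = 0;
    void extensionDidDisconnect() { ++disconnectNotifications; }
};

// What one run of the disconnect sequence produced.
struct Outcome {
    int notifications = 0;         // how many times the client was told
    bool nullFrameAccess = false;  // did disconnectFrame() touch a null frame
};

// Model of a DOMWindowProperty-like object holding a raw Frame pointer.
// With 'guarded' false it behaves like the pre-fix code in the report: every
// call notifies the client and uses the frame. With 'guarded' true it bails
// early once the frame has already been disconnected, which is the fix.
class Extension {
public:
    Extension(Frame* frame, ExtensionClient* client, bool guarded)
        : m_frame(frame), m_client(client), m_guarded(guarded) {}

    void disconnectFrame(Outcome& out) {
        if (m_guarded && !m_frame)
            return; // already disconnected; client was notified the first time
        if (!m_frame)
            out.nullFrameAccess = true; // the real code dereferences here and crashes
        else
            ++m_frame->detachCount;
        m_client->extensionDidDisconnect();
        ++out.notifications;
        m_frame = nullptr;
    }

    Frame* frame() const { return m_frame; }

private:
    Frame* m_frame;
    ExtensionClient* m_client;
    bool m_guarded;
};

// Replays the report's sequence: first disconnect on entering the page cache,
// second disconnect from the window destructor clearing all its properties.
Outcome runDoubleDisconnect(bool guarded) {
    Frame frame;
    ExtensionClient client;
    Extension ext(&frame, &client, guarded);
    Outcome out;
    ext.disconnectFrame(out); // page cache entry
    ext.disconnectFrame(out); // ~DOMWindow -> clearDOMWindowProperties
    out.notifications = client.disconnectNotifications;
    return out;
}
```

Without the guard the second call both re-notifies the client and reaches a null frame; with it, the second call is a no-op and the client sees exactly one disconnect, which is the behaviour the patch aims for.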
Attachments
Patch (1.74 KB, patch)
2012-05-01 12:15 PDT, Jessie Berlin
no flags
Jessie Berlin
Comment 1 2012-05-01 12:15:48 PDT
Darin Adler
Comment 2 2012-05-01 12:42:20 PDT
Comment on attachment 139657 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=139657&action=review

Is there a way to create a regression test for this?

> Source/WebCore/page/DOMWindowExtension.cpp:60
> + ASSERT(!this->frame());

No need for this-> here.
Jessie Berlin
Comment 3 2012-05-01 12:49:49 PDT
(In reply to comment #2)
> (From update of attachment 139657 [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=139657&action=review
>
> Is there a way to create a regression test for this?

The only way I was able to reproduce this was to keep navigating to pages that were page-cache-worthy until the JSC timer was fired. I am not sure what else would reliably trigger the DOMWindow destruction after it had already gone into the page cache without first detaching the page.

> > Source/WebCore/page/DOMWindowExtension.cpp:60
> > + ASSERT(!this->frame());
>
> No need for this-> here.

Fixed. Thanks for the review!
Jessie Berlin
Comment 4 2012-05-01 13:15:05 PDT