RESOLVED FIXED 87990
Crashes unregistering DOMWindowProperties while releasing CachedPages
https://bugs.webkit.org/show_bug.cgi?id=87990
Brady Eidson
Reported 2012-05-31 10:51:11 PDT
Crashes unregistered DOMWindowProperties releasing CachedPages.

I haven't been able to craft a test case to reproduce this, but we know some people are seeing crashes where the following occurs:

- A page with iframes goes into the page cache
- SOMEHOW, a DOMWindowProperty is created in one of these iframes. It is registered with the DOMWindow as a property, but it doesn't know that it is a disconnected DOMWindow in the page cache.
- When the cached frame is later destroyed, the DOMWindow tells each of its properties that the cached frame is going away, and the DOMWindowProperty in question doesn't have a disconnected DOMWindow to unregister from.
- Crash.

My proposed patch will involve a pretty straightforward rewrite of the base DOMWindowProperty class that guards against this case by always keeping track of the DOMWindow it has registered with, and only unregistering from that very same DOMWindow.

In radar as <rdar://problem/11544454>
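The guard proposed in the report above, sketched as an added example; it is not the WebKit patch and not part of the original report. `Window` and `Property` are hypothetical stand-ins for DOMWindow and DOMWindowProperty, and every method name is an assumption made for illustration.

```cpp
#include <cstddef>
#include <set>

class Property;

// Hypothetical stand-in for DOMWindow: owns a registry of properties.
class Window {
public:
    void registerProperty(Property* p) { m_properties.insert(p); }
    void unregisterProperty(Property* p) { m_properties.erase(p); }
    std::size_t propertyCount() const { return m_properties.size(); }
    void willDestroyInCachedFrame();
private:
    std::set<Property*> m_properties;
};

// Hypothetical stand-in for DOMWindowProperty with the guard applied.
class Property {
public:
    // Remember exactly which window accepted the registration.
    explicit Property(Window* w) : m_registeredWindow(w) {
        if (m_registeredWindow) m_registeredWindow->registerProperty(this);
    }
    ~Property() { unregister(); }
    void windowWillBeDestroyed() { unregister(); }
    bool isRegistered() const { return m_registeredWindow != nullptr; }
private:
    // Never look the window up through frame or cache state at teardown.
    void unregister() {
        if (!m_registeredWindow) return;  // already unregistered: no-op
        m_registeredWindow->unregisterProperty(this);
        m_registeredWindow = nullptr;
    }
    Window* m_registeredWindow;
};

void Window::willDestroyInCachedFrame() {
    // Iterate over a copy: each callback erases itself from m_properties.
    std::set<Property*> snapshot(m_properties);
    for (Property* p : snapshot) p->windowWillBeDestroyed();
}

// Constructed scenario from the report: a property is created on a window
// that is already in the page cache, then the cached window is torn down.
std::size_t leftoverRegistrationsAfterCachedTeardown() {
    Window cached;
    Property late(&cached);
    cached.willDestroyInCachedFrame();
    return cached.propertyCount() + (late.isRegistered() ? 1 : 0);
}
```

Because the property clears its stored pointer once it has unregistered, a second teardown notification or the destructor running afterwards is a no-op rather than a dereference of a window it can no longer find.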
Attachments
Patch v1 (6.11 KB, patch)
2012-05-31 11:03 PDT, Brady Eidson
jberlin: review+
Brady Eidson
Comment 1 2012-05-31 11:03:25 PDT
Created attachment 145114 Patch v1
Jessie Berlin
Comment 2 2012-05-31 11:18:36 PDT
Comment on attachment 145114 Patch v1

View in context: https://bugs.webkit.org/attachment.cgi?id=145114&action=review

r=me (assuming all the layout tests pass with this version)

> Source/WebCore/page/DOMWindowProperty.cpp:41
> + // We should fix that.

This needs a FIXME and a bug number.
Brady Eidson
Comment 3 2012-05-31 12:58:29 PDT