RESOLVED FIXED 93729
REGRESSION(r125159): ASSERTION FAILED: m_listsInvalidatedAtDocument.contains(list) in Document::unregisterNodeListCache 
https://bugs.webkit.org/show_bug.cgi?id=93729
Summary REGRESSION(r125159): ASSERTION FAILED: m_listsInvalidatedAtDocument.contains(...
Arko Saha
Reported 2012-08-10 11:31:35 PDT
Currently we are hitting an assertion failure in Document::unregisterNodeListCache BackTrace: STDERR: ASSERTION FAILED: m_listsInvalidatedAtDocument.contains(list) STDERR: /home/buildslave-1/webkit-buildslave/efl-linux-64-debug/build/Source/WebCore/dom/Document.cpp(3910) : void WebCore::Document::unregisterNodeListCache(WebCore::DynamicNodeListCacheBase*) STDERR: 1 0x7f9e8f7b1d31 WebCore::Document::unregisterNodeListCache(WebCore::DynamicNodeListCacheBase*) STDERR: 2 0x7f9e8f785de6 WebCore::DynamicSubtreeNodeList::~DynamicSubtreeNodeList() STDERR: 3 0x7f9e8f85f0e2 WebCore::PropertyNodeList::~PropertyNodeList() STDERR: 4 0x7f9e8f85f11c WebCore::PropertyNodeList::~PropertyNodeList() STDERR: 5 0x4aa45a WTF::RefCounted<WebCore::NodeList>::deref() STDERR: 6 0x7f9e903596b0 WebCore::JSNodeList::releaseImpl() STDERR: 7 0x7f9e9035951c WebCore::JSNodeListOwner::finalize(JSC::Handle<JSC::Unknown>, void*) STDERR: 8 0x7f9e93ee132e JSC::WeakBlock::finalize(JSC::WeakImpl*) STDERR: 9 0x7f9e93ee0d2f JSC::WeakBlock::sweep() STDERR: 10 0x7f9e93ee0326 JSC::WeakSet::sweep() STDERR: 11 0x7f9e93ed7893 JSC::MarkedBlock::sweep(JSC::MarkedBlock::SweepMode) STDERR: 12 0x7f9e93ed9a15 JSC::Sweep::operator()(JSC::MarkedBlock*) STDERR: 13 0x7f9e93eda815 void JSC::MarkedAllocator::forEachBlock<JSC::Sweep>(JSC::Sweep&) STDERR: 14 0x7f9e93eda46f JSC::Sweep::ReturnType JSC::MarkedSpace::forEachBlock<JSC::Sweep>(JSC::Sweep&) STDERR: 15 0x7f9e93eda01f JSC::Sweep::ReturnType JSC::MarkedSpace::forEachBlock<JSC::Sweep>() STDERR: 16 0x7f9e93ed8f2d JSC::MarkedSpace::sweep() STDERR: 17 0x7f9e93eca277 JSC::Heap::collect(JSC::Heap::SweepToggle) STDERR: 18 0x7f9e93eca003 JSC::Heap::collectAllGarbage() STDERR: 19 0x7f9e901f3ae4 STDERR: 20 0x7f9e901f3bda WebCore::GCController::gcTimerFired(WebCore::Timer<WebCore::GCController>*) STDERR: 21 0x7f9e901f3e6e WebCore::Timer<WebCore::GCController>::fired() STDERR: 22 0x7f9e8fd41fe1 WebCore::ThreadTimers::sharedTimerFiredInternal() STDERR: 23 0x7f9e8fd41f0f WebCore::ThreadTimers::sharedTimerFired() STDERR: 24 0x7f9e9067601d STDERR: 25 0x7f9e8bae1c4e _ecore_timer_expired_call STDERR: 26 0x7f9e8bae1e1b _ecore_timer_expired_timers_call STDERR: 27 0x7f9e8badeeb1 STDERR: 28 0x7f9e8badf547 ecore_main_loop_begin STDERR: 29 0x478c0d STDERR: 30 0x478deb STDERR: 31 0x479444 main In Document::registerNodeListCache() it was not adding PropertyNodeList cache to m_listsInvalidatedAtDocument the as the node list currently not rooted at the document. Where in Document::unregisterNodeListCache() it was trying to remove PropertyNodeList cache from m_listsInvalidatedAtDocument. Hence it caused the assertion failure. Please check https://bugs.webkit.org/show_bug.cgi?id=93485 for details.
Attachments
Patch (4.12 KB, patch)
2012-08-10 13:52 PDT, Arko Saha 		no flags
DetailsFormatted DiffDiff
Updated patch (4.26 KB, patch)
2012-08-10 15:38 PDT, Arko Saha 		rniwa: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Arko Saha
Comment 1 2012-08-10 13:52:10 PDT
Created attachment 157803 [details] Patch
Ryosuke Niwa
Comment 2 2012-08-10 14:41:45 PDT
Comment on attachment 157803 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=157803&action=review > LayoutTests/fast/dom/MicroData/propertynodelist-crash.html:4 > +<head> > +</head> No need for the head element. > LayoutTests/fast/dom/MicroData/propertynodelist-crash.html:7 > +<div id='id1' itemprop='foo'></div> Please use more descriptive name like elementWithItemProp. > LayoutTests/fast/dom/MicroData/propertynodelist-crash.html:22 > +if (window.testRunner) { > + setTimeout(function () { testRunner.notifyDone() }, 10); > +} Why do we need this? Do we need to trigger GC? Then try GCController.collect().
Arko Saha
Comment 3 2012-08-10 15:38:16 PDT
Created attachment 157822 [details] Updated patch Incorporated review comments.
Ryosuke Niwa
Comment 4 2012-08-10 15:44:06 PDT
Comment on attachment 157822 [details] Updated patch View in context: https://bugs.webkit.org/attachment.cgi?id=157822&action=review > LayoutTests/fast/dom/MicroData/propertynodelist-crash.html:10 > +if (window.testRunner) { > + testRunner.dumpAsText(); > +} No curly brackets around a single line statement. > LayoutTests/fast/dom/MicroData/propertynodelist-crash.html:19 > + for (var i = 0; i < 10000; i++) { // force garbage collection > + var s = new String(""); > + } Ditto.
Arko Saha
Comment 5 2012-08-10 15:59:35 PDT
Committed r125334: <http://trac.webkit.org/changeset/125334>
Sudarsana Nagineni (babu)
Comment 6 2012-08-10 23:09:44 PDT
(In reply to comment #5) > Committed r125334: <http://trac.webkit.org/changeset/125334> Thanks for the fix Arko.
Note You need to log in before you can comment on or make changes to this bug.