93729 – REGRESSION(r125159): ASSERTION FAILED: m_listsInvalidatedAtDocument.contains(list) in Document::unregisterNodeListCache

Bug 93729 - REGRESSION(r125159): ASSERTION FAILED: m_listsInvalidatedAtDocument.contains(list) in Document::unregisterNodeListCache

Summary: REGRESSION(r125159): ASSERTION FAILED: m_listsInvalidatedAtDocument.contains(...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	DOM (show other bugs)
Version:	528+ (Nightly build)
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Arko Saha

URL:
Keywords:

Depends on:
Blocks:

Reported:	2012-08-10 11:31 PDT by Arko Saha
Modified:	2012-08-10 23:09 PDT (History)
CC List:	2 users (show)

See Also:

Attachments
Patch (4.12 KB, patch) 2012-08-10 13:52 PDT, Arko Saha	no flags	Details \| Formatted Diff \| Diff
Updated patch (4.26 KB, patch) 2012-08-10 15:38 PDT, Arko Saha	rniwa: review+	Details \| Formatted Diff \| Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Arko Saha 2012-08-10 11:31:35 PDT

Currently we are hitting an assertion failure in Document::unregisterNodeListCache

BackTrace:
STDERR: ASSERTION FAILED: m_listsInvalidatedAtDocument.contains(list)
STDERR: /home/buildslave-1/webkit-buildslave/efl-linux-64-debug/build/Source/WebCore/dom/Document.cpp(3910) : void WebCore::Document::unregisterNodeListCache(WebCore::DynamicNodeListCacheBase*)
STDERR: 1   0x7f9e8f7b1d31 WebCore::Document::unregisterNodeListCache(WebCore::DynamicNodeListCacheBase*)
STDERR: 2   0x7f9e8f785de6 WebCore::DynamicSubtreeNodeList::~DynamicSubtreeNodeList()
STDERR: 3   0x7f9e8f85f0e2 WebCore::PropertyNodeList::~PropertyNodeList()
STDERR: 4   0x7f9e8f85f11c WebCore::PropertyNodeList::~PropertyNodeList()
STDERR: 5   0x4aa45a WTF::RefCounted<WebCore::NodeList>::deref()
STDERR: 6   0x7f9e903596b0 WebCore::JSNodeList::releaseImpl()
STDERR: 7   0x7f9e9035951c WebCore::JSNodeListOwner::finalize(JSC::Handle<JSC::Unknown>, void*)
STDERR: 8   0x7f9e93ee132e JSC::WeakBlock::finalize(JSC::WeakImpl*)
STDERR: 9   0x7f9e93ee0d2f JSC::WeakBlock::sweep()
STDERR: 10  0x7f9e93ee0326 JSC::WeakSet::sweep()
STDERR: 11  0x7f9e93ed7893 JSC::MarkedBlock::sweep(JSC::MarkedBlock::SweepMode)
STDERR: 12  0x7f9e93ed9a15 JSC::Sweep::operator()(JSC::MarkedBlock*)
STDERR: 13  0x7f9e93eda815 void JSC::MarkedAllocator::forEachBlock<JSC::Sweep>(JSC::Sweep&)
STDERR: 14  0x7f9e93eda46f JSC::Sweep::ReturnType JSC::MarkedSpace::forEachBlock<JSC::Sweep>(JSC::Sweep&)
STDERR: 15  0x7f9e93eda01f JSC::Sweep::ReturnType JSC::MarkedSpace::forEachBlock<JSC::Sweep>()
STDERR: 16  0x7f9e93ed8f2d JSC::MarkedSpace::sweep()
STDERR: 17  0x7f9e93eca277 JSC::Heap::collect(JSC::Heap::SweepToggle)
STDERR: 18  0x7f9e93eca003 JSC::Heap::collectAllGarbage()
STDERR: 19  0x7f9e901f3ae4
STDERR: 20  0x7f9e901f3bda WebCore::GCController::gcTimerFired(WebCore::Timer<WebCore::GCController>*)
STDERR: 21  0x7f9e901f3e6e WebCore::Timer<WebCore::GCController>::fired()
STDERR: 22  0x7f9e8fd41fe1 WebCore::ThreadTimers::sharedTimerFiredInternal()
STDERR: 23  0x7f9e8fd41f0f WebCore::ThreadTimers::sharedTimerFired()
STDERR: 24  0x7f9e9067601d
STDERR: 25  0x7f9e8bae1c4e _ecore_timer_expired_call
STDERR: 26  0x7f9e8bae1e1b _ecore_timer_expired_timers_call
STDERR: 27  0x7f9e8badeeb1
STDERR: 28  0x7f9e8badf547 ecore_main_loop_begin
STDERR: 29  0x478c0d
STDERR: 30  0x478deb
STDERR: 31  0x479444 main

In Document::registerNodeListCache() it was not adding PropertyNodeList cache to m_listsInvalidatedAtDocument the as the node list currently not rooted at the document. Where in Document::unregisterNodeListCache() it was trying to remove PropertyNodeList cache from m_listsInvalidatedAtDocument. Hence it caused the assertion failure.
Please check https://bugs.webkit.org/show_bug.cgi?id=93485 for details.

Comment 1 Arko Saha 2012-08-10 13:52:10 PDT

Created attachment 157803 [details]
Patch

Comment 2 Ryosuke Niwa 2012-08-10 14:41:45 PDT

Comment on attachment 157803 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=157803&action=review

> LayoutTests/fast/dom/MicroData/propertynodelist-crash.html:4
> +<head>
> +</head>

No need for the head element.

> LayoutTests/fast/dom/MicroData/propertynodelist-crash.html:7
> +<div id='id1' itemprop='foo'></div>

Please use more descriptive name like elementWithItemProp.

> LayoutTests/fast/dom/MicroData/propertynodelist-crash.html:22
> +if (window.testRunner) {
> +    setTimeout(function () { testRunner.notifyDone() }, 10);
> +}

Why do we need this? Do we need to trigger GC? Then try GCController.collect().

Comment 3 Arko Saha 2012-08-10 15:38:16 PDT

Created attachment 157822 [details]
Updated patch

Incorporated review comments.

Comment 4 Ryosuke Niwa 2012-08-10 15:44:06 PDT

Comment on attachment 157822 [details]
Updated patch

View in context: https://bugs.webkit.org/attachment.cgi?id=157822&action=review

> LayoutTests/fast/dom/MicroData/propertynodelist-crash.html:10
> +if (window.testRunner) {
> +    testRunner.dumpAsText();
> +}

No curly brackets around a single line statement.

> LayoutTests/fast/dom/MicroData/propertynodelist-crash.html:19
> +    for (var i = 0; i < 10000; i++) { // force garbage collection
> +        var s = new String("");
> +    }

Ditto.

Comment 5 Arko Saha 2012-08-10 15:59:35 PDT

Committed r125334: <http://trac.webkit.org/changeset/125334>

Comment 6 Sudarsana Nagineni (babu) 2012-08-10 23:09:44 PDT

(In reply to comment #5)
> Committed r125334: <http://trac.webkit.org/changeset/125334>

Thanks for the fix Arko.