[webkit-changes] [204631] trunk/Source/WebCore

[cdumez]

Title: [204631] trunk/Source/WebCore

Revision

204631

Author

cdu...@apple.com

Date

2016-08-19 08:46:42 -0700 (Fri, 19 Aug 2016)

Log Message

DumpRenderTree crashed in com.apple.WebCore: WebCore::DOMWindow::resetDOMWindowProperties + 607
https://bugs.webkit.org/show_bug.cgi?id=160983
<rdar://problem/26768524>

Reviewed by Brent Fulgham.

Update DOMWindow::frameDestroyed() to ref the window object as the crash
traces seem to indicate it can get destroyed during the execution of this
method. Also update the code in the ~Frame destructor to not iterate over
the list of FrameDestructionObservers because observers remove themselves
from the list when they get destroyed.

No new tests, do not know how to reproduce.

* page/DOMWindow.cpp:
(WebCore::DOMWindow::frameDestroyed):
* page/Frame.cpp:
(WebCore::Frame::~Frame):

Modified Paths

• trunk/Source/WebCore/ChangeLog
• trunk/Source/WebCore/page/DOMWindow.cpp
• trunk/Source/WebCore/page/Frame.cpp

Diff

Modified: trunk/Source/WebCore/ChangeLog (204630 => 204631)

--- trunk/Source/WebCore/ChangeLog	2016-08-19 15:36:55 UTC (rev 204630)
+++ trunk/Source/WebCore/ChangeLog	2016-08-19 15:46:42 UTC (rev 204631)
@@ -1,5 +1,26 @@
 2016-08-19  Chris Dumez  <cdu...@apple.com>
 
+        DumpRenderTree crashed in com.apple.WebCore: WebCore::DOMWindow::resetDOMWindowProperties + 607
+        https://bugs.webkit.org/show_bug.cgi?id=160983
+        <rdar://problem/26768524>
+
+        Reviewed by Brent Fulgham.
+
+        Update DOMWindow::frameDestroyed() to ref the window object as the crash
+        traces seem to indicate it can get destroyed during the execution of this
+        method. Also update the code in the ~Frame destructor to not iterate over
+        the list of FrameDestructionObservers because observers remove themselves
+        from the list when they get destroyed.
+
+        No new tests, do not know how to reproduce.
+
+        * page/DOMWindow.cpp:
+        (WebCore::DOMWindow::frameDestroyed):
+        * page/Frame.cpp:
+        (WebCore::Frame::~Frame):
+
+2016-08-19  Chris Dumez  <cdu...@apple.com>
+
         WebKit should unset event propagation flags after dispatch
         https://bugs.webkit.org/show_bug.cgi?id=160853
 

Modified: trunk/Source/WebCore/page/DOMWindow.cpp (204630 => 204631)

--- trunk/Source/WebCore/page/DOMWindow.cpp	2016-08-19 15:36:55 UTC (rev 204630)
+++ trunk/Source/WebCore/page/DOMWindow.cpp	2016-08-19 15:46:42 UTC (rev 204631)
@@ -481,6 +481,8 @@
 
 void DOMWindow::frameDestroyed()
 {
+    Ref<DOMWindow> protectedThis(*this);
+
     willDestroyDocumentInFrame();
     FrameDestructionObserver::frameDestroyed();
     resetDOMWindowProperties();

Modified: trunk/Source/WebCore/page/Frame.cpp (204630 => 204631)

--- trunk/Source/WebCore/page/Frame.cpp	2016-08-19 15:36:55 UTC (rev 204630)
+++ trunk/Source/WebCore/page/Frame.cpp	2016-08-19 15:46:42 UTC (rev 204631)
@@ -217,8 +217,8 @@
 
     disconnectOwnerElement();
 
-    for (auto& observer : m_destructionObservers)
-        observer->frameDestroyed();
+    while (auto* destructionObserver = m_destructionObservers.takeAny())
+        destructionObserver->frameDestroyed();
 
     if (!isMainFrame())
         m_mainFrame.selfOnlyDeref();

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes