<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[192880] trunk/Source/WebCore</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/192880">192880</a></dd>
<dt>Author</dt> <dd>carlosgc@webkit.org</dd>
<dt>Date</dt> <dd>2015-12-01 04:23:34 -0800 (Tue, 01 Dec 2015)</dd>
</dl>
<h3>Log Message</h3>
<pre>[GTK] ASSERTION FAILED: m_table running /webkit2/BackForwardList/navigation in Debug build
https://bugs.webkit.org/show_bug.cgi?id=151700
Reviewed by Martin Robinson.
This happens when the frame notifies its observers that the page
will be detached. The m_table that asserts is the
FrameDestructionObserver HashSet. It happens when clearing the
GObject DOM cache wrappers during frame destruction, and there's a
Document object wrapped whose last reference is held by the DOM
wrapper. In that case, the Document object is destroyed while the
frame is being destroyed. Deleting the wrapper objects after the
frame destruction fixes the crash.
* bindings/gobject/DOMObjectCache.cpp:</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCorebindingsgobjectDOMObjectCachecpp">trunk/Source/WebCore/bindings/gobject/DOMObjectCache.cpp</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (192879 => 192880)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog 2015-12-01 11:02:30 UTC (rev 192879)
+++ trunk/Source/WebCore/ChangeLog 2015-12-01 12:23:34 UTC (rev 192880)
</span><span class="lines">@@ -1,3 +1,21 @@
</span><ins>+2015-12-01 Carlos Garcia Campos <cgarcia@igalia.com>
+
+ [GTK] ASSERTION FAILED: m_table running /webkit2/BackForwardList/navigation in Debug build
+ https://bugs.webkit.org/show_bug.cgi?id=151700
+
+ Reviewed by Martin Robinson.
+
+ This happens when the frame notifies its observers that the page
+ will be detached. The m_table that asserts is the
+ FrameDestructionObserver HashSet. It happens when clearing the
+ GObject DOM cache wrappers during frame destruction, and there's a
+ Document object wrapped whose last reference is held by the DOM
+ wrapper. In that case, the Document object is destroyed while the
+ frame is being destroyed. Deleting the wrapper objects after the
+ frame destruction fixes the crash.
+
+ * bindings/gobject/DOMObjectCache.cpp:
+
</ins><span class="cx"> 2015-12-01 Youenn Fablet <youenn.fablet@crf.canon.fr>
</span><span class="cx">
</span><span class="cx"> [Streams API] pull function of tee should call readFromReadableStreamReader directly
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsgobjectDOMObjectCachecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/gobject/DOMObjectCache.cpp (192879 => 192880)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/gobject/DOMObjectCache.cpp 2015-12-01 11:02:30 UTC (rev 192879)
+++ trunk/Source/WebCore/bindings/gobject/DOMObjectCache.cpp 2015-12-01 12:23:34 UTC (rev 192880)
</span><span class="lines">@@ -155,10 +155,17 @@
</span><span class="cx"> return;
</span><span class="cx">
</span><span class="cx"> auto objects = WTF::move(m_objects);
</span><del>- for (auto* data : objects) {
</del><ins>+
+ // Deleting of DOM wrappers might end up deleting the wrapped core object which could cause some problems
+ // for example if a Document is deleted during the frame destruction, so we remove the weak references now
+ // and delete the objects on next run loop iteration. See https://bugs.webkit.org/show_bug.cgi?id=151700.
+ for (auto* data : objects)
</ins><span class="cx"> g_object_weak_unref(data->object, DOMObjectCacheFrameObserver::objectFinalizedCallback, this);
</span><del>- data->clearObject();
- }
</del><ins>+
+ RunLoop::main().dispatch([objects] {
+ for (auto* data : objects)
+ data->clearObject();
+ });
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> virtual void willDetachPage() override
</span></span></pre>
</div>
</div>
</body>
</html>