[Webkit-unassigned] [Bug 23736] WebKit Crashes on http://g-conquest.fr/~server2

Wed Mar 4 14:34:16 PST 2009

https://bugs.webkit.org/show_bug.cgi?id=23736

------- Comment #8 from eric at webkit.org  2009-03-04 14:34 PDT -------
I added an ASSERT to ~DocLoader(), which we now hit:

DocLoader::~DocLoader()
{
    clearPreloads();
    DocumentResourceMap::iterator end = m_documentResources.end();
    for (DocumentResourceMap::iterator it = m_documentResources.begin(); it !=
end; ++it)
        it->second->setDocLoader(0);
    m_cache->removeDocLoader(this);

    // Make sure no requests still point to this DocLoader
    ASSERT(m_requestCount == 0);
}

m_requestCount == 1.  The stack trace of hitting the ASSERT is:
#0      0x036ba6d2 in WebCore::DocLoader::~DocLoader at DocLoader.cpp:70
#1      0x036c8d12 in WebCore::Document::~Document at Document.cpp:436
#2      0x037b697f in WebCore::HTMLDocument::~HTMLDocument at
HTMLDocument.cpp:91
#3      0x035d68ab in WebCore::Document::selfOnlyDeref at Document.h:208
#4      0x035d68d1 in WebCore::DocPtr<WebCore::Document>::~DocPtr at
DocPtr.h:32
#5      0x036c65fe in WebCore::Document::removedLastRef at Document.cpp:410
#6      0x0347247f in WebCore::TreeShared<WebCore::Node>::deref at
TreeShared.h:69
#7      0x03c7ff3e in WTF::RefPtr<WebCore::Node>::~RefPtr at RefPtr.h:50
#8      0x03971a92 in WebCore::JSNode::~JSNode at JSNode.cpp:256
#9      0x038ed205 in WebCore::JSDocument::~JSDocument at JSDocument.cpp:251
#10     0x03915c7a in WebCore::JSHTMLDocument::~JSHTMLDocument at
JSHTMLDocument.h:30
#11     0x0065c964 in JSC::Heap::sweep<(JSC::HeapType)0> at Collector.cpp:917
#12     0x005cbd76 in JSC::Heap::collect at Collector.cpp:996
#13     0x0378e1fb in WebCore::GCController::gcTimerFired at
GCController.cpp:74
#14     0x0378e3ef in WebCore::Timer<WebCore::GCController>::fired at
Timer.h:93
#15     0x03cf40f1 in WebCore::ThreadTimers::fireTimers at ThreadTimers.cpp:111
#16     0x03cf4305 in WebCore::ThreadTimers::sharedTimerFiredInternal at
ThreadTimers.cpp:141
#17     0x03cf4351 in WebCore::ThreadTimers::sharedTimerFired at
ThreadTimers.cpp:122
#18     0x03cbe98a in WebCore::timerFired at SharedTimerMac.mm:86

It seems like someone forgot about this poor little Document, and the only
thing left holding onto it is JavaScript.  When JavaScript lets go of it, the
DocLoader is destroyed, which happens before the load actually finishes... How
could the rest of WebCore have forgotten about this Document w/o having
canceled the loads?

One way to fix this would be to cancel all loads from within ~DocLoader(), but
maybe that's just masking other bugs?

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.