[Webkit-unassigned] [Bug 58564] New: Document::removedLastRef called twice on JS GC
bugzilla-daemon at webkit.org
Thu Apr 14 13:05:30 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=58564
Summary: Document::removedLastRef called twice on JS GC
Product: WebKit
Version: 528+ (Nightly build)
Platform: All
OS/Version: All
Status: NEW
Severity: Normal
Priority: P2
Component: HTML DOM
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: rolandsteiner at chromium.org
CC: jschuh at chromium.org, inferno at chromium.org

If one adds an ASSERT in the WebCore/dom/Document function Document::removedLastRef() to verify that it's not called twice, e.g., by changing the line

    m_markers->detach();

to

    ASSERT(m_markers);
    m_markers->detach();
    m_markers.clear();

JS GC (at least with JSC) will trigger this ASSERT when running layout tests:

    run-webkit-tests --debug --exit-after-n-crashes 1

On my machine the triggering test is fast/dom/generic-form-element-assert.html, but I don't think it's this test's particular fault. It probably just happens to cause a GC at the "right" time. (I haven't yet found a way to reproduce this behavior in a faster way.)

So far I tested this with JSC only - I don't know whether V8 is also affected.