[Webkit-unassigned] [Bug 103592] DRT - crashed in WebCore::SearchFieldCancelButtonElement::defaultEventHandler
bugzilla-daemon at webkit.org
Sat Dec 1 02:24:50 PST 2012
https://bugs.webkit.org/show_bug.cgi?id=103592
--- Comment #14 from Xiaobo Wang <xiaobo.wang at torchmobile.com.cn> 2012-12-01 02:27:08 PST ---
Yes, it's very flaky. When we remove the input element with JavaScript "search.parentNode.removeChild(search)", the search type input control is detached from the DOM tree. Its shadow nodes are also detached, but they're not removed. So in SearchFieldCancelButtonElement::defaultEventHandler(), we can still get the shadowRoot and ShadowHost. The shadow roots are removed on JavaScript GC, see back trace below. How and when GC is performed is platform dependent. This might be the reason why it didn't crash on other platforms.
Back trace when removing ShadowRoots for the input element
===========================================================
WebCore::ElementShadow::removeAllShadowRoots() at ElementShadow.cpp:102 0x794ae1a8
WebCore::Element::~Element() at Element.cpp:142 0x794a8ed2
WebCore::StyledElement::~StyledElement() at StyledElement.cpp:141 0x794cf650
~HTMLElement() at HTMLElement.h:45 0x795750dc
WebCore::LabelableElement::~LabelableElement() at LabelableElement.cpp:41 0x795750dc
WebCore::HTMLFormControlElement::~HTMLFormControlElement() at HTMLFormControlElement.cpp:70 0x795460ca
WebCore::HTMLFormControlElementWithState::~HTMLFormControlElementWithState() at HTMLFormControlElementWithState.cpp:42 0x79cdc9a6
WebCore::HTMLTextFormControlElement::~HTMLTextFormControlElement() at HTMLTextFormControlElement.cpp:66 0x7956d874
WebCore::HTMLInputElement::~HTMLInputElement() at HTMLInputElement.cpp:159 0x7954dc2c
WebCore::HTMLInputElement::~HTMLInputElement() at HTMLInputElement.cpp:159 0x7954dd0c
WebCore::Node::removedLastRef() at Node.cpp:2,884 0x794b8816
deref() at TreeShared.h:81 0x798f7a3e
releaseImpl() at JSNode.h:69 0x798f7a3e
WebCore::JSNodeOwner::finalize() at JSNodeCustom.cpp:144 0x798f7a3e
finalize() at WeakSetInlines.h:52 0x7a021284
JSC::WeakBlock::sweep() at WeakBlock.cpp:80 0x7a021284
JSC::WeakSet::sweep() at WeakSet.cpp:47 0x7a020fca
JSC::MarkedBlock::sweep() at MarkedBlock.cpp:106 0x7a01d24a
sweepNextBlock() at IncrementalSweeper.cpp:130 0x7a01bf3a
JSC::IncrementalSweeper::doSweep() at IncrementalSweeper.cpp:104 0x7a01bf3a
JSC::HeapTimer::timerDidFire() at HeapTimer.cpp:119 0x7a01bc84
fired() at BlackBerryPlatformTimer.h:118 0x7a01bdee
Given the flakiness of GC, it's reasonable to do pointer checking in these places.