[Webkit-unassigned] [Bug 135211] New: ScriptController::updateDocument ASSERT mutating map while iterating map

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jul 23 14:30:42 PDT 2014 

https://bugs.webkit.org/show_bug.cgi?id=135211

           Summary: ScriptController::updateDocument ASSERT mutating map
                    while iterating map
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore JavaScript
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: joepeck at webkit.org


I think there is another case of iterating m_windowShells when it could be mutated in ScriptController::updateDocument:
<http://build.webkit.org/results/Apple%20Mavericks%20Debug%20WK2%20(Tests)/r171485%20(5831)/fast/html/details-nested-1-crash-log.txt>

ASSERTION FAILED: m_table
/Volumes/Data/slave/mavericks-debug/build/WebKitBuild/Debug/usr/local/include/wtf/HashTable.h(210) : void WTF::HashTableConstIterator<WTF::RefPtr<WebCore::DOMWrapperWorld>, WTF::KeyValuePair<WTF::RefPtr<WebCore::DOMWrapperWorld>, JSC::Strong<WebCore::JSDOMWindowShell> >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::RefPtr<WebCore::DOMWrapperWorld>, JSC::Strong<WebCore::JSDOMWindowShell> > >, WTF::PtrHash<WTF::RefPtr<WebCore::DOMWrapperWorld> >, WTF::KeyValuePairHashTraits<WTF::HashTraits<WTF::RefPtr<WebCore::DOMWrapperWorld> >, WTF::HashTraits<JSC::Strong<WebCore::JSDOMWindowShell> > >, WTF::HashTraits<WTF::RefPtr<WebCore::DOMWrapperWorld> > >::checkValidity() const [Key = WTF::RefPtr<WebCore::DOMWrapperWorld>, Value = WTF::KeyValuePair<WTF::RefPtr<WebCore::DOMWrapperWorld>, JSC::Strong<WebCore::JSDOMWindowShell> >, Extractor = WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::RefPtr<WebCore::DOMWrapperWorld>, JSC::Strong<WebCore::JSDOMWindowShell> > >, HashFunctions = WTF
1   0x10b5c5b90 WTFCrash
2   0x10ce7a242 WTF::HashTableConstIterator<WTF::RefPtr<WebCore::DOMWrapperWorld>, WTF::KeyValuePair<WTF::RefPtr<WebCore::DOMWrapperWorld>, JSC::Strong<WebCore::JSDOMWindowShell> >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::RefPtr<WebCore::DOMWrapperWorld>, JSC::Strong<WebCore::JSDOMWindowShell> > >, WTF::PtrHash<WTF::RefPtr<WebCore::DOMWrapperWorld> >, WTF::KeyValuePairHashTraits<WTF::HashTraits<WTF::RefPtr<WebCore::DOMWrapperWorld> >, WTF::HashTraits<JSC::Strong<WebCore::JSDOMWindowShell> > >, WTF::HashTraits<WTF::RefPtr<WebCore::DOMWrapperWorld> > >::checkValidity() const
3   0x10e2684e9 WTF::HashTableConstIterator<WTF::RefPtr<WebCore::DOMWrapperWorld>, WTF::KeyValuePair<WTF::RefPtr<WebCore::DOMWrapperWorld>, JSC::Strong<WebCore::JSDOMWindowShell> >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::RefPtr<WebCore::DOMWrapperWorld>, JSC::Strong<WebCore::JSDOMWindowShell> > >, WTF::PtrHash<WTF::RefPtr<WebCore::DOMWrapperWorld> >, WTF::KeyValuePairHashTraits<WTF::HashTraits<WTF::RefPtr<WebCore::DOMWrapperWorld> >, WTF::HashTraits<JSC::Strong<WebCore::JSDOMWindowShell> > >, WTF::HashTraits<WTF::RefPtr<WebCore::DOMWrapperWorld> > >::operator++()
4   0x10e2684b9 WTF::HashTableIterator<WTF::RefPtr<WebCore::DOMWrapperWorld>, WTF::KeyValuePair<WTF::RefPtr<WebCore::DOMWrapperWorld>, JSC::Strong<WebCore::JSDOMWindowShell> >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::RefPtr<WebCore::DOMWrapperWorld>, JSC::Strong<WebCore::JSDOMWindowShell> > >, WTF::PtrHash<WTF::RefPtr<WebCore::DOMWrapperWorld> >, WTF::KeyValuePairHashTraits<WTF::HashTraits<WTF::RefPtr<WebCore::DOMWrapperWorld> >, WTF::HashTraits<JSC::Strong<WebCore::JSDOMWindowShell> > >, WTF::HashTraits<WTF::RefPtr<WebCore::DOMWrapperWorld> > >::operator++()
5   0x10e266419 WTF::HashTableIteratorAdapter<WTF::HashTable<WTF::RefPtr<WebCore::DOMWrapperWorld>, WTF::KeyValuePair<WTF::RefPtr<WebCore::DOMWrapperWorld>, JSC::Strong<WebCore::JSDOMWindowShell> >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::RefPtr<WebCore::DOMWrapperWorld>, JSC::Strong<WebCore::JSDOMWindowShell> > >, WTF::PtrHash<WTF::RefPtr<WebCore::DOMWrapperWorld> >, WTF::KeyValuePairHashTraits<WTF::HashTraits<WTF::RefPtr<WebCore::DOMWrapperWorld> >, WTF::HashTraits<JSC::Strong<WebCore::JSDOMWindowShell> > >, WTF::HashTraits<WTF::RefPtr<WebCore::DOMWrapperWorld> > >, WTF::KeyValuePair<WTF::RefPtr<WebCore::DOMWrapperWorld>, JSC::Strong<WebCore::JSDOMWindowShell> > >::operator++()
6   0x10e26b6bb WebCore::ScriptController::updateDocument()
7   0x10cd91b0b WebCore::Document::didBecomeCurrentDocumentInFrame()
8   0x10d0e847f WebCore::Frame::setDocument(WTF::PassRefPtr<WebCore::Document>)
9   0x10ce1dfb5 WebCore::DocumentWriter::begin(WebCore::URL const&, bool, WebCore::Document*)
10  0x10cde4caf WebCore::DocumentLoader::commitData(char const*, unsigned long)
11  0x10cde4779 WebCore::DocumentLoader::finishedLoading(double)
12  0x10cde9691 WebCore::DocumentLoader::maybeLoadEmpty()
13  0x10cde9802 WebCore::DocumentLoader::startLoadingMainResource()
14  0x10d0fcd59 WebCore::FrameLoader::continueLoadAfterWillSubmitForm()
15  0x10d0f92a2 WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)
16  0x10d1061b2 WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>)::$_4::operator()(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool) const

This is most likely caused by:
<https://webkit.org/b/135178> JSDOMWindowShell leaks on pages with media elements

We should be able to work around this in the same way that did by not iterating over the live map.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list