[Webkit-unassigned] [Bug 141736] [GTK] Crash in debug builds when closing web page after r180214

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Feb 18 00:53:18 PST 2015


https://bugs.webkit.org/show_bug.cgi?id=141736

--- Comment #1 from Carlos Garcia Campos <cgarcia at igalia.com> ---
(In reply to comment #0)
> r180214 seems to have introduced a crash when closing epiphany. I need to
> debug this further but my guess at this point is that in
> DOMObjectCacheFrameObserver::frameDestroyed, the call to
> domObjectCacheFrameObservers().remove(frame) causes the destruction of the
> DOMObjectCacheFrameObserver, which is bad because
> WebCore::FrameDestructionObserver's destructor calls
> m_frame->removeDestructionObserver, resulting in
> WebCore::Frame::m_destructionObservers changing size while it is being
> iterated through in WebCore::Frame's destructor. That's probably illegal.
> 

The crash happens when Frame::willDetachPage() iterates the observers, so at that point frameDestroyed() hasn't been called at all; it's called in ~Frame. When the frame is destroyed we call the parent FrameDestructionObserver::frameDestroyed(), which sets m_frame to nullptr, so when the DOMObjectCacheFrameObserver is deleted, the destructor doesn't call m_frame->removeDestructionObserver() because m_frame is already nullptr. That's why things happen in that order, and the reason why we save the m_frame pointer before calling FrameDestructionObserver::frameDestroyed(). So, unless something really weird is happening, it must be something else.

-- 
You are receiving this mail because:
You are the assignee for the bug.
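The lifetime argument in comment #1 is easy to get wrong, so here is a small C++ model of it. This is an added illustration, not WebKit source: the class names mirror WebKit's, but every class, the global registry standing in for domObjectCacheFrameObservers(), the snapshot iteration in ~Frame and the call counter are simplified stand-ins written for this page. It contrasts the order Carlos describes (save m_frame, let the parent clear it, then erase yourself from the registry) with the order the reporter suspected (erase yourself while m_frame is still set), and counts how often Frame's observer set is mutated while Frame is being torn down. It does not model whatever actually crashed inside willDetachPage().

```cpp
#include <cstddef>
#include <iostream>
#include <map>
#include <memory>
#include <set>
#include <vector>

class Frame;

// Instrumentation for the scenarios below: how many times an observer
// unregistered itself while the frame's destructor was running.
static int g_removeCallsDuringFrameDestruction = 0;

// Toy stand-in for WebCore::FrameDestructionObserver (simplified, not WebKit code).
class FrameDestructionObserver {
public:
    explicit FrameDestructionObserver(Frame*);
    virtual ~FrameDestructionObserver();
    virtual void willDetachPage() {}
    // The base implementation forgets the frame, so a destructor that runs
    // afterwards has nothing to unregister from.
    virtual void frameDestroyed() { m_frame = nullptr; }
protected:
    Frame* m_frame;
};

// Toy stand-in for WebCore::Frame: keeps raw pointers to its observers.
class Frame {
public:
    ~Frame() {
        m_destroying = true;
        // Iterate over a snapshot so the "naive" scenario can be run safely
        // here; the real hazard is an observer erasing from the live set while
        // it is being walked, which is what the counter records.
        std::vector<FrameDestructionObserver*> snapshot(m_observers.begin(), m_observers.end());
        for (auto* observer : snapshot)
            observer->frameDestroyed();
    }
    void willDetachPage() {
        for (auto* observer : m_observers)
            observer->willDetachPage();
    }
    void addDestructionObserver(FrameDestructionObserver* o) { m_observers.insert(o); }
    void removeDestructionObserver(FrameDestructionObserver* o) {
        if (m_destroying)
            ++g_removeCallsDuringFrameDestruction;
        m_observers.erase(o);
    }
    size_t observerCount() const { return m_observers.size(); }
private:
    std::set<FrameDestructionObserver*> m_observers;
    bool m_destroying = false;
};

FrameDestructionObserver::FrameDestructionObserver(Frame* frame) : m_frame(frame) {
    if (m_frame) m_frame->addDestructionObserver(this);
}
FrameDestructionObserver::~FrameDestructionObserver() {
    if (m_frame) m_frame->removeDestructionObserver(this); // only while the frame is still known
}

// Registry that owns the observers, keyed by frame; a stand-in for
// domObjectCacheFrameObservers() in the comment.
using ObserverRegistry = std::map<Frame*, std::unique_ptr<FrameDestructionObserver>>;
static ObserverRegistry& observerRegistry() { static ObserverRegistry r; return r; }

// The order described in comment #1: save the frame pointer, let the parent
// clear m_frame, then remove (and thereby delete) ourselves.
class DOMObjectCacheFrameObserver final : public FrameDestructionObserver {
public:
    using FrameDestructionObserver::FrameDestructionObserver;
    void frameDestroyed() override {
        Frame* frame = m_frame;                      // needed as the map key below
        FrameDestructionObserver::frameDestroyed();  // m_frame = nullptr
        observerRegistry().erase(frame);             // destroys *this; destructor sees m_frame == nullptr
    }
};

// The order the reporter hypothesised: delete ourselves before m_frame is
// cleared, so the base destructor unregisters from the frame mid-teardown.
class NaiveObserver final : public FrameDestructionObserver {
public:
    using FrameDestructionObserver::FrameDestructionObserver;
    void frameDestroyed() override {
        observerRegistry().erase(m_frame);           // destructor runs with m_frame still set
    }
};

// Close the page, then destroy the frame, for one observer type; returns how
// many times the observer set was mutated during Frame's destruction.
template <typename ObserverType>
int removeCallsDuringTeardown() {
    g_removeCallsDuringFrameDestruction = 0;
    auto frame = std::make_unique<Frame>();
    observerRegistry()[frame.get()] = std::make_unique<ObserverType>(frame.get());
    frame->willDetachPage();   // nothing unregisters here: observerCount() is still 1
    frame.reset();             // ~Frame -> frameDestroyed() -> observer deletes itself
    return g_removeCallsDuringFrameDestruction;
}

int main() {
    std::cout << "saved-pointer order: " << removeCallsDuringTeardown<DOMObjectCacheFrameObserver>() << " removals during ~Frame\n";
    std::cout << "naive order:         " << removeCallsDuringTeardown<NaiveObserver>() << " removals during ~Frame\n";
    return 0;
}
```

With the saved-pointer order the observer set is never touched while ~Frame walks it; with the naive order it is mutated once, which on a live-set iteration would be exactly the "changing size while it is being iterated" problem from comment #0. Either way the registry ends up empty, so the difference is only visible by watching the observer set during teardown.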