[Webkit-unassigned] [Bug 151554] New: GC bug when accessing iframe's from parent frame after removing first from tree

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sun Nov 22 12:23:13 PST 2015


            Bug ID: 151554
           Summary: GC bug when accessing iframe's from parent frame after
                    removing first from tree
    Classification: Unclassified
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: All
                OS: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore JavaScript
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: nekr.fabula at gmail.com

I have an app. It runs a player in an iframe, and I control the player from the top frame by accessing its JavaScript (for the frames, document.domain is set to the base domain, e.g. example.com). On navigation in the app, the page with the iframe is removed from the tree and then a destroy function is called on the iframe's JS object (the parent frame has a reference to that object). This works fine in all browsers except Safari/WebKit. WebKit fails with the error "undefined is not Object" and the Debugger is paused on the error line. The interesting thing is that here the Debugger says that the variable actually is an Object. window.onerror reports "Script Error" with line "0".

Steps to reproduce:

1. Go to html5.oumy.tv:8080
2. Navigate to a channel and then to a clip
3. Click play, seems few times so all JS is initialized
4. Click back button in top left corner
5. Enjoy debugging!

Tested on the iOS 8.1 Simulator, an iPhone device with iOS 9, and a MacBook Pro 2015 (Desktop Safari).

I also captured a video of the problem: https://youtu.be/NqQ-DCy2CgY
