[Webkit-unassigned] [Bug 180174] REGRESSION: Layout Test storage/indexeddb/detached-iframe.html is a flaky crash

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Dec 1 11:46:46 PST 2017 

https://bugs.webkit.org/show_bug.cgi?id=180174

--- Comment #5 from Matt Baker <mattbaker at apple.com> ---
(In reply to Joseph Pecoraro from comment #4)
> The crash looks like a null Frame:
> 
> > Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
> > Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000040
> > 
> > ...
> > 
> > Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
> > 0   com.apple.WebCore             	0x0000000450402a8c WebCore::Frame::page() const + 12 (Frame.h:373)
> > 1   com.apple.WebCore             	0x0000000451830325 WebCore::InspectorInstrumentation::instrumentingAgentsForFrame(WebCore::Frame&) + 21 (InspectorInstrumentation.h:1431)
> > 2   com.apple.WebCore             	0x0000000452480116 WebCore::InspectorInstrumentation::didDispatchPostMessage(WebCore::Frame&, WebCore::TimerBase&) + 54 (InspectorInstrumentation.h:731)
> > 3   com.apple.WebCore             	0x000000045247fe57 WebCore::DOMWindow::postMessageTimerFired(WebCore::PostMessageTimer&) + 551 (DOMWindow.cpp:973)
> 
> Coming from:
> 
> >    void DOMWindow::postMessageTimerFired(PostMessageTimer& timer)
> >    {
> >        if (!document() || !isCurrentlyDisplayedInFrame())
> >            return;
> >
> >        ...
> >
> >        InspectorInstrumentation::willDispatchPostMessage(*m_frame, timer);
> >
> >        dispatchEvent(timer.event(*document()));
> >
> >        InspectorInstrumentation::didDispatchPostMessage(*m_frame, timer);
> >    }
> 
> So my guess is `m_frame` is nullptr by didDispatchPostMessage time (and
> presumably wasn't at willDispatchPostMessage time).

So something is calling FrameDestructionObserver::frameDestroyed() during event dispatch. If this is the case, can we still get the PageDebuggerAgent for the frame, in order to clean up async call stack state? Is the agent even around anymore?

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20171201/122ff56a/attachment.html>

More information about the webkit-unassigned mailing list