[Webkit-unassigned] [Bug 186215] New: Editor can hold references to Documents after you navigate away

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Jun 1 17:48:47 PDT 2018


https://bugs.webkit.org/show_bug.cgi?id=186215

            Bug ID: 186215
           Summary: Editor can hold references to Documents after you
                    navigate away
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: simon.fraser at apple.com

If a page triggers Editor VisibleSelection code—say, like:

            var selection = window.getSelection();
            var container = document.getElementById("container");
            selection.setPosition(container, 0);

— then Frame’s m_editor retains that Document after you navigate away from the page. It’s only released when the Frame is released:

  * frame #0: 0x000000010d3b4c5b WebCore`WebCore::Document::~Document(this=0x000000012ad00fb8) at Document.cpp:582
    frame #1: 0x000000010d757e55 WebCore`WebCore::HTMLDocument::~HTMLDocument(this=0x000000012ad00fb8) at HTMLDocument.cpp:95
    frame #2: 0x000000010d757e75 WebCore`WebCore::HTMLDocument::~HTMLDocument(this=0x000000012ad00fb8) at HTMLDocument.cpp:95
    frame #3: 0x000000010d757f19 WebCore`WebCore::HTMLDocument::~HTMLDocument(this=0x000000012ad00fb8) at HTMLDocument.cpp:95
    frame #4: 0x000000010d3b8590 WebCore`WebCore::Document::decrementReferencingNodeCount(this=0x000000012ad00fb8) at Document.h:361
    frame #5: 0x000000010d4e80b0 WebCore`WebCore::Node::~Node(this=0x000000012b400528) at Node.cpp:314
    frame #6: 0x000000010d38139d WebCore`WebCore::CharacterData::~CharacterData(this=0x000000012b400528) at CharacterData.h:29
    frame #7: 0x000000010d586135 WebCore`WebCore::Text::~Text(this=0x000000012b400528) at Text.cpp:56
    frame #8: 0x000000010d586155 WebCore`WebCore::Text::~Text(this=0x000000012b400528) at Text.cpp:56
    frame #9: 0x000000010d586179 WebCore`WebCore::Text::~Text(this=0x000000012b400528) at Text.cpp:56
    frame #10: 0x000000010d4e87fb WebCore`WebCore::Node::removedLastRef(this=0x000000012b400528) at Node.cpp:2557
    frame #11: 0x000000010d4e876c WebCore`WebCore::Node::deref(this=0x000000012b400528) at Node.cpp:365
    frame #12: 0x000000010b7b879e WebCore`void WTF::derefIfNotNull<WebCore::Node>(ptr=0x000000012b400528) at RefPtr.h:45
    frame #13: 0x000000010b7b8769 WebCore`WTF::RefPtr<WebCore::Node, WTF::DumbPtrTraits<WebCore::Node> >::~RefPtr(this=0x0000000124cf2900) at RefPtr.h:70
    frame #14: 0x000000010b7b7c05 WebCore`WTF::RefPtr<WebCore::Node, WTF::DumbPtrTraits<WebCore::Node> >::~RefPtr(this=0x0000000124cf2900) at RefPtr.h:70
    frame #15: 0x000000010b984bd5 WebCore`WebCore::Position::~Position(this=0x0000000124cf2900) at Position.h:55
    frame #16: 0x000000010b984bb5 WebCore`WebCore::Position::~Position(this=0x0000000124cf2900) at Position.h:55
    frame #17: 0x000000010ba7a3cc WebCore`WebCore::VisibleSelection::~VisibleSelection(this=0x0000000124cf2900) at VisibleSelection.h:38
    frame #18: 0x000000010ba75f65 WebCore`WebCore::VisibleSelection::~VisibleSelection(this=0x0000000124cf2900) at VisibleSelection.h:38
    frame #19: 0x000000010d6122a0 WebCore`WebCore::Editor::~Editor(this=0x0000000124cf2800) at Editor.cpp:1164
    frame #20: 0x000000010d612635 WebCore`WebCore::Editor::~Editor(this=0x0000000124cf2800) at Editor.cpp:1164
    frame #21: 0x000000010dd966eb WebCore`WTF::UniqueRef<WebCore::Editor>::~UniqueRef() [inlined] std::__1::default_delete<WebCore::Editor>::operator(this=0x0000000124cb5308, __ptr=0x0000000124cf2800)(WebCore::Editor*) const at memory:2239
    frame #22: 0x000000010dd966d0 WebCore`WTF::UniqueRef<WebCore::Editor>::~UniqueRef() [inlined] std::__1::unique_ptr<WebCore::Editor, std::__1::default_delete<WebCore::Editor> >::reset(this=0x0000000124cb5308, __p=0x0000000000000000) at memory:2552
    frame #23: 0x000000010dd96683 WebCore`WTF::UniqueRef<WebCore::Editor>::~UniqueRef() [inlined] std::__1::unique_ptr<WebCore::Editor, std::__1::default_delete<WebCore::Editor> >::~unique_ptr(this=0x0000000124cb5308) at memory:2506
    frame #24: 0x000000010dd96683 WebCore`WTF::UniqueRef<WebCore::Editor>::~UniqueRef() [inlined] std::__1::unique_ptr<WebCore::Editor, std::__1::default_delete<WebCore::Editor> >::~unique_ptr(this=0x0000000124cb5308) at memory:2506
    frame #25: 0x000000010dd96683 WebCore`WTF::UniqueRef<WebCore::Editor>::~UniqueRef(this=0x0000000124cb5308) at UniqueRef.h:42
    frame #26: 0x000000010dd70045 WebCore`WTF::UniqueRef<WebCore::Editor>::~UniqueRef(this=0x0000000124cb5308) at UniqueRef.h:42
    frame #27: 0x000000010dd6fb86 WebCore`WebCore::Frame::~Frame(this=0x0000000124cb5230) at Frame.cpp:231
    frame #28: 0x000000010dd70125 WebCore`WebCore::Frame::~Frame(this=0x0000000124cb5230) at Frame.cpp:214
    frame #29: 0x000000010dd70149 WebCore`WebCore::Frame::~Frame(this=0x0000000124cb5230) at Frame.cpp:214
    frame #30: 0x000000010b9e26cf WebCore`WTF::ThreadSafeRefCounted<WebCore::AbstractFrame, (WTF::DestructionThread)0>::deref(this=0x0000000124cb5238) const at ThreadSafeRefCounted.h:76
    frame #31: 0x000000010b9e2653 WebCore`WTF::Ref<WebCore::Frame, WTF::DumbPtrTraits<WebCore::Frame> >::~Ref(this=0x0000000124dfe098) at Ref.h:61
    frame #32: 0x000000010b9e2465 WebCore`WTF::Ref<WebCore::Frame, WTF::DumbPtrTraits<WebCore::Frame> >::~Ref(this=0x0000000124dfe098) at Ref.h:55
    frame #33: 0x000000010ddc3a13 WebCore`WebCore::Page::~Page(this=0x0000000124dfe000) at Page.cpp:337
    frame #34: 0x000000010ddc4ad5 WebCore`WebCore::Page::~Page(this=0x0000000124dfe000) at Page.cpp:293

Seen with LayoutTests/fast/css/counters/counter-before-content-not-incremented.html when testing with changes in bug 186214.
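Added example, not code from the bug report or from WebKit: a small C++ model of the ownership chain visible in the trace (Frame owns Editor, Editor's VisibleSelection holds a Position, Position holds a Node, Node keeps its Document alive). It shows the old Document surviving navigation while the selection is retained, and being freed when the selection is dropped before the Frame swaps documents; the `clear()` step is a hypothetical mitigation for illustration, not WebKit's actual fix.

```cpp
// Constructed model of the retention chain in the bug: Document <- Node <-
// Position (in Editor's selection) <- Editor <- Frame. Not WebKit code.
#include <memory>
#include <string>

struct Document { std::string url; };

struct Node {
    std::shared_ptr<Document> document;  // Node::~Node -> Document::decrementReferencingNodeCount
};

struct Position {
    std::shared_ptr<Node> container;     // Position holds a RefPtr<Node>
    int offset = 0;
};

struct Editor {
    Position selectionStart;             // VisibleSelection keeps the Position alive
    void clear() { selectionStart = Position{}; }  // hypothetical: drop the stale selection
};

struct Frame {
    std::shared_ptr<Document> document;
    Editor editor;                       // Frame owns its Editor (UniqueRef<Editor> in the trace)
    void navigate(const std::string& url, bool clearEditorOnNavigate) {
        if (clearEditorOnNavigate)
            editor.clear();              // release selection before the Document is swapped
        document = std::make_shared<Document>(Document{url});
    }
};

// Returns true if the first page's Document was actually freed after navigation.
bool documentFreedAfterNavigation(bool clearEditorOnNavigate) {
    Frame frame;
    frame.document = std::make_shared<Document>(Document{"page1"});
    std::weak_ptr<Document> watch = frame.document;  // observe without extending lifetime
    // Page script equivalent of: selection.setPosition(container, 0)
    auto container = std::make_shared<Node>(Node{frame.document});
    frame.editor.selectionStart = Position{container, 0};
    container.reset();  // script's own reference is gone; only the Editor holds the Node now
    frame.navigate("page2", clearEditorOnNavigate);
    return watch.expired();  // false: leaked until ~Frame; true: released on navigation
}
```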
