Changeset 192880 in webkit
- Timestamp:
- Dec 1, 2015 4:23:34 AM (8 years ago)
- Location:
- trunk/Source/WebCore
- Files:
-
- 2 edited
-
ChangeLog (modified) (1 diff)
-
bindings/gobject/DOMObjectCache.cpp (modified) (1 diff)
Legend:
- Unmodified
- Added
- Removed
-
trunk/Source/WebCore/ChangeLog
r192879 r192880 1 2015-12-01 Carlos Garcia Campos <cgarcia@igalia.com> 2 3 [GTK] ASSERTION FAILED: m_table running /webkit2/BackForwardList/navigation in Debug build 4 https://bugs.webkit.org/show_bug.cgi?id=151700 5 6 Reviewed by Martin Robinson. 7 8 This happens when the frame notifies its observers that the page 9 will be detached. The m_table that asserts is the 10 FrameDestructionObserver HashSet. It happens when clearing the 11 GObject DOM cache wrappers during frame destruction, and there's a 12 Document object wrapped whose last reference is held by the DOM 13 wrapper. In that case, the Document object is destroyed while the 14 frame is being destroyed. Deleting the wrapper objects after the 15 frame destruction fixes the crash. 16 17 * bindings/gobject/DOMObjectCache.cpp: 18 1 19 2015-12-01 Youenn Fablet <youenn.fablet@crf.canon.fr> 2 20 -
trunk/Source/WebCore/bindings/gobject/DOMObjectCache.cpp
r185502 r192880 156 156 157 157 auto objects = WTF::move(m_objects); 158 for (auto* data : objects) { 158 159 // Deleting of DOM wrappers might end up deleting the wrapped core object which could cause some problems 160 // for example if a Document is deleted during the frame destruction, so we remove the weak references now 161 // and delete the objects on next run loop iteration. See https://bugs.webkit.org/show_bug.cgi?id=151700. 162 for (auto* data : objects) 159 163 g_object_weak_unref(data->object, DOMObjectCacheFrameObserver::objectFinalizedCallback, this); 160 data->clearObject(); 161 } 164 165 RunLoop::main().dispatch([objects] { 166 for (auto* data : objects) 167 data->clearObject(); 168 }); 162 169 } 163 170
Note: See TracChangeset
for help on using the changeset viewer.
