Changeset 209582 in webkit

Timestamp:

Dec 8, 2016 4:53:32 PM (7 years ago)

Author:

rniwa@webkit.org

Message:

ASSERTION FAILED: m_items.isEmpty() in CustomElementReactionQueue destructor
​https://bugs.webkit.org/show_bug.cgi?id=162029
<rdar://problem/28945851>

Reviewed by Chris Dumez.

Source/WebCore:

The bug was caused by Document::removedLastRef enqueuing disconnectedCallback during a tear down.
Don't enqueue a disconnectedCallback while a document is getting torn down since that should not be
observable to author scripts. The connected, adopted, and attributeChanged callbacks are immune from
this problem since they don't happen during a document destruction.

Note that this was also the case prior to this patch since the disconnectedCallback would have been
added to the current CustomElementReactionQueue which will be destructed without invoking callbacks
(or hit a release assertion added in r208785 and r209426 for now).

Tests: fast/custom-elements/disconnected-callback-in-detached-iframe.html

fast/custom-elements/element-queue-during-document-destruction.html

• dom/CustomElementReactionQueue.cpp:

(WebCore::CustomElementReactionQueue::enqueueConnectedCallbackIfNeeded): Added an assertion that
document's refCount hasn't reached zero yet.
(WebCore::CustomElementReactionQueue::enqueueDisconnectedCallbackIfNeeded): Fixed the bug.
(WebCore::CustomElementReactionQueue::enqueueAdoptedCallbackIfNeeded): Added the same assertion.
(WebCore::CustomElementReactionQueue::enqueueAttributeChangedCallbackIfNeeded): Ditto.

LayoutTests:

Added a regression test that reliably reproduces the crash in DumpRenderTree / WebKitTestRunner.

Also added a W3C style testharness.js test for the behavior I broke in an earlier iteration of the patch.

• fast/custom-elements/disconnected-callback-in-detached-iframe-expected.txt: Added.
• fast/custom-elements/disconnected-callback-in-detached-iframe.html: Added.
• fast/custom-elements/element-queue-during-document-destruction-expected.txt: Added.
• fast/custom-elements/element-queue-during-document-destruction.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/custom-elements/disconnected-callback-in-detached-iframe-expected.txt (added)
• LayoutTests/fast/custom-elements/disconnected-callback-in-detached-iframe.html (added)
• LayoutTests/fast/custom-elements/element-queue-during-document-destruction-expected.txt (added)
• LayoutTests/fast/custom-elements/element-queue-during-document-destruction.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/dom/CustomElementReactionQueue.cpp (modified) (4 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2016-12-07  Ryosuke Niwa  <rniwa@webkit.org>
+
+        ASSERTION FAILED: m_items.isEmpty() in CustomElementReactionQueue destructor
+        https://bugs.webkit.org/show_bug.cgi?id=162029
+        <rdar://problem/28945851>
+
+        Reviewed by Chris Dumez.
+
+        Added a regression test that reliably reproduces the crash in DumpRenderTree / WebKitTestRunner.
+
+        Also added a W3C style testharness.js test for the behavior I broke in an earlier iteration of the patch.
+
+        * fast/custom-elements/disconnected-callback-in-detached-iframe-expected.txt: Added.
+        * fast/custom-elements/disconnected-callback-in-detached-iframe.html: Added.
+        * fast/custom-elements/element-queue-during-document-destruction-expected.txt: Added.
+        * fast/custom-elements/element-queue-during-document-destruction.html: Added.
+
 2016-12-08  Ryan Haddad  <ryanhaddad@apple.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2016-12-07  Ryosuke Niwa  <rniwa@webkit.org>
+
+        ASSERTION FAILED: m_items.isEmpty() in CustomElementReactionQueue destructor
+        https://bugs.webkit.org/show_bug.cgi?id=162029
+        <rdar://problem/28945851>
+
+        Reviewed by Chris Dumez.
+
+        The bug was caused by Document::removedLastRef enqueuing disconnectedCallback during a tear down.
+        Don't enqueue a disconnectedCallback while a document is getting torn down since that should not be
+        observable to author scripts. The connected, adopted, and attributeChanged callbacks are immune from
+        this problem since they don't happen during a document destruction.
+
+        Note that this was also the case prior to this patch since the disconnectedCallback would have been
+        added to the current CustomElementReactionQueue which will be destructed without invoking callbacks
+        (or hit a release assertion added in r208785 and r209426 for now).
+
+        Tests: fast/custom-elements/disconnected-callback-in-detached-iframe.html
+               fast/custom-elements/element-queue-during-document-destruction.html
+
+        * dom/CustomElementReactionQueue.cpp:
+        (WebCore::CustomElementReactionQueue::enqueueConnectedCallbackIfNeeded): Added an assertion that
+        document's refCount hasn't reached zero yet.
+        (WebCore::CustomElementReactionQueue::enqueueDisconnectedCallbackIfNeeded): Fixed the bug.
+        (WebCore::CustomElementReactionQueue::enqueueAdoptedCallbackIfNeeded): Added the same assertion.
+        (WebCore::CustomElementReactionQueue::enqueueAttributeChangedCallbackIfNeeded): Ditto.
+
 2016-12-08  Daniel Bates  <dabates@apple.com>
 

trunk/Source/WebCore/dom/CustomElementReactionQueue.cpp

@@ -142 +142 @@
 {
     ASSERT(element.isDefinedCustomElement());
+    ASSERT(element.document().refCount() > 0);
     auto& queue = CustomElementReactionStack::ensureCurrentQueue(element);
     if (queue.m_interface->hasConnectedCallback())
@@ -150 +151 @@
 {
     ASSERT(element.isDefinedCustomElement());
+    if (element.document().refCount() <= 0)
+        return; // Don't enqueue disconnectedCallback if the entire document is getting destructed.
     auto& queue = CustomElementReactionStack::ensureCurrentQueue(element);
     if (queue.m_interface->hasDisconnectedCallback())
@@ -158 +161 @@
 {
     ASSERT(element.isDefinedCustomElement());
+    ASSERT(element.document().refCount() > 0);
     auto& queue = CustomElementReactionStack::ensureCurrentQueue(element);
     if (queue.m_interface->hasAdoptedCallback())
@@ -166 +170 @@
 {
     ASSERT(element.isDefinedCustomElement());
+    ASSERT(element.document().refCount() > 0);
     auto& queue = CustomElementReactionStack::ensureCurrentQueue(element);
     if (queue.m_interface->observesAttribute(attributeName.localName()))