Crash in DOMTimer::fired
authorrniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 14 Feb 2019 06:43:13 +0000 (06:43 +0000)
committerrniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 14 Feb 2019 06:43:13 +0000 (06:43 +0000)
commitf8eacc5023181e5edd9b66ef82d25146dfcf72b9
tree9f590c255b943b6d35468da71e176981411da814
parent1262be720b14a3dfe53f830f546f8c802aee2bc1
Crash in DOMTimer::fired
https://bugs.webkit.org/show_bug.cgi?id=194638

Reviewed by Brent Fulgham.

Source/WebCore:

This patch continues the saga of hunting down timer related crashes after r239814, r225985, r227934.

The crash was caused by the bug that we don't remove a DOMTimer from NestedTimersMap if a DOMTimer
is created & installed inside another DOMTimer's callback (via execute call in DOMTimer::fired).

Fixed the crash by using a Ref in NestedTimersMap. This will keep the timer alive until we exit
from DOMTimer::fired. Because DOMTimer::fired always calls stopTracking() which clears the map
we would not leak these DOM timers.

We could, alternatively, use WeakPtr in NestedTimersMap but that would unnecessarily increase the
size of DOMTimer for a very marginal benefit of DOMTimer objcets being deleted slightly earlier.
Deleting itself in DOMTimer's destructor involves more logic & house keeping in the timer code,
and is no longer the preferred approach when dealing with these classes of bugs in WebKit.

Test: fast/dom/timer-destruction-during-firing.html

* page/DOMTimer.cpp:
(WebCore::NestedTimersMap::add):
(WebCore::DOMTimer::install):
(WebCore::DOMTimer::fired):

LayoutTests:

Added a regression test. It needs debug assertions without the fix.

* fast/dom/timer-destruction-during-firing-expected.txt: Added.
* fast/dom/timer-destruction-during-firing.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@241499 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/fast/dom/timer-destruction-during-firing-expected.txt [new file with mode: 0644]
LayoutTests/fast/dom/timer-destruction-during-firing.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/page/DOMTimer.cpp