2008-05-30 Maciej Stachowiak <mjs@apple.com>
[WebKit.git] / WebCore / ChangeLog
index e44e673b559a3c74bb77e54f8e62d92f90af9238..ea6143288c3a94d3ffc346beb1d634f49d4c9c01 100644 (file)
@@ -1,3 +1,36 @@
+2008-05-30  Maciej Stachowiak  <mjs@apple.com>
+
+        Reviewed by Alexey.
+        
+        - speculative fix for "REGRESSION(r34143?): Frequent crash while browsing"
+        https://bugs.webkit.org/show_bug.cgi?id=19285
+
+        I'm pretty sure this fixes it but I have not been able to
+        reproduce and am unsure if my theory of the bug is right.
+
+        I belive the bug was because JSDOMWindowBase accessed
+        JSDOMWindowShell in its destructor to remove itself from a
+        hashtable, but GC destructor order is not guaranteed, so the
+        hashtable may have been freed already. This patch changes things
+        so that a non-GC object (the KJSProxy) does the tracking of live
+        window objects for a frame. JSDOMWindowBase can null check the frame
+        pointer to verify if it is still good.
+        
+        * bindings/js/JSDOMWindowBase.cpp:
+        (WebCore::JSDOMWindowBase::~JSDOMWindowBase):
+        * bindings/js/JSDOMWindowShell.cpp:
+        (WebCore::JSDOMWindowShell::JSDOMWindowShell):
+        * bindings/js/JSDOMWindowShell.h:
+        (WebCore::JSDOMWindowShell::setWindow):
+        * bindings/js/kjs_proxy.cpp:
+        (WebCore::KJSProxy::clear):
+        (WebCore::KJSProxy::initScript):
+        (WebCore::KJSProxy::updateDocument):
+        * bindings/js/kjs_proxy.h:
+        (WebCore::KJSProxy::clearFormerWindow):
+        * page/Frame.cpp:
+        (WebCore::Frame::setDocument):
+
 2008-05-29  Chris Fleizach  <cfleizach@apple.com>
 
         Reviewed by Darin Adler.
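Review bot: the file list in the new entry names eight functions across six files but leaves every one undescribed, so it is not possible to tell from the entry which change moves the live-window tracking into KJSProxy and which adds the frame null check. Add a short per-function note, at least for "(WebCore::JSDOMWindowBase::~JSDOMWindowBase):" and "(WebCore::KJSProxy::clearFormerWindow):". The message calls the fix speculative and unreproduced, and the cause it describes is a destructor touching a hashtable that may already have been freed because GC destructor order is not guaranteed. The entry should therefore say whether a regression test was attempted or why none is included. Minor: "belive" in the fourth paragraph should be "believe".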