186216 2018-06-01 17:50:20 -0700 ServicesOverlayController can hold references to Documents after you navigate away 2022-02-09 10:46:45 -0800 1 1 1 Unclassified WebKit WebCore Misc. WebKit Nightly Build Unspecified Unspecified NEW InRadar P2 Normal --- 1 simon.fraser webkit-unassigned ap simon.fraser webkit-bug-importer wenson_hsieh oldest_to_newest 1429450 0 simon.fraser 2018-06-01 17:50:20 -0700 ServiceOverlayController::Highlight() has a Ref<Range>, and Range has a Ref<Document>. When you change the selection in a view, ServiceOverlayController makes a “potential highlight” Highlight, which retains the Document. If you then navigate, there’s nothing that clears that Highlight, until the selection changes. We need to either have ServiceOverlayController use weak refs, or clear its highlights on navigation. 1429451 1 simon.fraser 2018-06-01 17:50:34 -0700 rdar://problem/40735219 1429453 2 simon.fraser 2018-06-01 17:51:54 -0700 This is visible with any layout test that makes a selection (like LayoutTests/fast/css/counters/counter-after-style-crash.html) and the patch in bug 186214 1839278 3 wenson_hsieh 2022-02-09 10:46:45 -0800 (In reply to Simon Fraser (smfr) from comment #0) > ServiceOverlayController::Highlight() has a Ref<Range>, and Range has a > Ref<Document>. > > When you change the selection in a view, ServiceOverlayController makes a > “potential highlight” Highlight, which retains the Document. If you then > navigate, there’s nothing that clears that Highlight, until the selection > changes. > > We need to either have ServiceOverlayController use weak refs, or clear its > highlights on navigation. We should probably add logic to clear state underneath `Document::willBeRemovedFromFrame()` (similar to how some of the other controller-type objects have a `documentDetached` method).