Bug 186216

Summary:	ServicesOverlayController can hold references to Documents after you navigate away
Product:	WebKit	Reporter:	Simon Fraser (smfr) <simon.fraser>
Component:	WebCore Misc.	Assignee:	Nobody <webkit-unassigned>
Status:	NEW ---
Severity:	Normal	CC:	ap, simon.fraser, webkit-bug-importer, wenson_hsieh
Priority:	P2	Keywords:	InRadar
Version:	WebKit Nightly Build
Hardware:	Unspecified
OS:	Unspecified

Description Simon Fraser (smfr) 2018-06-01 17:50:20 PDT

ServiceOverlayController::Highlight() has a Ref<Range>, and Range has a Ref<Document>.

When you change the selection in a view, ServiceOverlayController makes a “potential highlight” Highlight, which retains the Document. If you then navigate, there’s nothing that clears that Highlight, until the selection changes.

We need to either have ServiceOverlayController use weak refs, or clear its highlights on navigation.

Comment 1 Simon Fraser (smfr) 2018-06-01 17:50:34 PDT

rdar://problem/40735219

Comment 2 Simon Fraser (smfr) 2018-06-01 17:51:54 PDT

This is visible with any layout test that makes a selection (like LayoutTests/fast/css/counters/counter-after-style-crash.html) and the patch in bug 186214

Comment 3 Wenson Hsieh 2022-02-09 10:46:45 PST

(In reply to Simon Fraser (smfr) from comment #0)
> ServiceOverlayController::Highlight() has a Ref<Range>, and Range has a
> Ref<Document>.
> 
> When you change the selection in a view, ServiceOverlayController makes a
> “potential highlight” Highlight, which retains the Document. If you then
> navigate, there’s nothing that clears that Highlight, until the selection
> changes.
> 
> We need to either have ServiceOverlayController use weak refs, or clear its
> highlights on navigation.

We should probably add logic to clear state underneath `Document::willBeRemovedFromFrame()` (similar to how some of the other controller-type objects have a `documentDetached` method).