111521 2013-03-05 21:45:18 -0800 editing/selection/selection-in-iframe-removed-crash.html or selection-invalid-offset.html crashes intermittently 2014-06-11 17:31:01 -0700 1 1 1 Unclassified WebKit Page Loading 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 rniwa ap ap beidson commit-queue enrica japhet leviw simon.fraser oldest_to_newest 848445 0 rniwa 2013-03-05 21:45:18 -0800 editing/selection/selection-invalid-offset.html has been crashing with the following stack trace intermittently. http://build.webkit.org/results/Apple%20MountainLion%20Release%20WK1%20(Tests)/r144874%20(7586)/results.html Application Specific Information: CRASHING TEST: editing/selection/selection-in-iframe-removed-crash.html Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x00000001103ee057 WebCore::FrameLoader::dispatchDidCommitLoad() + 135 (RefPtr.h:58) 1 com.apple.WebCore 0x00000001103eddc5 WebCore::FrameLoader::receivedFirstData() + 21 (FrameLoader.cpp:602) 2 com.apple.WebCore 0x000000011025ccef WebCore::DocumentLoader::commitData(char const*, unsigned long) + 239 (RefPtr.h:43) 3 com.apple.WebKit 0x000000010fda9bf4 -[WebHTMLRepresentation receivedData:withDataSource:] + 100 (WebHTMLRepresentation.mm:186) 4 com.apple.WebKit 0x000000010fd7cded -[WebDataSource(WebInternal) _receivedData:] + 77 (WebDataSource.mm:216) 5 com.apple.WebKit 0x000000010fd94c47 WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, char const*, int) + 103 (WebFrameLoaderClient.mm:848) 6 com.apple.WebCore 0x000000011025cea0 WebCore::DocumentLoader::commitLoad(char const*, int) + 144 (RefCounted.h:148) 7 com.apple.WebCore 0x000000011097d5b3 WebCore::MainResourceLoader::dataReceived(WebCore::CachedResource*, char const*, int) + 819 (MainResourceLoader.cpp:529) 8 com.apple.WebCore 0x000000011097c729 WebCore::MainResourceLoader::continueAfterContentPolicy(WebCore::PolicyAction, WebCore::ResourceResponse const&) + 1257 (RefPtr.h:64) 9 com.apple.WebCore 0x000000011097d0c5 WebCore::MainResourceLoader::responseReceived(WebCore::CachedResource*, WebCore::ResourceResponse const&) + 1749 (RefCounted.h:148) 10 com.apple.WebCore 0x000000011097b516 WebCore::MainResourceLoader::handleSubstituteDataLoadNow(WebCore::RunLoopTimer<WebCore::MainResourceLoader>*) + 710 (RetainPtr.h:84) 11 com.apple.WebCore 0x0000000110bc1818 WebCore::timerFired(__CFRunLoopTimer*, void*) + 40 (RunLoopTimerCF.cpp:52) 12 com.apple.CoreFoundation 0x00007fff92ac7da4 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20 13 com.apple.CoreFoundation 0x00007fff92ac78bd __CFRunLoopDoTimer + 557 14 com.apple.CoreFoundation 0x00007fff92aad099 __CFRunLoopRun + 1513 15 com.apple.CoreFoundation 0x00007fff92aac6b2 CFRunLoopRunSpecific + 290 16 com.apple.Foundation 0x00007fff87a8089e -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 268 17 DumpRenderTree 0x000000010f641122 runTest(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) + 1639 (DumpRenderTree.mm:1375) 18 DumpRenderTree 0x000000010f6408b6 dumpRenderTree(int, char const**) + 1727 (DumpRenderTree.mm:832) 19 DumpRenderTree 0x000000010f64148b main + 86 (DumpRenderTree.mm:925) 20 libdyld.dylib 0x00007fff895837e1 start + 1 848448 1 ap 2013-03-05 21:51:45 -0800 Any idea when this could start? Is this reproducible manually in browser? 848454 2 rniwa 2013-03-05 21:58:58 -0800 (In reply to comment #1) > Any idea when this could start? Is this reproducible manually in browser? I think it's caused by http://trac.webkit.org/changeset/144400. Note that even though NRWT thinks selection-invalid-offset.html is crashing, the crash log indicates that editing/selection/selection-in-iframe-removed-crash.html is the one crashing. 849163 3 rniwa 2013-03-06 12:03:04 -0800 Also see https://bugs.webkit.org/show_bug.cgi?id=111451. editing/selection/selection-in-iframe-removed-crash.html is hitting an assertion. 849375 4 leviw 2013-03-06 15:35:08 -0800 I'm having no luck reproducing this locally. I've tried release and debug, running just editing/selection/selection-in-iframe-removed-crash.html and editing/selection/selection-invalid-offset.html with a lot of iterations as well as the whole suite of tests, over and over again. 853629 5 ap 2013-03-12 11:05:33 -0700 In a debug build, an assertion failure occurs: Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x0000000109426f6c WTF::RefPtr<WebCore::Frame>::get() const + 12 (RefPtr.h:58) 1 com.apple.WebCore 0x0000000109558e6c WebCore::Page::mainFrame() const + 28 (Page.h:156) 2 com.apple.WebCore 0x0000000109ba13a2 WebCore::FrameLoader::dispatchDidCommitLoad() + 194 (FrameLoader.cpp:3292) 3 com.apple.WebCore 0x0000000109ba10bc WebCore::FrameLoader::receivedFirstData() + 28 (FrameLoader.cpp:602) 4 com.apple.WebCore 0x00000001098ba8a2 WebCore::DocumentLoader::commitData(char const*, unsigned long) + 210 (DocumentLoader.cpp:362) 853998 6 rniwa 2013-03-12 19:12:03 -0700 *** Bug 112220 has been marked as a duplicate of this bug. *** 854002 7 rniwa 2013-03-12 19:16:56 -0700 Updated the test expectation per https://bugs.webkit.org/show_bug.cgi?id=112220: http://trac.webkit.org/changeset/145671 923236 8 ap 2013-08-30 16:42:18 -0700 Still happens, just got this crash today. 1014873 9 ap 2014-06-11 13:19:58 -0700 This is a pretty bad bug, which could be a root cause of certain common crashers. <rdar://problem/15159351> 1014878 10 232895 ap 2014-06-11 13:27:35 -0700 Created attachment 232895 proposed fix Let's see what EWS thinks, I'm not entirely sure what's the right way to check for cancellation here. 1014990 11 232895 commit-queue 2014-06-11 17:30:56 -0700 Comment on attachment 232895 proposed fix Clearing flags on attachment: 232895 Committed r169866: <http://trac.webkit.org/changeset/169866> 1014991 12 commit-queue 2014-06-11 17:31:01 -0700 All reviewed patches have been landed. Closing bug. 232895 2014-06-11 13:27:35 -0700 2014-06-11 17:30:56 -0700 proposed fix CancelLoad.txt text/plain 3093 ap SW5kZXg6IFNvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2Vi Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDE2OTgyMykKKysrIFNvdXJjZS9XZWJDb3JlL0NoYW5n ZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE3IEBACisyMDE0LTA2LTExICBBbGV4ZXkg UHJvc2t1cnlha292ICA8YXBAYXBwbGUuY29tPgorCisgICAgICAgIGVkaXRpbmcvc2VsZWN0aW9u L3NlbGVjdGlvbi1pbi1pZnJhbWUtcmVtb3ZlZC1jcmFzaC5odG1sIG9yIHNlbGVjdGlvbi1pbnZh bGlkLW9mZnNldC5odG1sIGNyYXNoZXMgaW50ZXJtaXR0ZW50bHkKKyAgICAgICAgaHR0cHM6Ly9i dWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTExMTUyMQorICAgICAgICA8cmRhcjovL3By b2JsZW0vMTUxNTkzNTE+CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisK KyAgICAgICAgQ292ZXJlZCBieSBleGlzdGluZyB0ZXN0cy4KKworICAgICAgICAqIGxvYWRlci9E b2N1bWVudExvYWRlci5jcHA6IChXZWJDb3JlOjpEb2N1bWVudExvYWRlcjo6Y29tbWl0RGF0YSk6 IEJhaWwgb3V0IGlmIHRoZQorICAgICAgICBsb2FkIHdhcyBjYW5jZWxlZCBmcm9tIHVuZGVyIHJl Y2VpdmVkRmlyc3REYXRhKCkuIFNpbmNlIHRoaXMgaXMgd2hlcmUgd2UgY29tbWl0IHRoZQorICAg ICAgICBsb2FkLCB0aGVyZSBhcmUgYW1wbGUgb3Bwb3J0dW5pdGllcyBmb3Igc2NyaXB0cyBvciBj bGllbnRzIHRvIGRvIGFueXRoaW5nLgorCiAyMDE0LTA2LTExICBCcmVudCBGdWxnaGFtICA8YmZ1 bGdoYW1AYXBwbGUuY29tPgogCiAgICAgICAgIFJPTExPVVQ6IHIxNTM1MTA6IEJyb2tlIFRhYmxl IGJvcmRlcnMgb24gV2lraXBlZGlhCkluZGV4OiBTb3VyY2UvV2ViQ29yZS9sb2FkZXIvRG9jdW1l bnRMb2FkZXIuY3BwCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFNvdXJjZS9XZWJDb3JlL2xvYWRlci9Eb2N1bWVu dExvYWRlci5jcHAJKHJldmlzaW9uIDE2OTc3MykKKysrIFNvdXJjZS9XZWJDb3JlL2xvYWRlci9E b2N1bWVudExvYWRlci5jcHAJKHdvcmtpbmcgY29weSkKQEAgLTgxMiw2ICs4MTIsMTAgQEAgdm9p ZCBEb2N1bWVudExvYWRlcjo6Y29tbWl0RGF0YShjb25zdCBjaAogICAgICAgICBpZiAoIWlzTXVs dGlwYXJ0UmVwbGFjaW5nTG9hZCgpKQogICAgICAgICAgICAgZnJhbWVMb2FkZXIoKS0+cmVjZWl2 ZWRGaXJzdERhdGEoKTsKIAorICAgICAgICAvLyBUaGUgbG9hZCBjb3VsZCBiZSBjYW5jZWxlZCB1 bmRlciByZWNlaXZlZEZpcnN0RGF0YSgpLCB3aGljaCBtYWtlcyBkZWxlZ2F0ZSBjYWxscyBhbmQg ZXZlbiBzb21ldGltZXMgZGlzcGF0Y2hlcyBET00gZXZlbnRzLgorICAgICAgICBpZiAoIWlzTG9h ZGluZygpKQorICAgICAgICAgICAgcmV0dXJuOworCiAgICAgICAgIGJvb2wgdXNlckNob3NlbjsK ICAgICAgICAgU3RyaW5nIGVuY29kaW5nOwogI2lmIFVTRShDT05URU5UX0ZJTFRFUklORykKSW5k ZXg6IExheW91dFRlc3RzL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBMYXlvdXRUZXN0cy9DaGFu Z2VMb2cJKHJldmlzaW9uIDE2OTgyMykKKysrIExheW91dFRlc3RzL0NoYW5nZUxvZwkod29ya2lu ZyBjb3B5KQpAQCAtMSwzICsxLDEzIEBACisyMDE0LTA2LTExICBBbGV4ZXkgUHJvc2t1cnlha292 ICA8YXBAYXBwbGUuY29tPgorCisgICAgICAgIGVkaXRpbmcvc2VsZWN0aW9uL3NlbGVjdGlvbi1p bi1pZnJhbWUtcmVtb3ZlZC1jcmFzaC5odG1sIG9yIHNlbGVjdGlvbi1pbnZhbGlkLW9mZnNldC5o dG1sIGNyYXNoZXMgaW50ZXJtaXR0ZW50bHkKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5v cmcvc2hvd19idWcuY2dpP2lkPTExMTUyMQorICAgICAgICA8cmRhcjovL3Byb2JsZW0vMTUxNTkz NTE+CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgKiBw bGF0Zm9ybS9tYWMvVGVzdEV4cGVjdGF0aW9uczogUmVtb3ZlZCBleHBlY3RhdGlvbnMgZm9yIHRo ZSB0ZXN0cy4KKwogMjAxNC0wNi0xMSAgTG9yZW56byBUaWx2ZSAgPGx0aWx2ZUBpZ2FsaWEuY29t PgogCiAgICAgICAgIFtHVEtdIFVucmV2aWV3ZWQgR1RLIGdhcmRlbmluZwpJbmRleDogTGF5b3V0 VGVzdHMvcGxhdGZvcm0vbWFjL1Rlc3RFeHBlY3RhdGlvbnMKPT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gTGF5b3V0 VGVzdHMvcGxhdGZvcm0vbWFjL1Rlc3RFeHBlY3RhdGlvbnMJKHJldmlzaW9uIDE2OTc3MykKKysr IExheW91dFRlc3RzL3BsYXRmb3JtL21hYy9UZXN0RXhwZWN0YXRpb25zCSh3b3JraW5nIGNvcHkp CkBAIC05ODksOSArOTg5LDYgQEAgd2Via2l0Lm9yZy9iLzExMDE4NiBpbnNwZWN0b3ItcHJvdG9j b2wvcAogIyBOZWVkIHN1cHBvcnQgZm9yIFJlc291cmNlSGFuZGxlOjpkaWRDaGFuZ2VQcmlvcml0 eSBhbmQgRFJUIHN1cHBvcnQKIHdlYmtpdC5vcmcvYi8xMTEwMTYgaHR0cC90ZXN0cy9sb2FkaW5n L3Byb21vdGUtaW1nLXByZWxvYWQtcHJpb3JpdHkuaHRtbCBbIEZhaWx1cmUgXQogCi13ZWJraXQu b3JnL2IvMTExNTIxIGVkaXRpbmcvc2VsZWN0aW9uL3NlbGVjdGlvbi1pbnZhbGlkLW9mZnNldC5o dG1sIFsgQ3Jhc2ggUGFzcyBdCi13ZWJraXQub3JnL2IvMTExNTIxIGVkaXRpbmcvc2VsZWN0aW9u L3NlbGVjdGlvbi1pbi1pZnJhbWUtcmVtb3ZlZC1jcmFzaC5odG1sIFsgQ3Jhc2ggUGFzcyBdCi0K IHdlYmtpdC5vcmcvYi8xMTA1NDYgWyBEZWJ1ZyBdIGZhc3QvcGFyc2VyL2RvY3VtZW50LXdyaXRl LWZpZ2h0aW5nLWVvZi5odG1sIFsgU2tpcCBdCiB3ZWJraXQub3JnL2IvMTEwNTQ2IFsgRGVidWcg XSBmYXN0L3BhcnNlci9kb2N1bWVudC13cml0ZS1wYXJ0aWFsLWVudGl0eS1iZWZvcmUtbG9hZC5o dG1sIFsgU2tpcCBdCiAK