19556 2008-06-15 07:44:43 -0700 REGRESSION (r34544): Crash while visiting bigglook.com 2008-06-15 15:11:40 -0700 1 1 1 Unclassified WebKit Page Loading 528+ (Nightly build) Mac OS X 10.5 RESOLVED FIXED Regression P1 Critical --- 1 ismail darin beidson darin mitz zwarich oldest_to_newest 83372 0 ismail 2008-06-15 07:44:43 -0700 Visit http://bigglook.com with latest trunk and Safari crashes, I got multiple backtraces: Thread 0 Crashed: 0 com.apple.WebCore 0x0108199b WTF::HashTable<WebCore::String, WebCore::String, WTF::IdentityExtractor<WebCore::String>, WebCore::StringHash, WTF::HashTraits<WebCore::String>, WTF::HashTraits<WebCore::String> >::rehash(int) + 107 (PlatformString.h:225) 1 com.apple.WebCore 0x01081ccd WTF::HashTable<WebCore::String, WebCore::String, WTF::IdentityExtractor<WebCore::String>, WebCore::StringHash, WTF::HashTraits<WebCore::String>, WTF::HashTraits<WebCore::String> >::expand() + 45 (HashTable.h:874) 2 com.apple.WebCore 0x0108206b std::pair<WTF::HashTableIterator<WebCore::String, WebCore::String, WTF::IdentityExtractor<WebCore::String>, WebCore::StringHash, WTF::HashTraits<WebCore::String>, WTF::HashTraits<WebCore::String> >, bool> WTF::HashTable<WebCore::String, WebCore::String, WTF::IdentityExtractor<WebCore::String>, WebCore::StringHash, WTF::HashTraits<WebCore::String>, WTF::HashTraits<WebCore::String> >::add<WebCore::String, WebCore::String, WTF::IdentityHashTranslator<WebCore::String, WebCore::String, WebCore::StringHash> >(WebCore::String const&, WebCore::String const&) + 875 3 com.apple.WebCore 0x010820c7 WTF::HashSet<WebCore::String, WebCore::StringHash, WTF::HashTraits<WebCore::String> >::add(WebCore::String const&) + 39 (HashTable.h:1095) 4 com.apple.WebCore 0x013855c3 WebCore::PageURLRecord::setIconRecord(WTF::PassRefPtr<WebCore::IconRecord>) + 163 (PageURLRecord.cpp:55) 5 com.apple.WebCore 0x01222b9f WebCore::IconDatabase::setIconURLForPageURL(WebCore::String const&, WebCore::String const&) + 415 (PassRefPtr.h:44) 6 com.apple.WebCore 0x0118fcdc WebCore::FrameLoader::commitIconURLToIconDatabase(WebCore::KURL const&) + 44 (FrameLoader.cpp:1183) 7 com.apple.WebCore 0x0122c071 WebCore::IconLoader::finishLoading(WebCore::KURL const&, WTF::PassRefPtr<WebCore::SharedBuffer>) + 145 (IconLoader.cpp:159) 8 com.apple.WebCore 0x0122c948 WebCore::IconLoader::didReceiveResponse(WebCore::SubresourceLoader*, WebCore::ResourceResponse const&) + 184 (RefPtr.h:51) 9 com.apple.WebCore 0x0152dbdf WebCore::SubresourceLoader::didReceiveResponse(WebCore::ResourceResponse const&) + 95 (SubresourceLoader.cpp:150) 10 com.apple.WebCore 0x01437cab -[WebCoreResourceHandleAsDelegate connection:didReceiveResponse:] + 267 (RetainPtr.h:72) 11 com.apple.Foundation 0x9394481a -[NSURLConnection(NSURLConnectionReallyInternal) sendDidReceiveResponse:] + 122 12 com.apple.Foundation 0x9394476a _NSURLConnectionDidReceiveResponse + 154 13 com.apple.CFNetwork 0x92633703 sendDidReceiveDataCallback + 350 14 com.apple.CFNetwork 0x92630cee _CFURLConnectionSendCallbacks + 1586 15 com.apple.CFNetwork 0x9263063f muxerSourcePerform + 283 16 com.apple.CoreFoundation 0x9047460e CFRunLoopRunSpecific + 3166 17 com.apple.CoreFoundation 0x90474cf8 CFRunLoopRunInMode + 88 18 com.apple.HIToolbox 0x93b92da4 RunCurrentEventLoopInMode + 283 19 com.apple.HIToolbox 0x93b92bbd ReceiveNextEventCommon + 374 20 com.apple.HIToolbox 0x93b92a31 BlockUntilNextEventMatchingListInMode + 106 21 com.apple.AppKit 0x92c61505 _DPSNextEvent + 657 22 com.apple.AppKit 0x92c60db8 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128 23 com.apple.Safari 0x00007c7e 0x1000 + 27774 24 com.apple.AppKit 0x92c59df3 -[NSApplication run] + 795 25 com.apple.AppKit 0x92c27030 NSApplicationMain + 574 26 com.apple.Safari 0x000b4de6 0x1000 + 736742 And the other one : Thread 0 Crashed: 0 ??? 0000000000 0 + 0 1 com.apple.WebKit 0x00215acb -[WebView(WebViewInternal) _dispatchDidReceiveIconFromWebFrame:] + 187 (WebView.mm:4330) 2 com.apple.WebKit 0x001bd759 WebFrameLoaderClient::dispatchDidReceiveIcon() + 57 (WebFrameLoaderClient.mm:473) 3 com.apple.WebCore 0x0122c08f WebCore::IconLoader::finishLoading(WebCore::KURL const&, WTF::PassRefPtr<WebCore::SharedBuffer>) + 175 (IconLoader.cpp:162) 4 com.apple.WebCore 0x0122c948 WebCore::IconLoader::didReceiveResponse(WebCore::SubresourceLoader*, WebCore::ResourceResponse const&) + 184 (RefPtr.h:51) 5 com.apple.WebCore 0x0152dbdf WebCore::SubresourceLoader::didReceiveResponse(WebCore::ResourceResponse const&) + 95 (SubresourceLoader.cpp:150) 6 com.apple.WebCore 0x01437cab -[WebCoreResourceHandleAsDelegate connection:didReceiveResponse:] + 267 (RetainPtr.h:72) 7 com.apple.Foundation 0x9394481a -[NSURLConnection(NSURLConnectionReallyInternal) sendDidReceiveResponse:] + 122 8 com.apple.Foundation 0x9394476a _NSURLConnectionDidReceiveResponse + 154 9 com.apple.CFNetwork 0x92633703 sendDidReceiveDataCallback + 350 10 com.apple.CFNetwork 0x92630cee _CFURLConnectionSendCallbacks + 1586 11 com.apple.CFNetwork 0x9263063f muxerSourcePerform + 283 12 com.apple.CoreFoundation 0x9047460e CFRunLoopRunSpecific + 3166 13 com.apple.CoreFoundation 0x90474cf8 CFRunLoopRunInMode + 88 14 com.apple.HIToolbox 0x93b92da4 RunCurrentEventLoopInMode + 283 15 com.apple.HIToolbox 0x93b92bbd ReceiveNextEventCommon + 374 16 com.apple.HIToolbox 0x93b92a31 BlockUntilNextEventMatchingListInMode + 106 17 com.apple.AppKit 0x92c61505 _DPSNextEvent + 657 18 com.apple.AppKit 0x92c60db8 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128 19 com.apple.Safari 0x00007c7e 0x1000 + 27774 20 com.apple.AppKit 0x92c59df3 -[NSApplication run] + 795 21 com.apple.AppKit 0x92c27030 NSApplicationMain + 574 22 com.apple.Safari 0x000b4de6 0x1000 + 736742 83387 1 mitz 2008-06-15 11:14:55 -0700 This is caused by over-releasing the IconRecord in the "create" case of IconDatabase::getOrCreateIconRecord(). 83393 2 mitz 2008-06-15 12:31:40 -0700 Prior to r34544, the code relied on the ability of m_iconURLToRecordMap to keep weak references to newly-created IconRecords with a 0 reference count. I don't think it's possible to just change m_iconURLToRecordMap to use strong references, because of the hasOneRef() checks in other places in the code. 83394 3 darin 2008-06-15 12:33:31 -0700 Damn! I wonder what should we do about this. 83399 4 zwarich 2008-06-15 12:52:23 -0700 *** Bug 19563 has been marked as a duplicate of this bug. *** 83404 5 darin 2008-06-15 14:37:38 -0700 (In reply to comment #2) > Prior to r34544, the code relied on the ability of m_iconURLToRecordMap to keep > weak references to newly-created IconRecords with a 0 reference count. I don't > think it's possible to just change m_iconURLToRecordMap to use strong > references, because of the hasOneRef() checks in other places in the code. I think we can fix this without changing the map so it can keep strong references, as long as nobody is relying on the IconRecord being kept alive indefinitely with a 0 reference count. I need to figure out more precisely what's going wrong. I've set aside my other work so I can concentrate on this now. 83406 6 21718 darin 2008-06-15 15:04:03 -0700 Created attachment 21718 patch 83407 7 21718 mitz 2008-06-15 15:05:34 -0700 Comment on attachment 21718 patch r=me 83408 8 darin 2008-06-15 15:11:40 -0700 Committed revision 34575. 21718 2008-06-15 15:04:03 -0700 2008-06-15 15:05:34 -0700 patch IconCrashPatch.txt text/plain 3161 darin SW5kZXg6IFdlYkNvcmUvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvQ2hhbmdlTG9n CShyZXZpc2lvbiAzNDU3NCkKKysrIFdlYkNvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBA IC0xLDMgKzEsMjAgQEAKKzIwMDgtMDYtMTUgIERhcmluIEFkbGVyICA8ZGFyaW5AYXBwbGUuY29t PgorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIC0gZml4 IGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0xOTU1NgorICAgICAgICAg IFJFR1JFU1NJT04gKHIzNDU0NCk6IENyYXNoIHdoaWxlIHZpc2l0aW5nIGJpZ2dsb29rLmNvbQor CisgICAgICAgIFRoaXMgZml4IGVsaW1pbmF0ZXMgdGhlIGNyYXNoLCBidXQgdGhlIGxvZ2ljIHJl bWFpbmluZyBzZWVtcyBhIGxpdHRsZSBzdHJhbmdlLgorICAgICAgICBXZSBjcmVhdGUgYW4gSWNv blJlY29yZCBhbmQgdGhlbiBpbW1lZGlhdGVseSBkZXN0cm95IGl0LiBXb3J0aCB0YWtpbmcgYW5v dGhlcgorICAgICAgICBsb29rIGF0IHRoaXMgbGF0ZXIuCisKKyAgICAgICAgKiBsb2FkZXIvaWNv bi9JY29uRGF0YWJhc2UuY3BwOgorICAgICAgICAoV2ViQ29yZTo6SWNvbkRhdGFiYXNlOjpzZXRJ Y29uRGF0YUZvckljb25VUkwpOiBBZGRlZCBjb2RlIHRvIHJlbW92ZSB0aGUgaWNvbgorICAgICAg ICBqdXN0IGFzIGluIHRoZSBvdGhlciBjYXNlcyB3aGVyZSB3ZSBtaWdodCBiZSBob2xkaW5nIHRo ZSBzaW5nbGUgcmVmZXJlbmNlIHRvIGl0LgorICAgICAgICAoV2ViQ29yZTo6SWNvbkRhdGFiYXNl OjpzZXRJY29uVVJMRm9yUGFnZVVSTCk6IEZpeGVkIGNvbW1lbnQgdHlwby4KKyAgICAgICAgKFdl YkNvcmU6Okljb25EYXRhYmFzZTo6d3JpdGVUb0RhdGFiYXNlKTogUmVtb3ZlZCB1bnVzZWQgbG9j YWwgdmFyaWFibGUuCisKIDIwMDgtMDYtMTUgIERhcmluIEFkbGVyICA8ZGFyaW5AYXBwbGUuY29t PgogCiAgICAgICAgIFJldmlld2VkIGFuZCB0d2Vha2VkIGJ5IFNhbSBXZWluaWcuCkluZGV4OiBX ZWJDb3JlL2xvYWRlci9pY29uL0ljb25EYXRhYmFzZS5jcHAKPT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gV2ViQ29y ZS9sb2FkZXIvaWNvbi9JY29uRGF0YWJhc2UuY3BwCShyZXZpc2lvbiAzNDU3NCkKKysrIFdlYkNv cmUvbG9hZGVyL2ljb24vSWNvbkRhdGFiYXNlLmNwcAkod29ya2luZyBjb3B5KQpAQCAtNTMyLDYg KzUzMiwxMiBAQCB2b2lkIEljb25EYXRhYmFzZTo6c2V0SWNvbkRhdGFGb3JJY29uVVJMCiAgICAg ICAgICAgICBNdXRleExvY2tlciBsb2NrZXIobV9wZW5kaW5nU3luY0xvY2spOwogICAgICAgICAg ICAgbV9pY29uc1BlbmRpbmdTeW5jLnNldChpY29uVVJMLCBpY29uLT5zbmFwc2hvdCgpKTsKICAg ICAgICAgfQorCisgICAgICAgIGlmIChpY29uLT5oYXNPbmVSZWYoKSkgeworICAgICAgICAgICAg QVNTRVJUKGljb24tPnJldGFpbmluZ1BhZ2VVUkxzKCkuaXNFbXB0eSgpKTsKKyAgICAgICAgICAg IExPRyhJY29uRGF0YWJhc2UsICJJY29uIGZvciBpY29uIHVybCAlcyBpcyBhYm91dCB0byBiZSBk ZXN0cm95ZWQgLSByZW1vdmluZyBtYXBwaW5nIGZvciBpdCIsIHVybEZvckxvZ2dpbmcoaWNvbi0+ aWNvblVSTCgpKS5hc2NpaSgpLmRhdGEoKSk7CisgICAgICAgICAgICBtX2ljb25VUkxUb1JlY29y ZE1hcC5yZW1vdmUoaWNvbi0+aWNvblVSTCgpKTsKKyAgICAgICAgfQogICAgIH0KIAogICAgIC8v IFNlbmQgbm90aWZpY2F0aW9uIG91dCByZWdhcmRpbmcgYWxsIFBhZ2VVUkxzIHRoYXQgcmV0YWlu IHRoaXMgaWNvbgpAQCAtNjA1LDcgKzYxMSw3IEBAIHZvaWQgSWNvbkRhdGFiYXNlOjpzZXRJY29u VVJMRm9yUGFnZVVSTCgKICAgICAgICAgICAgIE11dGV4TG9ja2VyIGxvY2tlcihtX3BlbmRpbmdT eW5jTG9jayk7CiAgICAgICAgICAgICBtX3BhZ2VVUkxzUGVuZGluZ1N5bmMuc2V0KHBhZ2VVUkws IHBhZ2VSZWNvcmQtPnNuYXBzaG90KCkpOwogICAgICAgICAgICAgCi0gICAgICAgICAgICAvLyBJ ZiB0aGUgaWNvbiBpcyBvbiBpdCdzIGxhc3QgcmVmLCBtYXJrIGl0IGZvciBkZWxldGlvbgorICAg ICAgICAgICAgLy8gSWYgdGhlIGljb24gaXMgb24gaXRzIGxhc3QgcmVmLCBtYXJrIGl0IGZvciBk ZWxldGlvbgogICAgICAgICAgICAgaWYgKGljb25SZWNvcmQgJiYgaWNvblJlY29yZC0+aGFzT25l UmVmKCkpCiAgICAgICAgICAgICAgICAgbV9pY29uc1BlbmRpbmdTeW5jLnNldChpY29uUmVjb3Jk LT5pY29uVVJMKCksIGljb25SZWNvcmQtPnNuYXBzaG90KHRydWUpKTsKICAgICAgICAgfQpAQCAt MTUzMCwxNSArMTUzNiwxMiBAQCBib29sIEljb25EYXRhYmFzZTo6d3JpdGVUb0RhdGFiYXNlKCkK ICAgICB9CiAgICAgCiAgICAgZm9yICh1bnNpZ25lZCBpID0gMDsgaSA8IHBhZ2VTbmFwc2hvdHMu c2l6ZSgpOyArK2kpIHsKLSAgICAgICAgU3RyaW5nIGljb25VUkwgPSBwYWdlU25hcHNob3RzW2ld Lmljb25VUkw7Ci0KICAgICAgICAgLy8gSWYgdGhlIGljb24gVVJMIGlzIGVtcHR5LCB0aGlzIHBh Z2UgaXMgbWVhbnQgdG8gYmUgZGVsZXRlZAogICAgICAgICAvLyBBU1NFUlRzIGFyZSBzYW5pdHkg Y2hlY2tzIHRvIG1ha2Ugc3VyZSB0aGUgbWFwcGluZ3MgZXhpc3QgaWYgdGhleSBzaG91bGQgYW5k IGRvbid0IGlmIHRoZXkgc2hvdWxkbid0CiAgICAgICAgIGlmIChwYWdlU25hcHNob3RzW2ldLmlj b25VUkwuaXNFbXB0eSgpKQogICAgICAgICAgICAgcmVtb3ZlUGFnZVVSTEZyb21TUUxEYXRhYmFz ZShwYWdlU25hcHNob3RzW2ldLnBhZ2VVUkwpOwotICAgICAgICBlbHNlIHsKKyAgICAgICAgZWxz ZQogICAgICAgICAgICAgc2V0SWNvblVSTEZvclBhZ2VVUkxJblNRTERhdGFiYXNlKHBhZ2VTbmFw c2hvdHNbaV0uaWNvblVSTCwgcGFnZVNuYXBzaG90c1tpXS5wYWdlVVJMKTsKLSAgICAgICAgfQog ICAgICAgICBMT0coSWNvbkRhdGFiYXNlLCAiQ29tbWl0dGVkIEljb25VUkwgZm9yIFBhZ2VVUkwg JXMgdG8gZGF0YWJhc2UiLCB1cmxGb3JMb2dnaW5nKHBhZ2VTbmFwc2hvdHNbaV0ucGFnZVVSTCku YXNjaWkoKS5kYXRhKCkpOwogICAgIH0KIAo=