92774 2012-07-31 11:09:16 -0700 Crash in FrameLoader::checkLoadComplete with non-browser client app 2012-08-01 15:37:41 -0700 1 1 1 Unclassified WebKit Page Loading 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 koivisto webkit-unassigned ap cmarcelo inferno macpherson menard webkit.review.bot oldest_to_newest 683274 0 koivisto 2012-07-31 11:09:16 -0700 Seen with a non-browser client app 0 WebCore 0x327aaf3c WebCore::FrameLoader::checkLoadComplete() (FrameLoader.cpp:2399) 1 WebCore 0x32a6cd30 WebCore::CSSFontSelector::beginLoadTimerFired(WebCore::Timer<WebCore::CSSFontSelector>*) (CSSFontSelector.cpp:619) 2 WebCore 0x327e69a6 WebCore::ThreadTimers::sharedTimerFiredInternal() (ThreadTimers.cpp:129) 683276 1 koivisto 2012-07-31 11:13:34 -0700 <rdar://problem/11956222> 683292 2 155591 koivisto 2012-07-31 11:27:54 -0700 Created attachment 155591 speculative fix 683307 3 155591 ap 2012-07-31 11:39:49 -0700 Comment on attachment 155591 speculative fix View in context: https://bugs.webkit.org/attachment.cgi?id=155591&action=review > Source/WebCore/css/CSSFontSelector.cpp:581 > + // It is possible load calls could cause CSSFontSelector to get deleted synchronously. "CSSFontSelector can be deleted via beginLoadIfNeeded() or loadDone() unless protected." (or better something more specific about how that could happen). Both "possible" and "could" make this difficult to read. > Source/WebCore/css/CSSFontSelector.cpp:582 > + // If detached clearDocument() will get called ensuring m_document is null. I think that you're explaining why m_document won't be a dangling pointer, but that seems excessive. We don't make such comment every time we use a member variable pointing to some other object, and don't make it for every variable that has a clearXXX() method. Is there something unusual here that needs to be explained? 683335 4 koivisto 2012-07-31 11:52:24 -0700 http://trac.webkit.org/changeset/124229 684661 5 inferno 2012-08-01 15:32:11 -0700 *** Bug 91701 has been marked as a duplicate of this bug. *** 684664 6 inferno 2012-08-01 15:33:51 -0700 Confirming at the testcase we had at ClusterFuzz got fixed by your AWESOMENESS :) 684670 7 ap 2012-08-01 15:37:41 -0700 Great! Can we have the test case landed then? 155591 2012-07-31 11:27:54 -0700 2012-07-31 11:39:49 -0700 speculative fix checkLoadComplete-crash-speculative.patch text/plain 1697 koivisto SW5kZXg6IFNvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2Vi Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDEyNDIyMSkKKysrIFNvdXJjZS9XZWJDb3JlL0NoYW5n ZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE2IEBACisyMDEyLTA3LTMxICBBbnR0aSBL b2l2aXN0byAgPGFudHRpQGFwcGxlLmNvbT4KKworICAgICAgICBDcmFzaCBpbiBGcmFtZUxvYWRl cjo6Y2hlY2tMb2FkQ29tcGxldGUgd2l0aCBub24tYnJvd3NlciBjbGllbnQgYXBwCisgICAgICAg IGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD05Mjc3NAorCisgICAgICAg IFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIFNwZWN1bGF0aXZlIGZpeC4g SXQgaXMgcG9zc2libGUgdGhhdCBDU1NGb250U2VsZWN0b3IgY291bGQgZ2V0IGRlbGV0ZWQgZHVy aW5nIHRoZSB0aW1lciBjYWxsYmFjaworICAgICAgICBhbmQgbWVtb3J5IHJldXNlZCwgbWFraW5n IG1fZG9jdW1lbnQgcG9pbnQgdG8gc29tZSBnYXJiYWdlIHdoZW4gaXQgaXMgdGVzdGVkIGF0IHRo ZSBlbmQuCisKKyAgICAgICAgKiBjc3MvQ1NTRm9udFNlbGVjdG9yLmNwcDoKKyAgICAgICAgKFdl YkNvcmU6OkNTU0ZvbnRTZWxlY3Rvcjo6YmVnaW5Mb2FkVGltZXJGaXJlZCk6CisKIDIwMTItMDct MDcgIFBoaWxpcHBlIE5vcm1hbmQgIDxwbm9ybWFuZEBpZ2FsaWEuY29tPgogCiAgICAgICAgIFtH U3RyZWFtZXJdIExpdmUgc3RyZWFtIHN1cHBvcnQgaXMgd2VhawpJbmRleDogU291cmNlL1dlYkNv cmUvY3NzL0NTU0ZvbnRTZWxlY3Rvci5jcHAKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291cmNlL1dlYkNvcmUv Y3NzL0NTU0ZvbnRTZWxlY3Rvci5jcHAJKHJldmlzaW9uIDEyMjQ0NikKKysrIFNvdXJjZS9XZWJD b3JlL2Nzcy9DU1NGb250U2VsZWN0b3IuY3BwCSh3b3JraW5nIGNvcHkpCkBAIC01NzgsNiArNTc4 LDEwIEBAIHZvaWQgQ1NTRm9udFNlbGVjdG9yOjpiZWdpbkxvYWRUaW1lckZpcmUKICAgICBWZWN0 b3I8Q2FjaGVkUmVzb3VyY2VIYW5kbGU8Q2FjaGVkRm9udD4gPiBmb250c1RvQmVnaW5Mb2FkaW5n OwogICAgIGZvbnRzVG9CZWdpbkxvYWRpbmcuc3dhcChtX2ZvbnRzVG9CZWdpbkxvYWRpbmcpOwog CisgICAgLy8gSXQgaXMgcG9zc2libGUgbG9hZCBjYWxscyBjb3VsZCBjYXVzZSBDU1NGb250U2Vs ZWN0b3IgdG8gZ2V0IGRlbGV0ZWQgc3luY2hyb25vdXNseS4KKyAgICAvLyBJZiBkZXRhY2hlZCBj bGVhckRvY3VtZW50KCkgd2lsbCBnZXQgY2FsbGVkIGVuc3VyaW5nIG1fZG9jdW1lbnQgaXMgbnVs bC4KKyAgICBSZWZQdHI8Q1NTRm9udFNlbGVjdG9yPiBwcm90ZWN0KHRoaXMpOworCiAgICAgQ2Fj aGVkUmVzb3VyY2VMb2FkZXIqIGNhY2hlZFJlc291cmNlTG9hZGVyID0gbV9kb2N1bWVudC0+Y2Fj aGVkUmVzb3VyY2VMb2FkZXIoKTsKICAgICBmb3IgKHNpemVfdCBpID0gMDsgaSA8IGZvbnRzVG9C ZWdpbkxvYWRpbmcuc2l6ZSgpOyArK2kpIHsKICAgICAgICAgZm9udHNUb0JlZ2luTG9hZGluZ1tp XS0+YmVnaW5Mb2FkSWZOZWVkZWQoY2FjaGVkUmVzb3VyY2VMb2FkZXIpOwo=