Bug 111521

Summary: editing/selection/selection-in-iframe-removed-crash.html or selection-invalid-offset.html crashes intermittently
Product: WebKit
Reporter: Ryosuke Niwa <rniwa>
Component: Page Loading
Assignee: Alexey Proskuryakov <ap>
Status: RESOLVED FIXED
Severity: Normal
CC: ap, beidson, commit-queue, enrica, japhet, leviw, simon.fraser
Priority: P2
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Attachments: proposed fix (flags: none)

Description Ryosuke Niwa 2013-03-05 21:45:18 PST
editing/selection/selection-invalid-offset.html has been crashing with the following stack trace intermittently.

http://build.webkit.org/results/Apple%20MountainLion%20Release%20WK1%20(Tests)/r144874%20(7586)/results.html

Application Specific Information:
CRASHING TEST: editing/selection/selection-in-iframe-removed-crash.html

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x00000001103ee057 WebCore::FrameLoader::dispatchDidCommitLoad() + 135 (RefPtr.h:58)
1   com.apple.WebCore             	0x00000001103eddc5 WebCore::FrameLoader::receivedFirstData() + 21 (FrameLoader.cpp:602)
2   com.apple.WebCore             	0x000000011025ccef WebCore::DocumentLoader::commitData(char const*, unsigned long) + 239 (RefPtr.h:43)
3   com.apple.WebKit              	0x000000010fda9bf4 -[WebHTMLRepresentation receivedData:withDataSource:] + 100 (WebHTMLRepresentation.mm:186)
4   com.apple.WebKit              	0x000000010fd7cded -[WebDataSource(WebInternal) _receivedData:] + 77 (WebDataSource.mm:216)
5   com.apple.WebKit              	0x000000010fd94c47 WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, char const*, int) + 103 (WebFrameLoaderClient.mm:848)
6   com.apple.WebCore             	0x000000011025cea0 WebCore::DocumentLoader::commitLoad(char const*, int) + 144 (RefCounted.h:148)
7   com.apple.WebCore             	0x000000011097d5b3 WebCore::MainResourceLoader::dataReceived(WebCore::CachedResource*, char const*, int) + 819 (MainResourceLoader.cpp:529)
8   com.apple.WebCore             	0x000000011097c729 WebCore::MainResourceLoader::continueAfterContentPolicy(WebCore::PolicyAction, WebCore::ResourceResponse const&) + 1257 (RefPtr.h:64)
9   com.apple.WebCore             	0x000000011097d0c5 WebCore::MainResourceLoader::responseReceived(WebCore::CachedResource*, WebCore::ResourceResponse const&) + 1749 (RefCounted.h:148)
10  com.apple.WebCore             	0x000000011097b516 WebCore::MainResourceLoader::handleSubstituteDataLoadNow(WebCore::RunLoopTimer<WebCore::MainResourceLoader>*) + 710 (RetainPtr.h:84)
11  com.apple.WebCore             	0x0000000110bc1818 WebCore::timerFired(__CFRunLoopTimer*, void*) + 40 (RunLoopTimerCF.cpp:52)
12  com.apple.CoreFoundation      	0x00007fff92ac7da4 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
13  com.apple.CoreFoundation      	0x00007fff92ac78bd __CFRunLoopDoTimer + 557
14  com.apple.CoreFoundation      	0x00007fff92aad099 __CFRunLoopRun + 1513
15  com.apple.CoreFoundation      	0x00007fff92aac6b2 CFRunLoopRunSpecific + 290
16  com.apple.Foundation          	0x00007fff87a8089e -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 268
17  DumpRenderTree                	0x000000010f641122 runTest(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) + 1639 (DumpRenderTree.mm:1375)
18  DumpRenderTree                	0x000000010f6408b6 dumpRenderTree(int, char const**) + 1727 (DumpRenderTree.mm:832)
19  DumpRenderTree                	0x000000010f64148b main + 86 (DumpRenderTree.mm:925)
20  libdyld.dylib                 	0x00007fff895837e1 start + 1
Comment 1 Alexey Proskuryakov 2013-03-05 21:51:45 PST
Any idea when this could start? Is this reproducible manually in browser?
Comment 2 Ryosuke Niwa 2013-03-05 21:58:58 PST
(In reply to comment #1)
> Any idea when this could start? Is this reproducible manually in browser?

I think it's caused by http://trac.webkit.org/changeset/144400. Note that even though NRWT thinks selection-invalid-offset.html is crashing, the crash log indicates that editing/selection/selection-in-iframe-removed-crash.html is the one crashing.
Comment 3 Ryosuke Niwa 2013-03-06 12:03:04 PST
Also see https://bugs.webkit.org/show_bug.cgi?id=111451.
editing/selection/selection-in-iframe-removed-crash.html is hitting an assertion.
Comment 4 Levi Weintraub 2013-03-06 15:35:08 PST
I'm having no luck reproducing this locally. I've tried release and debug, running just editing/selection/selection-in-iframe-removed-crash.html and editing/selection/selection-invalid-offset.html with a lot of iterations as well as the whole suite of tests, over and over again.
Comment 5 Alexey Proskuryakov 2013-03-12 11:05:33 PDT
In a debug build, an assertion failure occurs:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x0000000109426f6c WTF::RefPtr<WebCore::Frame>::get() const + 12 (RefPtr.h:58)
1   com.apple.WebCore             	0x0000000109558e6c WebCore::Page::mainFrame() const + 28 (Page.h:156)
2   com.apple.WebCore             	0x0000000109ba13a2 WebCore::FrameLoader::dispatchDidCommitLoad() + 194 (FrameLoader.cpp:3292)
3   com.apple.WebCore             	0x0000000109ba10bc WebCore::FrameLoader::receivedFirstData() + 28 (FrameLoader.cpp:602)
4   com.apple.WebCore             	0x00000001098ba8a2 WebCore::DocumentLoader::commitData(char const*, unsigned long) + 210 (DocumentLoader.cpp:362)
Comment 6 Ryosuke Niwa 2013-03-12 19:12:03 PDT
*** Bug 112220 has been marked as a duplicate of this bug. ***
Comment 7 Ryosuke Niwa 2013-03-12 19:16:56 PDT
Updated the test expectation per https://bugs.webkit.org/show_bug.cgi?id=112220:
http://trac.webkit.org/changeset/145671
Comment 8 Alexey Proskuryakov 2013-08-30 16:42:18 PDT
Still happens, just got this crash today.
Comment 9 Alexey Proskuryakov 2014-06-11 13:19:58 PDT
This is a pretty bad bug, which could be a root cause of certain common crashers.

<rdar://problem/15159351>
Comment 10 Alexey Proskuryakov 2014-06-11 13:27:35 PDT
Created attachment 232895 [details]
proposed fix

Let's see what EWS thinks, I'm not entirely sure what's the right way to check for cancellation here.
Comment 11 WebKit Commit Bot 2014-06-11 17:30:56 PDT
Comment on attachment 232895 [details]
proposed fix

Clearing flags on attachment: 232895

Committed r169866: <http://trac.webkit.org/changeset/169866>
Comment 12 WebKit Commit Bot 2014-06-11 17:31:01 PDT
All reviewed patches have been landed.  Closing bug.