Bug 144401

Summary: Use-after-free when invalidating WKPageForceRepaint callback
Product: WebKit
Reporter: Alexey Proskuryakov <ap>
Component: Tools / Tests
Assignee: Alexey Proskuryakov <ap>
Status: RESOLVED FIXED
Severity: Normal
CC: commit-queue, thorton
Priority: P2
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Attachments:
proposed fix (Flags: none)

Description Alexey Proskuryakov 2015-04-29 11:18:28 PDT
This happens on bots frequently:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   WebKitTestRunner              	0x0000000102be0e14 0x102bd4000 + 52756
1   com.apple.WebKit              	0x0000000103654023 std::__1::__function::__func<WKPageForceRepaint::$_1, std::__1::allocator<WKPageForceRepaint::$_1>, void (WebKit::CallbackBase::Error)>::operator()(WebKit::CallbackBase::Error&&) + 53
2   com.apple.WebKit              	0x00000001035db54c WebKit::GenericCallback<>::invalidate(WebKit::CallbackBase::Error) + 40
3   com.apple.WebKit              	0x0000000103513ea1 void WebKit::invalidateCallbackMap<WTF::RefPtr<WebKit::CallbackBase> >(WTF::HashMap<unsigned long long, WTF::RefPtr<WebKit::CallbackBase>, WTF::IntHash<unsigned long long>, WTF::HashTraits<unsigned long long>, WTF::HashTraits<WTF::RefPtr<WebKit::CallbackBase> > >&, WebKit::CallbackBase::Error) + 231
4   com.apple.WebKit              	0x00000001035cd457 WebKit::WebPageProxy::resetState(WebKit::WebPageProxy::ResetStateReason) + 517
5   com.apple.WebKit              	0x0000000103414c0e WebKit::WebPageProxy::close() + 118
6   com.apple.WebKit              	0x0000000103415d4b -[WKView dealloc] + 106
7   libobjc.A.dylib               	0x00007fff8c41dc64 (anonymous namespace)::AutoreleasePoolPage::pop(void*) + 476
8   com.apple.CoreFoundation      	0x00007fff981bbf22 _CFAutoreleasePoolPop + 50
9   com.apple.Foundation          	0x00007fff8b30e352 -[NSAutoreleasePool drain] + 153
10  WebKitTestRunner              	0x0000000102bd8234 0x102bd4000 + 16948
11  libdyld.dylib                 	0x00007fff988535ad start + 1

rdar://problem/20741111
Comment 1 Alexey Proskuryakov 2015-04-29 11:20:45 PDT
Created attachment 251971 [details]
proposed fix
Comment 2 WebKit Commit Bot 2015-04-29 12:56:49 PDT
Comment on attachment 251971 [details]
proposed fix

Clearing flags on attachment: 251971

Committed r183572: <http://trac.webkit.org/changeset/183572>
Comment 3 WebKit Commit Bot 2015-04-29 12:56:54 PDT
All reviewed patches have been landed. Closing bug.