Bug 169855

Summary: Crash when breakpoint hit in unload handler
Product: WebKit Reporter: Daniel Bates <dbates>
Component: Web InspectorAssignee: Matt Baker <mattbaker>
Status: RESOLVED FIXED    
Severity: Normal CC: ap, beidson, cdumez, commit-queue, ddkilzer, ews-watchlist, inspector-bugzilla-changes, japhet, joepeck, koivisto, mattbaker, rniwa, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Mac   
OS: macOS 10.12   
See Also: https://bugs.webkit.org/show_bug.cgi?id=80427
Attachments:
Description Flags
Test case
none
patch
none
patch
dbates: review+
for landing
none
for landing none

Description Daniel Bates 2017-03-18 16:00:05 PDT 
Created attachment 304883 [details]
Test case

Using Mac nightly r213868 with Safari Version 10.1 (12603.1.30.0.31), hitting a breakpoint in the unload handler of a child frame causes a WebProcess crash. To see this, perform the the following:

1. Download and extract the attached test case archive and open file unload-with-inspector-at-breakpoint-crash.html in Safari.
2. Following the instructions in the test case to reproduce the crash.

The following is the backtrace I see:

[[
Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BREAKPOINT (SIGTRAP)
Exception Codes:       0x0000000000000002, 0x0000000000000000
Exception Note:        EXC_CORPSE_NOTIFY

Termination Signal:    Trace/BPT trap: 5
Termination Reason:    Namespace SIGNAL, Code 0x5
Terminating Process:   exc handler [0]

[...]
 
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x0000000107cb0272 WebCore::DocumentWriter::addData(char const*, unsigned long) + 50
1   com.apple.WebCore             	0x0000000107c98bf5 WebCore::DocumentLoader::commitData(char const*, unsigned long) + 1317
2   com.apple.WebKit              	0x00000001050ad336 WebKit::WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, char const*, int) + 50
3   com.apple.WebCore             	0x0000000107c9ad81 WebCore::DocumentLoader::commitLoad(char const*, int) + 145
4   com.apple.WebCore             	0x0000000107a8107c WebCore::CachedRawResource::notifyClientsDataWasReceived(char const*, unsigned int) + 172
5   com.apple.WebCore             	0x0000000107a80f41 WebCore::CachedRawResource::addDataBuffer(WebCore::SharedBuffer&) + 145
6   com.apple.WebCore             	0x00000001089f0132 WebCore::SubresourceLoader::didReceiveDataOrBuffer(char const*, int, WTF::RefPtr<WebCore::SharedBuffer>&&, long long, WebCore::DataPayloadType) + 210
7   com.apple.WebCore             	0x00000001089f0052 WebCore::SubresourceLoader::didReceiveData(char const*, unsigned int, long long, WebCore::DataPayloadType) + 34
8   com.apple.WebKit              	0x000000010519632f WebKit::WebResourceLoader::didReceiveData(IPC::DataReference const&, long long) + 249
9   com.apple.WebKit              	0x0000000105196dd5 WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) + 289
10  com.apple.WebKit              	0x0000000104f3779b IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) + 119
11  com.apple.WebKit              	0x0000000104f3a425 IPC::Connection::dispatchOneMessage() + 175
12  com.apple.JavaScriptCore      	0x000000010668a3a9 WTF::RunLoop::performWork() + 169
13  com.apple.JavaScriptCore      	0x000000010668b4c2 WTF::RunLoop::performWork(void*) + 34
14  com.apple.CoreFoundation      	0x00007fff982843b1 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
15  com.apple.CoreFoundation      	0x00007fff9826563c __CFRunLoopDoSources0 + 556
16  com.apple.CoreFoundation      	0x00007fff98264b26 __CFRunLoopRun + 934
17  com.apple.CoreFoundation      	0x00007fff98264524 CFRunLoopRunSpecific + 420
18  com.apple.HIToolbox           	0x00007fff977c4ebc RunCurrentEventLoopInMode + 240
19  com.apple.HIToolbox           	0x00007fff977c4cf1 ReceiveNextEventCommon + 432
20  com.apple.HIToolbox           	0x00007fff977c4b26 _BlockUntilNextEventMatchingListInModeWithFilter + 71
21  com.apple.AppKit              	0x00007fff95d5fe24 _DPSNextEvent + 1120
22  com.apple.AppKit              	0x00007fff964db85e -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 2796
23  com.apple.AppKit              	0x00007fff95d547ab -[NSApplication run] + 926
24  com.apple.AppKit              	0x00007fff95d1f1de NSApplicationMain + 1237
25  libxpc.dylib                  	0x00007fffae1ed8c7 _xpc_objc_main + 775
26  libxpc.dylib                  	0x00007fffae1ec2e4 xpc_main + 494
27  com.apple.WebKit.WebContent   	0x0000000104ef96bb main + 468
28  libdyld.dylib                 	0x00007fffadf94235 start + 1

Thread 1:: com.apple.NSEventThread
0   libsystem_kernel.dylib        	0x00007fffae0bb34a mach_msg_trap + 10
1   libsystem_kernel.dylib        	0x00007fffae0ba797 mach_msg + 55
2   com.apple.CoreFoundation      	0x00007fff98265854 __CFRunLoopServiceMachPort + 212
3   com.apple.CoreFoundation      	0x00007fff98264cd1 __CFRunLoopRun + 1361
4   com.apple.CoreFoundation      	0x00007fff98264524 CFRunLoopRunSpecific + 420
5   com.apple.AppKit              	0x00007fff95ead2d2 _NSEventThread + 205
6   libsystem_pthread.dylib       	0x00007fffae1adaab _pthread_body + 180
7   libsystem_pthread.dylib       	0x00007fffae1ad9f7 _pthread_start + 286
8   libsystem_pthread.dylib       	0x00007fffae1ad1fd thread_start + 13

Thread 2:
0   libsystem_kernel.dylib        	0x00007fffae0c2f46 __semwait_signal + 10
1   libsystem_c.dylib             	0x00007fffae049b72 nanosleep + 199
2   libc++.1.dylib                	0x00007fffacb7265b std::__1::this_thread::sleep_for(std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > const&) + 80
3   com.apple.JavaScriptCore      	0x00000001066afc93 bmalloc::Heap::scavenge(std::__1::unique_lock<bmalloc::StaticMutex>&, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000l> >) + 275
4   com.apple.JavaScriptCore      	0x00000001066afa46 bmalloc::Heap::concurrentScavenge() + 102
5   com.apple.JavaScriptCore      	0x00000001066b10d1 bmalloc::AsyncTask<bmalloc::Heap, void (bmalloc::Heap::*)()>::threadRunLoop() + 97
6   com.apple.JavaScriptCore      	0x00000001066b0fdd bmalloc::AsyncTask<bmalloc::Heap, void (bmalloc::Heap::*)()>::threadEntryPoint(bmalloc::AsyncTask<bmalloc::Heap, void (bmalloc::Heap::*)()>*) + 29
7   com.apple.JavaScriptCore      	0x00000001066b128d void* std::__1::__thread_proxy<std::__1::tuple<void (*)(bmalloc::AsyncTask<bmalloc::Heap, void (bmalloc::Heap::*)()>*), bmalloc::AsyncTask<bmalloc::Heap, void (bmalloc::Heap::*)()>*> >(void*) + 93
8   libsystem_pthread.dylib       	0x00007fffae1adaab _pthread_body + 180
9   libsystem_pthread.dylib       	0x00007fffae1ad9f7 _pthread_start + 286
10  libsystem_pthread.dylib       	0x00007fffae1ad1fd thread_start + 13

Thread 3:: com.apple.NSURLConnectionLoader
0   libsystem_kernel.dylib        	0x00007fffae0bb34a mach_msg_trap + 10
1   libsystem_kernel.dylib        	0x00007fffae0ba797 mach_msg + 55
2   com.apple.CoreFoundation      	0x00007fff98265854 __CFRunLoopServiceMachPort + 212
3   com.apple.CoreFoundation      	0x00007fff98264cd1 __CFRunLoopRun + 1361
4   com.apple.CoreFoundation      	0x00007fff98264524 CFRunLoopRunSpecific + 420
5   com.apple.CFNetwork           	0x00007fff973a1604 +[NSURLConnection(Loader) _resourceLoadLoop:] + 313
6   com.apple.Foundation          	0x00007fff99ca4a1d __NSThread__start__ + 1243
7   libsystem_pthread.dylib       	0x00007fffae1adaab _pthread_body + 180
8   libsystem_pthread.dylib       	0x00007fffae1ad9f7 _pthread_start + 286
9   libsystem_pthread.dylib       	0x00007fffae1ad1fd thread_start + 13

Thread 4:: WebCore: Scrolling
0   libsystem_kernel.dylib        	0x00007fffae0bb34a mach_msg_trap + 10
1   libsystem_kernel.dylib        	0x00007fffae0ba797 mach_msg + 55
2   com.apple.CoreFoundation      	0x00007fff98265854 __CFRunLoopServiceMachPort + 212
3   com.apple.CoreFoundation      	0x00007fff98264cd1 __CFRunLoopRun + 1361
4   com.apple.CoreFoundation      	0x00007fff98264524 CFRunLoopRunSpecific + 420
5   com.apple.CoreFoundation      	0x00007fff982a3d01 CFRunLoopRun + 97
6   com.apple.WebCore             	0x00000001088b2ddd WebCore::ScrollingThread::initializeRunLoop() + 253
7   com.apple.JavaScriptCore      	0x00000001066a03b2 WTF::threadEntryPoint(void*) + 178
8   com.apple.JavaScriptCore      	0x00000001066a080f WTF::wtfThreadEntryPoint(void*) + 15
9   libsystem_pthread.dylib       	0x00007fffae1adaab _pthread_body + 180
10  libsystem_pthread.dylib       	0x00007fffae1ad9f7 _pthread_start + 286
11  libsystem_pthread.dylib       	0x00007fffae1ad1fd thread_start + 13

Thread 5:
0   libsystem_kernel.dylib        	0x00007fffae0c344e __workq_kernreturn + 10
1   libsystem_pthread.dylib       	0x00007fffae1ad791 _pthread_wqthread + 1426
2   libsystem_pthread.dylib       	0x00007fffae1ad1ed start_wqthread + 13

Thread 6:
0   libsystem_kernel.dylib        	0x00007fffae0c344e __workq_kernreturn + 10
1   libsystem_pthread.dylib       	0x00007fffae1ad791 _pthread_wqthread + 1426
2   libsystem_pthread.dylib       	0x00007fffae1ad1ed start_wqthread + 13

Thread 7:
0   libsystem_kernel.dylib        	0x00007fffae0c344e __workq_kernreturn + 10
1   libsystem_pthread.dylib       	0x00007fffae1ad791 _pthread_wqthread + 1426
2   libsystem_pthread.dylib       	0x00007fffae1ad1ed start_wqthread + 13

Thread 8:
0   libsystem_kernel.dylib        	0x00007fffae0c344e __workq_kernreturn + 10
1   libsystem_pthread.dylib       	0x00007fffae1ad5fe _pthread_wqthread + 1023
2   libsystem_pthread.dylib       	0x00007fffae1ad1ed start_wqthread + 13

Thread 9:: WTF::AutomaticThread
0   libsystem_kernel.dylib        	0x00007fffae0c2bf2 __psynch_cvwait + 10
1   libsystem_pthread.dylib       	0x00007fffae1ae96a _pthread_cond_wait + 712
2   com.apple.JavaScriptCore      	0x00000001066a17b7 WTF::ThreadCondition::timedWait(WTF::Mutex&, double) + 119
3   com.apple.JavaScriptCore      	0x0000000106687bd2 WTF::ParkingLot::parkConditionallyImpl(void const*, WTF::ScopedLambda<bool ()> const&, WTF::ScopedLambda<void ()> const&, WTF::TimeWithDynamicClockType const&) + 2706
4   com.apple.JavaScriptCore      	0x0000000105fc6f06 bool WTF::ConditionBase::waitUntil<WTF::Lock>(WTF::Lock&, WTF::TimeWithDynamicClockType const&) + 150
5   com.apple.JavaScriptCore      	0x0000000106669817 std::__1::__function::__func<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, std::__1::allocator<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0>, void ()>::operator()() + 199
6   com.apple.JavaScriptCore      	0x00000001066a03b2 WTF::threadEntryPoint(void*) + 178
7   com.apple.JavaScriptCore      	0x00000001066a080f WTF::wtfThreadEntryPoint(void*) + 15
8   libsystem_pthread.dylib       	0x00007fffae1adaab _pthread_body + 180
9   libsystem_pthread.dylib       	0x00007fffae1ad9f7 _pthread_start + 286
10  libsystem_pthread.dylib       	0x00007fffae1ad1fd thread_start + 13

Thread 10:: WTF::AutomaticThread
0   libsystem_kernel.dylib        	0x00007fffae0c2bf2 __psynch_cvwait + 10
1   libsystem_pthread.dylib       	0x00007fffae1ae96a _pthread_cond_wait + 712
2   com.apple.JavaScriptCore      	0x00000001066a17b7 WTF::ThreadCondition::timedWait(WTF::Mutex&, double) + 119
3   com.apple.JavaScriptCore      	0x0000000106687bd2 WTF::ParkingLot::parkConditionallyImpl(void const*, WTF::ScopedLambda<bool ()> const&, WTF::ScopedLambda<void ()> const&, WTF::TimeWithDynamicClockType const&) + 2706
4   com.apple.JavaScriptCore      	0x0000000105fc6f06 bool WTF::ConditionBase::waitUntil<WTF::Lock>(WTF::Lock&, WTF::TimeWithDynamicClockType const&) + 150
5   com.apple.JavaScriptCore      	0x0000000106669817 std::__1::__function::__func<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, std::__1::allocator<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0>, void ()>::operator()() + 199
6   com.apple.JavaScriptCore      	0x00000001066a03b2 WTF::threadEntryPoint(void*) + 178
7   com.apple.JavaScriptCore      	0x00000001066a080f WTF::wtfThreadEntryPoint(void*) + 15
8   libsystem_pthread.dylib       	0x00007fffae1adaab _pthread_body + 180
9   libsystem_pthread.dylib       	0x00007fffae1ad9f7 _pthread_start + 286
10  libsystem_pthread.dylib       	0x00007fffae1ad1fd thread_start + 13

Thread 0 crashed with X86 Thread State (64-bit):
  rax: 0x0000000000000000  rbx: 0x00000001103ab770  rcx: 0x0000000111eb22a0  rdx: 0x00000001103ab770
  rdi: 0x00000001103ab770  rsi: 0x0000000000000002  rbp: 0x00007fff5ad05d80  rsp: 0x00007fff5ad05d80
   r8: 0x00000000000000a2   r9: 0x0000000000000006  r10: 0x0000000000000001  r11: 0x0000000108d5e830
  r12: 0x0000000000000000  r13: 0x00000001103ab700  r14: 0x00000001103ac350  r15: 0x00000001103ac338
  rip: 0x0000000107cb0272  rfl: 0x0000000000000246  cr2: 0x0000000146de4000
  
Logical CPU:     18
Error Code:      0x00000000
Trap Number:     3
]]
Comment 1 Daniel Bates 2017-03-18 16:00:57 PDT 
<rdar://problem/28683567>
Comment 2 Antti Koivisto 2018-02-12 17:26:44 PST 
Created attachment 333651 [details]
patch
Comment 3 Antti Koivisto 2018-02-12 19:32:28 PST 
Created attachment 333662 [details]
patch
Comment 4 Joseph Pecoraro 2018-02-12 20:24:58 PST 
Comment on attachment 333662 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=333662&action=review

Inspector test looks good to me. The rest too, but should get a more qualified review.

> LayoutTests/inspector/debugger/reload-paused.html:16
> +    let suite = InspectorTest.createAsyncSuite("Reloading paused page");

I'd prefer a name like "ReloadPaused"

> LayoutTests/inspector/debugger/reload-paused.html:19
> +       name: "No crash",

And here "ReloadPausedNoCrash"
Comment 5 Daniel Bates 2018-02-12 21:08:26 PST 
Comment on attachment 333662 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=333662&action=review

Looks sane to me.

r=me

> Source/WebCore/ChangeLog:11
> +        CachedRawResource::updateBuffer may generate unload event in client notify callback. If Inspector was

CachedRawResource::updateBuffer => updateBuffer()

> Source/WebCore/ChangeLog:12
> +        paused, this even would spawn a nested runloop. CachedRawResource::finishLoading would get called in

CachedRawResource::finishLoading => CachedRawResource::finishLoading()

> Source/WebCore/ChangeLog:20
> +        Set a bit when entering the client callback.
> +        Ensure we don't re-enter updateBuffer.
> +        If finishLoading got delayed during client callback, do it at the end.

This is OK as-is. I do not see the need to put each sentence on its own line. I suggest you removing the newlines and use the same approach as you did when writing the description for this ChangeLog and break long lines around 100 characters.

> Source/WebCore/loader/cache/CachedRawResource.cpp:59
> +    // Skip any updateBuffers triggered from nested runloops. We'll have complete buffer in finishLoading.

have => have the
updateBuffers => updateBuffers()
finishLoading => finishLoading()

> Source/WebCore/loader/cache/CachedRawResource.cpp:84
> +        auto buffer = WTFMove(m_delayedFinishLoadingData->buffer);
> +        m_delayedFinishLoadingData = std::nullopt;
> +        finishLoading(buffer.get());

I would have written this as:

auto delayedFinishLoadingData = std::exchange(m_delayedFinishLoadingData, std::nullopt);
finishLoading(delayedFinishLoadingData->buffer.get());

> Source/WebCore/loader/cache/CachedRawResource.h:96
> +    struct DelayedFinishLoadingData {
> +        RefPtr<SharedBuffer> buffer;
> +    };

I take it you feel that this struct improves the readability of the code or makes the code less error prone as opposed to using std::optional<RefPtr<SharedBuffer>> or defining DelayedFinishLoadingData to be a type alias for RefPtr<SharedBuffer>.
Comment 6 Daniel Bates 2018-02-12 21:14:14 PST 
Comment on attachment 333662 [details]
patch

I am assuming that derived classes (e.g. CachedImage) that override CachedResource::{updateBuffer, finishLoading} do not call out to the embedding client or in some way cause reentrancy before calling into the base class (CachedRawResource). Otherwise we would need a similar fix to for derived classes that have this behavior.
Comment 7 David Kilzer (:ddkilzer) 2018-02-13 03:56:15 PST 
<rdar://problem/27828570>
Comment 8 Antti Koivisto 2018-02-13 09:29:00 PST 
This is the stack that messes up the loading state, btw:

(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 2.1
  * frame #0: 0x00000003fa4e93b6 WebCore`WebCore::DocumentWriter::begin(this=0x000000040e6eb0b0, urlReference=0x00007ffeef05aa80, dispatch=false, ownerDocument=0x0000000000000000) at DocumentWriter.cpp:135
    frame #1: 0x00000003fa4ae1ee WebCore`WebCore::DocumentLoader::commitData(this=0x000000040e6eb000, bytes=0x0000000000000000, length=0) at DocumentLoader.cpp:942
    frame #2: 0x00000003fa4adc75 WebCore`WebCore::DocumentLoader::finishedLoading(this=0x000000040e6eb000) at DocumentLoader.cpp:425
    frame #3: 0x00000003fa4ada5d WebCore`WebCore::DocumentLoader::notifyFinished(this=0x000000040e6eb000, resource=0x000000040f2d7700) at DocumentLoader.cpp:379
    frame #4: 0x00000003fa4ade4c WebCore`non-virtual thunk to WebCore::DocumentLoader::notifyFinished(this=0x000000040e6eb000, resource=0x000000040f2d7700) at DocumentLoader.cpp:0
    frame #5: 0x00000003fa5d231d WebCore`WebCore::CachedResource::checkNotify(this=0x000000040f2d7700) at CachedResource.cpp:348
    frame #6: 0x00000003fa5c5041 WebCore`WebCore::CachedResource::finishLoading(this=0x000000040f2d7700, (null)=0x000000040f295a80) at CachedResource.cpp:364
    frame #7: 0x00000003fa5cf41c WebCore`WebCore::CachedRawResource::finishLoading(this=0x000000040f2d7700, data=0x000000040f295a80) at CachedRawResource.cpp:100
    frame #8: 0x00000003fa56c7a9 WebCore`WebCore::SubresourceLoader::didFinishLoading(this=0x000000040d7d3000, networkLoadMetrics=0x00007ffeef05b0c8) at SubresourceLoader.cpp:599
    frame #9: 0x000000010192559d WebKit`WebKit::WebResourceLoader::didFinishResourceLoad(this=0x000000040f299888, networkLoadMetrics=0x00007ffeef05b0c8) at WebResourceLoader.cpp:150
    frame #10: 0x000000010192917a WebKit`void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&), std::__1::tuple<WebCore::NetworkLoadMetrics>, 0ul>(object=0x000000040f299888, function=00 54 92 01 01 00 00 00 00 00 00 00 00 00 00 00, args=0x00007ffeef05b0c8, (null)=std::__1::index_sequence<0UL> @ 0x00007ffeef05aff0)(WebCore::NetworkLoadMetrics const&), std::__1::tuple<WebCore::NetworkLoadMetrics>&&, std::__1::integer_sequence<unsigned long, 0ul>) at HandleMessage.h:40
    frame #11: 0x0000000101928fe0 WebKit`void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&), std::__1::tuple<WebCore::NetworkLoadMetrics>, std::__1::integer_sequence<unsigned long, 0ul> >(args=0x00007ffeef05b0c8, object=0x000000040f299888, function=00 54 92 01 01 00 00 00 00 00 00 00 00 00 00 00)(WebCore::NetworkLoadMetrics const&)) at HandleMessage.h:46
    frame #12: 0x0000000101928346 WebKit`void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(decoder=0x000000040d722ac8, object=0x000000040f299888, function=00 54 92 01 01 00 00 00 00 00 00 00 00 00 00 00)(WebCore::NetworkLoadMetrics const&)) at HandleMessage.h:126
    frame #13: 0x00000001019279bc WebKit`WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(this=0x000000040f299888, connection=0x000000040d7ee1b8, decoder=0x000000040d722ac8) at WebResourceLoaderMessageReceiver.cpp:65
    frame #14: 0x0000000100f74bd9 WebKit`WebKit::NetworkProcessConnection::didReceiveMessage(this=0x000000040d7dc000, connection=0x000000040d7ee1b8, decoder=0x000000040d722ac8) at NetworkProcessConnection.cpp:69
    frame #15: 0x0000000100cfca83 WebKit`IPC::Connection::dispatchMessage(this=0x000000040d7ee1b8, decoder=0x000000040d722ac8) at Connection.cpp:907
    frame #16: 0x0000000100cf2068 WebKit`IPC::Connection::dispatchMessage(this=0x000000040d7ee1b8, message=unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> > @ 0x00007ffeef05b7b0) at Connection.cpp:934
    frame #17: 0x0000000100cfd08a WebKit`IPC::Connection::dispatchOneMessage(this=0x000000040d7ee1b8) at Connection.cpp:965
    frame #18: 0x0000000100d1564d WebKit`IPC::Connection::enqueueIncomingMessage(this=0x000000040d760148)::$_14::operator()() at Connection.cpp:901
    frame #19: 0x0000000100d155a9 WebKit`WTF::Function<void ()>::CallableWrapper<IPC::Connection::enqueueIncomingMessage(this=0x000000040d760140)::$_14>::call() at Function.h:101
    frame #20: 0x00000004089dbefb JavaScriptCore`WTF::Function<void ()>::operator(this=0x00007ffeef05bc38)() const at Function.h:56
    frame #21: 0x0000000408a21043 JavaScriptCore`WTF::RunLoop::performWork(this=0x000000040d7f9000) at RunLoop.cpp:106
    frame #22: 0x0000000408a218e4 JavaScriptCore`WTF::RunLoop::performWork(context=0x000000040d7f9000) at RunLoopCF.cpp:38
    frame #23: 0x00007fff2ff8e271 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
    frame #24: 0x00007fff30047c6c CoreFoundation`__CFRunLoopDoSource0 + 108
    frame #25: 0x00007fff2ff70db0 CoreFoundation`__CFRunLoopDoSources0 + 208
    frame #26: 0x00007fff2ff7022d CoreFoundation`__CFRunLoopRun + 1293
    frame #27: 0x00007fff2ff6fa93 CoreFoundation`CFRunLoopRunSpecific + 483
    frame #28: 0x00007fff2f260ef6 HIToolbox`RunCurrentEventLoopInMode + 286
    frame #29: 0x00007fff2f260b6f HIToolbox`ReceiveNextEventCommon + 366
    frame #30: 0x00007fff2f2609e4 HIToolbox`_BlockUntilNextEventMatchingListInModeWithFilter + 64
    frame #31: 0x00007fff2d4e94db AppKit`_DPSNextEvent + 2085
    frame #32: 0x00007fff2dc7f6f8 AppKit`-[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 3044
    frame #33: 0x00000003f89b5eb8 WebCore`WebCore::EventLoop::cycle(this=0x00007ffeef05d290) at EventLoopMac.mm:40
    frame #34: 0x00000003fa3b35c1 WebCore`WebCore::PageScriptDebugServer::runEventLoopWhilePausedInternal(this=0x000000040d7d5038) at PageScriptDebugServer.cpp:121
    frame #35: 0x00000003fa3b3545 WebCore`WebCore::PageScriptDebugServer::runEventLoopWhilePaused(this=0x000000040d7d5038) at PageScriptDebugServer.cpp:110
    frame #36: 0x00000004081c5624 JavaScriptCore`Inspector::ScriptDebugServer::handlePause(this=0x000000040d7d5038, vmEntryGlobalObject=0x000000040e7fcfb0, (null)=PausedForBreakpoint) at ScriptDebugServer.cpp:301
    frame #37: 0x0000000407a3dee1 JavaScriptCore`JSC::Debugger::pauseIfNeeded(this=0x000000040d7d5038, callFrame=0x00007ffeef05d690) at Debugger.cpp:739
    frame #38: 0x0000000407a3e1de JavaScriptCore`JSC::Debugger::updateCallFrame(this=0x000000040d7d5038, callFrame=0x00007ffeef05d690, action=AttemptPause) at Debugger.cpp:668
    frame #39: 0x0000000407a3e7f3 JavaScriptCore`JSC::Debugger::atStatement(this=0x000000040d7d5038, callFrame=0x00007ffeef05d690) at Debugger.cpp:787
    frame #40: 0x000000040821384a JavaScriptCore`JSC::Interpreter::debug(this=0x000000040d7fe728, callFrame=0x00007ffeef05d690, debugHookType=WillExecuteStatement) at Interpreter.cpp:1375
    frame #41: 0x00000004082e0073 JavaScriptCore`::llint_slow_path_debug(exec=0x00007ffeef05d690, pc=0x000000040d7d2e40) at LLIntSlowPaths.cpp:1596
    frame #42: 0x00000004074f490d JavaScriptCore`llint_entry at LowLevelInterpreter64.asm:58
    frame #43: 0x00000004074f3d65 JavaScriptCore`llint_entry at LowLevelInterpreter.asm:832
    frame #44: 0x00000004074ebc52 JavaScriptCore`vmEntryToJavaScript at LowLevelInterpreter64.asm:257
    frame #45: 0x000000040826c3de JavaScriptCore`JSC::JITCode::execute(this=0x000000040f271988, vm=0x000000040e500000, protoCallFrame=0x00007ffeef05d8d8) at JITCode.cpp:81
    frame #46: 0x0000000408211d65 JavaScriptCore`JSC::Interpreter::executeCall(this=0x000000040d7fe728, callFrame=0x000000040e7fd008, function=0x000000040e7ebea0, callType=JS, callData=0x00007ffeef05df20, thisValue=JSValue @ 0x00007ffeef05da00, args=0x00007ffeef05ddf0) at Interpreter.cpp:1028
    frame #47: 0x000000040847af1a JavaScriptCore`JSC::call(exec=0x000000040e7fd008, functionObject=JSValue @ 0x00007ffeef05da80, callType=JS, callData=0x00007ffeef05df20, thisValue=JSValue @ 0x00007ffeef05da78, args=0x00007ffeef05ddf0) at CallData.cpp:41
    frame #48: 0x000000040847aff9 JavaScriptCore`JSC::call(exec=0x000000040e7fd008, functionObject=JSValue @ 0x00007ffeef05db70, callType=JS, callData=0x00007ffeef05df20, thisValue=JSValue @ 0x00007ffeef05db68, args=0x00007ffeef05ddf0, returnedException=0x00007ffeef05de18) at CallData.cpp:48
    frame #49: 0x000000040847b29d JavaScriptCore`JSC::profiledCall(exec=0x000000040e7fd008, reason=Other, functionObject=JSValue @ 0x00007ffeef05dc00, callType=JS, callData=0x00007ffeef05df20, thisValue=JSValue @ 0x00007ffeef05dbf8, args=0x00007ffeef05ddf0, returnedException=0x00007ffeef05de18) at CallData.cpp:67
    frame #50: 0x00000003f990eb3b WebCore`WebCore::JSMainThreadExecState::profiledCall(exec=0x000000040e7fd008, reason=Other, functionObject=JSValue @ 0x00007ffeef05dc90, callType=JS, callData=0x00007ffeef05df20, thisValue=JSValue @ 0x00007ffeef05dc88, args=0x00007ffeef05ddf0, returnedException=0x00007ffeef05de18) at JSMainThreadExecState.h:72
    frame #51: 0x00000003f994c752 WebCore`WebCore::JSEventListener::handleEvent(this=0x000000040f2cd548, scriptExecutionContext=0x000000040f2cf000, event=0x000000040f2946e0) at JSEventListener.cpp:169
    frame #52: 0x00000003f9ebb392 WebCore`WebCore::EventTarget::fireEventListeners(this=0x000000040d7e1d40, event=0x000000040f2946e0, listeners=WebCore::EventListenerVector @ 0x00007ffeef05e158) at EventTarget.cpp:290
    frame #53: 0x00000003f9eb2dea WebCore`WebCore::EventTarget::fireEventListeners(this=0x000000040d7e1d40, event=0x000000040f2946e0) at EventTarget.cpp:232
    frame #54: 0x00000003fa63dab1 WebCore`WebCore::DOMWindow::dispatchEvent(this=0x000000040d7e1d40, event=0x000000040f2946e0, target=0x000000040f2cf000) at DOMWindow.cpp:2064
    frame #55: 0x00000003fa4f91ec WebCore`WebCore::FrameLoader::dispatchUnloadEvents(this=0x00007fd8c5436100, unloadEventPolicy=UnloadEventPolicyUnloadAndPageHide) at FrameLoader.cpp:3039
    frame #56: 0x00000003fa4f8db5 WebCore`WebCore::FrameLoader::stopLoading(this=0x00007fd8c5436100, unloadEventPolicy=UnloadEventPolicyUnloadAndPageHide) at FrameLoader.cpp:472
    frame #57: 0x00000003fa4f96e5 WebCore`WebCore::FrameLoader::closeURL(this=0x00007fd8c5436100) at FrameLoader.cpp:537
    frame #58: 0x00000003fa5055a5 WebCore`WebCore::FrameLoader::detachFromParent(this=0x00007fd8c5436100) at FrameLoader.cpp:2585
    frame #59: 0x00000003fa4fd890 WebCore`WebCore::FrameLoader::detachChildren(this=0x00007fd8c5538310) at FrameLoader.cpp:2504
    frame #60: 0x00000003fa4f764b WebCore`WebCore::FrameLoader::setDocumentLoader(this=0x00007fd8c5538310, loader=0x000000040e6eb000) at FrameLoader.cpp:1775
    frame #61: 0x00000003fa503046 WebCore`WebCore::FrameLoader::transitionToCommitted(this=0x00007fd8c5538310, cachedPage=0x0000000000000000) at FrameLoader.cpp:1998
    frame #62: 0x00000003fa50235a WebCore`WebCore::FrameLoader::commitProvisionalLoad(this=0x00007fd8c5538310) at FrameLoader.cpp:1871
    frame #63: 0x00000003fa4ad8ec WebCore`WebCore::DocumentLoader::commitIfReady(this=0x000000040e6eb000) at DocumentLoader.cpp:354
    frame #64: 0x00000003fa4b1fec WebCore`WebCore::DocumentLoader::commitLoad(this=0x000000040e6eb000, data="<!DOCTYPE html>\n<html>\n<head>\n</head>\n<body>\n<iframe src=\"unload-with-inspector-at-breakpoint-crash-frame.html\" width=\"500\" height=\"500\"></iframe>\n</body>\n</html>", length=162) at DocumentLoader.cpp:903
    frame #65: 0x00000003fa4b1f8f WebCore`WebCore::DocumentLoader::dataReceived(this=0x000000040e6eb000, data="<!DOCTYPE html>\n<html>\n<head>\n</head>\n<body>\n<iframe src=\"unload-with-inspector-at-breakpoint-crash-frame.html\" width=\"500\" height=\"500\"></iframe>\n</body>\n</html>", length=162) at DocumentLoader.cpp:1050
    frame #66: 0x00000003fa4b2894 WebCore`WebCore::DocumentLoader::dataReceived(this=0x000000040e6eb000, resource=0x000000040f2d7700, data="<!DOCTYPE html>\n<html>\n<head>\n</head>\n<body>\n<iframe src=\"unload-with-inspector-at-breakpoint-crash-frame.html\" width=\"500\" height=\"500\"></iframe>\n</body>\n</html>", length=162) at DocumentLoader.cpp:1023
    frame #67: 0x00000003fa4b28da WebCore`non-virtual thunk to WebCore::DocumentLoader::dataReceived(this=0x000000040e6eb000, resource=0x000000040f2d7700, data="<!DOCTYPE html>\n<html>\n<head>\n</head>\n<body>\n<iframe src=\"unload-with-inspector-at-breakpoint-crash-frame.html\" width=\"500\" height=\"500\"></iframe>\n</body>\n</html>", length=162) at DocumentLoader.cpp:0
    frame #68: 0x00000003fa5cf178 WebCore`WebCore::CachedRawResource::notifyClientsDataWasReceived(this=0x000000040f2d7700, data="<!DOCTYPE html>\n<html>\n<head>\n</head>\n<body>\n<iframe src=\"unload-with-inspector-at-breakpoint-crash-frame.html\" width=\"500\" height=\"500\"></iframe>\n</body>\n</html>", length=162) at CachedRawResource.cpp:116
    frame #69: 0x00000003fa5cf00d WebCore`WebCore::CachedRawResource::updateBuffer(this=0x000000040f2d7700, data=0x000000040f295a80) at CachedRawResource.cpp:65
    frame #70: 0x00000003fa56de6a WebCore`WebCore::SubresourceLoader::didReceiveDataOrBuffer(this=0x000000040d7d3000, data="<!DOCTYPE html>\n<html>\n<head>\n</head>\n<body>\n<iframe src=\"unload-with-inspector-at-breakpoint-crash-frame.html\" width=\"500\" height=\"500\"></iframe>\n</body>\n</html>", length=162, buffer=0x00007ffeef05f3f0, encodedDataLength=162, dataPayloadType=DataPayloadBytes) at SubresourceLoader.cpp:430
    frame #71: 0x00000003fa56dc32 WebCore`WebCore::SubresourceLoader::didReceiveData(this=0x000000040d7d3000, data="<!DOCTYPE html>\n<html>\n<head>\n</head>\n<body>\n<iframe src=\"unload-with-inspector-at-breakpoint-crash-frame.html\" width=\"500\" height=\"500\"></iframe>\n</body>\n</html>", length=162, encodedDataLength=162, dataPayloadType=DataPayloadBytes) at SubresourceLoader.cpp:398
    frame #72: 0x00000001019252d4 WebKit`WebKit::WebResourceLoader::didReceiveData(this=0x000000040f299888, data=0x00007ffeef05f5f0, encodedDataLength=162) at WebResourceLoader.cpp:134
    frame #73: 0x0000000101928f40 WebKit`void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(IPC::DataReference const&, long long), std::__1::tuple<IPC::DataReference, long long>, 0ul, 1ul>(object=0x000000040f299888, function=e0 50 92 01 01 00 00 00 00 00 00 00 00 00 00 00, args=0x00007ffeef05f5f0, (null)=std::__1::index_sequence<0UL, 1UL> @ 0x00007ffeef05f4f8)(IPC::DataReference const&, long long), std::__1::tuple<IPC::DataReference, long long>&&, std::__1::integer_sequence<unsigned long, 0ul, 1ul>) at HandleMessage.h:40
    frame #74: 0x0000000101928e70 WebKit`void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(IPC::DataReference const&, long long), std::__1::tuple<IPC::DataReference, long long>, std::__1::integer_sequence<unsigned long, 0ul, 1ul> >(args=0x00007ffeef05f5f0, object=0x000000040f299888, function=e0 50 92 01 01 00 00 00 00 00 00 00 00 00 00 00)(IPC::DataReference const&, long long)) at HandleMessage.h:46
    frame #75: 0x0000000101928201 WebKit`void IPC::handleMessage<Messages::WebResourceLoader::DidReceiveData, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(IPC::DataReference const&, long long)>(decoder=0x000000040d722a50, object=0x000000040f299888, function=e0 50 92 01 01 00 00 00 00 00 00 00 00 00 00 00)(IPC::DataReference const&, long long)) at HandleMessage.h:126
    frame #76: 0x0000000101927936 WebKit`WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(this=0x000000040f299888, connection=0x000000040d7ee1b8, decoder=0x000000040d722a50) at WebResourceLoaderMessageReceiver.cpp:61
    frame #77: 0x0000000100f74bd9 WebKit`WebKit::NetworkProcessConnection::didReceiveMessage(this=0x000000040d7dc000, connection=0x000000040d7ee1b8, decoder=0x000000040d722a50) at NetworkProcessConnection.cpp:69
    frame #78: 0x0000000100cfca83 WebKit`IPC::Connection::dispatchMessage(this=0x000000040d7ee1b8, decoder=0x000000040d722a50) at Connection.cpp:907
    frame #79: 0x0000000100cf2068 WebKit`IPC::Connection::dispatchMessage(this=0x000000040d7ee1b8, message=unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> > @ 0x00007ffeef05fbe0) at Connection.cpp:934
    frame #80: 0x0000000100cfd08a WebKit`IPC::Connection::dispatchOneMessage(this=0x000000040d7ee1b8) at Connection.cpp:965
    frame #81: 0x0000000100d1564d WebKit`IPC::Connection::enqueueIncomingMessage(this=0x000000040d760138)::$_14::operator()() at Connection.cpp:901
    frame #82: 0x0000000100d155a9 WebKit`WTF::Function<void ()>::CallableWrapper<IPC::Connection::enqueueIncomingMessage(this=0x000000040d760130)::$_14>::call() at Function.h:101
    frame #83: 0x00000004089dbefb JavaScriptCore`WTF::Function<void ()>::operator(this=0x00007ffeef060068)() const at Function.h:56
    frame #84: 0x0000000408a21043 JavaScriptCore`WTF::RunLoop::performWork(this=0x000000040d7f9000) at RunLoop.cpp:106
    frame #85: 0x0000000408a218e4 JavaScriptCore`WTF::RunLoop::performWork(context=0x000000040d7f9000) at RunLoopCF.cpp:38
    frame #86: 0x00007fff2ff8e271 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
    frame #87: 0x00007fff30047c6c CoreFoundation`__CFRunLoopDoSource0 + 108
    frame #88: 0x00007fff2ff70db0 CoreFoundation`__CFRunLoopDoSources0 + 208
    frame #89: 0x00007fff2ff7022d CoreFoundation`__CFRunLoopRun + 1293
    frame #90: 0x00007fff2ff6fa93 CoreFoundation`CFRunLoopRunSpecific + 483
    frame #91: 0x00007fff2f260ef6 HIToolbox`RunCurrentEventLoopInMode + 286
    frame #92: 0x00007fff2f260c66 HIToolbox`ReceiveNextEventCommon + 613
    frame #93: 0x00007fff2f2609e4 HIToolbox`_BlockUntilNextEventMatchingListInModeWithFilter + 64
    frame #94: 0x00007fff2d4e94db AppKit`_DPSNextEvent + 2085
    frame #95: 0x00007fff2dc7f6f8 AppKit`-[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 3044
    frame #96: 0x00007fff2d4de2ed AppKit`-[NSApplication run] + 764
    frame #97: 0x00007fff2d4ad4c6 AppKit`NSApplicationMain + 804
    frame #98: 0x00007fff58a75f83 libxpc.dylib`_xpc_objc_main + 580
    frame #99: 0x00007fff58a74bd6 libxpc.dylib`xpc_main + 417
    frame #100: 0x0000000100b9f13b com.apple.WebKit.WebContent.Development`main(argc=1, argv=0x00007ffeef061a18) at XPCServiceMain.mm:148
    frame #101: 0x00007fff58727015 libdyld.dylib`start + 1
    frame #102: 0x00007fff58727015 libdyld.dylib`start + 1
Comment 9 Antti Koivisto 2018-02-13 09:31:17 PST 
> > I take it you feel that this struct improves the readability of the code or
> makes the code less error prone as opposed to using
> std::optional<RefPtr<SharedBuffer>> or defining DelayedFinishLoadingData to
> be a type alias for RefPtr<SharedBuffer>.

Yeah, nullable types as optionals can be bit awkward and confusing.
Comment 10 Antti Koivisto 2018-02-13 09:34:05 PST 
(In reply to Daniel Bates from comment #6)
> Comment on attachment 333662 [details]
> patch
> 
> I am assuming that derived classes (e.g. CachedImage) that override
> CachedResource::{updateBuffer, finishLoading} do not call out to the
> embedding client or in some way cause reentrancy before calling into the
> base class (CachedRawResource). Otherwise we would need a similar fix to for
> derived classes that have this behavior.

Most subtypes don't stream the data at all or the streaming won't cause events to be sent. It is still possible that something else has the same problem, however it is better to do a conservative fix at this point.
Comment 11 Antti Koivisto 2018-02-13 09:56:36 PST 
Created attachment 333697 [details]
for landing
Comment 12 Antti Koivisto 2018-02-13 09:58:59 PST 
Created attachment 333698 [details]
for landing
Comment 13 WebKit Commit Bot 2018-02-13 14:39:52 PST 
Comment on attachment 333698 [details]
for landing

Clearing flags on attachment: 333698

Committed r228435: <https://trac.webkit.org/changeset/228435>
Comment 14 WebKit Commit Bot 2018-02-13 14:39:54 PST 
All reviewed patches have been landed.  Closing bug.