Bug 19556

Summary: REGRESSION (r34544): Crash while visiting bigglook.com
Product: WebKit Reporter: Ismail Donmez <ismail>
Component: Page LoadingAssignee: Darin Adler <darin>
Status: RESOLVED FIXED    
Severity: Critical CC: beidson, darin, mitz, zwarich
Priority: P1 Keywords: Regression
Version: 528+ (Nightly build)   
Hardware: Mac   
OS: OS X 10.5   
Attachments:
Description Flags
patch mitz: review+

Ismail Donmez
Reported 2008-06-15 07:44:43 PDT
Visit http://bigglook.com with latest trunk and Safari crashes, I got multiple backtraces: Thread 0 Crashed: 0 com.apple.WebCore 0x0108199b WTF::HashTable<WebCore::String, WebCore::String, WTF::IdentityExtractor<WebCore::String>, WebCore::StringHash, WTF::HashTraits<WebCore::String>, WTF::HashTraits<WebCore::String> >::rehash(int) + 107 (PlatformString.h:225) 1 com.apple.WebCore 0x01081ccd WTF::HashTable<WebCore::String, WebCore::String, WTF::IdentityExtractor<WebCore::String>, WebCore::StringHash, WTF::HashTraits<WebCore::String>, WTF::HashTraits<WebCore::String> >::expand() + 45 (HashTable.h:874) 2 com.apple.WebCore 0x0108206b std::pair<WTF::HashTableIterator<WebCore::String, WebCore::String, WTF::IdentityExtractor<WebCore::String>, WebCore::StringHash, WTF::HashTraits<WebCore::String>, WTF::HashTraits<WebCore::String> >, bool> WTF::HashTable<WebCore::String, WebCore::String, WTF::IdentityExtractor<WebCore::String>, WebCore::StringHash, WTF::HashTraits<WebCore::String>, WTF::HashTraits<WebCore::String> >::add<WebCore::String, WebCore::String, WTF::IdentityHashTranslator<WebCore::String, WebCore::String, WebCore::StringHash> >(WebCore::String const&, WebCore::String const&) + 875 3 com.apple.WebCore 0x010820c7 WTF::HashSet<WebCore::String, WebCore::StringHash, WTF::HashTraits<WebCore::String> >::add(WebCore::String const&) + 39 (HashTable.h:1095) 4 com.apple.WebCore 0x013855c3 WebCore::PageURLRecord::setIconRecord(WTF::PassRefPtr<WebCore::IconRecord>) + 163 (PageURLRecord.cpp:55) 5 com.apple.WebCore 0x01222b9f WebCore::IconDatabase::setIconURLForPageURL(WebCore::String const&, WebCore::String const&) + 415 (PassRefPtr.h:44) 6 com.apple.WebCore 0x0118fcdc WebCore::FrameLoader::commitIconURLToIconDatabase(WebCore::KURL const&) + 44 (FrameLoader.cpp:1183) 7 com.apple.WebCore 0x0122c071 WebCore::IconLoader::finishLoading(WebCore::KURL const&, WTF::PassRefPtr<WebCore::SharedBuffer>) + 145 (IconLoader.cpp:159) 8 com.apple.WebCore 0x0122c948 WebCore::IconLoader::didReceiveResponse(WebCore::SubresourceLoader*, WebCore::ResourceResponse const&) + 184 (RefPtr.h:51) 9 com.apple.WebCore 0x0152dbdf WebCore::SubresourceLoader::didReceiveResponse(WebCore::ResourceResponse const&) + 95 (SubresourceLoader.cpp:150) 10 com.apple.WebCore 0x01437cab -[WebCoreResourceHandleAsDelegate connection:didReceiveResponse:] + 267 (RetainPtr.h:72) 11 com.apple.Foundation 0x9394481a -[NSURLConnection(NSURLConnectionReallyInternal) sendDidReceiveResponse:] + 122 12 com.apple.Foundation 0x9394476a _NSURLConnectionDidReceiveResponse + 154 13 com.apple.CFNetwork 0x92633703 sendDidReceiveDataCallback + 350 14 com.apple.CFNetwork 0x92630cee _CFURLConnectionSendCallbacks + 1586 15 com.apple.CFNetwork 0x9263063f muxerSourcePerform + 283 16 com.apple.CoreFoundation 0x9047460e CFRunLoopRunSpecific + 3166 17 com.apple.CoreFoundation 0x90474cf8 CFRunLoopRunInMode + 88 18 com.apple.HIToolbox 0x93b92da4 RunCurrentEventLoopInMode + 283 19 com.apple.HIToolbox 0x93b92bbd ReceiveNextEventCommon + 374 20 com.apple.HIToolbox 0x93b92a31 BlockUntilNextEventMatchingListInMode + 106 21 com.apple.AppKit 0x92c61505 _DPSNextEvent + 657 22 com.apple.AppKit 0x92c60db8 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128 23 com.apple.Safari 0x00007c7e 0x1000 + 27774 24 com.apple.AppKit 0x92c59df3 -[NSApplication run] + 795 25 com.apple.AppKit 0x92c27030 NSApplicationMain + 574 26 com.apple.Safari 0x000b4de6 0x1000 + 736742 And the other one : Thread 0 Crashed: 0 ??? 0000000000 0 + 0 1 com.apple.WebKit 0x00215acb -[WebView(WebViewInternal) _dispatchDidReceiveIconFromWebFrame:] + 187 (WebView.mm:4330) 2 com.apple.WebKit 0x001bd759 WebFrameLoaderClient::dispatchDidReceiveIcon() + 57 (WebFrameLoaderClient.mm:473) 3 com.apple.WebCore 0x0122c08f WebCore::IconLoader::finishLoading(WebCore::KURL const&, WTF::PassRefPtr<WebCore::SharedBuffer>) + 175 (IconLoader.cpp:162) 4 com.apple.WebCore 0x0122c948 WebCore::IconLoader::didReceiveResponse(WebCore::SubresourceLoader*, WebCore::ResourceResponse const&) + 184 (RefPtr.h:51) 5 com.apple.WebCore 0x0152dbdf WebCore::SubresourceLoader::didReceiveResponse(WebCore::ResourceResponse const&) + 95 (SubresourceLoader.cpp:150) 6 com.apple.WebCore 0x01437cab -[WebCoreResourceHandleAsDelegate connection:didReceiveResponse:] + 267 (RetainPtr.h:72) 7 com.apple.Foundation 0x9394481a -[NSURLConnection(NSURLConnectionReallyInternal) sendDidReceiveResponse:] + 122 8 com.apple.Foundation 0x9394476a _NSURLConnectionDidReceiveResponse + 154 9 com.apple.CFNetwork 0x92633703 sendDidReceiveDataCallback + 350 10 com.apple.CFNetwork 0x92630cee _CFURLConnectionSendCallbacks + 1586 11 com.apple.CFNetwork 0x9263063f muxerSourcePerform + 283 12 com.apple.CoreFoundation 0x9047460e CFRunLoopRunSpecific + 3166 13 com.apple.CoreFoundation 0x90474cf8 CFRunLoopRunInMode + 88 14 com.apple.HIToolbox 0x93b92da4 RunCurrentEventLoopInMode + 283 15 com.apple.HIToolbox 0x93b92bbd ReceiveNextEventCommon + 374 16 com.apple.HIToolbox 0x93b92a31 BlockUntilNextEventMatchingListInMode + 106 17 com.apple.AppKit 0x92c61505 _DPSNextEvent + 657 18 com.apple.AppKit 0x92c60db8 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128 19 com.apple.Safari 0x00007c7e 0x1000 + 27774 20 com.apple.AppKit 0x92c59df3 -[NSApplication run] + 795 21 com.apple.AppKit 0x92c27030 NSApplicationMain + 574 22 com.apple.Safari 0x000b4de6 0x1000 + 736742
Attachments
patch (3.09 KB, patch)
2008-06-15 15:04 PDT, Darin Adler 		mitz: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
mitz
Comment 1 2008-06-15 11:14:55 PDT
This is caused by over-releasing the IconRecord in the "create" case of IconDatabase::getOrCreateIconRecord().
mitz
Comment 2 2008-06-15 12:31:40 PDT
Prior to r34544, the code relied on the ability of m_iconURLToRecordMap to keep weak references to newly-created IconRecords with a 0 reference count. I don't think it's possible to just change m_iconURLToRecordMap to use strong references, because of the hasOneRef() checks in other places in the code.
Darin Adler
Comment 3 2008-06-15 12:33:31 PDT
Damn! I wonder what should we do about this.
Cameron Zwarich (cpst)
Comment 4 2008-06-15 12:52:23 PDT
*** Bug 19563 has been marked as a duplicate of this bug. ***
Darin Adler
Comment 5 2008-06-15 14:37:38 PDT
(In reply to comment #2) > Prior to r34544, the code relied on the ability of m_iconURLToRecordMap to keep > weak references to newly-created IconRecords with a 0 reference count. I don't > think it's possible to just change m_iconURLToRecordMap to use strong > references, because of the hasOneRef() checks in other places in the code. I think we can fix this without changing the map so it can keep strong references, as long as nobody is relying on the IconRecord being kept alive indefinitely with a 0 reference count. I need to figure out more precisely what's going wrong. I've set aside my other work so I can concentrate on this now.
Darin Adler
Comment 6 2008-06-15 15:04:03 PDT
Created attachment 21718 [details] patch
mitz
Comment 7 2008-06-15 15:05:34 PDT
Comment on attachment 21718 [details] patch r=me
Darin Adler
Comment 8 2008-06-15 15:11:40 PDT
Committed revision 34575.
Note You need to log in before you can comment on or make changes to this bug.