Bug 19556

Summary: REGRESSION (r34544): Crash while visiting bigglook.com
Product: WebKit
Reporter: Ismail Donmez <ismail>
Component: Page Loading
Assignee: Darin Adler <darin>
Status: RESOLVED FIXED
Severity: Critical
CC: beidson, darin, mitz, zwarich
Priority: P1
Keywords: Regression
Version: 528+ (Nightly build)
Hardware: Mac
OS: OS X 10.5
Attachments:
patch (flags: mitz: review+)

Description Ismail Donmez 2008-06-15 07:44:43 PDT
Visit http://bigglook.com with the latest trunk and Safari crashes; I got multiple backtraces:

Thread 0 Crashed:
0   com.apple.WebCore             	0x0108199b WTF::HashTable<WebCore::String, WebCore::String, WTF::IdentityExtractor<WebCore::String>, WebCore::StringHash, WTF::HashTraits<WebCore::String>, WTF::HashTraits<WebCore::String> >::rehash(int) + 107 (PlatformString.h:225)
1   com.apple.WebCore             	0x01081ccd WTF::HashTable<WebCore::String, WebCore::String, WTF::IdentityExtractor<WebCore::String>, WebCore::StringHash, WTF::HashTraits<WebCore::String>, WTF::HashTraits<WebCore::String> >::expand() + 45 (HashTable.h:874)
2   com.apple.WebCore             	0x0108206b std::pair<WTF::HashTableIterator<WebCore::String, WebCore::String, WTF::IdentityExtractor<WebCore::String>, WebCore::StringHash, WTF::HashTraits<WebCore::String>, WTF::HashTraits<WebCore::String> >, bool> WTF::HashTable<WebCore::String, WebCore::String, WTF::IdentityExtractor<WebCore::String>, WebCore::StringHash, WTF::HashTraits<WebCore::String>, WTF::HashTraits<WebCore::String> >::add<WebCore::String, WebCore::String, WTF::IdentityHashTranslator<WebCore::String, WebCore::String, WebCore::StringHash> >(WebCore::String const&, WebCore::String const&) + 875
3   com.apple.WebCore             	0x010820c7 WTF::HashSet<WebCore::String, WebCore::StringHash, WTF::HashTraits<WebCore::String> >::add(WebCore::String const&) + 39 (HashTable.h:1095)
4   com.apple.WebCore             	0x013855c3 WebCore::PageURLRecord::setIconRecord(WTF::PassRefPtr<WebCore::IconRecord>) + 163 (PageURLRecord.cpp:55)
5   com.apple.WebCore             	0x01222b9f WebCore::IconDatabase::setIconURLForPageURL(WebCore::String const&, WebCore::String const&) + 415 (PassRefPtr.h:44)
6   com.apple.WebCore             	0x0118fcdc WebCore::FrameLoader::commitIconURLToIconDatabase(WebCore::KURL const&) + 44 (FrameLoader.cpp:1183)
7   com.apple.WebCore             	0x0122c071 WebCore::IconLoader::finishLoading(WebCore::KURL const&, WTF::PassRefPtr<WebCore::SharedBuffer>) + 145 (IconLoader.cpp:159)
8   com.apple.WebCore             	0x0122c948 WebCore::IconLoader::didReceiveResponse(WebCore::SubresourceLoader*, WebCore::ResourceResponse const&) + 184 (RefPtr.h:51)
9   com.apple.WebCore             	0x0152dbdf WebCore::SubresourceLoader::didReceiveResponse(WebCore::ResourceResponse const&) + 95 (SubresourceLoader.cpp:150)
10  com.apple.WebCore             	0x01437cab -[WebCoreResourceHandleAsDelegate connection:didReceiveResponse:] + 267 (RetainPtr.h:72)
11  com.apple.Foundation          	0x9394481a -[NSURLConnection(NSURLConnectionReallyInternal) sendDidReceiveResponse:] + 122
12  com.apple.Foundation          	0x9394476a _NSURLConnectionDidReceiveResponse + 154
13  com.apple.CFNetwork           	0x92633703 sendDidReceiveDataCallback + 350
14  com.apple.CFNetwork           	0x92630cee _CFURLConnectionSendCallbacks + 1586
15  com.apple.CFNetwork           	0x9263063f muxerSourcePerform + 283
16  com.apple.CoreFoundation      	0x9047460e CFRunLoopRunSpecific + 3166
17  com.apple.CoreFoundation      	0x90474cf8 CFRunLoopRunInMode + 88
18  com.apple.HIToolbox           	0x93b92da4 RunCurrentEventLoopInMode + 283
19  com.apple.HIToolbox           	0x93b92bbd ReceiveNextEventCommon + 374
20  com.apple.HIToolbox           	0x93b92a31 BlockUntilNextEventMatchingListInMode + 106
21  com.apple.AppKit              	0x92c61505 _DPSNextEvent + 657
22  com.apple.AppKit              	0x92c60db8 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
23  com.apple.Safari              	0x00007c7e 0x1000 + 27774
24  com.apple.AppKit              	0x92c59df3 -[NSApplication run] + 795
25  com.apple.AppKit              	0x92c27030 NSApplicationMain + 574
26  com.apple.Safari              	0x000b4de6 0x1000 + 736742

And the other one:

Thread 0 Crashed:
0   ???                           	0000000000 0 + 0
1   com.apple.WebKit              	0x00215acb -[WebView(WebViewInternal) _dispatchDidReceiveIconFromWebFrame:] + 187 (WebView.mm:4330)
2   com.apple.WebKit              	0x001bd759 WebFrameLoaderClient::dispatchDidReceiveIcon() + 57 (WebFrameLoaderClient.mm:473)
3   com.apple.WebCore             	0x0122c08f WebCore::IconLoader::finishLoading(WebCore::KURL const&, WTF::PassRefPtr<WebCore::SharedBuffer>) + 175 (IconLoader.cpp:162)
4   com.apple.WebCore             	0x0122c948 WebCore::IconLoader::didReceiveResponse(WebCore::SubresourceLoader*, WebCore::ResourceResponse const&) + 184 (RefPtr.h:51)
5   com.apple.WebCore             	0x0152dbdf WebCore::SubresourceLoader::didReceiveResponse(WebCore::ResourceResponse const&) + 95 (SubresourceLoader.cpp:150)
6   com.apple.WebCore             	0x01437cab -[WebCoreResourceHandleAsDelegate connection:didReceiveResponse:] + 267 (RetainPtr.h:72)
7   com.apple.Foundation          	0x9394481a -[NSURLConnection(NSURLConnectionReallyInternal) sendDidReceiveResponse:] + 122
8   com.apple.Foundation          	0x9394476a _NSURLConnectionDidReceiveResponse + 154
9   com.apple.CFNetwork           	0x92633703 sendDidReceiveDataCallback + 350
10  com.apple.CFNetwork           	0x92630cee _CFURLConnectionSendCallbacks + 1586
11  com.apple.CFNetwork           	0x9263063f muxerSourcePerform + 283
12  com.apple.CoreFoundation      	0x9047460e CFRunLoopRunSpecific + 3166
13  com.apple.CoreFoundation      	0x90474cf8 CFRunLoopRunInMode + 88
14  com.apple.HIToolbox           	0x93b92da4 RunCurrentEventLoopInMode + 283
15  com.apple.HIToolbox           	0x93b92bbd ReceiveNextEventCommon + 374
16  com.apple.HIToolbox           	0x93b92a31 BlockUntilNextEventMatchingListInMode + 106
17  com.apple.AppKit              	0x92c61505 _DPSNextEvent + 657
18  com.apple.AppKit              	0x92c60db8 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
19  com.apple.Safari              	0x00007c7e 0x1000 + 27774
20  com.apple.AppKit              	0x92c59df3 -[NSApplication run] + 795
21  com.apple.AppKit              	0x92c27030 NSApplicationMain + 574
22  com.apple.Safari              	0x000b4de6 0x1000 + 736742
Comment 1 mitz 2008-06-15 11:14:55 PDT
This is caused by over-releasing the IconRecord in the "create" case of IconDatabase::getOrCreateIconRecord().
Comment 2 mitz 2008-06-15 12:31:40 PDT
Prior to r34544, the code relied on the ability of m_iconURLToRecordMap to keep weak references to newly-created IconRecords with a 0 reference count. I don't think it's possible to just change m_iconURLToRecordMap to use strong references, because of the hasOneRef() checks in other places in the code.
Comment 3 Darin Adler 2008-06-15 12:33:31 PDT
Damn! I wonder what we should do about this.
Comment 4 Cameron Zwarich (cpst) 2008-06-15 12:52:23 PDT
*** Bug 19563 has been marked as a duplicate of this bug. ***
Comment 5 Darin Adler 2008-06-15 14:37:38 PDT
(In reply to comment #2)
> Prior to r34544, the code relied on the ability of m_iconURLToRecordMap to keep
> weak references to newly-created IconRecords with a 0 reference count. I don't
> think it's possible to just change m_iconURLToRecordMap to use strong
> references, because of the hasOneRef() checks in other places in the code.

I think we can fix this without changing the map so it can keep strong references, as long as nobody is relying on the IconRecord being kept alive indefinitely with a 0 reference count. I need to figure out more precisely what's going wrong.

I've set aside my other work so I can concentrate on this now.
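As an added illustration of the weak-map and reference-count invariants mitz describes in comment 2 and Darin discusses in comment 5 (example code, not WebKit's IconDatabase or IconRecord; the self-erasing map entry, the adopt-on-create convention and the URL are assumptions of this constructed model):

```cpp
#include <map>
#include <string>
class Record;
using Registry = std::map<std::string, Record*>; // weak: raw pointers, no ownership
// Constructed model of an IconRecord-like object: it starts with one reference that the
// creator must adopt, and erases its own map entry when the last reference is dropped.
class Record {
public:
    Record(Registry& registry, const std::string& url)
        : m_registry(registry), m_url(url), m_refCount(1) { m_registry[m_url] = this; }
    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) delete this; }
    bool hasOneRef() const { return m_refCount == 1; } // only meaningful while the map is weak
private:
    ~Record() { m_registry.erase(m_url); }
    Registry& m_registry; std::string m_url; int m_refCount;
};
// Minimal owning pointer: copying ref()s, destruction deref()s, adopt() takes the initial ref.
class RecordRef {
public:
    RecordRef() : m_ptr(nullptr) {}
    explicit RecordRef(Record* p) : m_ptr(p) { if (m_ptr) m_ptr->ref(); }
    RecordRef(const RecordRef& o) : m_ptr(o.m_ptr) { if (m_ptr) m_ptr->ref(); }
    RecordRef(RecordRef&& o) noexcept : m_ptr(o.m_ptr) { o.m_ptr = nullptr; }
    RecordRef& operator=(const RecordRef&) = delete;
    ~RecordRef() { if (m_ptr) m_ptr->deref(); }
    static RecordRef adopt(Record* p) { RecordRef r; r.m_ptr = p; return r; }
    Record* get() const { return m_ptr; }
    Record* operator->() const { return m_ptr; }
private:
    Record* m_ptr;
};
// "Found" takes a new reference; "create" adopts the constructor's reference exactly once.
// Adopting a pointer that was already adopted would over-release it and double-delete.
RecordRef getOrCreateRecord(Registry& registry, const std::string& url) {
    Registry::iterator it = registry.find(url);
    if (it != registry.end()) return RecordRef(it->second);
    return RecordRef::adopt(new Record(registry, url));
}
// Exercises the invariants; returns false if the reference count or map state is wrong.
bool registryScenarioHolds() {
    Registry registry;
    {
        RecordRef a = getOrCreateRecord(registry, "http://example.test/favicon.ico"); // constructed URL
        bool soleOwner = a->hasOneRef() && registry.size() == 1;
        RecordRef b = getOrCreateRecord(registry, "http://example.test/favicon.ico");
        if (!soleOwner || a.get() != b.get() || a->hasOneRef()) return false;
    }
    return registry.empty(); // last deref destroyed the record and cleared its weak entry
}
```

Because the map holds no reference of its own, hasOneRef() still means "the caller is the only owner"; a map of strong references would make that check answer a different question, which is the obstacle comment 2 points out.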
Comment 6 Darin Adler 2008-06-15 15:04:03 PDT
Created attachment 21718 [details]
patch
Comment 7 mitz 2008-06-15 15:05:34 PDT
Comment on attachment 21718 [details]
patch

r=me
Comment 8 Darin Adler 2008-06-15 15:11:40 PDT
Committed revision 34575.