Bug 210643

Summary: REGRESSION (r162729): [iOS] WebKitTestRunner over-releases UITextField in WTR::PlatformWebView::removeChromeInputField()
Product: WebKit Reporter: David Kilzer (:ddkilzer) <ddkilzer>
Component: Tools / TestsAssignee: David Kilzer (:ddkilzer) <ddkilzer>
Status: RESOLVED FIXED    
Severity: Normal CC: ap, simon.fraser, webkit-bug-importer, wenson_hsieh
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=189228
https://bugs.webkit.org/show_bug.cgi?id=189464
Bug Depends on: 127448    
Bug Blocks:    
Attachments:
Description Flags
Patch v1 none

David Kilzer (:ddkilzer)
Reported 2020-04-17 02:32:00 PDT
WebKitTestRunner over-releases UITextField in WTR::PlatformWebView::removeChromeInputField() This regressed in r162729 for Bug 127448: <https://trac.webkit.org/r162729> Briefly fixed by r189228 for Bug 189228 before that commit was reverted in r235832 for Bug 189464. Found by clang static analyzer. void PlatformWebView::addChromeInputField() { UITextField* textField = [[UITextField alloc] initWithFrame:CGRectMake(0, 0, 100, 20)]; textField.tag = 1; [m_window addSubview:textField]; [textField release]; } void PlatformWebView::removeChromeInputField() { UITextField* textField = (UITextField*)[m_window viewWithTag:1]; if (textField) { [textField removeFromSuperview]; makeWebViewFirstResponder(); [textField release]; // Over-release. } } NOTE: This may be the cause of some of the autoreleasePool crashes in WebKitTestRunner that we see occasionally.
Attachments
Patch v1 (1.28 KB, patch)
2020-04-17 02:38 PDT, David Kilzer (:ddkilzer) 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2020-04-17 02:32:15 PDT
<rdar://problem/61927190>
David Kilzer (:ddkilzer)
Comment 2 2020-04-17 02:38:13 PDT
(In reply to David Kilzer (:ddkilzer) from comment #0) > NOTE: This may be the cause of some of the autoreleasePool crashes in > WebKitTestRunner that we see occasionally. The reason I say that is because this line will return an autoreleased object from UIKit under ARC: UITextField* textField = (UITextField*)[m_window viewWithTag:1]; And then the -release call over-releases the object. But we won't crash until the autoreleasePool containing the UITextField object is drained, which apparently doesn't happen consistently during test runs.
David Kilzer (:ddkilzer)
Comment 3 2020-04-17 02:38:52 PDT
Created attachment 396749 [details] Patch v1
EWS
Comment 4 2020-04-17 07:57:19 PDT
Committed r260250: <https://trac.webkit.org/changeset/260250> All reviewed patches have been landed. Closing bug and clearing flags on attachment 396749 [details].
Note You need to log in before you can comment on or make changes to this bug.