Bug 81453

Summary: Actual crash (not assertion failure) underneath WebFrameProxy::removeChild on Lion Intel Debug WebKit2 testers
Product: WebKit
Reporter: Jessie Berlin <jberlin>
Component: WebKit2
Assignee: Alexey Proskuryakov <ap>
Status: RESOLVED WORKSFORME
Severity: Normal
CC: abarth, andersca, ap, beidson, cgarcia, gustavo, jberlin, menard, sam, webkit-bug-importer, webkit.review.bot, zoltan
Priority: P2
Keywords: InRadar, LayoutTestFailure, MakingBotsRed, Regression
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
URL: http://build.webkit.org/results/Lion%20Intel%20Debug%20(WebKit2%20Tests)/r111114%20(5002)/fast/frames/iframe-reparenting-crash-log.txt
Bug Depends on: 81590
Bug Blocks:
Attachments:
  proposed fix (beidson: review+)

Description Jessie Berlin 2012-03-17 12:04:47 PDT
http://build.webkit.org/results/Lion%20Intel%20Debug%20(WebKit2%20Tests)/r111114%20(5002)/fast/frames/iframe-reparenting-crash-log.txt
http://build.webkit.org/results/Lion%20Intel%20Debug%20(WebKit2%20Tests)/r111114%20(5002)/fast/events/before-unload-adopt-within-subframes-crash-log.txt

Unfortunately, due to the state of our tests, I am not sure when this started.

I do suspect fast/frames/iframe-reparenting.html and fast/events/before-unload-adopt-within-subframes.html, but I have yet to verify that locally (don't have updated source but wanted to document this).

Process:         WebKitTestRunner [71009]
Path:            /Volumes/VOLUME/*/WebKitTestRunner
Identifier:      WebKitTestRunner
Version:         ??? (???)
Code Type:       X86-64 (Native)
Parent Process:  Python [70835]

Date/Time:       2012-03-17 00:16:47.550 -0700
OS Version:      Mac OS X 10.7.3 (11D50)
Report Version:  9

Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000040

VM Regions Near 0x40:
--> 
    __TEXT                 000000010503f000-0000000105056000 [   92K] r-x/rwx SM=COW  /Volumes/VOLUME/*

Application Specific Information:
objc[71009]: garbage collection is OFF

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebKit2             	0x0000000105268737 WebKit::WebFrameProxy::removeChild(WebKit::WebFrameProxy*) + 231 (type_traits:3028)
1   com.apple.WebKit2             	0x00000001052688b2 WebKit::WebFrameProxy::didRemoveFromHierarchy() + 50 (WebFrameProxy.cpp:264)
2   com.apple.WebKit2             	0x00000001052f0abc WebKit::WebPageProxy::didRemoveFrameFromHierarchy(unsigned long long, CoreIPC::ArgumentDecoder*) + 316 (WebPageProxy.cpp:1967)
3   com.apple.WebKit2             	0x0000000105347a22 void CoreIPC::callMemberFunction<WebKit::WebPageProxy, void (WebKit::WebPageProxy::*)(unsigned long long, CoreIPC::ArgumentDecoder*), unsigned long long>(CoreIPC::Arguments1<unsigned long long> const&, CoreIPC::ArgumentDecoder*, WebKit::WebPageProxy*, void (WebKit::WebPageProxy::*)(unsigned long long, CoreIPC::ArgumentDecoder*)) + 146 (HandleMessage.h:230)
4   com.apple.WebKit2             	0x00000001053396f7 void CoreIPC::handleMessageVariadic<Messages::WebPageProxy::DidRemoveFrameFromHierarchy, WebKit::WebPageProxy, void (WebKit::WebPageProxy::*)(unsigned long long, CoreIPC::ArgumentDecoder*)>(CoreIPC::ArgumentDecoder*, WebKit::WebPageProxy*, void (WebKit::WebPageProxy::*)(unsigned long long, CoreIPC::ArgumentDecoder*)) + 119 (HandleMessage.h:327)
5   com.apple.WebKit2             	0x0000000105335b08 WebKit::WebPageProxy::didReceiveWebPageProxyMessage(CoreIPC::Connection*, CoreIPC::MessageID, CoreIPC::ArgumentDecoder*) + 3016 (WebPageProxyMessageReceiver.cpp:258)
6   com.apple.WebKit2             	0x00000001052ee23f WebKit::WebPageProxy::didReceiveMessage(CoreIPC::Connection*, CoreIPC::MessageID, CoreIPC::ArgumentDecoder*) + 271 (WebPageProxy.cpp:1615)
7   com.apple.WebKit2             	0x0000000105389be6 WebKit::WebProcessProxy::didReceiveMessage(CoreIPC::Connection*, CoreIPC::MessageID, CoreIPC::ArgumentDecoder*) + 438 (WebProcessProxy.cpp:332)
8   com.apple.WebKit2             	0x0000000105203735 WebKit::WebConnectionToWebProcess::didReceiveMessage(CoreIPC::Connection*, CoreIPC::MessageID, CoreIPC::ArgumentDecoder*) + 405 (WebConnectionToWebProcess.cpp:93)
9   com.apple.WebKit2             	0x000000010520377d non-virtual thunk to WebKit::WebConnectionToWebProcess::didReceiveMessage(CoreIPC::Connection*, CoreIPC::MessageID, CoreIPC::ArgumentDecoder*) + 61
10  com.apple.WebKit2             	0x000000010509ed2c CoreIPC::Connection::dispatchMessage(CoreIPC::Connection::Message<CoreIPC::ArgumentDecoder>&) + 428 (Connection.cpp:692)
11  com.apple.WebKit2             	0x00000001050a1883 CoreIPC::Connection::dispatchMessages() + 211 (Connection.cpp:720)
12  com.apple.WebKit2             	0x00000001050a8990 WTF::FunctionWrapper<void (CoreIPC::Connection::*)()>::operator()(CoreIPC::Connection*) + 112 (Functional.h:173)
13  com.apple.WebKit2             	0x00000001050a8915 WTF::BoundFunctionImpl<WTF::FunctionWrapper<void (CoreIPC::Connection::*)()>, void ()(CoreIPC::Connection*)>::operator()() + 53 (Functional.h:373)
14  com.apple.WebCore             	0x00000001087139cd WTF::Function<void ()()>::operator()() const + 141 (Functional.h:581)
15  com.apple.WebCore             	0x0000000108713753 WebCore::RunLoop::performWork() + 147 (RunLoop.cpp:66)
16  com.apple.WebCore             	0x0000000108714b70 WebCore::RunLoop::performWork(void*) + 96 (RunLoopMac.mm:65)
17  com.apple.CoreFoundation      	0x00007fff8b9856e1 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
18  com.apple.CoreFoundation      	0x00007fff8b984f4d __CFRunLoopDoSources0 + 253
19  com.apple.CoreFoundation      	0x00007fff8b9abd39 __CFRunLoopRun + 905
20  com.apple.CoreFoundation      	0x00007fff8b9ab676 CFRunLoopRunSpecific + 230
21  com.apple.Foundation          	0x00007fff8a8cdf9f -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 267
22  WebKitTestRunner              	0x0000000105049ccc WTR::TestController::platformRunUntil(bool&, double) + 204 (TestControllerMac.mm:60)
23  WebKitTestRunner              	0x00000001050455e5 WTR::TestController::runUntil(bool&, WTR::TestController::TimeoutDuration) + 149 (TestController.cpp:564)
24  WebKitTestRunner              	0x000000010504547c WTR::TestController::resetStateToConsistentValues() + 1564 (TestController.cpp:487)
25  WebKitTestRunner              	0x0000000105045626 WTR::TestController::runTest(char const*) + 54 (TestController.cpp:492)
26  WebKitTestRunner              	0x0000000105045d72 WTR::TestController::runTestingServerLoop() + 178 (TestController.cpp:530)
27  WebKitTestRunner              	0x00000001050443e0 WTR::TestController::run() + 48 (TestController.cpp:538)
28  WebKitTestRunner              	0x00000001050430a6 WTR::TestController::TestController(int, char const**) + 614 (TestController.cpp:88)
29  WebKitTestRunner              	0x0000000105042e33 WTR::TestController::TestController(int, char const**) + 35 (TestController.cpp:89)
30  WebKitTestRunner              	0x0000000105040d8f main + 143 (main.mm:36)
31  WebKitTestRunner              	0x0000000105040cf4 start + 52
Comment 1 Radar WebKit Bug Importer 2012-03-17 12:05:06 PDT
<rdar://problem/11069393>
Comment 2 Alexey Proskuryakov 2012-03-19 16:56:47 PDT
Created attachment 132723 [details]
proposed fix
Comment 3 Alexey Proskuryakov 2012-03-19 17:00:29 PDT
*** Bug 81525 has been marked as a duplicate of this bug. ***
Comment 4 WebKit Review Bot 2012-03-19 17:01:52 PDT
Thanks for the patch. If this patch contains new public API please make sure it follows the guidelines for new WebKit2 GTK+ API. See http://trac.webkit.org/wiki/WebKitGTK/AddingNewWebKit2API
Comment 5 Brady Eidson 2012-03-19 17:11:27 PDT
Comment on attachment 132723 [details]
proposed fix

Yikes.
Comment 6 Alexey Proskuryakov 2012-03-19 20:20:10 PDT
And now it looks like the whole concept of magic frame is being removed today. Nice timing...
Comment 7 Adam Barth 2012-03-19 20:39:03 PDT
Do you want to land this, or should we wait to see if we remove magic iframe in the next couple of days?
Comment 8 Jessie Berlin 2012-03-19 20:51:44 PDT
(In reply to comment #7)
> Do you want to land this, or should we wait to see if we remove magic iframe in the next couple of days?

This patch needs an update to the WK API struct, so Alexey has to make that change before he lands it.

Is there still a question about whether or not we are going to remove "magic frames"? What is the timeline for removing it? We are trying to get the bots green as soon as possible ...
Comment 9 Alexey Proskuryakov 2012-03-19 20:54:38 PDT
I don't think that we should land this.

We could skip the frame reparenting tests in WK2 for now. Do you expect to remove any tests? The current patch in bug 81590 doesn't touch any.
Comment 10 Adam Barth 2012-03-19 21:15:56 PDT
> Is there still a question about whether or not we are going to remove "magic frames"? What is the timeline for removing it? We are trying to get the bots green as soon as possible ...

There seemed to be consensus on webkit-dev, so I think the timeline is that we're going to remove it relatively soon (as in, someone should feel free to R+ my patch and I can land it whenever).

> We could skip the frame reparenting tests in WK2 for now. Do you expect to remove any tests? The current patch in bug 81590 doesn't touch any.

I've updated the patch to remove the reparenting tests.  I don't think there's much (any?) value in keeping them without the feature.
Comment 11 Adam Barth 2012-03-19 23:05:40 PDT
Support for "magic" iframe has been removed.
Comment 12 Alexey Proskuryakov 2012-03-19 23:10:03 PDT
All is well that ends well.