RESOLVED FIXED 101211
Protect against resource deletion during iteration in MemoryCache::pruneDeadResourcesToSize 
https://bugs.webkit.org/show_bug.cgi?id=101211
Summary Protect against resource deletion during iteration in MemoryCache::pruneDeadR...
Antti Koivisto
Reported 2012-11-05 06:05:01 PST
There have been some crashes that look like this: 1 0x000000000000003f 0 + 63 2 com.apple.WebCore 0x7fff86c26b47 WebCore::MemoryCache::pruneDeadResourcesToSize(unsigned int) + 0x1f7 3 com.apple.WebCore 0x7fff86ba8507 WebCore::MemoryCache::prune() + 0x67 4 com.apple.WebCore 0x7fff8733cbe6 WebCore::BitmapImage::draw(WebCore::GraphicsContext*, WebCore::FloatRect const&, WebCore::FloatRect const&, WebCore::ColorSpace, WebCore::CompositeOperator, WebCore::RespectImageOrientationEnum) + 0xf6 5 com.apple.WebCore 0x7fff86ccc364 WebCore::BitmapImage::draw(WebCore::GraphicsContext*, WebCore::FloatRect const&, WebCore::FloatRect const&, WebCore::ColorSpace, WebCore::CompositeOperator) + 0x14 6 com.apple.WebCore 0x7fff86d50297 WebCore::Image::drawTiled(WebCore::GraphicsContext*, WebCore::FloatRect const&, WebCore::FloatPoint const&, WebCore::FloatSize const&, WebCore::ColorSpace, WebCore::CompositeOperator) + 0x277 7 com.apple.WebCore 0x7fff86d50011 A possible cause is that call to destroyDecodedData() causes other resources besides the current one to be evicted from cache.
Attachments
patch (3.85 KB, patch)
2012-11-05 06:20 PST, Antti Koivisto 		kling: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Antti Koivisto
Comment 1 2012-11-05 06:05:26 PST
<rdar://problem/11615488>
Antti Koivisto
Comment 2 2012-11-05 06:20:23 PST
Created attachment 172325 [details] patch
Andreas Kling
Comment 3 2012-11-05 06:39:01 PST
Comment on attachment 172325 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=172325&action=review Looks safe and mostly reasonable. r=me > Source/WebCore/loader/cache/MemoryCache.cpp:311 > + // Protect prev so it can't get deleted during destroyDecodedData(). prev -> 'previous'
Antti Koivisto
Comment 4 2012-11-05 07:03:02 PST
http://trac.webkit.org/changeset/133469
James Robinson
Comment 5 2012-12-11 11:06:23 PST
This appears to have changed the eviction behavior on some of our performance tests, e.g. the spike here: http://build.chromium.org/f/chromium/perf/gpu-mac-release-intel/gpu_throughput/report.html?rev=166239&graph=many_images&trace=software&history=150 Is that expected?
Antti Koivisto
Comment 6 2012-12-11 11:20:51 PST
The crashing/memory corruption case turns into a case where we interrupt the eviction in the middle, so this can affect eviction behavior. This is not ideal but it was the safest and simplest fix I could think of.
Vangelis Kokkevis
Comment 7 2012-12-11 17:31:54 PST
Antti, This looks like it introduced a significant perf regression in Chromium that points to additional calls to WebCore::CachedResource::registerHandle and WebCore::CachedResource::unregisterHandle See: http://code.google.com/p/chromium/issues/detail?id=159555 It may have similar perf implications to other parts of WebKit as well.
Mustafizur Rahaman( :rahaman)
Comment 8 2013-04-11 00:57:12 PDT
Can anyone please tell me if this fix is integrated in the UIWebView that we use in iPad3? I am seeing a similar crash in iPad3 & wanted to know if this patch is already used there? I tried to find in apple bug report (https://bugreport.apple.com) but could not find much details..
Alexey Proskuryakov
Comment 9 2013-04-11 08:51:25 PDT
We do not comment about products based on WebKit.
Note You need to log in before you can comment on or make changes to this bug.