Bug 111521 - editing/selection/selection-in-iframe-removed-crash.html or selection-invalid-offset.html crashes intermittently
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=111521
Ryosuke Niwa, reported 2013-03-05 21:45:18 PST
editing/selection/selection-invalid-offset.html has been crashing with the following stack trace intermittently.
http://build.webkit.org/results/Apple%20MountainLion%20Release%20WK1%20(Tests)/r144874%20(7586)/results.html
Application Specific Information:
CRASHING TEST: editing/selection/selection-in-iframe-removed-crash.html

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.WebCore 0x00000001103ee057 WebCore::FrameLoader::dispatchDidCommitLoad() + 135 (RefPtr.h:58)
1 com.apple.WebCore 0x00000001103eddc5 WebCore::FrameLoader::receivedFirstData() + 21 (FrameLoader.cpp:602)
2 com.apple.WebCore 0x000000011025ccef WebCore::DocumentLoader::commitData(char const*, unsigned long) + 239 (RefPtr.h:43)
3 com.apple.WebKit 0x000000010fda9bf4 -[WebHTMLRepresentation receivedData:withDataSource:] + 100 (WebHTMLRepresentation.mm:186)
4 com.apple.WebKit 0x000000010fd7cded -[WebDataSource(WebInternal) _receivedData:] + 77 (WebDataSource.mm:216)
5 com.apple.WebKit 0x000000010fd94c47 WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, char const*, int) + 103 (WebFrameLoaderClient.mm:848)
6 com.apple.WebCore 0x000000011025cea0 WebCore::DocumentLoader::commitLoad(char const*, int) + 144 (RefCounted.h:148)
7 com.apple.WebCore 0x000000011097d5b3 WebCore::MainResourceLoader::dataReceived(WebCore::CachedResource*, char const*, int) + 819 (MainResourceLoader.cpp:529)
8 com.apple.WebCore 0x000000011097c729 WebCore::MainResourceLoader::continueAfterContentPolicy(WebCore::PolicyAction, WebCore::ResourceResponse const&) + 1257 (RefPtr.h:64)
9 com.apple.WebCore 0x000000011097d0c5 WebCore::MainResourceLoader::responseReceived(WebCore::CachedResource*, WebCore::ResourceResponse const&) + 1749 (RefCounted.h:148)
10 com.apple.WebCore 0x000000011097b516 WebCore::MainResourceLoader::handleSubstituteDataLoadNow(WebCore::RunLoopTimer<WebCore::MainResourceLoader>*) + 710 (RetainPtr.h:84)
11 com.apple.WebCore 0x0000000110bc1818 WebCore::timerFired(__CFRunLoopTimer*, void*) + 40 (RunLoopTimerCF.cpp:52)
12 com.apple.CoreFoundation 0x00007fff92ac7da4 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
13 com.apple.CoreFoundation 0x00007fff92ac78bd __CFRunLoopDoTimer + 557
14 com.apple.CoreFoundation 0x00007fff92aad099 __CFRunLoopRun + 1513
15 com.apple.CoreFoundation 0x00007fff92aac6b2 CFRunLoopRunSpecific + 290
16 com.apple.Foundation 0x00007fff87a8089e -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 268
17 DumpRenderTree 0x000000010f641122 runTest(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) + 1639 (DumpRenderTree.mm:1375)
18 DumpRenderTree 0x000000010f6408b6 dumpRenderTree(int, char const**) + 1727 (DumpRenderTree.mm:832)
19 DumpRenderTree 0x000000010f64148b main + 86 (DumpRenderTree.mm:925)
20 libdyld.dylib 0x00007fff895837e1 start + 1
Attachments
proposed fix (3.02 KB, patch), 2014-06-11 13:27 PDT, Alexey Proskuryakov, no flags
Alexey Proskuryakov
Comment 1
2013-03-05 21:51:45 PST
Any idea when this could start? Is this reproducible manually in browser?
Ryosuke Niwa
Comment 2
2013-03-05 21:58:58 PST
(In reply to comment #1)
> Any idea when this could start? Is this reproducible manually in browser?
I think it's caused by http://trac.webkit.org/changeset/144400. Note that even though NRWT thinks selection-invalid-offset.html is crashing, the crash log indicates that editing/selection/selection-in-iframe-removed-crash.html is the one crashing.
Ryosuke Niwa
Comment 3
2013-03-06 12:03:04 PST
Also see https://bugs.webkit.org/show_bug.cgi?id=111451. editing/selection/selection-in-iframe-removed-crash.html is hitting an assertion.
Levi Weintraub
Comment 4
2013-03-06 15:35:08 PST
I'm having no luck reproducing this locally. I've tried release and debug, running just editing/selection/selection-in-iframe-removed-crash.html and editing/selection/selection-invalid-offset.html with a lot of iterations as well as the whole suite of tests, over and over again.
Alexey Proskuryakov
Comment 5
2013-03-12 11:05:33 PDT
In a debug build, an assertion failure occurs:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.WebCore 0x0000000109426f6c WTF::RefPtr<WebCore::Frame>::get() const + 12 (RefPtr.h:58)
1 com.apple.WebCore 0x0000000109558e6c WebCore::Page::mainFrame() const + 28 (Page.h:156)
2 com.apple.WebCore 0x0000000109ba13a2 WebCore::FrameLoader::dispatchDidCommitLoad() + 194 (FrameLoader.cpp:3292)
3 com.apple.WebCore 0x0000000109ba10bc WebCore::FrameLoader::receivedFirstData() + 28 (FrameLoader.cpp:602)
4 com.apple.WebCore 0x00000001098ba8a2 WebCore::DocumentLoader::commitData(char const*, unsigned long) + 210 (DocumentLoader.cpp:362)
Ryosuke Niwa
Comment 6
2013-03-12 19:12:03 PDT
*** Bug 112220 has been marked as a duplicate of this bug. ***
Ryosuke Niwa
Comment 7
2013-03-12 19:16:56 PDT
Updated the test expectation per https://bugs.webkit.org/show_bug.cgi?id=112220: http://trac.webkit.org/changeset/145671
Alexey Proskuryakov
Comment 8
2013-08-30 16:42:18 PDT
Still happens, just got this crash today.
Alexey Proskuryakov
Comment 9
2014-06-11 13:19:58 PDT
This is a pretty bad bug, which could be a root cause of certain common crashers. <rdar://problem/15159351>
Alexey Proskuryakov
Comment 10
2014-06-11 13:27:35 PDT
Created attachment 232895 [details]: proposed fix

Let's see what EWS thinks, I'm not entirely sure what's the right way to check for cancellation here.
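The two stack traces above point at the same hazard: a main-resource load deferred through a run-loop timer (handleSubstituteDataLoadNow) fires after the iframe that owns it has been removed, and dispatchDidCommitLoad then reaches Page::mainFrame() through a frame that no longer has a Page. The model below is an added illustration of that ordering and of the two places a cancellation check can live, not WebKit's code or the attached patch; every name in it (Page, Frame, LoaderTimer, commitLoadChecked, removeFrame, runScenario) is hypothetical, and the null dereference is reported as a result value instead of being performed so the sequence can be exercised.

```cpp
#include <algorithm>
#include <cassert>
#include <functional>
#include <string>
#include <utility>
#include <vector>

// Hypothetical model (added example, not WebKit code) of the lifetime hazard
// in this bug: a deferred load is still queued when its iframe is removed,
// the run loop later fires it, and the commit path reads frame->page(),
// which is now null.

struct Page {
    std::vector<std::string> commitLog;
};

struct Frame {
    std::string name;
    Page* page;   // cleared when the frame is removed from its page
};

// Stands in for the RunLoopTimer behind handleSubstituteDataLoadNow: work is
// queued now and executed on a later run-loop iteration.
struct LoaderTimer {
    struct Pending { Frame* frame; std::function<void()> fn; };
    std::vector<Pending> pending;

    void schedule(Frame* frame, std::function<void()> fn) {
        pending.push_back({frame, std::move(fn)});
    }
    // What cancelling a frame's loads on removal has to do: drop its queued work.
    void cancelFor(Frame* frame) {
        pending.erase(std::remove_if(pending.begin(), pending.end(),
                          [frame](const Pending& p) { return p.frame == frame; }),
                      pending.end());
    }
    void fire() {
        auto batch = std::move(pending);
        pending.clear();
        for (auto& p : batch) p.fn();
    }
};

enum class Commit { Done, SkippedDetached, NullPageDeref };

// Commit as in the crashing build: assumes the frame still has a page. The
// null dereference is reported rather than performed so the model is testable.
Commit commitLoadUnchecked(Frame& frame) {
    if (!frame.page)
        return Commit::NullPageDeref;   // real code: Page::mainFrame() on a null Page
    frame.page->commitLog.push_back("commit " + frame.name);
    return Commit::Done;
}

// Commit with a cancellation check at the point of use: a detached frame is
// treated as a cancelled load and nothing is dispatched.
Commit commitLoadChecked(Frame& frame) {
    if (!frame.page)
        return Commit::SkippedDetached;
    return commitLoadUnchecked(frame);
}

// Models removing the iframe from the document. With cancelLoads=false the
// pending load outlives the frame's attachment, which is the buggy ordering.
void removeFrame(Frame& frame, LoaderTimer& timer, bool cancelLoads) {
    if (cancelLoads)
        timer.cancelFor(&frame);
    frame.page = nullptr;
}

// Replays the test's sequence (schedule load, maybe remove the iframe, let the
// run loop fire) and returns the outcome of every commit that actually ran.
std::vector<Commit> runScenario(bool removeBeforeFire, bool cancelOnRemove, bool checkAtCommit) {
    Page page;
    Frame iframe{"iframe", &page};
    LoaderTimer timer;
    std::vector<Commit> outcomes;

    timer.schedule(&iframe, [&] {
        outcomes.push_back(checkAtCommit ? commitLoadChecked(iframe)
                                         : commitLoadUnchecked(iframe));
    });
    if (removeBeforeFire)
        removeFrame(iframe, timer, cancelOnRemove);
    timer.fire();
    return outcomes;
}

int main() {
    using V = std::vector<Commit>;
    assert(runScenario(false, false, false) == V{Commit::Done});            // normal load
    assert(runScenario(true, false, false) == V{Commit::NullPageDeref});    // the bug
    assert(runScenario(true, true, false).empty());                         // cancel on removal
    assert(runScenario(true, false, true) == V{Commit::SkippedDetached});   // check at commit
    return 0;
}
```

Cancelling the frame's queued work when it is removed fixes the root cause (the callback never runs); the check at commit time is the defensive guard for any path that still reaches the commit with a detached frame. Intermittent reproduction, as in comment 4, is what you expect when the outcome depends on whether the timer fires before or after the removal.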
WebKit Commit Bot
Comment 11
2014-06-11 17:30:56 PDT
Comment on attachment 232895 [details]: proposed fix

Clearing flags on attachment: 232895
Committed r169866: <http://trac.webkit.org/changeset/169866>
WebKit Commit Bot
Comment 12
2014-06-11 17:31:01 PDT
All reviewed patches have been landed. Closing bug.