Bug 111521 - editing/selection/selection-in-iframe-removed-crash.html or selection-invalid-offset.html crashes intermittently
Summary: editing/selection/selection-in-iframe-removed-crash.html or selection-invalid...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Page Loading (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Alexey Proskuryakov
URL:
Keywords: InRadar
: 112220 (view as bug list)
Depends on:
Blocks:
 
Reported: 2013-03-05 21:45 PST by Ryosuke Niwa
Modified: 2014-06-11 17:31 PDT (History)
7 users (show)

See Also:

Attachments
proposed fix (3.02 KB, patch)
2014-06-11 13:27 PDT, Alexey Proskuryakov 		no flags Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Ryosuke Niwa 2013-03-05 21:45:18 PST 
editing/selection/selection-invalid-offset.html has been crashing with the following stack trace intermittently.

http://build.webkit.org/results/Apple%20MountainLion%20Release%20WK1%20(Tests)/r144874%20(7586)/results.html

Application Specific Information:
CRASHING TEST: editing/selection/selection-in-iframe-removed-crash.html

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x00000001103ee057 WebCore::FrameLoader::dispatchDidCommitLoad() + 135 (RefPtr.h:58)
1   com.apple.WebCore             	0x00000001103eddc5 WebCore::FrameLoader::receivedFirstData() + 21 (FrameLoader.cpp:602)
2   com.apple.WebCore             	0x000000011025ccef WebCore::DocumentLoader::commitData(char const*, unsigned long) + 239 (RefPtr.h:43)
3   com.apple.WebKit              	0x000000010fda9bf4 -[WebHTMLRepresentation receivedData:withDataSource:] + 100 (WebHTMLRepresentation.mm:186)
4   com.apple.WebKit              	0x000000010fd7cded -[WebDataSource(WebInternal) _receivedData:] + 77 (WebDataSource.mm:216)
5   com.apple.WebKit              	0x000000010fd94c47 WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, char const*, int) + 103 (WebFrameLoaderClient.mm:848)
6   com.apple.WebCore             	0x000000011025cea0 WebCore::DocumentLoader::commitLoad(char const*, int) + 144 (RefCounted.h:148)
7   com.apple.WebCore             	0x000000011097d5b3 WebCore::MainResourceLoader::dataReceived(WebCore::CachedResource*, char const*, int) + 819 (MainResourceLoader.cpp:529)
8   com.apple.WebCore             	0x000000011097c729 WebCore::MainResourceLoader::continueAfterContentPolicy(WebCore::PolicyAction, WebCore::ResourceResponse const&) + 1257 (RefPtr.h:64)
9   com.apple.WebCore             	0x000000011097d0c5 WebCore::MainResourceLoader::responseReceived(WebCore::CachedResource*, WebCore::ResourceResponse const&) + 1749 (RefCounted.h:148)
10  com.apple.WebCore             	0x000000011097b516 WebCore::MainResourceLoader::handleSubstituteDataLoadNow(WebCore::RunLoopTimer<WebCore::MainResourceLoader>*) + 710 (RetainPtr.h:84)
11  com.apple.WebCore             	0x0000000110bc1818 WebCore::timerFired(__CFRunLoopTimer*, void*) + 40 (RunLoopTimerCF.cpp:52)
12  com.apple.CoreFoundation      	0x00007fff92ac7da4 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
13  com.apple.CoreFoundation      	0x00007fff92ac78bd __CFRunLoopDoTimer + 557
14  com.apple.CoreFoundation      	0x00007fff92aad099 __CFRunLoopRun + 1513
15  com.apple.CoreFoundation      	0x00007fff92aac6b2 CFRunLoopRunSpecific + 290
16  com.apple.Foundation          	0x00007fff87a8089e -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 268
17  DumpRenderTree                	0x000000010f641122 runTest(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) + 1639 (DumpRenderTree.mm:1375)
18  DumpRenderTree                	0x000000010f6408b6 dumpRenderTree(int, char const**) + 1727 (DumpRenderTree.mm:832)
19  DumpRenderTree                	0x000000010f64148b main + 86 (DumpRenderTree.mm:925)
20  libdyld.dylib                 	0x00007fff895837e1 start + 1
Comment 1 Alexey Proskuryakov 2013-03-05 21:51:45 PST 
Any idea when this could start? Is this reproducible manually in browser?
Comment 2 Ryosuke Niwa 2013-03-05 21:58:58 PST 
(In reply to comment #1)
> Any idea when this could start? Is this reproducible manually in browser?

I think it's caused by http://trac.webkit.org/changeset/144400. Note that even though NRWT thinks selection-invalid-offset.html is crashing, the crash log indicates that editing/selection/selection-in-iframe-removed-crash.html is the one crashing.
Comment 3 Ryosuke Niwa 2013-03-06 12:03:04 PST 
Also see https://bugs.webkit.org/show_bug.cgi?id=111451.
editing/selection/selection-in-iframe-removed-crash.html is hitting an assertion.
Comment 4 Levi Weintraub 2013-03-06 15:35:08 PST 
I'm having no luck reproducing this locally. I've tried release and debug, running just editing/selection/selection-in-iframe-removed-crash.html and editing/selection/selection-invalid-offset.html with a lot of iterations as well as the whole suite of tests, over and over again.
Comment 5 Alexey Proskuryakov 2013-03-12 11:05:33 PDT 
In a debug build, an assertion failure occurs:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x0000000109426f6c WTF::RefPtr<WebCore::Frame>::get() const + 12 (RefPtr.h:58)
1   com.apple.WebCore             	0x0000000109558e6c WebCore::Page::mainFrame() const + 28 (Page.h:156)
2   com.apple.WebCore             	0x0000000109ba13a2 WebCore::FrameLoader::dispatchDidCommitLoad() + 194 (FrameLoader.cpp:3292)
3   com.apple.WebCore             	0x0000000109ba10bc WebCore::FrameLoader::receivedFirstData() + 28 (FrameLoader.cpp:602)
4   com.apple.WebCore             	0x00000001098ba8a2 WebCore::DocumentLoader::commitData(char const*, unsigned long) + 210 (DocumentLoader.cpp:362)
Comment 6 Ryosuke Niwa 2013-03-12 19:12:03 PDT 
*** Bug 112220 has been marked as a duplicate of this bug. ***
Comment 7 Ryosuke Niwa 2013-03-12 19:16:56 PDT 
Updated the test expectation per https://bugs.webkit.org/show_bug.cgi?id=112220:
http://trac.webkit.org/changeset/145671
Comment 8 Alexey Proskuryakov 2013-08-30 16:42:18 PDT 
Still happens, just got this crash today.
Comment 9 Alexey Proskuryakov 2014-06-11 13:19:58 PDT 
This is a pretty bad bug, which could be a root cause of certain common crashers.

<rdar://problem/15159351>
Comment 10 Alexey Proskuryakov 2014-06-11 13:27:35 PDT 
Created attachment 232895 [details]
proposed fix

Let's see what EWS thinks, I'm not entirely sure what's the right way to check for cancellation here.
Comment 11 WebKit Commit Bot 2014-06-11 17:30:56 PDT 
Comment on attachment 232895 [details]
proposed fix

Clearing flags on attachment: 232895

Committed r169866: <http://trac.webkit.org/changeset/169866>
Comment 12 WebKit Commit Bot 2014-06-11 17:31:01 PDT 
All reviewed patches have been landed.  Closing bug.