RESOLVED FIXED 138750
[iOS] Crash due to null m_webPageProxyForBackForwardListForCurrentSwipe in ViewGestureController::endSwipeGesture 
https://bugs.webkit.org/show_bug.cgi?id=138750
Summary [iOS] Crash due to null m_webPageProxyForBackForwardListForCurrentSwipe in Vi...
mitz
Reported 2014-11-14 11:41:20 PST
<rdar://problem/18905383> Despite the fix for bug 137770, endSwipeGesture still dereferences a null m_webPageProxyForBackForwardListForCurrentSwipe.
Attachments
Add some tracing (6.91 KB, patch)
2014-11-14 11:48 PST, mitz 		no flags
DetailsFormatted DiffDiff
Ignore callbacks from dispatchAfterEnsuringDrawing for earlier swipes (4.84 KB, patch)
2014-12-08 16:27 PST, mitz 		thorton: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
mitz
Comment 1 2014-11-14 11:48:03 PST
Created attachment 241609 [details] Add some tracing
WebKit Commit Bot
Comment 2 2014-11-14 11:50:13 PST
Attachment 241609 [details] did not pass style-queue: ERROR: Source/WebKit2/UIProcess/ios/ViewGestureControllerIOS.mm:194: Missing space around : in range-based for statement [whitespace/colon] [4] Total errors found: 1 in 3 files If any of these errors are false positives, please file a bug against check-webkit-style.
Tim Horton
Comment 3 2014-11-14 12:03:10 PST
Comment on attachment 241609 [details] Add some tracing View in context: https://bugs.webkit.org/attachment.cgi?id=241609&action=review > Source/WebKit2/UIProcess/ios/ViewGestureControllerIOS.mm:179 > + WTFGetBacktrace(stack, &size); I have long wanted a WTFStringifyBacktrace for reasons similar to this. Maybe we should put this there?
mitz
Comment 4 2014-11-14 12:05:49 PST
Committed attachment 241609 [details] as <http://trac.webkit.org/r176133>.
mitz
Comment 5 2014-11-22 04:47:19 PST
This is not fixed yet.
mitz
Comment 6 2014-12-01 13:50:43 PST
The tracing code revealed that this is probably what’s happening: 1. A first swipe gesture ends, and endSwipeGesture() schedules a call to willCommitPostSwipeTransitionLayerTree() to happen after ensuring drawing, and schedules the watchdog timer 2. Some time passes and no drawing happens, and the watchdog timer fires 3. A second swipe gesture begins 4. The second swipe gesture ends 4.1. Some drawing happens, so willCommitPostSwipeTransitionLayerTree() is finally called 4.2. setRenderTreeSize() is called, and it calls removeSwipeSnapshot() 4.3. endSwipGesture() is called and the crash happens
mitz
Comment 7 2014-12-08 14:46:25 PST
(In reply to comment #6) > The tracing code revealed that this is probably what’s happening: > > 1. A first swipe gesture ends, and endSwipeGesture() schedules a call to > willCommitPostSwipeTransitionLayerTree() to happen after ensuring drawing, > and schedules the watchdog timer > 2. Some time passes and no drawing happens, and the watchdog timer fires > 3. A second swipe gesture begins > 4. The second swipe gesture ends > 4.1. Some drawing happens, so willCommitPostSwipeTransitionLayerTree() is > finally called > 4.2. setRenderTreeSize() is called, and it calls removeSwipeSnapshot() > 4.3. endSwipGesture() is called and the crash happens It is actually necessary that 4.1 happen before the swipe gesture ends. I was able to reproduce this crash with a page whose loading timing I could control by making the page not load until the swipe in step 3 above started, then letting it load before the swipe ended.
mitz
Comment 8 2014-12-08 16:27:30 PST
Created attachment 242862 [details] Ignore callbacks from dispatchAfterEnsuringDrawing for earlier swipes
mitz
Comment 9 2014-12-08 17:20:31 PST
Fixed in <http://trac.webkit.org/r176996>.
Note You need to log in before you can comment on or make changes to this bug.