Spotted this leak on leaks bot: Call stack: [thread 0x7fff76e85300]: 0x2 start DumpRenderTreeMain(int, char const**) DumpRenderTree.mm:1302 dumpRenderTree(int, char const**) DumpRenderTree.mm:1071 runTest(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) DumpRenderTree.mm:1887 CFRunLoopRunSpecific __CFRunLoopRun __CFRunLoopDoSources0 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ MultiplexerSource::_perform(void*) MultiplexerSource::perform() RunloopBlockContext::perform() CFArrayApplyFunction RunloopBlockContext::_invoke_block(void const*, void*) ___ZN27URLConnectionClient_Classic18_withDelegateAsyncEPKcU13block_pointerFvP16_CFURLConnectionPK33CFURLConnectionClientCurrent_VMaxE_block_invoke_2 ___ZN27URLConnectionClient_Classic26_delegate_didFinishLoadingEU13block_pointerFvvE_block_invoke -[NSURLConnectionInternal _withActiveConnectionAndDelegate:] -[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:] __65-[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:]_block_invoke WebCore::SubresourceLoader::didFinishLoading(double) ResourceLoader.h:153 WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) CachedRawResource.cpp:105 WebCore::CachedResource::checkNotify() CachedResourceClientWalker.h:51 WebCore::DocumentLoader::finishedLoading(double) ResourceErrorBase.h:42 WebCore::DocumentWriter::end() type_traits:3204 WebCore::HTMLDocumentParser::prepareToStopParsing() Ref.h:45 WebCore::Document::finishedParsing() Frame.h:377 WebCore::FrameLoader::finishedParsing() FrameLoader.cpp:769 WebCore::FrameLoader::checkCompleted() FrameLoader.cpp:849 WebCore::Document::implicitClose() Document.cpp:3807 WebCore::DOMWindow::dispatchLoadEvent() PassRefPtr.h:58 WebCore::DOMWindow::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, WTF::PassRefPtr<WebCore::EventTarget>) DOMWindow.cpp:1897 WebCore::EventTarget::fireEventListeners(WebCore::Event*) EventTarget.cpp:207 
WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul, WTF::CrashOnOverflow>&) InspectorInstrumentation.h:283 WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) JSMainThreadExecState.h:56 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, JSC::JSValue*) Register.h:116 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) Interpreter.cpp:978 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) JITCode.cpp:78 vmEntryToJavaScript llint_entry 0x5552e2a01028 WebCore::jsDocumentPrototypeFunctionExecCommand(JSC::ExecState*) JSCJSValue.h:464 WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) Document.cpp:4383 WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const EditorCommand.cpp:1726 WebCore::executeInsertText(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) EditorCommand.cpp:566 WebCore::TypingCommand::insertText(WebCore::Document&, WTF::String const&, WebCore::VisibleSelection const&, unsigned int, WebCore::TypingCommand::TextCompositionType) PassRefPtr.h:58 WebCore::TextInsertionBaseCommand::applyTextInsertionCommand(WebCore::Frame*, WTF::PassRefPtr<WebCore::TextInsertionBaseCommand>, WebCore::VisibleSelection const&, WebCore::VisibleSelection const&) PassRefPtr.h:58 WebCore::CompositeEditCommand::apply() ScopedEventQueue.h:71 WebCore::TypingCommand::doApply() TypingCommand.cpp:286 void WebCore::forEachLineInString<WebCore::TypingCommandLineOperation>(WTF::String const&, WebCore::TypingCommandLineOperation const&) RefPtr.h:59 WebCore::TypingCommand::insertTextRunWithoutNewlines(WTF::String const&, bool) PassRefPtr.h:58 WebCore::CompositeEditCommand::applyCommandToComposite(WTF::PassRefPtr<WebCore::CompositeEditCommand>, 
WebCore::VisibleSelection const&) CompositeEditCommand.cpp:274 WebCore::InsertTextCommand::doApply() VisibleSelection.h:75 WebCore::CompositeEditCommand::deleteSelection(bool, bool, bool, bool, bool) PassRefPtr.h:58 WebCore::CompositeEditCommand::applyCommandToComposite(WTF::PassRefPtr<WebCore::EditCommand>) CompositeEditCommand.cpp:259 WebCore::DeleteSelectionCommand::doApply() RefPtr.h:72 WebCore::DeleteSelectionCommand::calculateTypingStyleAfterDelete() RefPtr.h:70 WebCore::EditingStyle::prepareToApplyAt(WebCore::Position const&, WebCore::EditingStyle::ShouldPreserveWritingDirection) RefPtr.h:61 WebCore::EditingStyle::init(WebCore::Node*, WebCore::EditingStyle::PropertiesToInclude) StdLibExtras.h:374 WebCore::ComputedStyleExtractor::copyPropertiesInSet(WebCore::CSSPropertyID const*, unsigned int) const StdLibExtras.h:374 WebCore::ComputedStyleExtractor::propertyValue(WebCore::CSSPropertyID, WebCore::EUpdateLayout) const RefPtr.h:72 WebCore::Document::recalcStyle(WebCore::Style::Change) Document.cpp:1770 WebCore::Style::resolveTree(WebCore::Document&, WebCore::Style::Change) StyleResolveTree.cpp:995 WebCore::Style::resolveTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change) StyleResolveTree.cpp:955 WebCore::Style::resolveTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change) StyleResolveTree.cpp:955 WebCore::Style::resolveTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change) StyleResolveTree.cpp:955 WebCore::Style::resolveTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change) StyleResolveTree.cpp:955 WebCore::Style::resolveTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change) PassRefPtr.h:58 WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, 
WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) StyleResolveTree.cpp:222 WebCore::RenderElement::addChild(WebCore::RenderObject*, WebCore::RenderObject*) RenderObject.h:953 WebCore::RenderElement::insertChildInternal(WebCore::RenderObject*, WebCore::RenderObject*, WebCore::RenderElement::NotifyChildrenType) RenderObject.h:505 WebCore::RenderBlockFlow::insertedIntoTree() RenderBlockFlow.cpp:138 WebCore::RenderMultiColumnFlowThread::flowThreadDescendantInserted(WebCore::RenderObject*) RenderMultiColumnFlowThread.cpp:401 WebCore::RenderMultiColumnFlowThread::processPossibleSpannerDescendant(WebCore::RenderObject*&, WebCore::RenderObject*) RenderMultiColumnFlowThread.cpp:307 WebCore::RenderMultiColumnSpannerPlaceholder::createAnonymous(WebCore::RenderMultiColumnFlowThread*, WebCore::RenderBox*, WebCore::RenderStyle*) Ref.h:51 malloc malloc_zone_malloc
Created attachment 245370: Patch
Comment on attachment 245370 (Patch): Dave tells me this leak is intentional, to avoid a use-after-free. This would be fixed by ref-counting RenderObjects.
The use-after-free happens when we have nested columns with a spanner descendant and we move the spanner placeholder from one flow thread to the other: the RenderMultiColumnSpannerPlaceholder object being inserted here is the same one being detached from the tree in RenderMultiColumnFlowThread::flowThreadDescendantInserted(). * thread #1: tid = 0x56ece9, 0x000000010f22546b WebCore`WebCore::RenderMultiColumnFlowThread::flowThreadDescendantInserted(this=0x000000011a29d8e0, descendant=0x000000011a311e60) + 299 at RenderMultiColumnFlowThread.cpp:379 * frame #0: 0x000000010f22546b WebCore`WebCore::RenderMultiColumnFlowThread::flowThreadDescendantInserted(this=0x000000011a29d8e0, descendant=0x000000011a311e60) + 299 at RenderMultiColumnFlowThread.cpp:379 frame #1: 0x000000010f24fbbf WebCore`WebCore::RenderObject::insertedIntoTree(this=0x000000011a311e60) + 143 at RenderObject.cpp:1928 frame #2: 0x000000010f10f996 WebCore`WebCore::RenderElement::insertedIntoTree(this=0x000000011a311e60) + 326 at RenderElement.cpp:1038 frame #3: 0x000000010f10da93 WebCore`WebCore::RenderElement::insertChildInternal(this=0x000000011a29d8e0, newChild=0x000000011a311e60, beforeChild=0x0000000000000000, notifyChildren=NotifyChildren) + 787 at RenderElement.cpp:578 frame #4: 0x000000010f10d6e6 WebCore`WebCore::RenderElement::addChild(this=0x000000011a29d8e0, newChild=0x000000011a311e60, beforeChild=0x0000000000000000) + 598 at RenderElement.cpp:502 frame #5: 0x000000010f0477e0 WebCore`WebCore::RenderBlock::addChildIgnoringContinuation(this=0x000000011a29d8e0, newChild=0x000000011a311e60, beforeChild=0x0000000000000000) + 1312 at RenderBlock.cpp:492 frame #6: 0x000000010f0472b8 WebCore`WebCore::RenderBlock::addChild(this=0x000000011a29d8e0, newChild=0x000000011a311e60, beforeChild=0x0000000000000000) + 120 at RenderBlock.cpp:407 frame #7: 0x000000010f09118e WebCore`WebCore::RenderBlockFlow::addChild(this=0x000000011a29d8e0, newChild=0x000000011a311e60, beforeChild=0x0000000000000000) + 174 at 
RenderBlockFlow.cpp:3764 frame #8: 0x000000010f0ec67a WebCore`WebCore::RenderBoxModelObject::moveChildTo(this=0x000000011a362c38, toBoxModelObject=0x000000011a29d8e0, child=0x000000011a311e60, beforeChild=0x0000000000000000, fullRemoveInsert=true) + 410 at RenderBoxModelObject.cpp:2551 frame #9: 0x000000010f0ec8c1 WebCore`WebCore::RenderBoxModelObject::moveChildrenTo(this=0x000000011a362c38, toBoxModelObject=0x000000011a29d8e0, startChild=0x000000011a311e60, endChild=0x000000011a29d8e0, beforeChild=0x0000000000000000, fullRemoveInsert=true) + 481 at RenderBoxModelObject.cpp:2590 frame #10: 0x000000010f05ba61 WebCore`WebCore::RenderBoxModelObject::moveChildrenTo(this=0x000000011a362c38, toBoxModelObject=0x000000011a29d8e0, startChild=0x000000011a311e60, endChild=0x000000011a29d8e0, fullRemoveInsert=true) + 65 at RenderBoxModelObject.h:296 frame #11: 0x000000010f2247f4 WebCore`WebCore::RenderMultiColumnFlowThread::populate(this=0x000000011a29d8e0) + 180 at RenderMultiColumnFlowThread.cpp:153 frame #12: 0x000000010f077710 WebCore`WebCore::RenderBlockFlow::createMultiColumnFlowThread(this=0x000000011a362c38) + 192 at RenderBlockFlow.cpp:128 frame #13: 0x000000010f07c68b WebCore`WebCore::RenderBlockFlow::setComputedColumnCountAndWidth(this=0x000000011a362c38, count=1, width=LayoutUnit at 0x00007fff57848388) + 123 at RenderBlockFlow.cpp:3827 frame #14: 0x000000010f07c5fb WebCore`WebCore::RenderBlockFlow::computeColumnCountAndWidth(this=0x000000011a362c38) + 1995 at RenderBlockFlow.cpp:426 frame #15: 0x000000010f07bd8d WebCore`WebCore::RenderBlockFlow::recomputeLogicalWidthAndColumnWidth(this=0x000000011a362c38) + 61 at RenderBlockFlow.cpp:386 frame #16: 0x000000010f07c80b WebCore`WebCore::RenderBlockFlow::layoutBlock(this=0x000000011a362c38, relayoutChildren=false, pageLogicalHeight=LayoutUnit at 0x00007fff578489e8) + 235 at RenderBlockFlow.cpp:438 frame #17: 0x000000010f049839 WebCore`WebCore::RenderBlock::layout(this=0x000000011a362c38) + 105 at RenderBlock.cpp:926 
frame #18: 0x000000010f08037c WebCore`WebCore::RenderBlockFlow::layoutBlockChild(this=0x000000011a29d6a8, child=0x000000011a362c38, marginInfo=0x00007fff57848e48, previousFloatLogicalBottom=0x00007fff57848e28, maxFloatLogicalBottom=0x00007fff57849110) + 1276 at RenderBlockFlow.cpp:709 frame #19: 0x000000010f07dd76 WebCore`WebCore::RenderBlockFlow::layoutBlockChildren(this=0x000000011a29d6a8, relayoutChildren=false, maxFloatLogicalBottom=0x00007fff57849110) + 598 at RenderBlockFlow.cpp:632 frame #20: 0x000000010f07cb8e WebCore`WebCore::RenderBlockFlow::layoutBlock(this=0x000000011a29d6a8, relayoutChildren=false, pageLogicalHeight=LayoutUnit at 0x00007fff578491b8) + 1134 at RenderBlockFlow.cpp:485 frame #21: 0x000000010f049839 WebCore`WebCore::RenderBlock::layout(this=0x000000011a29d6a8) + 105 at RenderBlock.cpp:926 frame #22: 0x000000010f12db6f WebCore`WebCore::RenderFlowThread::layout(this=0x000000011a29d6a8) + 303 at RenderFlowThread.cpp:202 frame #23: 0x000000010f224628 WebCore`WebCore::RenderMultiColumnFlowThread::layout(this=0x000000011a29d6a8) + 200 at RenderMultiColumnFlowThread.cpp:126 frame #24: 0x000000010f09109c WebCore`WebCore::RenderBlockFlow::layoutSpecialExcludedChild(this=0x000000011a362e60, relayoutChildren=true) + 284 at RenderBlockFlow.cpp:3739 frame #25: 0x000000010f07dc35 WebCore`WebCore::RenderBlockFlow::layoutBlockChildren(this=0x000000011a362e60, relayoutChildren=true, maxFloatLogicalBottom=0x00007fff578496e0) + 277 at RenderBlockFlow.cpp:604 frame #26: 0x000000010f07cb8e WebCore`WebCore::RenderBlockFlow::layoutBlock(this=0x000000011a362e60, relayoutChildren=true, pageLogicalHeight=LayoutUnit at 0x00007fff57849788) + 1134 at RenderBlockFlow.cpp:485 frame #27: 0x000000010f049839 WebCore`WebCore::RenderBlock::layout(this=0x000000011a362e60) + 105 at RenderBlock.cpp:926 frame #28: 0x000000010f08037c WebCore`WebCore::RenderBlockFlow::layoutBlockChild(this=0x000000011bafb7e0, child=0x000000011a362e60, marginInfo=0x00007fff57849be8, 
previousFloatLogicalBottom=0x00007fff57849bc8, maxFloatLogicalBottom=0x00007fff57849eb0) + 1276 at RenderBlockFlow.cpp:709 frame #29: 0x000000010f07dd76 WebCore`WebCore::RenderBlockFlow::layoutBlockChildren(this=0x000000011bafb7e0, relayoutChildren=true, maxFloatLogicalBottom=0x00007fff57849eb0) + 598 at RenderBlockFlow.cpp:632 frame #30: 0x000000010f07cb8e WebCore`WebCore::RenderBlockFlow::layoutBlock(this=0x000000011bafb7e0, relayoutChildren=true, pageLogicalHeight=LayoutUnit at 0x00007fff57849f58) + 1134 at RenderBlockFlow.cpp:485 frame #31: 0x000000010f049839 WebCore`WebCore::RenderBlock::layout(this=0x000000011bafb7e0) + 105 at RenderBlock.cpp:926 frame #32: 0x000000010f37215d WebCore`WebCore::RenderView::layoutContent(this=0x000000011bafb7e0, state=0x000000011a37de00) + 93 at RenderView.cpp:255 frame #33: 0x000000010f372fba WebCore`WebCore::RenderView::layout(this=0x000000011bafb7e0) + 1866 at RenderView.cpp:380 frame #34: 0x000000010e1ce942 WebCore`WebCore::FrameView::layout(this=0x000000011a0bea40, allowSubtree=true) + 3874 at FrameView.cpp:1372 frame #35: 0x000000010de141c4 WebCore`WebCore::Document::implicitClose(this=0x000000011a0b6500) + 1284 at Document.cpp:2654 frame #36: 0x000000010e196e9b WebCore`WebCore::FrameLoader::checkCallImplicitClose(this=0x000000011a2f60a0) + 155 at FrameLoader.cpp:890 frame #37: 0x000000010e196b6e WebCore`WebCore::FrameLoader::checkCompleted(this=0x000000011a2f60a0) + 270 at FrameLoader.cpp:836 frame #38: 0x000000010e195682 WebCore`WebCore::FrameLoader::finishedParsing(this=0x000000011a2f60a0) + 178 at FrameLoader.cpp:756 frame #39: 0x000000010de21af3 WebCore`WebCore::Document::finishedParsing(this=0x000000011a0b6500) + 483 at Document.cpp:4851