Bug 140899 - Plug RenderMultiColumnSpannerPlaceholder leaks seen on bots.
Status: RESOLVED WONTFIX
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Andreas Kling
Reported: 2015-01-26 13:31 PST by Andreas Kling
Modified: 2015-07-29 08:16 PDT


Attachments
Patch (2.48 KB, patch)
2015-01-26 13:32 PST, Andreas Kling

Description Andreas Kling 2015-01-26 13:31:18 PST
Spotted this leak on the leaks bot:

Call stack: [thread 0x7fff76e85300]:
0x2
start
DumpRenderTreeMain(int, char const**) DumpRenderTree.mm:1302
dumpRenderTree(int, char const**) DumpRenderTree.mm:1071
runTest(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) DumpRenderTree.mm:1887
CFRunLoopRunSpecific
__CFRunLoopRun
__CFRunLoopDoSources0
__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__
MultiplexerSource::_perform(void*)
MultiplexerSource::perform()
RunloopBlockContext::perform()
CFArrayApplyFunction
RunloopBlockContext::_invoke_block(void const*, void*)
___ZN27URLConnectionClient_Classic18_withDelegateAsyncEPKcU13block_pointerFvP16_CFURLConnectionPK33CFURLConnectionClientCurrent_VMaxE_block_invoke_2
___ZN27URLConnectionClient_Classic26_delegate_didFinishLoadingEU13block_pointerFvvE_block_invoke
-[NSURLConnectionInternal _withActiveConnectionAndDelegate:]
-[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:]
__65-[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:]_block_invoke
WebCore::SubresourceLoader::didFinishLoading(double) ResourceLoader.h:153
WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) CachedRawResource.cpp:105
WebCore::CachedResource::checkNotify() CachedResourceClientWalker.h:51
WebCore::DocumentLoader::finishedLoading(double) ResourceErrorBase.h:42
WebCore::DocumentWriter::end() type_traits:3204
WebCore::HTMLDocumentParser::prepareToStopParsing() Ref.h:45
WebCore::Document::finishedParsing() Frame.h:377
WebCore::FrameLoader::finishedParsing() FrameLoader.cpp:769
WebCore::FrameLoader::checkCompleted() FrameLoader.cpp:849
WebCore::Document::implicitClose() Document.cpp:3807
WebCore::DOMWindow::dispatchLoadEvent() PassRefPtr.h:58
WebCore::DOMWindow::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, WTF::PassRefPtr<WebCore::EventTarget>) DOMWindow.cpp:1897
WebCore::EventTarget::fireEventListeners(WebCore::Event*) EventTarget.cpp:207
WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul, WTF::CrashOnOverflow>&) InspectorInstrumentation.h:283
WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) JSMainThreadExecState.h:56
JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, JSC::JSValue*) Register.h:116
JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) Interpreter.cpp:978
JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) JITCode.cpp:78
vmEntryToJavaScript
llint_entry
0x5552e2a01028
WebCore::jsDocumentPrototypeFunctionExecCommand(JSC::ExecState*) JSCJSValue.h:464
WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) Document.cpp:4383
WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const EditorCommand.cpp:1726
WebCore::executeInsertText(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) EditorCommand.cpp:566
WebCore::TypingCommand::insertText(WebCore::Document&, WTF::String const&, WebCore::VisibleSelection const&, unsigned int, WebCore::TypingCommand::TextCompositionType) PassRefPtr.h:58
WebCore::TextInsertionBaseCommand::applyTextInsertionCommand(WebCore::Frame*, WTF::PassRefPtr<WebCore::TextInsertionBaseCommand>, WebCore::VisibleSelection const&, WebCore::VisibleSelection const&) PassRefPtr.h:58
WebCore::CompositeEditCommand::apply() ScopedEventQueue.h:71
WebCore::TypingCommand::doApply() TypingCommand.cpp:286
void WebCore::forEachLineInString<WebCore::TypingCommandLineOperation>(WTF::String const&, WebCore::TypingCommandLineOperation const&) RefPtr.h:59
WebCore::TypingCommand::insertTextRunWithoutNewlines(WTF::String const&, bool) PassRefPtr.h:58
WebCore::CompositeEditCommand::applyCommandToComposite(WTF::PassRefPtr<WebCore::CompositeEditCommand>, WebCore::VisibleSelection const&) CompositeEditCommand.cpp:274
WebCore::InsertTextCommand::doApply() VisibleSelection.h:75
WebCore::CompositeEditCommand::deleteSelection(bool, bool, bool, bool, bool) PassRefPtr.h:58
WebCore::CompositeEditCommand::applyCommandToComposite(WTF::PassRefPtr<WebCore::EditCommand>) CompositeEditCommand.cpp:259
WebCore::DeleteSelectionCommand::doApply() RefPtr.h:72
WebCore::DeleteSelectionCommand::calculateTypingStyleAfterDelete() RefPtr.h:70
WebCore::EditingStyle::prepareToApplyAt(WebCore::Position const&, WebCore::EditingStyle::ShouldPreserveWritingDirection) RefPtr.h:61
WebCore::EditingStyle::init(WebCore::Node*, WebCore::EditingStyle::PropertiesToInclude) StdLibExtras.h:374
WebCore::ComputedStyleExtractor::copyPropertiesInSet(WebCore::CSSPropertyID const*, unsigned int) const StdLibExtras.h:374
WebCore::ComputedStyleExtractor::propertyValue(WebCore::CSSPropertyID, WebCore::EUpdateLayout) const RefPtr.h:72
WebCore::Document::recalcStyle(WebCore::Style::Change) Document.cpp:1770
WebCore::Style::resolveTree(WebCore::Document&, WebCore::Style::Change) StyleResolveTree.cpp:995
WebCore::Style::resolveTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change) StyleResolveTree.cpp:955
WebCore::Style::resolveTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change) StyleResolveTree.cpp:955
WebCore::Style::resolveTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change) StyleResolveTree.cpp:955
WebCore::Style::resolveTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change) StyleResolveTree.cpp:955
WebCore::Style::resolveTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change) PassRefPtr.h:58
WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) StyleResolveTree.cpp:222
WebCore::RenderElement::addChild(WebCore::RenderObject*, WebCore::RenderObject*) RenderObject.h:953
WebCore::RenderElement::insertChildInternal(WebCore::RenderObject*, WebCore::RenderObject*, WebCore::RenderElement::NotifyChildrenType) RenderObject.h:505
WebCore::RenderBlockFlow::insertedIntoTree() RenderBlockFlow.cpp:138
WebCore::RenderMultiColumnFlowThread::flowThreadDescendantInserted(WebCore::RenderObject*) RenderMultiColumnFlowThread.cpp:401
WebCore::RenderMultiColumnFlowThread::processPossibleSpannerDescendant(WebCore::RenderObject*&, WebCore::RenderObject*) RenderMultiColumnFlowThread.cpp:307
WebCore::RenderMultiColumnSpannerPlaceholder::createAnonymous(WebCore::RenderMultiColumnFlowThread*, WebCore::RenderBox*, WebCore::RenderStyle*) Ref.h:51
malloc
malloc_zone_malloc
Comment 1 Andreas Kling 2015-01-26 13:32:31 PST
Created attachment 245370 [details]
Patch
Comment 2 Andreas Kling 2015-01-26 13:39:38 PST
Comment on attachment 245370 [details]
Patch

Dave tells me this leak is intentional to avoid a use-after-free. This would be fixed by ref-counting RenderObjects.
Comment 3 zalan 2015-07-29 08:16:20 PDT
Use-after-free happens when we've got nested columns with a spanner descendant (and we move the spanner placeholder from one flow to the other).
- the RenderMultiColumnSpannerPlaceholder object we are inserting here is the same one that we are detaching from the tree in RenderMultiColumnFlowThread::flowThreadDescendantInserted().

* thread #1: tid = 0x56ece9, 0x000000010f22546b WebCore`WebCore::RenderMultiColumnFlowThread::flowThreadDescendantInserted(this=0x000000011a29d8e0, descendant=0x000000011a311e60) + 299 at RenderMultiColumnFlowThread.cpp:379
  * frame #0: 0x000000010f22546b WebCore`WebCore::RenderMultiColumnFlowThread::flowThreadDescendantInserted(this=0x000000011a29d8e0, descendant=0x000000011a311e60) + 299 at RenderMultiColumnFlowThread.cpp:379
    frame #1: 0x000000010f24fbbf WebCore`WebCore::RenderObject::insertedIntoTree(this=0x000000011a311e60) + 143 at RenderObject.cpp:1928
    frame #2: 0x000000010f10f996 WebCore`WebCore::RenderElement::insertedIntoTree(this=0x000000011a311e60) + 326 at RenderElement.cpp:1038
    frame #3: 0x000000010f10da93 WebCore`WebCore::RenderElement::insertChildInternal(this=0x000000011a29d8e0, newChild=0x000000011a311e60, beforeChild=0x0000000000000000, notifyChildren=NotifyChildren) + 787 at RenderElement.cpp:578
    frame #4: 0x000000010f10d6e6 WebCore`WebCore::RenderElement::addChild(this=0x000000011a29d8e0, newChild=0x000000011a311e60, beforeChild=0x0000000000000000) + 598 at RenderElement.cpp:502
    frame #5: 0x000000010f0477e0 WebCore`WebCore::RenderBlock::addChildIgnoringContinuation(this=0x000000011a29d8e0, newChild=0x000000011a311e60, beforeChild=0x0000000000000000) + 1312 at RenderBlock.cpp:492
    frame #6: 0x000000010f0472b8 WebCore`WebCore::RenderBlock::addChild(this=0x000000011a29d8e0, newChild=0x000000011a311e60, beforeChild=0x0000000000000000) + 120 at RenderBlock.cpp:407
    frame #7: 0x000000010f09118e WebCore`WebCore::RenderBlockFlow::addChild(this=0x000000011a29d8e0, newChild=0x000000011a311e60, beforeChild=0x0000000000000000) + 174 at RenderBlockFlow.cpp:3764
    frame #8: 0x000000010f0ec67a WebCore`WebCore::RenderBoxModelObject::moveChildTo(this=0x000000011a362c38, toBoxModelObject=0x000000011a29d8e0, child=0x000000011a311e60, beforeChild=0x0000000000000000, fullRemoveInsert=true) + 410 at RenderBoxModelObject.cpp:2551
    frame #9: 0x000000010f0ec8c1 WebCore`WebCore::RenderBoxModelObject::moveChildrenTo(this=0x000000011a362c38, toBoxModelObject=0x000000011a29d8e0, startChild=0x000000011a311e60, endChild=0x000000011a29d8e0, beforeChild=0x0000000000000000, fullRemoveInsert=true) + 481 at RenderBoxModelObject.cpp:2590
    frame #10: 0x000000010f05ba61 WebCore`WebCore::RenderBoxModelObject::moveChildrenTo(this=0x000000011a362c38, toBoxModelObject=0x000000011a29d8e0, startChild=0x000000011a311e60, endChild=0x000000011a29d8e0, fullRemoveInsert=true) + 65 at RenderBoxModelObject.h:296
    frame #11: 0x000000010f2247f4 WebCore`WebCore::RenderMultiColumnFlowThread::populate(this=0x000000011a29d8e0) + 180 at RenderMultiColumnFlowThread.cpp:153
    frame #12: 0x000000010f077710 WebCore`WebCore::RenderBlockFlow::createMultiColumnFlowThread(this=0x000000011a362c38) + 192 at RenderBlockFlow.cpp:128
    frame #13: 0x000000010f07c68b WebCore`WebCore::RenderBlockFlow::setComputedColumnCountAndWidth(this=0x000000011a362c38, count=1, width=LayoutUnit at 0x00007fff57848388) + 123 at RenderBlockFlow.cpp:3827
    frame #14: 0x000000010f07c5fb WebCore`WebCore::RenderBlockFlow::computeColumnCountAndWidth(this=0x000000011a362c38) + 1995 at RenderBlockFlow.cpp:426
    frame #15: 0x000000010f07bd8d WebCore`WebCore::RenderBlockFlow::recomputeLogicalWidthAndColumnWidth(this=0x000000011a362c38) + 61 at RenderBlockFlow.cpp:386
    frame #16: 0x000000010f07c80b WebCore`WebCore::RenderBlockFlow::layoutBlock(this=0x000000011a362c38, relayoutChildren=false, pageLogicalHeight=LayoutUnit at 0x00007fff578489e8) + 235 at RenderBlockFlow.cpp:438
    frame #17: 0x000000010f049839 WebCore`WebCore::RenderBlock::layout(this=0x000000011a362c38) + 105 at RenderBlock.cpp:926
    frame #18: 0x000000010f08037c WebCore`WebCore::RenderBlockFlow::layoutBlockChild(this=0x000000011a29d6a8, child=0x000000011a362c38, marginInfo=0x00007fff57848e48, previousFloatLogicalBottom=0x00007fff57848e28, maxFloatLogicalBottom=0x00007fff57849110) + 1276 at RenderBlockFlow.cpp:709
    frame #19: 0x000000010f07dd76 WebCore`WebCore::RenderBlockFlow::layoutBlockChildren(this=0x000000011a29d6a8, relayoutChildren=false, maxFloatLogicalBottom=0x00007fff57849110) + 598 at RenderBlockFlow.cpp:632
    frame #20: 0x000000010f07cb8e WebCore`WebCore::RenderBlockFlow::layoutBlock(this=0x000000011a29d6a8, relayoutChildren=false, pageLogicalHeight=LayoutUnit at 0x00007fff578491b8) + 1134 at RenderBlockFlow.cpp:485
    frame #21: 0x000000010f049839 WebCore`WebCore::RenderBlock::layout(this=0x000000011a29d6a8) + 105 at RenderBlock.cpp:926
    frame #22: 0x000000010f12db6f WebCore`WebCore::RenderFlowThread::layout(this=0x000000011a29d6a8) + 303 at RenderFlowThread.cpp:202
    frame #23: 0x000000010f224628 WebCore`WebCore::RenderMultiColumnFlowThread::layout(this=0x000000011a29d6a8) + 200 at RenderMultiColumnFlowThread.cpp:126
    frame #24: 0x000000010f09109c WebCore`WebCore::RenderBlockFlow::layoutSpecialExcludedChild(this=0x000000011a362e60, relayoutChildren=true) + 284 at RenderBlockFlow.cpp:3739
    frame #25: 0x000000010f07dc35 WebCore`WebCore::RenderBlockFlow::layoutBlockChildren(this=0x000000011a362e60, relayoutChildren=true, maxFloatLogicalBottom=0x00007fff578496e0) + 277 at RenderBlockFlow.cpp:604
    frame #26: 0x000000010f07cb8e WebCore`WebCore::RenderBlockFlow::layoutBlock(this=0x000000011a362e60, relayoutChildren=true, pageLogicalHeight=LayoutUnit at 0x00007fff57849788) + 1134 at RenderBlockFlow.cpp:485
    frame #27: 0x000000010f049839 WebCore`WebCore::RenderBlock::layout(this=0x000000011a362e60) + 105 at RenderBlock.cpp:926
    frame #28: 0x000000010f08037c WebCore`WebCore::RenderBlockFlow::layoutBlockChild(this=0x000000011bafb7e0, child=0x000000011a362e60, marginInfo=0x00007fff57849be8, previousFloatLogicalBottom=0x00007fff57849bc8, maxFloatLogicalBottom=0x00007fff57849eb0) + 1276 at RenderBlockFlow.cpp:709
    frame #29: 0x000000010f07dd76 WebCore`WebCore::RenderBlockFlow::layoutBlockChildren(this=0x000000011bafb7e0, relayoutChildren=true, maxFloatLogicalBottom=0x00007fff57849eb0) + 598 at RenderBlockFlow.cpp:632
    frame #30: 0x000000010f07cb8e WebCore`WebCore::RenderBlockFlow::layoutBlock(this=0x000000011bafb7e0, relayoutChildren=true, pageLogicalHeight=LayoutUnit at 0x00007fff57849f58) + 1134 at RenderBlockFlow.cpp:485
    frame #31: 0x000000010f049839 WebCore`WebCore::RenderBlock::layout(this=0x000000011bafb7e0) + 105 at RenderBlock.cpp:926
    frame #32: 0x000000010f37215d WebCore`WebCore::RenderView::layoutContent(this=0x000000011bafb7e0, state=0x000000011a37de00) + 93 at RenderView.cpp:255
    frame #33: 0x000000010f372fba WebCore`WebCore::RenderView::layout(this=0x000000011bafb7e0) + 1866 at RenderView.cpp:380
    frame #34: 0x000000010e1ce942 WebCore`WebCore::FrameView::layout(this=0x000000011a0bea40, allowSubtree=true) + 3874 at FrameView.cpp:1372
    frame #35: 0x000000010de141c4 WebCore`WebCore::Document::implicitClose(this=0x000000011a0b6500) + 1284 at Document.cpp:2654
    frame #36: 0x000000010e196e9b WebCore`WebCore::FrameLoader::checkCallImplicitClose(this=0x000000011a2f60a0) + 155 at FrameLoader.cpp:890
    frame #37: 0x000000010e196b6e WebCore`WebCore::FrameLoader::checkCompleted(this=0x000000011a2f60a0) + 270 at FrameLoader.cpp:836
    frame #38: 0x000000010e195682 WebCore`WebCore::FrameLoader::finishedParsing(this=0x000000011a2f60a0) + 178 at FrameLoader.cpp:756
    frame #39: 0x000000010de21af3 WebCore`WebCore::Document::finishedParsing(this=0x000000011a0b6500) + 483 at Document.cpp:4851
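The ownership hazard described in comments 2 and 3, as an added C++ model that is not WebKit's code: the FlowThread, spanner map and Placeholder here are constructed stand-ins, and insertRaw/insertRef/movePlaceholder are hypothetical names. It contrasts raw ownership, where the detach performed during insertion frees the very object being inserted, with the ref-counting that comment 2 names as the real fix; the intentional leak the bug was closed with sidesteps the first case by never freeing the placeholder at all.

```cpp
#include <map>
#include <memory>
#include <vector>
// Constructed model of the ownership problem, not WebKit code: a spanner
// placeholder is owned by its flow thread's spanner map, and moving it into a
// nested flow thread is a remove followed by an insert.
struct Spanner { int id; };
struct Placeholder { const Spanner* spanner; };

struct FlowThread {
    std::map<const Spanner*, std::shared_ptr<Placeholder>> spannerMap; // owning
    std::vector<Placeholder*> children;                                // non-owning

    // Hook modelled on flowThreadDescendantInserted(): a placeholder already
    // registered for this spanner is detached before the new one is linked in.
    // With raw ownership that detach frees the very object being inserted.
    void insertRaw(Placeholder* p, FlowThread& from) {
        from.spannerMap.erase(p->spanner); // last owner gone: p now dangles
        children.push_back(p);             // every later use is a use-after-free
    }

    // Same hook, but the caller hands over a reference it holds itself, so
    // erasing the old registration drops one of two references, not the last.
    void insertRef(std::shared_ptr<Placeholder> p, FlowThread& from) {
        from.spannerMap.erase(p->spanner); // object survives: p still owns it
        children.push_back(p.get());
        spannerMap[p->spanner] = std::move(p);
    }
};

// Builds an outer and an inner flow thread, moves the placeholder between them
// and reports whether it was still alive once the insert finished. A weak_ptr
// observer checks lifetime without touching a possibly freed object.
bool movePlaceholder(bool holdRef) {
    Spanner spanner{1};
    FlowThread outer, inner;
    auto ph = std::make_shared<Placeholder>(Placeholder{&spanner});
    std::weak_ptr<Placeholder> observer = ph;
    Placeholder* raw = ph.get();              // RenderObject*-style pointer
    outer.spannerMap[&spanner] = ph;
    outer.children.push_back(raw);
    ph.reset();                               // the outer tree is the sole owner
    outer.children.pop_back();                // unlink from the old parent
    if (holdRef)
        inner.insertRef(outer.spannerMap[&spanner], outer); // mover keeps a Ref
    else
        inner.insertRaw(raw, outer);
    return !observer.expired(); // false with raw ownership, true with a Ref
}
```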