Bug 144401 - Use-after-free when invalidating WKPageForceRepaint callback
Summary: Use-after-free when invalidating WKPageForceRepaint callback
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Tools / Tests
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Alexey Proskuryakov
URL:
Keywords: InRadar
Depends on:
Blocks:
Reported: 2015-04-29 11:18 PDT by Alexey Proskuryakov
Modified: 2015-04-29 12:56 PDT

See Also:


Attachments
proposed fix (2.31 KB, patch)
2015-04-29 11:20 PDT, Alexey Proskuryakov
no flags

Description Alexey Proskuryakov 2015-04-29 11:18:28 PDT
This happens on bots frequently:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   WebKitTestRunner              	0x0000000102be0e14 0x102bd4000 + 52756
1   com.apple.WebKit              	0x0000000103654023 std::__1::__function::__func<WKPageForceRepaint::$_1, std::__1::allocator<WKPageForceRepaint::$_1>, void (WebKit::CallbackBase::Error)>::operator()(WebKit::CallbackBase::Error&&) + 53
2   com.apple.WebKit              	0x00000001035db54c WebKit::GenericCallback<>::invalidate(WebKit::CallbackBase::Error) + 40
3   com.apple.WebKit              	0x0000000103513ea1 void WebKit::invalidateCallbackMap<WTF::RefPtr<WebKit::CallbackBase> >(WTF::HashMap<unsigned long long, WTF::RefPtr<WebKit::CallbackBase>, WTF::IntHash<unsigned long long>, WTF::HashTraits<unsigned long long>, WTF::HashTraits<WTF::RefPtr<WebKit::CallbackBase> > >&, WebKit::CallbackBase::Error) + 231
4   com.apple.WebKit              	0x00000001035cd457 WebKit::WebPageProxy::resetState(WebKit::WebPageProxy::ResetStateReason) + 517
5   com.apple.WebKit              	0x0000000103414c0e WebKit::WebPageProxy::close() + 118
6   com.apple.WebKit              	0x0000000103415d4b -[WKView dealloc] + 106
7   libobjc.A.dylib               	0x00007fff8c41dc64 (anonymous namespace)::AutoreleasePoolPage::pop(void*) + 476
8   com.apple.CoreFoundation      	0x00007fff981bbf22 _CFAutoreleasePoolPop + 50
9   com.apple.Foundation          	0x00007fff8b30e352 -[NSAutoreleasePool drain] + 153
10  WebKitTestRunner              	0x0000000102bd8234 0x102bd4000 + 16948
11  libdyld.dylib                 	0x00007fff988535ad start + 1

rdar://problem/20741111
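The trace reads bottom-up as a teardown sequence: -[WKView dealloc] closes the WebPageProxy, resetState() invalidates every pending callback with an error, the WKPageForceRepaint lambda forwards that error to the WebKitTestRunner callback, and that callback crashes because the opaque context it was registered with no longer points at a live object. The following C++ model is an added illustration of that lifetime hazard, not WebKit or WebKitTestRunner code: CallbackMap, Page, TestInvocation, the two handlers and the scenario functions are invented stand-ins. The "hardened" handler treats an error delivery as a signal that the owner of the context may already be gone; that is one assumed mitigation for demonstration purposes, not a statement of what the attached patch or r183572 actually changed, which this page does not show.

```cpp
#include <cstdint>
#include <functional>
#include <memory>
#include <set>
#include <unordered_map>
#include <utility>

// Hypothetical stand-in for WebKit::CallbackBase::Error.
enum class CallbackError { None, OwnerWasInvalidated };

// Hypothetical stand-in for the per-page callback map: a pending callback is
// either completed once, or invalidated once with an error when the page
// resets (cf. invalidateCallbackMap in the trace).
class CallbackMap {
public:
    uint64_t add(std::function<void(CallbackError)> callback) {
        uint64_t id = m_nextID++;
        m_map.emplace(id, std::move(callback));
        return id;
    }
    void complete(uint64_t id) {
        auto it = m_map.find(id);
        if (it == m_map.end())
            return;
        auto callback = std::move(it->second);
        m_map.erase(it);                    // erase before calling: the callback may re-enter
        callback(CallbackError::None);
    }
    void invalidateAll(CallbackError error) {
        auto pending = std::move(m_map);    // detach first so re-entrant adds are not visited
        m_map.clear();
        for (auto& entry : pending)
            entry.second(error);
    }
private:
    uint64_t m_nextID = 1;
    std::unordered_map<uint64_t, std::function<void(CallbackError)>> m_map;
};

// Liveness registry used only so the demo can *detect* a dead context instead
// of dereferencing it (the real dereference is the use-after-free in the trace).
static std::set<const void*> g_liveContexts;
static int g_deadContextHits = 0;

// Stand-in for the test-runner object whose address is the opaque context
// handed to the force-repaint call.
struct TestInvocation {
    TestInvocation() { g_liveContexts.insert(this); }
    ~TestInvocation() { g_liveContexts.erase(this); }
    bool repaintDone = false;
};

// C-API shape: (error, opaque client context).
using RepaintCallback = void (*)(CallbackError, void* context);

// Stand-in for the page proxy as driven by the view: closing the page
// invalidates every pending callback, which calls back into the client.
struct Page {
    CallbackMap callbacks;
    uint64_t forceRepaint(void* context, RepaintCallback fn) {
        return callbacks.add([context, fn](CallbackError error) { fn(error, context); });
    }
    ~Page() { callbacks.invalidateAll(CallbackError::OwnerWasInvalidated); }
};

// Unsafe client handler: treats the context as valid on every path, including
// the invalidation path taken from the page destructor.
static void unsafeRepaintDone(CallbackError, void* context) {
    if (!g_liveContexts.count(context)) { ++g_deadContextHits; return; } // real code: UAF here
    static_cast<TestInvocation*>(context)->repaintDone = true;
}

// Hardened client handler (assumed mitigation): an error means the page is
// being torn down and the context's owner may be gone, so never touch it.
static void hardenedRepaintDone(CallbackError error, void* context) {
    if (error != CallbackError::None)
        return;
    if (!g_liveContexts.count(context)) { ++g_deadContextHits; return; }
    static_cast<TestInvocation*>(context)->repaintDone = true;
}

// Reproduces the ordering behind the crash: the invocation dies while its
// repaint is still pending, then the page closes. Returns how many times the
// handler was handed a dead context.
static int runTeardownScenario(RepaintCallback handler) {
    g_deadContextHits = 0;
    auto page = std::make_unique<Page>();
    {
        TestInvocation invocation;
        page->forceRepaint(&invocation, handler);  // repaint never completes
    }                                              // invocation destroyed, callback still pending
    page.reset();                                  // ~Page -> invalidateAll -> handler(error, dead ctx)
    return g_deadContextHits;
}

// Normal completion while the invocation is alive: both handlers must still work.
static bool runSuccessScenario(RepaintCallback handler) {
    Page page;
    TestInvocation invocation;
    uint64_t id = page.forceRepaint(&invocation, handler);
    page.callbacks.complete(id);
    return invocation.repaintDone;
}
```

The point the model makes is about contracts, not about one handler: an API that promises to invoke every pending callback exactly once, including with an error at teardown, obliges the client either to keep the context alive until that final delivery or to treat the error path as one on which the context may not be dereferenced. Detaching the map before iterating in invalidateAll is the other half of the same discipline, since a callback that re-registers during invalidation would otherwise be visited while the map is being walked.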
Comment 1 Alexey Proskuryakov 2015-04-29 11:20:45 PDT
Created attachment 251971
proposed fix
Comment 2 WebKit Commit Bot 2015-04-29 12:56:49 PDT
Comment on attachment 251971
proposed fix

Clearing flags on attachment: 251971

Committed r183572: <http://trac.webkit.org/changeset/183572>
Comment 3 WebKit Commit Bot 2015-04-29 12:56:54 PDT
All reviewed patches have been landed.  Closing bug.