144401 – Use-after-free when invalidating WKPageForceRepaint callback

RESOLVED FIXED 144401

Use-after-free when invalidating WKPageForceRepaint callback

https://bugs.webkit.org/show_bug.cgi?id=144401

Summary Use-after-free when invalidating WKPageForceRepaint callback

Alexey Proskuryakov

Reported 2015-04-29 11:18:28 PDT

This happens on bots frequently: Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 WebKitTestRunner 0x0000000102be0e14 0x102bd4000 + 52756 1 com.apple.WebKit 0x0000000103654023 std::__1::__function::__func<WKPageForceRepaint::$_1, std::__1::allocator<WKPageForceRepaint::$_1>, void (WebKit::CallbackBase::Error)>::operator()(WebKit::CallbackBase::Error&&) + 53 2 com.apple.WebKit 0x00000001035db54c WebKit::GenericCallback<>::invalidate(WebKit::CallbackBase::Error) + 40 3 com.apple.WebKit 0x0000000103513ea1 void WebKit::invalidateCallbackMap<WTF::RefPtr<WebKit::CallbackBase> >(WTF::HashMap<unsigned long long, WTF::RefPtr<WebKit::CallbackBase>, WTF::IntHash<unsigned long long>, WTF::HashTraits<unsigned long long>, WTF::HashTraits<WTF::RefPtr<WebKit::CallbackBase> > >&, WebKit::CallbackBase::Error) + 231 4 com.apple.WebKit 0x00000001035cd457 WebKit::WebPageProxy::resetState(WebKit::WebPageProxy::ResetStateReason) + 517 5 com.apple.WebKit 0x0000000103414c0e WebKit::WebPageProxy::close() + 118 6 com.apple.WebKit 0x0000000103415d4b -[WKView dealloc] + 106 7 libobjc.A.dylib 0x00007fff8c41dc64 (anonymous namespace)::AutoreleasePoolPage::pop(void*) + 476 8 com.apple.CoreFoundation 0x00007fff981bbf22 _CFAutoreleasePoolPop + 50 9 com.apple.Foundation 0x00007fff8b30e352 -[NSAutoreleasePool drain] + 153 10 WebKitTestRunner 0x0000000102bd8234 0x102bd4000 + 16948 11 libdyld.dylib 0x00007fff988535ad start + 1 rdar://problem/20741111

Attachments
proposed fix (2.31 KB, patch) 2015-04-29 11:20 PDT, Alexey Proskuryakov	no flags	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Alexey Proskuryakov

Comment 1 2015-04-29 11:20:45 PDT

Created attachment 251971 [details] proposed fix

WebKit Commit Bot

Comment 2 2015-04-29 12:56:49 PDT

Comment on attachment 251971 [details] proposed fix Clearing flags on attachment: 251971 Committed r183572: <http://trac.webkit.org/changeset/183572>

WebKit Commit Bot

Comment 3 2015-04-29 12:56:54 PDT

All reviewed patches have been landed. Closing bug.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version 528+ (Nightly build)

Hardware Unspecified

OS Unspecified

Product WebKit

Component Tools / Tests

Assignee

Alexey Proskuryakov

Reported

2015-04-29 11:18 PDT

Modified

2015-04-29 12:56 PDT History

CC List

2 users Show

URL

Keywords InRadar

Depends on

Blocks