Bug 146478 - Crash at WebCore::MemoryCache::remove(WebCore::CachedResource&)
Status: ASSIGNED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Chris Dumez
Reported: 2015-06-30 16:05 PDT by Chris Dumez
Modified: 2015-07-03 09:58 PDT
Description Chris Dumez 2015-06-30 16:05:18 PDT
Flaky crash on webgl/1.0.2/conformance/ogles/GL/floor/floor_001_to_006.html:
Time Awake Since Boot: 820000 seconds

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000004

VM Regions Near 0x4:
--> 
    __TEXT                 000000010d9f8000-000000010da96000 [  632K] r-x/rwx SM=COW  /Volumes/VOLUME/*

Application Specific Information:
CRASHING TEST: webgl/1.0.2/conformance/ogles/GL/floor/floor_001_to_006.html

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x000000010dd8640c WTF::StringImpl::length() const + 12
1   com.apple.JavaScriptCore      	0x000000010e82d8e9 bool WTF::equalCommon<WTF::StringImpl, WTF::StringImpl>(WTF::StringImpl const&, WTF::StringImpl const&) + 25
2   com.apple.JavaScriptCore      	0x000000010e8290dd WTF::equal(WTF::StringImpl const&, WTF::StringImpl const&) + 29
3   com.apple.WebCore             	0x000000011288508d WTF::StringHash::equal(WTF::StringImpl const*, WTF::StringImpl const*) + 29 (StringHash.h:48)
4   com.apple.WebCore             	0x0000000112885062 WTF::StringHash::equal(WTF::String const&, WTF::String const&) + 50 (StringHash.h:68)
5   com.apple.WebCore             	0x0000000112b6e882 WebCore::URLHash::equal(WebCore::URL const&, WebCore::URL const&) + 50 (URLHash.h:43)
6   com.apple.WebCore             	0x0000000113dd091d WTF::PairHash<WebCore::URL, WTF::String>::equal(std::__1::pair<WebCore::URL, WTF::String> const&, std::__1::pair<WebCore::URL, WTF::String> const&) + 29 (HashFunctions.h:163)
7   com.apple.WebCore             	0x0000000113dd08ed bool WTF::IdentityHashTranslator<WTF::PairHash<WebCore::URL, WTF::String> >::equal<std::__1::pair<WebCore::URL, WTF::String>, std::__1::pair<WebCore::URL, WTF::String> >(std::__1::pair<WebCore::URL, WTF::String> const&, std::__1::pair<WebCore::URL, WTF::String> const&) + 29 (HashTable.h:282)
8   com.apple.WebCore             	0x0000000113dd081c WTF::KeyValuePair<std::__1::pair<WebCore::URL, WTF::String>, WebCore::CachedResource*>* WTF::HashTable<std::__1::pair<WebCore::URL, WTF::String>, WTF::KeyValuePair<std::__1::pair<WebCore::URL, WTF::String>, WebCore::CachedResource*>, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<std::__1::pair<WebCore::URL, WTF::String>, WebCore::CachedResource*> >, WTF::PairHash<WebCore::URL, WTF::String>, WTF::HashMap<std::__1::pair<WebCore::URL, WTF::String>, WebCore::CachedResource*, WTF::PairHash<WebCore::URL, WTF::String>, WTF::HashTraits<std::__1::pair<WebCore::URL, WTF::String> >, WTF::HashTraits<WebCore::CachedResource*> >::KeyValuePairTraits, WTF::HashTraits<std::__1::pair<WebCore::URL, WTF::String> > >::lookup<WTF::IdentityHashTranslator<WTF::PairHash<WebCore::URL, WTF::String> >, std::__1::pair<WebCore::URL, WTF::String> >(std::__1::pair<WebCore::URL, WTF::String> const&) + 220 (HashTable.h:624)
9   com.apple.WebCore             	0x0000000113dd06ff WTF::HashTableIterator<std::__1::pair<WebCore::URL, WTF::String>, WTF::KeyValuePair<std::__1::pair<WebCore::URL, WTF::String>, WebCore::CachedResource*>, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<std::__1::pair<WebCore::URL, WTF::String>, WebCore::CachedResource*> >, WTF::PairHash<WebCore::URL, WTF::String>, WTF::HashMap<std::__1::pair<WebCore::URL, WTF::String>, WebCore::CachedResource*, WTF::PairHash<WebCore::URL, WTF::String>, WTF::HashTraits<std::__1::pair<WebCore::URL, WTF::String> >, WTF::HashTraits<WebCore::CachedResource*> >::KeyValuePairTraits, WTF::HashTraits<std::__1::pair<WebCore::URL, WTF::String> > > WTF::HashTable<std::__1::pair<WebCore::URL, WTF::String>, WTF::KeyValuePair<std::__1::pair<WebCore::URL, WTF::String>, WebCore::CachedResource*>, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<std::__1::pair<WebCore::URL, WTF::String>, WebCore::CachedResource*> >, WTF::PairHash<WebCore::URL, WTF::String>, WTF::HashMap<std::__1::pair<WebCore::URL, WTF::String>, WebCore::CachedResource*, WTF::PairHash<WebCore::URL, WTF::String>, WTF::HashTraits<std::__1::pair<WebCore::URL, WTF::String> >, WTF::HashTraits<WebCore::CachedResource*> >::KeyValuePairTraits, WTF::HashTraits<std::__1::pair<WebCore::URL, WTF::String> > >::find<WTF::IdentityHashTranslator<WTF::PairHash<WebCore::URL, WTF::String> >, std::__1::pair<WebCore::URL, WTF::String> >(std::__1::pair<WebCore::URL, WTF::String> const&) + 79 (HashTable.h:939)
10  com.apple.WebCore             	0x0000000113dd06a4 WTF::HashTable<std::__1::pair<WebCore::URL, WTF::String>, WTF::KeyValuePair<std::__1::pair<WebCore::URL, WTF::String>, WebCore::CachedResource*>, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<std::__1::pair<WebCore::URL, WTF::String>, WebCore::CachedResource*> >, WTF::PairHash<WebCore::URL, WTF::String>, WTF::HashMap<std::__1::pair<WebCore::URL, WTF::String>, WebCore::CachedResource*, WTF::PairHash<WebCore::URL, WTF::String>, WTF::HashTraits<std::__1::pair<WebCore::URL, WTF::String> >, WTF::HashTraits<WebCore::CachedResource*> >::KeyValuePairTraits, WTF::HashTraits<std::__1::pair<WebCore::URL, WTF::String> > >::find(std::__1::pair<WebCore::URL, WTF::String> const&) + 36 (HashTable.h:387)
11  com.apple.WebCore             	0x0000000113dd065f WTF::HashMap<std::__1::pair<WebCore::URL, WTF::String>, WebCore::CachedResource*, WTF::PairHash<WebCore::URL, WTF::String>, WTF::HashTraits<std::__1::pair<WebCore::URL, WTF::String> >, WTF::HashTraits<WebCore::CachedResource*> >::find(std::__1::pair<WebCore::URL, WTF::String> const&) + 47 (HashMap.h:242)
12  com.apple.WebCore             	0x0000000113dca988 WTF::HashMap<std::__1::pair<WebCore::URL, WTF::String>, WebCore::CachedResource*, WTF::PairHash<WebCore::URL, WTF::String>, WTF::HashTraits<std::__1::pair<WebCore::URL, WTF::String> >, WTF::HashTraits<WebCore::CachedResource*> >::remove(std::__1::pair<WebCore::URL, WTF::String> const&) + 40 (HashMap.h:377)
13  com.apple.WebCore             	0x0000000113dc544d WebCore::MemoryCache::remove(WebCore::CachedResource&) + 413 (MemoryCache.cpp:435)
14  com.apple.WebCore             	0x0000000113dc6a95 WebCore::MemoryCache::pruneDeadResourcesToSize(unsigned int) + 1221 (MemoryCache.cpp:395)
15  com.apple.WebCore             	0x0000000113dc65ca WebCore::MemoryCache::pruneDeadResources() + 106 (MemoryCache.cpp:338)
16  com.apple.WebCore             	0x0000000113dc6cef WebCore::MemoryCache::prune() + 47 (MemoryCache.cpp:758)
17  com.apple.WebCore             	0x0000000113dc4725 WebCore::MemoryCache::pruneTimerFired() + 21 (MemoryCache.cpp:765)
18  com.apple.WebCore             	0x0000000113dd3db3 std::__1::__function::__func<std::__1::__bind<void (WebCore::MemoryCache::*&)(), WebCore::MemoryCache*>, std::__1::allocator<std::__1::__bind<void (WebCore::MemoryCache::*&)(), WebCore::MemoryCache*> >, void ()>::operator()() + 259 (functional:1370)
19  com.apple.WebCore             	0x0000000112841aca std::__1::function<void ()>::operator()() const + 26 (functional:1756)
20  com.apple.WebCore             	0x0000000112841a7c WebCore::Timer::fired() + 28 (Timer.h:134)
21  com.apple.WebCore             	0x00000001147c5b6e WebCore::ThreadTimers::sharedTimerFiredInternal() + 398 (ThreadTimers.cpp:135)
22  com.apple.WebCore             	0x00000001147c5829 WebCore::ThreadTimers::sharedTimerFired() + 25 (ThreadTimers.cpp:108)
23  com.apple.WebCore             	0x00000001144773b2 WebCore::timerFired(__CFRunLoopTimer*, void*) + 34 (SharedTimerCF.cpp:82)
24  com.apple.CoreFoundation      	0x00007fff961172e4 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
25  com.apple.CoreFoundation      	0x00007fff96116f73 __CFRunLoopDoTimer + 1059
26  com.apple.CoreFoundation      	0x00007fff9618a53d __CFRunLoopDoTimers + 301
27  com.apple.CoreFoundation      	0x00007fff960d2608 __CFRunLoopRun + 2024
28  com.apple.CoreFoundation      	0x00007fff960d1bd8 CFRunLoopRunSpecific + 296
29  DumpRenderTree                	0x000000010da16818 runTest(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) + 6536 (DumpRenderTree.mm:2012)
30  DumpRenderTree                	0x000000010da14e2a runTestingServerLoop() + 330 (DumpRenderTree.mm:1176)
31  DumpRenderTree                	0x000000010da143a0 dumpRenderTree(int, char const**) + 448 (DumpRenderTree.mm:1285)
32  DumpRenderTree                	0x000000010da1710d DumpRenderTreeMain(int, char const**) + 125 (DumpRenderTree.mm:1420)
33  DumpRenderTree                	0x000000010da6c722 main + 34 (DumpRenderTreeMain.mm:30)
34  libdyld.dylib                 	0x00007fff9ab6d5c9 start + 1
Comment 1 Alexey Proskuryakov 2015-07-03 02:09:41 PDT
Is webgl/1.0.2/conformance/ogles/GL/floor/floor_001_to_006.html the culprit, or is it some other test that leaves the cache in a broken state?
Comment 2 Chris Dumez 2015-07-03 09:58:08 PDT
This is a crash when pruning the memory cache; it is likely unrelated to this particular test. It looks like we have a bug in the memory cache implementation.
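
Added triage example (not part of the bug thread and not WebKit tooling): a small parser for the crash report format above that classifies the fault address, skips generic `WTF::`/`std::` frames to find the frame the crash is filed against, and checks whether the work was started by a run-loop timer. The names `triage`, `GENERIC` and `NEAR_NULL_LIMIT`, the 4 KiB cut-off and the namespace skip list are assumptions of this example; the sample is constructed by abridging frames from the report.

```python
import re

# Constructed sample: frames abridged from the report above (template
# arguments shortened to <...>, whitespace normalised); values are the report's.
SAMPLE = """\
Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000004

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore  0x000000010dd8640c WTF::StringImpl::length() const + 12
1   com.apple.WebCore         0x000000011288508d WTF::StringHash::equal(WTF::StringImpl const*, WTF::StringImpl const*) + 29 (StringHash.h:48)
2   com.apple.WebCore         0x0000000113dca988 WTF::HashMap<...>::remove(std::__1::pair<WebCore::URL, WTF::String> const&) + 40 (HashMap.h:377)
3   com.apple.WebCore         0x0000000113dc544d WebCore::MemoryCache::remove(WebCore::CachedResource&) + 413 (MemoryCache.cpp:435)
4   com.apple.WebCore         0x0000000113dc4725 WebCore::MemoryCache::pruneTimerFired() + 21 (MemoryCache.cpp:765)
5   com.apple.CoreFoundation  0x00007fff96116f73 __CFRunLoopDoTimer + 1059
"""

FAULT = re.compile(r"KERN_INVALID_ADDRESS at (0x[0-9a-fA-F]+)")
# index, image, address, symbol, "+ offset", optional "(file:line)"
FRAME = re.compile(
    r"^(\d+)\s+(\S+)\s+0x[0-9a-fA-F]+\s+(.*?) \+ \d+(?: \(([^()]+:\d+)\))?$", re.M)
# Assumption: frames in these namespaces are generic library code, so the
# first frame outside them is the caller to file the crash against.
GENERIC = ("WTF::", "bool WTF::", "std::")
NEAR_NULL_LIMIT = 0x1000  # assumption: one 4 KiB page as the "near NULL" cut-off


def triage(report):
    """Summarise a macOS crash report: fault class, blame frame, trigger."""
    m = FAULT.search(report)
    addr = int(m.group(1), 16) if m else None
    frames = FRAME.findall(report)  # tuples: (index, image, symbol, location)
    blame = next((f for f in frames if not f[2].startswith(GENERIC)), None)
    return {
        "fault_address": addr,
        # A tiny address usually means a field read through a null pointer.
        "near_null": addr is not None and addr < NEAR_NULL_LIMIT,
        "top_frame": frames[0][2] if frames else None,
        "blame_symbol": blame[2] if blame else None,
        "blame_location": (blame[3] or None) if blame else None,
        # Timer frames in the stack mean the work ran from the run loop.
        "timer_driven": any("TimerFired" in f[2] or "DoTimer" in f[2] for f in frames),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On the sample, the blame frame is `WebCore::MemoryCache::remove`, matching the bug title even though frame 0 is `WTF::StringImpl::length()`.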