Bug 184021 - RESOLVED DUPLICATE of bug 184268
CachedResource has to remove itself from the m_documentResources hash map before its m_handleCount is decremented
https://bugs.webkit.org/show_bug.cgi?id=184021
Said Abou-Hallawa
Reported 2018-03-26 13:26:43 PDT
Repro steps:
1. Open the url http://50.242.117.146/img/video.mjpeg which is a motion jpeg image.

Result:
In the release build, the image is not showing new frames. In the debug build, the following assertion fires. Notice that the destructor CachedResource::~CachedResource() is called from itself another time. The reason for that is the first CachedResource::unregisterHandle() sets m_handleCount to zero. When CachedResourceLoader::removeCachedResource() calls m_documentResources.get(...) in the ASSERT statement, the temporary CachedResourceHandle will increment m_handleCount so its value = 1. But the destructor of the temporary CachedResourceHandle calls the second CachedResource::unregisterHandle() which decrements m_handleCount again to 0 and causes the CachedResource::~CachedResource() for the same object to be called another time.

#0 0x00000001151bca94 in ::WTFCrash() at /Volumes/Data/WebKit/OpenSource/Source/WTF/wtf/Assertions.cpp:271
#1 0x0000000107d8504c in WebCore::CachedResource::~CachedResource() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/cache/CachedResource.cpp:169
#2 0x0000000107d91a05 in WebCore::CachedResource::~CachedResource() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/cache/CachedResource.cpp:165
#3 0x0000000107d91a29 in WebCore::CachedResource::~CachedResource() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/cache/CachedResource.cpp:165
#4 0x0000000107d928eb in WebCore::CachedResource::deleteIfPossible() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/cache/CachedResource.cpp:607
#5 0x0000000107d94456 in WebCore::CachedResource::unregisterHandle(WebCore::CachedResourceHandleBase*) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/cache/CachedResource.cpp:786
#6 0x0000000107d94aad in WebCore::CachedResourceHandleBase::~CachedResourceHandleBase() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/cache/CachedResourceHandle.cpp:55
#7 0x0000000107648305 in WebCore::CachedResourceHandle<WebCore::CachedResource>::~CachedResourceHandle() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/cache/CachedResourceHandle.h:61
#8 0x0000000107645605 in WebCore::CachedResourceHandle<WebCore::CachedResource>::~CachedResourceHandle() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/cache/CachedResourceHandle.h:61
#9 0x0000000107d9191b in WebCore::CachedResourceLoader::removeCachedResource(WebCore::CachedResource&) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/cache/CachedResourceLoader.cpp:1261
#10 0x0000000107d85169 in WebCore::CachedResource::~CachedResource() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/cache/CachedResource.cpp:178
#11 0x0000000107d89057 in WebCore::CachedImage::~CachedImage() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/cache/CachedImage.cpp:85
#12 0x0000000107d89265 in WebCore::CachedImage::~CachedImage() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/cache/CachedImage.cpp:83
#13 0x0000000107d89289 in WebCore::CachedImage::~CachedImage() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/cache/CachedImage.cpp:83
#14 0x0000000107d928eb in WebCore::CachedResource::deleteIfPossible() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/cache/CachedResource.cpp:607
#15 0x0000000107d94456 in WebCore::CachedResource::unregisterHandle(WebCore::CachedResourceHandleBase*) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/cache/CachedResource.cpp:786
#16 0x0000000107d94b27 in WebCore::CachedResourceHandleBase::setResource(WebCore::CachedResource*) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/cache/CachedResourceHandle.cpp:63
#17 0x00000001076465a7 in WebCore::CachedResourceHandle<WebCore::CachedResource>::operator=(WebCore::CachedResource*) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/cache/CachedResourceHandle.h:72
#18 0x0000000107cea36e in WTF::HashTableAddResult<WTF::HashTableIterator<WTF::String, WTF::KeyValuePair<WTF::String, WebCore::CachedResourceHandle<WebCore::CachedResource> >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::String, WebCore::CachedResourceHandle<WebCore::CachedResource> > >, WTF::StringHash, WTF::HashMap<WTF::String, WebCore::CachedResourceHandle<WebCore::CachedResource>, WTF::StringHash, WTF::HashTraits<WTF::String>, WTF::HashTraits<WebCore::CachedResourceHandle<WebCore::CachedResource> > >::KeyValuePairTraits, WTF::HashTraits<WTF::String> > > WTF::HashMap<WTF::String, WebCore::CachedResourceHandle<WebCore::CachedResource>, WTF::StringHash, WTF::HashTraits<WTF::String>, WTF::HashTraits<WebCore::CachedResourceHandle<WebCore::CachedResource> > >::inlineSet<WTF::String const&, WebCore::CachedImage*>(WTF::String const&&&, WebCore::CachedImage*&&) at /volumes/Data/WebKit/OpenSource/WebKitBuild/Debug/usr/local/include/wtf/HashMap.h:337
#19 0x0000000107ce0534 in WTF::HashTableAddResult<WTF::HashTableIterator<WTF::String, WTF::KeyValuePair<WTF::String, WebCore::CachedResourceHandle<WebCore::CachedResource> >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::String, WebCore::CachedResourceHandle<WebCore::CachedResource> > >, WTF::StringHash, WTF::HashMap<WTF::String, WebCore::CachedResourceHandle<WebCore::CachedResource>, WTF::StringHash, WTF::HashTraits<WTF::String>, WTF::HashTraits<WebCore::CachedResourceHandle<WebCore::CachedResource> > >::KeyValuePairTraits, WTF::HashTraits<WTF::String> > > WTF::HashMap<WTF::String, WebCore::CachedResourceHandle<WebCore::CachedResource>, WTF::StringHash, WTF::HashTraits<WTF::String>, WTF::HashTraits<WebCore::CachedResourceHandle<WebCore::CachedResource> > >::set<WebCore::CachedImage*>(WTF::String const&, WebCore::CachedImage*&&) at /volumes/Data/WebKit/OpenSource/WebKitBuild/Debug/usr/local/include/wtf/HashMap.h:360
#20 0x0000000107cdff4f in WebCore::ImageLoader::updateFromElement() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/ImageLoader.cpp:192
#21 0x0000000107ce09d2 in WebCore::ImageLoader::updateFromElementIgnoringPreviousError() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/ImageLoader.cpp:270
#22 0x00000001078be5f5 in WebCore::HTMLImageElement::selectImageSource() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/html/HTMLImageElement.cpp:201
#23 0x00000001078be787 in WebCore::HTMLImageElement::parseAttribute(WebCore::QualifiedName const&, WTF::AtomicString const&) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/html/HTMLImageElement.cpp:210
#24 0x000000010759dd27 in WebCore::Element::attributeChanged(WebCore::QualifiedName const&, WTF::AtomicString const&, WTF::AtomicString const&, WebCore::Element::AttributeModificationReason) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/dom/Element.cpp:1380
#25 0x00000001076b25bf in WebCore::StyledElement::attributeChanged(WebCore::QualifiedName const&, WTF::AtomicString const&, WTF::AtomicString const&, WebCore::Element::AttributeModificationReason) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/dom/StyledElement.cpp:94
#26 0x00000001075a45df in WebCore::Element::didAddAttribute(WebCore::QualifiedName const&, WTF::AtomicString const&) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/dom/Element.cpp:3394
#27 0x00000001075a4523 in WebCore::Element::addAttributeInternal(WebCore::QualifiedName const&, WTF::AtomicString const&, WebCore::Element::SynchronizationOfLazyAttribute) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/dom/Element.cpp:2389
#28 0x000000010759d771 in WebCore::Element::setAttributeInternal(unsigned int, WebCore::QualifiedName const&, WTF::AtomicString const&, WebCore::Element::SynchronizationOfLazyAttribute) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/dom/Element.cpp:1317
#29 0x000000010759d915 in WebCore::Element::setAttributeWithoutSynchronization(WebCore::QualifiedName const&, WTF::AtomicString const&) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/dom/Element.cpp:1299
#30 0x00000001078c04e9 in WebCore::HTMLImageElement::setSrc(WTF::String const&) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/html/HTMLImageElement.cpp:509
#31 0x00000001079c3b76 in WebCore::ImageDocument::createDocumentStructure() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/html/ImageDocument.cpp:239
#32 0x00000001079c37af in WebCore::ImageDocument::updateDuringParsing() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/html/ImageDocument.cpp:139
#33 0x00000001079c41d9 in WebCore::ImageDocumentParser::appendBytes(WebCore::DocumentWriter&, char const*, unsigned long) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/html/ImageDocument.cpp:189
#34 0x0000000107ca3819 in WebCore::DocumentWriter::addData(char const*, unsigned long) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/DocumentWriter.cpp:254
#35 0x0000000107c6701b in WebCore::DocumentLoader::commitData(char const*, unsigned long) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/DocumentLoader.cpp:1055
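
Added example, not part of the original report and not WebKit code: a minimal C++ model of the re-entrancy described above, where a lookup made during teardown creates a temporary handle on an object whose handle count has already reached zero. All names (Resource, TempHandle, replaceEntry) are hypothetical, and the detach-first branch models the ordering named in the bug title, not the attached patch.

```cpp
// Added model of the re-entrancy in this report; hypothetical names, not WebKit code.
#include <cstdio>
#include <map>
#include <string>

struct Resource;
using ResourceMap = std::map<std::string, Resource*>; // stands in for m_documentResources

struct Resource {
    std::string url;
    ResourceMap* owner = nullptr;
    int handleCount = 0;   // stands in for m_handleCount
    int teardownRuns = 0;  // entries into the modelled destructor
    void ref() { ++handleCount; }
    void deref() { if (--handleCount == 0) teardown(); }
    void teardown();
};

struct TempHandle { // by-value handle, like the temporary a map lookup returns
    Resource* res;
    explicit TempHandle(Resource* r) : res(r) { if (res) res->ref(); }
    ~TempHandle() { if (res) res->deref(); }
};

void Resource::teardown() {
    if (++teardownRuns > 1)
        return; // re-entered: the second destructor call in the report
    auto it = owner->find(url);
    TempHandle probe(it == owner->end() ? nullptr : it->second); // lookup during teardown
}

// Replaces the map entry for one URL; returns how often the old resource was torn down.
int replaceEntry(bool detachBeforeDecrement) {
    ResourceMap map;
    Resource oldRes, newRes;
    oldRes.url = newRes.url = "u"; // constructed key
    oldRes.owner = newRes.owner = &map;
    map["u"] = &oldRes; oldRes.ref(); // the entry holds the only handle on oldRes
    newRes.ref();                     // handle the entry takes over
    if (detachBeforeDecrement) {
        map["u"] = &newRes;           // entry no longer reaches oldRes
        oldRes.deref();
    } else {
        oldRes.deref();               // count hits 0 while the entry still names oldRes
        map["u"] = &newRes;
    }
    return oldRes.teardownRuns;
}
int main() { std::printf("%d %d\n", replaceEntry(false), replaceEntry(true)); }
```

With the ordering from the report the old resource's teardown is entered twice; with the entry detached before the decrement it is entered once.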
Attachments
Patch (2.61 KB, patch)
2018-03-26 13:37 PDT, Said Abou-Hallawa
ews-watchlist: commit-queue-
Archive of layout-test-results from ews206 for win-future (12.15 MB, application/zip)
2018-03-26 17:40 PDT, EWS Watchlist
no flags
Said Abou-Hallawa
Comment 1 2018-03-26 13:37:13 PDT
Said Abou-Hallawa
Comment 2 2018-03-26 13:42:28 PDT
EWS Watchlist
Comment 3 2018-03-26 17:40:24 PDT
Comment on attachment 336538
Patch

Attachment 336538 did not pass win-ews (win):
Output: http://webkit-queues.webkit.org/results/7107889

New failing tests:
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-audio.html
EWS Watchlist
Comment 4 2018-03-26 17:40:35 PDT
Created attachment 336559
Archive of layout-test-results from ews206 for win-future

The attached test failures were seen while running run-webkit-tests on the win-ews.
Bot: ews206
Port: win-future
Platform: CYGWIN_NT-6.1-2.9.0-0.318-5-3-x86_64-64bit
Said Abou-Hallawa
Comment 5 2018-04-27 16:24:40 PDT
The assertion was removed in <https://trac.webkit.org/changeset/230489>.
Said Abou-Hallawa
Comment 6 2018-04-27 18:48:37 PDT
This does not happen anymore after <https://trac.webkit.org/changeset/230489>.

*** This bug has been marked as a duplicate of bug 184268 ***
Daniel Bates
Comment 7 2018-04-27 19:23:47 PDT
Comment on attachment 336538
Patch

Clearing review flag.