WebKitTestRunner over-releases UITextField in WTR::PlatformWebView::removeChromeInputField()

This regressed in r162729 for Bug 127448: <https://trac.webkit.org/r162729>

Briefly fixed by r189228 for Bug 189228 before that commit was reverted in r235832 for Bug 189464.

Found by clang static analyzer.

    void PlatformWebView::addChromeInputField()
    {
        UITextField* textField = [[UITextField alloc] initWithFrame:CGRectMake(0, 0, 100, 20)];
        textField.tag = 1;
        [m_window addSubview:textField];
        [textField release];
    }

    void PlatformWebView::removeChromeInputField()
    {
        UITextField* textField = (UITextField*)[m_window viewWithTag:1];
        if (textField) {
            [textField removeFromSuperview];
            makeWebViewFirstResponder();
            [textField release]; // Over-release.
        }
    }

NOTE: This may be the cause of some of the autoreleasePool crashes in WebKitTestRunner that we see occasionally.
<rdar://problem/61927190>
(In reply to David Kilzer (:ddkilzer) from comment #0)
> NOTE: This may be the cause of some of the autoreleasePool crashes in
> WebKitTestRunner that we see occasionally.

The reason I say that is because this line will return an autoreleased object from UIKit under ARC:

    UITextField* textField = (UITextField*)[m_window viewWithTag:1];

And then the -release call over-releases the object. But we won't crash until the autoreleasePool containing the UITextField object is drained, which apparently doesn't happen consistently during test runs.
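The ownership rule behind the bug, as an added Foundation-only model (not WebKit's code and not the landed patch): the window takes its own +1 when the field is added, so the creator's release after alloc is the balancing one, while a lookup such as -viewWithTag: hands back a reference the caller never owned and therefore must not release. InputField, fieldWithTag and the NSMutableArray "window" are stand-ins; the lookup here returns the object directly rather than autoreleased, so an over-release in this model would fault immediately instead of at pool drain as in the report.

```objectivec
// Build without ARC so retain/release is explicit:
//   clang -fno-objc-arc -framework Foundation ownership.m -o ownership && ./ownership
#import <Foundation/Foundation.h>

@interface InputField : NSObject        // stands in for UITextField
@property (nonatomic) NSInteger tag;
@end

@implementation InputField
- (void)dealloc {
    NSLog(@"InputField tag=%ld deallocated", (long)self.tag);
    [super dealloc];
}
@end

static NSMutableArray *window;          // stands in for m_window's subview list

// Mirrors addChromeInputField(): alloc gives us +1, addObject: gives the window
// its own +1, so our release only balances the alloc and the window keeps it alive.
static void addChromeInputField(void) {
    InputField *field = [[InputField alloc] init];   // +1, owned by us
    field.tag = 1;
    [window addObject:field];                        // +1, owned by window
    [field release];                                 // balances our alloc
}

// Stands in for -viewWithTag:; like it, returns a reference the caller does NOT own.
static InputField *fieldWithTag(NSInteger tag) {
    for (InputField *f in window)
        if (f.tag == tag)
            return f;
    return nil;
}

// Mirrors removeChromeInputField() with the over-release gone: this function never
// retained the looked-up reference, so it has nothing to release.
static void removeChromeInputField(void) {
    InputField *field = fieldWithTag(1);
    if (field) {
        [window removeObject:field];   // window drops its +1; nobody else owns it, so it is freed
        // [field release];            // the bug: releasing an object this code never retained
    }
}

int main(void) {
    @autoreleasepool {
        window = [[NSMutableArray alloc] init];
        addChromeInputField();
        removeChromeInputField();      // logs exactly one dealloc, no use-after-free
        [window release];
    }
    return 0;
}
```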
Created attachment 396749: Patch v1
Committed r260250: <https://trac.webkit.org/changeset/260250>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 396749.