[Webkit-unassigned] [Bug 184021] New: CachedResource has to remove itself from the m_documentResources hash map before its m_handleCount is decremented

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Mar 26 13:26:43 PDT 2018 

https://bugs.webkit.org/show_bug.cgi?id=184021

            Bug ID: 184021
           Summary: CachedResource has to remove itself from the
                    m_documentResources hash map before its m_handleCount
                    is decremented
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Images
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: sabouhallawa at apple.com

Repro steps:

1. Open the url http://50.242.117.146/img/video.mjpeg which is a motion jpeg image

Result:
In the release build, the image is not showing new frames.
In the debug build, the following assertion fires. Notice that the destructor CachedResource::~CachedResource() is called from itself another time. The reason for that is the first CachedResource::unregisterHandle() sets m_handleCount to zero. When CachedResourceLoader::removeCachedResource() calls m_documentResources.get(...) in the ASSERT statement, the temporary CachedResourceHandle will increment m_handleCount so its value = 1. But the destructor of the temporary CachedResourceHandle calls the second CachedResource::unregisterHandle() which decrements m_handleCount again to 0 and causes the CachedResource::~CachedResource() for the same object to be called another time.

#0      0x00000001151bca94 in ::WTFCrash() at /Volumes/Data/WebKit/OpenSource/Source/WTF/wtf/Assertions.cpp:271
#1      0x0000000107d8504c in WebCore::CachedResource::~CachedResource() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/cache/CachedResource.cpp:169
#2      0x0000000107d91a05 in WebCore::CachedResource::~CachedResource() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/cache/CachedResource.cpp:165
#3      0x0000000107d91a29 in WebCore::CachedResource::~CachedResource() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/cache/CachedResource.cpp:165
#4      0x0000000107d928eb in WebCore::CachedResource::deleteIfPossible() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/cache/CachedResource.cpp:607
#5      0x0000000107d94456 in WebCore::CachedResource::unregisterHandle(WebCore::CachedResourceHandleBase*) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/cache/CachedResource.cpp:786
#6      0x0000000107d94aad in WebCore::CachedResourceHandleBase::~CachedResourceHandleBase() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/cache/CachedResourceHandle.cpp:55
#7      0x0000000107648305 in WebCore::CachedResourceHandle<WebCore::CachedResource>::~CachedResourceHandle() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/cache/CachedResourceHandle.h:61
#8      0x0000000107645605 in WebCore::CachedResourceHandle<WebCore::CachedResource>::~CachedResourceHandle() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/cache/CachedResourceHandle.h:61
#9      0x0000000107d9191b in WebCore::CachedResourceLoader::removeCachedResource(WebCore::CachedResource&) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/cache/CachedResourceLoader.cpp:1261
#10     0x0000000107d85169 in WebCore::CachedResource::~CachedResource() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/cache/CachedResource.cpp:178
#11     0x0000000107d89057 in WebCore::CachedImage::~CachedImage() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/cache/CachedImage.cpp:85
#12     0x0000000107d89265 in WebCore::CachedImage::~CachedImage() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/cache/CachedImage.cpp:83
#13     0x0000000107d89289 in WebCore::CachedImage::~CachedImage() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/cache/CachedImage.cpp:83
#14     0x0000000107d928eb in WebCore::CachedResource::deleteIfPossible() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/cache/CachedResource.cpp:607
#15     0x0000000107d94456 in WebCore::CachedResource::unregisterHandle(WebCore::CachedResourceHandleBase*) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/cache/CachedResource.cpp:786
#16     0x0000000107d94b27 in WebCore::CachedResourceHandleBase::setResource(WebCore::CachedResource*) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/cache/CachedResourceHandle.cpp:63
#17     0x00000001076465a7 in WebCore::CachedResourceHandle<WebCore::CachedResource>::operator=(WebCore::CachedResource*) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/cache/CachedResourceHandle.h:72
#18     0x0000000107cea36e in WTF::HashTableAddResult<WTF::HashTableIterator<WTF::String, WTF::KeyValuePair<WTF::String, WebCore::CachedResourceHandle<WebCore::CachedResource> >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::String, WebCore::CachedResourceHandle<WebCore::CachedResource> > >, WTF::StringHash, WTF::HashMap<WTF::String, WebCore::CachedResourceHandle<WebCore::CachedResource>, WTF::StringHash, WTF::HashTraits<WTF::String>, WTF::HashTraits<WebCore::CachedResourceHandle<WebCore::CachedResource> > >::KeyValuePairTraits, WTF::HashTraits<WTF::String> > > WTF::HashMap<WTF::String, WebCore::CachedResourceHandle<WebCore::CachedResource>, WTF::StringHash, WTF::HashTraits<WTF::String>, WTF::HashTraits<WebCore::CachedResourceHandle<WebCore::CachedResource> > >::inlineSet<WTF::String const&, WebCore::CachedImage*>(WTF::String const&&&, WebCore::CachedImage*&&) at /volumes/Data/WebKit/OpenSource/WebKitBuild/Debug/usr/local/include/wtf/HashMap.h:337
#19     0x0000000107ce0534 in WTF::HashTableAddResult<WTF::HashTableIterator<WTF::String, WTF::KeyValuePair<WTF::String, WebCore::CachedResourceHandle<WebCore::CachedResource> >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::String, WebCore::CachedResourceHandle<WebCore::CachedResource> > >, WTF::StringHash, WTF::HashMap<WTF::String, WebCore::CachedResourceHandle<WebCore::CachedResource>, WTF::StringHash, WTF::HashTraits<WTF::String>, WTF::HashTraits<WebCore::CachedResourceHandle<WebCore::CachedResource> > >::KeyValuePairTraits, WTF::HashTraits<WTF::String> > > WTF::HashMap<WTF::String, WebCore::CachedResourceHandle<WebCore::CachedResource>, WTF::StringHash, WTF::HashTraits<WTF::String>, WTF::HashTraits<WebCore::CachedResourceHandle<WebCore::CachedResource> > >::set<WebCore::CachedImage*>(WTF::String const&, WebCore::CachedImage*&&) at /volumes/Data/WebKit/OpenSource/WebKitBuild/Debug/usr/local/include/wtf/HashMap.h:360
#20     0x0000000107cdff4f in WebCore::ImageLoader::updateFromElement() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/ImageLoader.cpp:192
#21     0x0000000107ce09d2 in WebCore::ImageLoader::updateFromElementIgnoringPreviousError() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/ImageLoader.cpp:270
#22     0x00000001078be5f5 in WebCore::HTMLImageElement::selectImageSource() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/html/HTMLImageElement.cpp:201
#23     0x00000001078be787 in WebCore::HTMLImageElement::parseAttribute(WebCore::QualifiedName const&, WTF::AtomicString const&) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/html/HTMLImageElement.cpp:210
#24     0x000000010759dd27 in WebCore::Element::attributeChanged(WebCore::QualifiedName const&, WTF::AtomicString const&, WTF::AtomicString const&, WebCore::Element::AttributeModificationReason) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/dom/Element.cpp:1380
#25     0x00000001076b25bf in WebCore::StyledElement::attributeChanged(WebCore::QualifiedName const&, WTF::AtomicString const&, WTF::AtomicString const&, WebCore::Element::AttributeModificationReason) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/dom/StyledElement.cpp:94
#26     0x00000001075a45df in WebCore::Element::didAddAttribute(WebCore::QualifiedName const&, WTF::AtomicString const&) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/dom/Element.cpp:3394
#27     0x00000001075a4523 in WebCore::Element::addAttributeInternal(WebCore::QualifiedName const&, WTF::AtomicString const&, WebCore::Element::SynchronizationOfLazyAttribute) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/dom/Element.cpp:2389
#28     0x000000010759d771 in WebCore::Element::setAttributeInternal(unsigned int, WebCore::QualifiedName const&, WTF::AtomicString const&, WebCore::Element::SynchronizationOfLazyAttribute) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/dom/Element.cpp:1317
#29     0x000000010759d915 in WebCore::Element::setAttributeWithoutSynchronization(WebCore::QualifiedName const&, WTF::AtomicString const&) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/dom/Element.cpp:1299
#30     0x00000001078c04e9 in WebCore::HTMLImageElement::setSrc(WTF::String const&) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/html/HTMLImageElement.cpp:509
#31     0x00000001079c3b76 in WebCore::ImageDocument::createDocumentStructure() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/html/ImageDocument.cpp:239
#32     0x00000001079c37af in WebCore::ImageDocument::updateDuringParsing() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/html/ImageDocument.cpp:139
#33     0x00000001079c41d9 in WebCore::ImageDocumentParser::appendBytes(WebCore::DocumentWriter&, char const*, unsigned long) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/html/ImageDocument.cpp:189
#34     0x0000000107ca3819 in WebCore::DocumentWriter::addData(char const*, unsigned long) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/DocumentWriter.cpp:254
#35     0x0000000107c6701b in WebCore::DocumentLoader::commitData(char const*, unsigned long) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/DocumentLoader.cpp:1055

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20180326/b920729a/attachment-0001.html>

More information about the webkit-unassigned mailing list