210643 2020-04-17 02:32:00 -0700 REGRESSION (r162729): [iOS] WebKitTestRunner over-releases UITextField in WTR::PlatformWebView::removeChromeInputField() 2020-04-17 07:57:20 -0700 1 1 1 Unclassified WebKit Tools / Tests WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED https://bugs.webkit.org/show_bug.cgi?id=189228 https://bugs.webkit.org/show_bug.cgi?id=189464 InRadar P2 Normal --- 127448 1 ddkilzer ddkilzer ap simon.fraser webkit-bug-importer wenson_hsieh oldest_to_newest 1642612 0 ddkilzer 2020-04-17 02:32:00 -0700 WebKitTestRunner over-releases UITextField in WTR::PlatformWebView::removeChromeInputField() This regressed in r162729 for Bug 127448: <https://trac.webkit.org/r162729> Briefly fixed by r189228 for Bug 189228 before that commit was reverted in r235832 for Bug 189464. Found by clang static analyzer. void PlatformWebView::addChromeInputField() { UITextField* textField = [[UITextField alloc] initWithFrame:CGRectMake(0, 0, 100, 20)]; textField.tag = 1; [m_window addSubview:textField]; [textField release]; } void PlatformWebView::removeChromeInputField() { UITextField* textField = (UITextField*)[m_window viewWithTag:1]; if (textField) { [textField removeFromSuperview]; makeWebViewFirstResponder(); [textField release]; // Over-release. } } NOTE: This may be the cause of some of the autoreleasePool crashes in WebKitTestRunner that we see occasionally. 1642613 1 webkit-bug-importer 2020-04-17 02:32:15 -0700 <rdar://problem/61927190> 1642615 2 ddkilzer 2020-04-17 02:38:13 -0700 (In reply to David Kilzer (:ddkilzer) from comment #0) > NOTE: This may be the cause of some of the autoreleasePool crashes in > WebKitTestRunner that we see occasionally. The reason I say that is because this line will return an autoreleased object from UIKit under ARC: UITextField* textField = (UITextField*)[m_window viewWithTag:1]; And then the -release call over-releases the object. But we won't crash until the autoreleasePool containing the UITextField object is drained, which apparently doesn't happen consistently during test runs. 1642616 3 396749 ddkilzer 2020-04-17 02:38:52 -0700 Created attachment 396749 Patch v1 1642670 4 ews-feeder 2020-04-17 07:57:19 -0700 Committed r260250: <https://trac.webkit.org/changeset/260250> All reviewed patches have been landed. Closing bug and clearing flags on attachment 396749. 396749 2020-04-17 02:38:52 -0700 2020-04-17 07:57:19 -0700 Patch v1 bug-210643-20200417024007.patch text/plain 1307 ddkilzer U3VidmVyc2lvbiBSZXZpc2lvbjogMjYwMjI5CmRpZmYgLS1naXQgYS9Ub29scy9DaGFuZ2VMb2cg Yi9Ub29scy9DaGFuZ2VMb2cKaW5kZXggNTU4OGI4ZDI0ZDI5YWNhZGE3MzRjMzNiNDNlNGM4YTk4 MzA4NDM3ZC4uZjJjZGQ5NTRkNWYyMGQ2MDFjY2JiMDNkMGY1NWY4MjQxNjU1Zjc3NCAxMDA2NDQK LS0tIGEvVG9vbHMvQ2hhbmdlTG9nCisrKyBiL1Rvb2xzL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE1 IEBACisyMDIwLTA0LTE3ICBEYXZpZCBLaWx6ZXIgIDxkZGtpbHplckBhcHBsZS5jb20+CisKKyAg ICAgICAgUkVHUkVTU0lPTiAocjE2MjcyOSk6IFtpT1NdIFdlYktpdFRlc3RSdW5uZXIgb3Zlci1y ZWxlYXNlcyBVSVRleHRGaWVsZCBpbiBXVFI6OlBsYXRmb3JtV2ViVmlldzo6cmVtb3ZlQ2hyb21l SW5wdXRGaWVsZCgpCisgICAgICAgIDxodHRwczovL3dlYmtpdC5vcmcvYi8yMTA2NDM+CisgICAg ICAgIDxyZGFyOi8vcHJvYmxlbS82MTkyNzE5MD4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JP RFkgKE9PUFMhKS4KKworICAgICAgICAqIFdlYktpdFRlc3RSdW5uZXIvaW9zL1BsYXRmb3JtV2Vi Vmlld0lPUy5tbToKKyAgICAgICAgKFdUUjo6UGxhdGZvcm1XZWJWaWV3OjpyZW1vdmVDaHJvbWVJ bnB1dEZpZWxkKToKKyAgICAgICAgLSBSZW1vdmUgdW5uZWNlc3NhcnkgLXJlbGVhc2UuCisKIDIw MjAtMDQtMTYgIERhbmllbCBCYXRlcyAgPGRhYmF0ZXNAYXBwbGUuY29tPgogCiAgICAgICAgIFJl bW92ZSB1bnVzZWQgLV9mb2N1c1RleHRJbnB1dENvbnRleHQKZGlmZiAtLWdpdCBhL1Rvb2xzL1dl YktpdFRlc3RSdW5uZXIvaW9zL1BsYXRmb3JtV2ViVmlld0lPUy5tbSBiL1Rvb2xzL1dlYktpdFRl c3RSdW5uZXIvaW9zL1BsYXRmb3JtV2ViVmlld0lPUy5tbQppbmRleCBkZDI3MTJmYTI5OWY4M2Mx ZDAzOTUzZDgyMzMzNjBhYjBkNzk1NjI1Li5kY2VhMzhjZGFjZTc2ODI2NTIwYjBiMWZkOGNlMDA4 YmEzYmM3YTY0IDEwMDY0NAotLS0gYS9Ub29scy9XZWJLaXRUZXN0UnVubmVyL2lvcy9QbGF0Zm9y bVdlYlZpZXdJT1MubW0KKysrIGIvVG9vbHMvV2ViS2l0VGVzdFJ1bm5lci9pb3MvUGxhdGZvcm1X ZWJWaWV3SU9TLm1tCkBAIC0yODUsNyArMjg1LDYgQEAgdm9pZCBQbGF0Zm9ybVdlYlZpZXc6OnJl bW92ZUNocm9tZUlucHV0RmllbGQoKQogICAgIGlmICh0ZXh0RmllbGQpIHsKICAgICAgICAgW3Rl eHRGaWVsZCByZW1vdmVGcm9tU3VwZXJ2aWV3XTsKICAgICAgICAgbWFrZVdlYlZpZXdGaXJzdFJl c3BvbmRlcigpOwotICAgICAgICBbdGV4dEZpZWxkIHJlbGVhc2VdOwogICAgIH0KIH0KIAo=