[Webkit-unassigned] [Bug 7601] New: REGRESSION (r13078-r13093): Reproducible crash dereferencing a deallocated element on google image search

bugzilla-daemon at opendarwin.org bugzilla-daemon at opendarwin.org
Sat Mar 4 11:28:42 PST 2006 

http://bugzilla.opendarwin.org/show_bug.cgi?id=7601

           Summary: REGRESSION (r13078-r13093): Reproducible crash
                    dereferencing a deallocated element on google image
                    search
           Product: WebKit
           Version: 420+ (nightly)
          Platform: Macintosh
               URL: http://images.google.com/images?client=safari&rls=en&q=s
                    treet&ie=UTF-8&oe=UTF-8&sa=N&tab=wi
        OS/Version: Mac OS X 10.4
            Status: NEW
          Keywords: NeedsReduction, Regression
          Severity: major
          Priority: P1
         Component: HTML DOM
        AssignedTo: webkit-unassigned at opendarwin.org
        ReportedBy: opendarwin.org at mitzpettel.com


I get the following crash when I am signed in to Google and I open the above
URL, wait for it to finish loading, then reload. It doesn't happen when I'm not
signed in nor was Alexey able to reproduce it when signed in to his account.
However, it does not seem to depend on a specific search result, as I have
gotten it with different searches.

>From what I saw in gdb, the crash happens because the HTMLImageElementImpl
called in frame 8 is garbage, so supposedly it was deallocated. I got other
similar crashes where the backtrace was different (e.g. when going back from a
search result to the results page) but the cause was again an HTMLElement
pointing to a bad ElementImpl.

I am able to reproduce reliably with r13093 and later builds but not with
r13078 or earlier.

Thread 0 Crashed:
0   com.apple.WebCore           0x01bcd1e4
KXMLCore::HashTable<WebCore::NodeListImpl*, WebCore::NodeListImpl*,
KXMLCore::IdentityExtractor<WebCore::NodeListImpl*>,
KXMLCore::PtrHash<WebCore::NodeListImpl*>,
KXMLCore::HashTraits<WebCore::NodeListImpl*>,
KXMLCore::HashTraits<WebCore::NodeListImpl*> >::end() + 36 (HashTable.h:277)
1   com.apple.WebCore           0x01bcd250
KXMLCore::HashSet<WebCore::NodeListImpl*,
KXMLCore::PtrHash<WebCore::NodeListImpl*>,
KXMLCore::HashTraits<WebCore::NodeListImpl*> >::end() + 48 (HashSet.h:133)
2   com.apple.WebCore           0x019169e0
WebCore::NodeImpl::notifyLocalNodeListsAttributeChanged() + 60
(NodeImpl.cpp:756)
3   com.apple.WebCore           0x01916aa8
WebCore::NodeImpl::notifyNodeListsAttributeChanged() + 44 (NodeImpl.cpp:762)
4   com.apple.WebCore           0x01916b6c
WebCore::NodeImpl::dispatchSubtreeModifiedEvent(bool) + 148 (NodeImpl.cpp:793)
5   com.apple.WebCore           0x017e5ac8
WebCore::NamedAttrMapImpl::addAttribute(WebCore::AttributeImpl*) + 452
(dom_elementimpl.cpp:1100)
6   com.apple.WebCore           0x017e9678
WebCore::ElementImpl::setAttribute(WebCore::QualifiedName const&,
WebCore::StringImpl*, int&) + 488 (dom_elementimpl.cpp:430)
7   com.apple.WebCore           0x017e9744
WebCore::ElementImpl::setAttribute(WebCore::QualifiedName const&,
WebCore::String const&) + 72 (dom_elementimpl.cpp:316)
8   com.apple.WebCore           0x017ba1b0
WebCore::HTMLImageElementImpl::setSrc(WebCore::String const&) + 60
(html_imageimpl.cpp:398)
9   com.apple.WebCore           0x01770324
KJS::HTMLElement::imageSetter(KJS::ExecState*, int, KJS::JSValue*,
WebCore::String const&) + 396 (kjs_html.cpp:2890)
10  com.apple.WebCore           0x01789a9c
KJS::HTMLElement::putValueProperty(KJS::ExecState*, int, KJS::JSValue*, int) +
756 (kjs_html.cpp:3171)
11  com.apple.WebCore           0x01789db0
KJS::HTMLElement::put(KJS::ExecState*, KJS::Identifier const&, KJS::JSValue*,
int) + 740 (kjs_html.cpp:2463)
12  com.apple.JavaScriptCore    0x0103e0ac
KJS::AssignDotNode::evaluate(KJS::ExecState*) + 1740 (nodes.cpp:1374)
13  com.apple.JavaScriptCore    0x010379c4
KJS::ExprStatementNode::execute(KJS::ExecState*) + 220 (nodes.cpp:1641)
14  com.apple.JavaScriptCore    0x01033f28
KJS::SourceElementsNode::execute(KJS::ExecState*) + 280 (nodes.cpp:2381)
15  com.apple.JavaScriptCore    0x01031280
KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1618)
16  com.apple.JavaScriptCore    0x01019154
KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 92 (function.cpp:331)
17  com.apple.JavaScriptCore    0x01018780
KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List
const&) + 700 (function.cpp:102)
18  com.apple.JavaScriptCore    0x0104483c KJS::JSObject::call(KJS::ExecState*,
KJS::JSObject*, KJS::List const&) + 288 (object.cpp:94)
19  com.apple.JavaScriptCore    0x0103b86c
KJS::FunctionCallResolveNode::evaluate(KJS::ExecState*) + 820 (nodes.cpp:593)
20  com.apple.JavaScriptCore    0x010379c4
KJS::ExprStatementNode::execute(KJS::ExecState*) + 220 (nodes.cpp:1641)
21  com.apple.JavaScriptCore    0x01034078
KJS::SourceElementsNode::execute(KJS::ExecState*) + 616 (nodes.cpp:2387)
22  com.apple.JavaScriptCore    0x01031280
KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1618)
23  com.apple.JavaScriptCore    0x01019154
KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 92 (function.cpp:331)
24  com.apple.JavaScriptCore    0x01018780
KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List
const&) + 700 (function.cpp:102)
25  com.apple.JavaScriptCore    0x0104483c KJS::JSObject::call(KJS::ExecState*,
KJS::JSObject*, KJS::List const&) + 288 (object.cpp:94)
26  com.apple.JavaScriptCore    0x0103b004
KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 908 (nodes.cpp:686)
27  com.apple.JavaScriptCore    0x010379c4
KJS::ExprStatementNode::execute(KJS::ExecState*) + 220 (nodes.cpp:1641)
28  com.apple.JavaScriptCore    0x01034078
KJS::SourceElementsNode::execute(KJS::ExecState*) + 616 (nodes.cpp:2387)
29  com.apple.JavaScriptCore    0x01031280
KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1618)
30  com.apple.JavaScriptCore    0x0102746c
KJS::InterpreterImp::evaluate(KJS::UChar const*, int, KJS::JSValue*,
KJS::UString const&, int) + 1028 (internal.cpp:591)
31  com.apple.JavaScriptCore    0x0102964c
KJS::Interpreter::evaluate(KJS::UString const&, int, KJS::UChar const*, int,
KJS::JSValue*) + 100 (interpreter.cpp:122)
32  com.apple.WebCore           0x0178f198
WebCore::KJSProxyImpl::evaluate(WebCore::String const&, int, WebCore::String
const&, WebCore::NodeImpl*) + 380 (kjs_proxy.cpp:69)
33  com.apple.WebCore           0x018d6448
WebCore::Frame::executeScript(QString const&, int, WebCore::NodeImpl*, QString
const&) + 144 (Frame.cpp:2080)
34  com.apple.WebCore           0x017d997c
WebCore::HTMLTokenizer::scriptExecution(QString const&,
WebCore::HTMLTokenizer::State, QString, int) + 468 (htmltokenizer.cpp:470)
35  com.apple.WebCore           0x017dca98
WebCore::HTMLTokenizer::scriptHandler(WebCore::HTMLTokenizer::State) + 1632
(htmltokenizer.cpp:409)
36  com.apple.WebCore           0x017dd1a8
WebCore::HTMLTokenizer::parseSpecial(WebCore::SegmentedString&,
WebCore::HTMLTokenizer::State) + 1340 (htmltokenizer.cpp:277)
37  com.apple.WebCore           0x017dfdec
WebCore::HTMLTokenizer::write(WebCore::SegmentedString const&, bool) + 924
(htmltokenizer.cpp:1389)
38  com.apple.WebCore           0x018d9354 WebCore::Frame::write(char const*,
int) + 952 (Frame.cpp:681)
39  com.apple.WebCore           0x018d0414 WebCore::Frame::addData(char const*,
int) + 340 (Frame.cpp:2684)
40  com.apple.WebCore           0x0191e744 -[WebCoreFrameBridge addData:] + 224
(WebCoreFrameBridge.mm:653)
41  com.apple.WebKit            0x00334090 -[WebFrameBridge
receivedData:textEncodingName:] + 236 (WebFrameBridge.m:479)
42  com.apple.WebKit            0x0036c788 -[WebHTMLRepresentation
receivedData:withDataSource:] + 248 (WebHTMLRepresentation.m:122)
43  com.apple.WebKit            0x003578f4 -[WebDataSource(WebPrivate)
_commitLoadWithData:] + 164 (WebDataSource.m:895)
44  com.apple.WebKit            0x00355f78 -[WebDataSource(WebPrivate)
_receivedData:] + 196 (WebDataSource.m:646)
45  com.apple.WebKit            0x00391054 -[WebMainResourceLoader addData:] +
136 (WebMainResourceLoader.m:163)
46  com.apple.WebKit            0x00350c68 -[WebLoader
didReceiveData:lengthReceived:] + 108 (WebLoader.m:535)
47  com.apple.WebKit            0x00392638 -[WebMainResourceLoader
didReceiveData:lengthReceived:] + 724 (WebMainResourceLoader.m:378)
48  com.apple.WebKit            0x003517cc -[WebLoader
connection:didReceiveData:lengthReceived:] + 188 (WebLoader.m:645)
49  com.apple.Foundation        0x9299c5d4
-[NSURLConnection(NSURLConnectionInternal) _sendDidReceiveDataCallback] + 564
50  com.apple.Foundation        0x9299aa74
-[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] + 488
51  com.apple.Foundation        0x9299a810 _sendCallbacks + 156
52  com.apple.CoreFoundation    0x907e4a68 __CFRunLoopDoSources0 + 384
53  com.apple.CoreFoundation    0x907e3f98 __CFRunLoopRun + 452
54  com.apple.CoreFoundation    0x907e3a18 CFRunLoopRunSpecific + 268
55  com.apple.HIToolbox         0x93211980 RunCurrentEventLoopInMode + 264
56  com.apple.HIToolbox         0x93211014 ReceiveNextEventCommon + 380
57  com.apple.HIToolbox         0x93210e80
BlockUntilNextEventMatchingListInMode + 96
58  com.apple.AppKit            0x93713104 _DPSNextEvent + 384
59  com.apple.AppKit            0x93712dc8 -[NSApplication
nextEventMatchingMask:untilDate:inMode:dequeue:] + 116
60  com.apple.Safari            0x00006fd4 0x1000 + 24532
61  com.apple.AppKit            0x9370f30c -[NSApplication run] + 472
62  com.apple.AppKit            0x937ffe68 NSApplicationMain + 452
63  com.apple.Safari            0x0005cd08 0x1000 + 376072
64  com.apple.Safari            0x0005cbb0 0x1000 + 375728


-- 
Configure bugmail: http://bugzilla.opendarwin.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

More information about the webkit-unassigned mailing list