[Webkit-unassigned] [Bug 13300] New: Reproducible crash opening anekdot.ru

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Apr 7 02:22:36 PDT 2007 

http://bugs.webkit.org/show_bug.cgi?id=13300

           Summary: Reproducible crash opening anekdot.ru
           Product: WebKit
           Version: 522+ (nightly)
          Platform: Macintosh
               URL: http://www.anekdot.ru/last/o.html
        OS/Version: Mac OS X 10.4
            Status: NEW
          Keywords: NeedsReduction, NeedsRadar
          Severity: Major
          Priority: P1
         Component: HTML DOM
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: ap at webkit.org


This is not even a regression.

Looks like HTMLParser uses an already deallocated form object in getNode().

Thread 0 Crashed:
0   com.apple.WebCore           0x01632edc void
WTF::Vector<WebCore::HTMLGenericFormElement*, (unsigned
long)0>::insert<WebCore::HTMLGenericFormElement*>(unsigned long,
WebCore::HTMLGenericFormElement* const&) + 324 (Vector.h:649)
1   com.apple.WebCore           0x010dd0a4
WebCore::HTMLFormElement::registerFormElement(WebCore::HTMLGenericFormElement*)
+ 476 (HTMLFormElement.cpp:555)
2   com.apple.WebCore           0x010d9e7c
WebCore::HTMLGenericFormElement::HTMLGenericFormElement[not-in-charge](WebCore::QualifiedName
const&, WebCore::Document*, WebCore::HTMLFormElement*) + 224
(HTMLGenericFormElement.cpp:50)
3   com.apple.WebCore           0x010d7f84
WebCore::HTMLInputElement::HTMLInputElement[in-charge](WebCore::Document*,
WebCore::HTMLFormElement*) + 68 (HTMLInputElement.cpp:93)
4   com.apple.WebCore           0x0105eeb4
WebCore::inputConstructor(WebCore::AtomicString const&, WebCore::Document*,
WebCore::HTMLFormElement*, bool) + 76 (HTMLElementFactory.cpp:160)
5   com.apple.WebCore           0x01060ad0
WebCore::HTMLElementFactory::createHTMLElement(WebCore::AtomicString const&,
WebCore::Document*, WebCore::HTMLFormElement*, bool) + 208
(HTMLElementFactory.cpp:475)
6   com.apple.WebCore           0x01023b84
WebCore::HTMLParser::getNode(WebCore::Token*) + 3932 (HTMLParser.cpp:832)
7   com.apple.WebCore           0x010240d4
WebCore::HTMLParser::parseToken(WebCore::Token*) + 1272 (HTMLParser.cpp:224)
8   com.apple.WebCore           0x01027d18
WebCore::HTMLTokenizer::processToken() + 632 (HTMLTokenizer.cpp:1590)
9   com.apple.WebCore           0x0102b420
WebCore::HTMLTokenizer::parseTag(WebCore::SegmentedString&,
WebCore::HTMLTokenizer::State) + 6076 (HTMLTokenizer.cpp:1163)
10  com.apple.WebCore           0x0102bf88
WebCore::HTMLTokenizer::write(WebCore::SegmentedString const&, bool) + 1444
(HTMLTokenizer.cpp:1389)
11  com.apple.WebCore           0x010279fc
WebCore::HTMLTokenizer::notifyFinished(WebCore::CachedResource*) + 876
(HTMLTokenizer.cpp:1682)
12  com.apple.WebCore           0x01128bdc WebCore::CachedScript::checkNotify()
+ 108 (CachedScript.cpp:92)
13  com.apple.WebCore           0x01128db8
WebCore::CachedScript::data(WTF::PassRefPtr<WebCore::SharedBuffer>, bool) + 336
(CachedScript.cpp:84)
14  com.apple.WebCore           0x0112b2e8
WebCore::Loader::didFinishLoading(WebCore::SubresourceLoader*) + 376
(loader.cpp:107)
15  com.apple.WebCore           0x014a779c
WebCore::SubresourceLoader::didFinishLoading() + 204
(SubresourceLoader.cpp:192)
16  com.apple.WebCore           0x014a55e4
WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle*) + 60
17  com.apple.WebCore           0x0147af38 -[WebCoreResourceHandleAsDelegate
connectionDidFinishLoading:] + 144 (ResourceHandleMac.mm:370)
18  com.apple.Foundation        0x92c1389c
-[NSURLConnection(NSURLConnectionInternal) _sendDidFinishLoadingCallback] + 188
19  com.apple.Foundation        0x92c11b08
-[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] + 556
20  com.apple.Foundation        0x92c11860 _sendCallbacks + 156
21  com.apple.CoreFoundation    0x907df4fc __CFRunLoopDoSources0 + 384
22  com.apple.CoreFoundation    0x907dea2c __CFRunLoopRun + 452
23  com.apple.CoreFoundation    0x907de4ac CFRunLoopRunSpecific + 268
24  com.apple.HIToolbox         0x93298b20 RunCurrentEventLoopInMode + 264
25  com.apple.HIToolbox         0x932981b4 ReceiveNextEventCommon + 380
26  com.apple.HIToolbox         0x93298020
BlockUntilNextEventMatchingListInMode + 96
27  com.apple.AppKit            0x9379eae4 _DPSNextEvent + 384
28  com.apple.AppKit            0x9379e7a8 -[NSApplication
nextEventMatchingMask:untilDate:inMode:dequeue:] + 116
29  com.apple.Safari            0x00006740 0x1000 + 22336
30  com.apple.AppKit            0x9379acec -[NSApplication run] + 472
31  com.apple.AppKit            0x9388b87c NSApplicationMain + 452


-- 
Configure bugmail: http://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

More information about the webkit-unassigned mailing list