[Webkit-unassigned] [Bug 16512] Valgrind: Invalid read of size 4

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Dec 19 10:51:45 PST 2007


http://bugs.webkit.org/show_bug.cgi?id=16512





------- Comment #6 from klobag at gmail.com  2007-12-19 10:51 PDT -------
I was able to reproduce this with Safari with the patch provided. Hope it will
help with your debugging. It always happens to the last <img> with
name="cookieCrumb". As the String is deref'd while it is not removed from the
Document's HashMap, the program crashes later when the HashMap needs to shrink.

Here is a crash log from our run.

#0  0xaa32d33a in WebCore::StringImpl::computeHash (m_data=0x0, len=1545968) at
libs/WebKitLib/WebKit/WebCore/platform/StringImpl.cpp:1119
#1  0xaa0a9310 in WebCore::StringImpl::hash (this=0x539430) at
libs/WebKitLib/WebKit/WebCore/platform/StringImpl.h:76
#2  0xaa0a9344 in WTF::StrHash<WebCore::StringImpl*>::hash (key=0x539430) at
libs/WebKitLib/WebKit/WebCore/platform/StringHash.h:34
#3  0xaa0a9372 in WTF::IdentityHashTranslator<WebCore::StringImpl*,
std::pair<WebCore::StringImpl*, int>, WTF::StrHash<WebCore::StringImpl*>
>::hash (key=@0x195268)
   at out/target/product/sooner/obj/include/JavaScriptCore/HashTable.h:268
#4  0xaa0a96e4 in WTF::HashTable<WebCore::StringImpl*,
std::pair<WebCore::StringImpl*, int>,
WTF::PairFirstExtractor<std::pair<WebCore::StringImpl*, int> >,
WTF::StrHash<WebCore::StringImpl*>,
WTF::PairHashTraits<WTF::HashTraits<WebCore::StringImpl*>, WTF::HashTraits<int>
>, WTF::HashTraits<WebCore::StringImpl*>
>::lookupForWriting<WebCore::StringImpl*,
WTF::IdentityHashTranslator<WebCore::StringImpl*,
std::pair<WebCore::StringImpl*, int>, WTF::StrHash<WebCore::StringImpl*> > >
(this=0x1ea4fc, key=@0x195268)
   at out/target/product/sooner/obj/include/JavaScriptCore/HashTable.h:484
#5  0xaa0a983e in WTF::HashTable<WebCore::StringImpl*,
std::pair<WebCore::StringImpl*, int>,
WTF::PairFirstExtractor<std::pair<WebCore::StringImpl*, int> >,
WTF::StrHash<WebCore::StringImpl*>,
WTF::PairHashTraits<WTF::HashTraits<WebCore::StringImpl*>, WTF::HashTraits<int>
>, WTF::HashTraits<WebCore::StringImpl*> >::lookupForWriting (this=0x1ea4fc,
   key=@0x195268) at
out/target/product/sooner/obj/include/JavaScriptCore/HashTable.h:340
#6  0xaa0a987c in WTF::HashTable<WebCore::StringImpl*,
std::pair<WebCore::StringImpl*, int>,
WTF::PairFirstExtractor<std::pair<WebCore::StringImpl*, int> >,
WTF::StrHash<WebCore::StringImpl*>,
WTF::PairHashTraits<WTF::HashTraits<WebCore::StringImpl*>, WTF::HashTraits<int>
>, WTF::HashTraits<WebCore::StringImpl*> >::reinsert (this=0x1ea4fc,
entry=@0x195268)
   at out/target/product/sooner/obj/include/JavaScriptCore/HashTable.h:719
#7  0xaa0a9950 in WTF::HashTable<WebCore::StringImpl*,
std::pair<WebCore::StringImpl*, int>,
WTF::PairFirstExtractor<std::pair<WebCore::StringImpl*, int> >,
WTF::StrHash<WebCore::StringImpl*>,
WTF::PairHashTraits<WTF::HashTraits<WebCore::StringImpl*>, WTF::HashTraits<int>
>, WTF::HashTraits<WebCore::StringImpl*> >::rehash (this=0x1ea4fc,
newTableSize=64)
   at out/target/product/sooner/obj/include/JavaScriptCore/HashTable.h:850
#8  0xaa21675c in WTF::HashTable<WebCore::StringImpl*,
std::pair<WebCore::StringImpl*, int>,
WTF::PairFirstExtractor<std::pair<WebCore::StringImpl*, int> >,
WTF::StrHash<WebCore::StringImpl*>,
WTF::PairHashTraits<WTF::HashTraits<WebCore::StringImpl*>, WTF::HashTraits<int>
>, WTF::HashTraits<WebCore::StringImpl*> >::shrink (this=0x1ea4fc)
   at out/target/product/sooner/obj/include/JavaScriptCore/HashTable.h:350
#9  0xaa2167de in WTF::HashTable<WebCore::StringImpl*,
std::pair<WebCore::StringImpl*, int>,
WTF::PairFirstExtractor<std::pair<WebCore::StringImpl*, int> >,
WTF::StrHash<WebCore::StringImpl*>,
WTF::PairHashTraits<WTF::HashTraits<WebCore::StringImpl*>, WTF::HashTraits<int>
>, WTF::HashTraits<WebCore::StringImpl*> >::remove (this=0x1ea4fc,
pos=0x194f98)
   at out/target/product/sooner/obj/include/JavaScriptCore/HashTable.h:775
#10 0xaa21685c in WTF::HashTable<WebCore::StringImpl*,
std::pair<WebCore::StringImpl*, int>,
WTF::PairFirstExtractor<std::pair<WebCore::StringImpl*, int> >,
WTF::StrHash<WebCore::StringImpl*>,
WTF::PairHashTraits<WTF::HashTraits<WebCore::StringImpl*>, WTF::HashTraits<int>
>, WTF::HashTraits<WebCore::StringImpl*> >::remove (this=0x1ea4fc, it=
       {m_iterator = {m_position = 0x194f98, m_endPosition = 0x195370}}) at
out/target/product/sooner/obj/include/JavaScriptCore/HashTable.h:786
#11 0xaa2168e0 in WTF::HashMap<WebCore::StringImpl*, int,
WTF::StrHash<WebCore::StringImpl*>, WTF::HashTraits<WebCore::StringImpl*>,
WTF::HashTraits<int> >::remove (this=0x1ea4fc,
   it={m_impl = {m_iterator = {m_position = 0x194f98, m_endPosition =
0x195370}}}) at
out/target/product/sooner/obj/include/JavaScriptCore/HashMap.h:311
#12 0xaa21431a in removeItemFromMap (map=@0x1ea4fc, name=@0x1292f4) at
libs/WebKitLib/WebKit/WebCore/html/HTMLDocument.cpp:314
#13 0xaa214374 in WebCore::HTMLDocument::removeDocExtraNamedItem
(this=0x1e9da0, name=@0x1292f4) at
libs/WebKitLib/WebKit/WebCore/html/HTMLDocument.cpp:341
#14 0xaa2334f8 in WebCore::HTMLImageElement::removedFromDocument
(this=0x129290) at libs/WebKitLib/WebKit/WebCore/html/HTMLImageElement.cpp:209
#15 0xaa133f6e in WebCore::ContainerNode::removedFromDocument (this=0x20f6f8)
at libs/WebKitLib/WebKit/WebCore/dom/ContainerNode.cpp:648
#16 0xaa15a372 in WebCore::Element::removedFromDocument (this=0x20f6f8) at
libs/WebKitLib/WebKit/WebCore/dom/Element.cpp:668
#17 0xaa133f6e in WebCore::ContainerNode::removedFromDocument (this=0x58f5a8)
at libs/WebKitLib/WebKit/WebCore/dom/ContainerNode.cpp:648
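The mechanism the comment describes, as an added example that is not WebKit's code: a toy model of the document's named-item map in which the key owns a reference (std::shared_ptr instead of the raw StringImpl* in the backtrace), so the string cannot be freed while a shrink may still hash it. StringImpl, NamedItemMap and the function names are assumed stand-ins, not WebCore's types.

```cpp
#include <memory>
#include <string>
#include <unordered_map>
// Toy stand-in for WebCore::StringImpl (assumed shape): hashing reads the
// character data, so a freed instance must never be hashed.
struct StringImpl {
    explicit StringImpl(std::string s) : data(std::move(s)) {}
    std::string data;
    std::size_t hash() const { return std::hash<std::string>{}(data); }
};
using Key = std::shared_ptr<StringImpl>;  // an owning key, unlike the raw StringImpl* in the report

// Hash and equality through the pointer, in the spirit of WTF::StrHash<StringImpl*>.
struct StrHash { std::size_t operator()(const Key& s) const { return s->hash(); } };
struct StrEqual { bool operator()(const Key& a, const Key& b) const { return a->data == b->data; } };

// Name -> number of elements using it, like the document's extra named items.
// Because the key owns a reference, the string outlives every rehash the map may do.
class NamedItemMap {
public:
    void add(const Key& name) { ++m_map[name]; }
    // Returns the count left for this name (0 once the entry is gone).
    int remove(const Key& name) {
        auto it = m_map.find(name);
        if (it == m_map.end()) return 0;
        if (--it->second > 0) return it->second;
        m_map.erase(it);  // entry and its reference go away together
        m_map.rehash(0);  // request a shrink, as WTF's remove() does; a rehash re-hashes the surviving keys
        return 0;
    }
    std::size_t size() const { return m_map.size(); }
private:
    std::unordered_map<Key, int, StrHash, StrEqual> m_map;
};

// The report's scenario: two elements share a name, the element side drops its reference,
// both are removed, and the table shrinks. True when the name lived until the last removal.
bool lastNamedItemRemovalIsSafe() {
    NamedItemMap map;
    map.add(std::make_shared<StringImpl>("other"));  // survivor that the shrink re-hashes
    Key name = std::make_shared<StringImpl>("cookieCrumb");
    std::weak_ptr<StringImpl> watch = name;
    map.add(name);
    map.add(name);
    name.reset();                                     // element side lets go
    if (watch.expired()) return false;                // the map must still own it
    if (map.remove(watch.lock()) != 1) return false;  // first <img> removed
    if (map.remove(watch.lock()) != 0) return false;  // last <img> removed, table shrinks
    return watch.expired() && map.size() == 1;
}
```

With a raw-pointer key, the same sequence would leave a dangling StringImpl* in the table, and the rehash triggered by the shrink would read its freed data, which is what frames #0 to #8 of the log show.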

