[Webkit-unassigned] [Bug 20508] New: Concurrency issues while performing page transition

bugzilla-daemon at webkit.org
Mon Aug 25 06:27:29 PDT 2008


https://bugs.webkit.org/show_bug.cgi?id=20508

           Summary: Concurrency issues while performing page transition
           Product: WebKit
           Version: 526+ (Nightly build)
          Platform: PC
        OS/Version: Windows XP
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: WebKit Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: robert.swiecki+wkbugs at gmail.com


Build: Safari 3.1.2 (525.21), nightly webkit: 35904

Hi, when fuzzing HTTP response headers, Safari often crashes while performing a
page transition.

===
<SCRIPT>
var timer;
var loaded = 0;   // set to 1 by the iframe's onload/onerror handlers
var noload = 0;   // number of 5 ms ticks spent waiting for the current load

function begin_tests() {
  // poll every 5 ms: reload the frame once it has loaded, or after 20 ticks (100 ms)
  timer = setInterval(frame_check, 5);
}

function frame_check() {
  if (loaded || noload >= 20) {
    // point the iframe at the fuzzer again; the random query string defeats the cache
    document.getElementById('f').src = document.getElementById('i').value + "?" + Math.random();
    loaded = noload = 0;
  } else {
    noload++;
  }
}

function stop_tests() {
  clearInterval(timer);
}
</SCRIPT>
<B>Response Fuzzing</B>
<INPUT TYPE=TEXT ID=i VALUE="http://aaaa.fuzz.site:8080/">
<INPUT TYPE=BUTTON VALUE="Begin testing" ONCLICK="begin_tests()">
<INPUT TYPE=BUTTON VALUE="STOP NOW!" ONCLICK="stop_tests()">
<P>
<IFRAME ID=f HEIGHT=90% WIDTH=90% onload="loaded = 1" onerror="loaded = 1"></IFRAME>
====

and my fuzzer running on aaaa.fuzz.site:8080 (run as: while [ 1 ]; do
./genheaders | nc -l -p 8080; done); it works better with a few fuzzing
sessions in separate tabs.

The problem is related more to the page transition (forced via setInterval) than
to the invalid headers (crashes are not reproducible with the header sets that
crashed Safari in fuzz mode). A few stack dumps below. I suspect that some
structures might not be properly locked while performing a page transition, and
that this might lead to crashes.

(1314.ca4): Access violation - code c0000005 (!!! second chance !!!)
eax=00000032 ebx=00340032 ecx=00000ffc edx=00000000 esi=7fec3000 edi=00340032
eip=78145078 esp=0012e8dc ebp=0012e8e4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll
- 
MSVCR80!memcpy+0xc8:
78145078 8807            mov     byte ptr [edi],al          ds:0023:00340032=02
0:000> kb
ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
0012e8e4 00869c34 00340032 7fec3000 00000ffe MSVCR80!memcpy+0xc8
0012e904 00869efc 7fec3000 000007ff 03bc4e10
WebKit!WebCore::StringImpl::StringImpl+0x34
[c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\platform\text\stringimpl.cpp
@ 80]
0012e91c 0086f65a 0012e94c 7fec3000 000007ff
WebKit!WebCore::StringImpl::create+0x2c
[c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\platform\text\stringimpl.cpp
@ 1019]
0012f15c 008a0a41 03bc4e10 0012f620 7fb03280
WebKit!WebCore::String::String+0x7a
[c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\platform\text\cf\stringcf.cpp
@ 41]
0012f5e4 00882958 7faff750 008361ec 00453f4e
WebKit!WebCore::ResourceResponse::platformLazyInit+0x2b1
[c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\platform\network\cf\resourceresponsecfnet.cpp
@ 106]
0012f5ec 008361ec 00453f4e 7fb03280 0012f608
WebKit!WebCore::ResourceResponseBase::expectedContentLength+0x8
[c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\platform\network\resourceresponsebase.cpp
@ 76]
*** ERROR: Module load completed but symbols could not be loaded for
C:\DOCUME~1\swiecki\LOCALS~1\Temp\WebKitNightly\Safari.exe
0012f5f0 00453f4e 7fb03280 0012f608 7fabcf40
WebKit!WebURLResponse::expectedContentLength+0xc
[c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webkit\win\weburlresponse.cpp
@ 282]
0012f620 00451c6a 7feb9bd4 7fabcf40 7fb03280 Safari+0x53f4e
0012f768 00824bf7 6556a504 03bc32e0 03bb2fa8 Safari+0x51c6a
0012f7d0 00824e00 7fe9c1d0 7fefcaa0 7fefca18 WebKit!WebDownload::init+0xf7
[c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webkit\win\webdownload.cpp
@ 100]
0012f7e8 00827129 7fe9c1d0 7fefcaa0 7fefca18
WebKit!WebDownload::createInstance+0x60
[c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webkit\win\webdownload.cpp
@ 156]
0012f804 0091e5d9 7fe9c1d0 7fefcaa0 7faeb008 WebKit!WebFrame::download+0x69
[c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webkit\win\webframe.cpp
@ 1426]
0012f878 0091e875 7fe9c1d0 7fefca18 7febe0c8
WebKit!WebCore::MainResourceLoader::continueAfterContentPolicy+0x89
[c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\loader\mainresourceloader.cpp
@ 213]
0012f888 0091e8ae 00000001 00896aa6 7fefca00
WebKit!WebCore::MainResourceLoader::continueAfterContentPolicy+0x35
[c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\loader\mainresourceloader.cpp
@ 266]
0012f890 00896aa6 7fefca00 00000001 7fb6fb60
WebKit!WebCore::MainResourceLoader::callContinueAfterContentPolicy+0xe
[c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\loader\mainresourceloader.cpp
@ 258]
0012f950 0082700d 00000001 0012f9b8 7f971080
WebKit!WebCore::FrameLoader::continueAfterContentPolicy+0x46
[c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\loader\frameloader.cpp
@ 3137]
0012f960 0082a302 00000001 0018a9fc 0082a35b
WebKit!WebFrame::receivedPolicyDecision+0x3d
[c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webkit\win\webframe.cpp
@ 1344]
0012f96c 0082a35b 00000001 004b6ec5 7f971270
WebKit!WebFramePolicyListener::receivedPolicyDecision+0x32
[c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webkit\win\webframepolicylistener.cpp
@ 127]
0012f974 004b6ec5 7f971270 0018a9fc 7fafec60
WebKit!WebFramePolicyListener::download+0xb
[c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webkit\win\webframepolicylistener.cpp
@ 104]
0012f9e8 004afe18 7feb09a0 0018a9fc 7fafec60 Safari+0xb6ec5


(a58.c94): Access violation - code c0000005 (!!! second chance !!!)
eax=00000027 ebx=00340027 ecx=00000d5b edx=00000003 esi=7fe9f000 edi=00340027
eip=7814509c esp=0012f924 ebp=0012f92c iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll
- 
MSVCR80!memcpy+0xec:
7814509c 8807            mov     byte ptr [edi],al          ds:0023:00340027=02
0:000> kb
ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
0012f92c 6aa7c000 00340027 7fe9f000 00000d5c MSVCR80!memcpy+0xec
0012f968 6ac09260 7fc306e0 0012f9f8 7fc03160 WebKit!WebLocalizedLPCTSTR+0x49e70
0012f9c8 6aad4b10 0012f9f8 00000001 7fbe2234 WebKit!JSValueMakeNull+0xd2aa0
0012fa18 6aa16ce0 7fbe2000 02b324c0 000006af
WebKit!SetWebLocalizedStringMainBundle+0x3cd70
0012fa40 6aa16e36 02b324c0 000006af 7fbfdd78 WebKit!progIDForClass+0xdc20
00000000 00000000 00000000 00000000 00000000 WebKit!progIDForClass+0xdd76


(44c.9fc): Access violation - code c0000005 (!!! second chance !!!)
eax=00000690 ebx=0069004d ecx=00000069 edx=00000000 esi=6ae0e2d4 edi=00000000
eip=6ad3cd35 esp=0012f710 ebp=ffffffff iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for
C:\Program Files\Safari\WebKit.dll - 
WebKit!WTF::fastFree+0x55:
6ad3cd35 8b2c82          mov     ebp,dword ptr [edx+eax*4]
ds:0023:00001a40=????????
0:000> kb
ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
0012f71c 6aa0c6dd 0069004d 7fabd310 7fa8a910 WebKit!WTF::fastFree+0x55
0012f72c 6ac7da32 6ab479b8 00000000 6ab6c381 WebKit!progIDForClass+0x361d
0012f730 6ab479b8 00000000 6ab6c381 00000001
WebKit!JSValueMakeUndefined+0x165f2
0012f738 6ab6c381 00000001 00000000 7fc3fd00 WebKit!JSValueMakeNull+0x111f8
00000000 00000000 00000000 00000000 00000000 WebKit!JSValueMakeNull+0x35bc1

(ba4.ab8): Access violation - code c0000005 (!!! second chance !!!)
eax=00000038 ebx=002d0073 ecx=00001f2d edx=00000001 esi=7fd83000 edi=002d0073
eip=7814509c esp=0012ed64 ebp=0012ed6c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll
- 
MSVCR80!memcpy+0xec:
7814509c 8807            mov     byte ptr [edi],al          ds:0023:002d0073=00
0:000> kb
ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
0012ed6c 0086cd04 002d0073 7fd83000 00001f2e MSVCR80!memcpy+0xec
0012ed8c 0086cfc9 7fd83000 00000f97 048bf008 WebKit!WebLocalizedLPCTSTR+0x19af4
0012f684 7e429135 7e429165 0051c940 7feb0c60 WebKit!WebLocalizedLPCTSTR+0x19db9
0012f6b0 7e429d4b 7e429d36 00300356 00000000 USER32!GetParent+0x22
*** ERROR: Module load completed but symbols could not be loaded for
C:\DOCUME~1\swiecki\LOCALS~1\Temp\WebKitNightly\Safari.exe
0012f6d0 004ce181 00300356 0012f6f4 00000100 USER32!NtUserGetClassName+0xc
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for
C:\Program Files\Safari\CoreFoundation.dll - 
0012f6e0 655421cb 04366ca0 6553b7d5 00000000 Safari+0xce181
0012f6e8 6553b7d5 00000000 00000001 00000000
CoreFoundation!CFStringGetFileSystemRepresentation+0x3a5
0012f704 6553c2ec 00420033 0034002d 00380061
CoreFoundation!CFStringCompare+0x162
00000000 00000000 00000000 00000000 00000000
CoreFoundation!CFStringCompare+0xc79

(1744.1368): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00000000 ecx=00000630 edx=00000000 esi=00000630 edi=00630041
eip=007abe53 esp=0012f8cc ebp=7f8baa98 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for
C:\Documents and Settings\swiecki\Desktop\WebKit-r35904\WebKit.dll - 
WebKit!WTF::fastFree+0x2a3:
007abe53 8b1c8a          mov     ebx,dword ptr [edx+ecx*4]
ds:0023:000018c0=????????
0:000> kb
ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
0012f8d8 007abf35 00000015 007abbe3 7f365820 WebKit!WTF::fastFree+0x2a3
00000000 00000000 00000000 00000000 00000000 WebKit!WTF::fastFree+0x385
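A small triage helper for dumps in the layout above, added here as an example and not part of the report: it parses WinDbg "kb" output (including symbol and source-path lines the mailer wrapped onto following lines), records whether the faulting instruction reads or writes memory, and buckets dumps by exception code and top frames. The embedded sample is constructed from trimmed copies of the dumps above; the paths in it are placeholders.

```python
import re

# Constructed sample in the WinDbg layout of this report's dumps (trimmed): one frame
# symbol and source path are wrapped as the mailer did above; dump two appears twice.
SAMPLE = """(1314.ca4): Access violation - code c0000005 (!!! second chance !!!)
78145078 8807            mov     byte ptr [edi],al          ds:0023:00340032=02
0012e8e4 00869c34 00340032 7fec3000 00000ffe MSVCR80!memcpy+0xc8
0012e904 00869efc 7fec3000 000007ff 03bc4e10
WebKit!WebCore::StringImpl::StringImpl+0x34
[c:\\build\\webcore\\platform\\text\\stringimpl.cpp
@ 80]
0012e91c 0086f65a 0012e94c 7fec3000 000007ff WebKit!WebCore::StringImpl::create+0x2c
(44c.9fc): Access violation - code c0000005 (!!! second chance !!!)
6ad3cd35 8b2c82          mov     ebp,dword ptr [edx+eax*4]
0012f71c 6aa0c6dd 0069004d 7fabd310 7fa8a910 WebKit!WTF::fastFree+0x55
0012f72c 6ac7da32 6ab479b8 00000000 6ab6c381 WebKit!progIDForClass+0x361d
"""
SAMPLE += SAMPLE[SAMPLE.index("(44c.9fc)"):]  # the duplicated dump

HDR = re.compile(r"^\(([0-9a-f]+)\.([0-9a-f]+)\): .+ - code ([0-9a-f]{8})")
FRAME = re.compile(r"^(?:[0-9a-f]{8} ){4}[0-9a-f]{8}(?: (\S+))?$")  # one 'kb' row
FAULT = re.compile(r"^[0-9a-f]{8} [0-9a-f]+\s+\w+\s+(.+?)(?:\s+ds:.*)?$")  # faulting insn

def parse_dumps(text):
    """One dict per '(pid.tid): ... - code' block: id, exception code, read/write, frames."""
    dumps, cur, pending = [], None, False
    for line in text.splitlines():
        if m := HDR.match(line):
            cur = {"id": m.group(1) + "." + m.group(2), "code": m.group(3),
                   "access": None, "frames": []}
            dumps.append(cur)
        elif cur is None or line.startswith(("[", "@")):
            pass                                   # wrapped source-path lines
        elif m := FRAME.match(line):
            if m.group(1):
                cur["frames"].append(m.group(1))
            pending = m.group(1) is None           # symbol wrapped onto next line
        elif pending:
            cur["frames"].append(line.strip())
            pending = False
        elif (m := FAULT.match(line)) and cur["access"] is None:
            # a memory operand before the comma is the destination: a write AV
            cur["access"] = "write" if "[" in m.group(1).split(",")[0] else "read"
    return dumps

def bucket(dumps, depth=3):  # key: exception code + top frames with +offset stripped
    groups = {}
    for d in dumps:
        key = (d["code"], tuple(f.split("+")[0] for f in d["frames"][:depth]))
        groups.setdefault(key, []).append(d["id"])
    return groups
```

Run over the sample, bucket() yields two groups: the memcpy/StringImpl write violation and the WTF::fastFree read violation, the latter containing the (44c.9fc) dump twice.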

