[Webkit-unassigned] [Bug 22672] New: ASSERT(m_table) when xhr.onabort creates another xhr or calls setTimeout

bugzilla-daemon at webkit.org
Thu Dec 4 22:22:22 PST 2008


https://bugs.webkit.org/show_bug.cgi?id=22672

           Summary: ASSERT(m_table) when xhr.onabort creates another xhr or
                    calls setTimeout
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: New Bugs
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: dimich at chromium.org
                CC: ap at webkit.org


While stopping active DOM objects we iterate over a set of them and call
'stop()'.
XMLHttpRequest, while stopping, synchronously invokes the onabort event. If any
other active object is created or removed, the iterator is invalidated
underneath on the stack and the ASSERT fires.
This stack shows how it happens (repro file is coming):

#0      0x0410f44f in WebCore::ScriptExecutionContext::createdActiveDOMObject at ScriptExecutionContext.cpp:160
#1      0x04106822 in WebCore::ActiveDOMObject::ActiveDOMObject at ActiveDOMObject.cpp:45
#2      0x03f014fc in WebCore::XMLHttpRequest::XMLHttpRequest at XMLHttpRequest.cpp:334
#3      0x03f01762 in WebCore::XMLHttpRequest::XMLHttpRequest at XMLHttpRequest.cpp:338
#4      0x0403ab1d in WebCore::XMLHttpRequest::create at XMLHttpRequest.h:41
#5      0x0403a8bb in constructXMLHttpRequest at JSXMLHttpRequestConstructor.cpp:46
#6      0x00581e0e in JSC::Interpreter::cti_op_construct_NotJSConstruct at Interpreter.cpp:5116
#7      0x0057b60c in JSC::Interpreter::retrieveCaller at Interpreter.cpp:4032
#8      0x0058052a in JSC::Interpreter::execute at Interpreter.cpp:1006
#9      0x004a2297 in JSC::JSFunction::call at JSFunction.cpp:82
#10     0x004a234f in JSC::call at CallData.cpp:39
#11     0x03f503a0 in WebCore::JSAbstractEventListener::handleEvent at JSEventListener.cpp:109
#12     0x03f01842 in WebCore::XMLHttpRequest::dispatchXMLHttpRequestProgressEvent at XMLHttpRequest.cpp:1387
#13     0x03f02abc in WebCore::XMLHttpRequest::dispatchAbortEvent at XMLHttpRequest.cpp:1397
#14     0x03f02c6f in WebCore::XMLHttpRequest::abort at XMLHttpRequest.cpp:872
#15     0x03f02cf5 in WebCore::XMLHttpRequest::stop at XMLHttpRequest.cpp:1429
#16     0x0410ece7 in WebCore::ScriptExecutionContext::stopActiveDOMObjects at ScriptExecutionContext.cpp:152
#17     0x03ab9456 in WebCore::FrameLoader::clear at FrameLoader.cpp:819
#18     0x03ab9727 in WebCore::FrameLoader::begin at FrameLoader.cpp:916
#19     0x03abbe5e in WebCore::FrameLoader::receivedFirstData at FrameLoader.cpp:866


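The re-entrancy pattern from the report (a synchronous handler mutating the set that is being iterated) next to one common mitigation, as an added C++ example that is neither WebKit code nor the fix adopted for this bug. Context, ActiveObject, run and every member name are hypothetical, and std::unordered_set stands in for the set of active objects; the in-place loop stops at the first mutation instead of advancing an iterator that may no longer be valid.

```cpp
// Added illustration, not WebKit code; all type and member names are hypothetical.
#include <functional>
#include <memory>
#include <unordered_set>
#include <vector>
struct ActiveObject;
struct Context {
    std::unordered_set<ActiveObject*> active;  // stands in for the set being iterated
    unsigned mutations = 0;                    // bumped on every insert or erase
    void created(ActiveObject* o) { ++mutations; active.insert(o); }
    void destroyed(ActiveObject* o) { ++mutations; active.erase(o); }
    bool stopAllInPlace(); void stopAllSnapshot();
};
struct ActiveObject {
    Context& ctx;
    std::function<void()> onabort;  // stands in for the script event handler
    bool stopped = false;
    explicit ActiveObject(Context& c) : ctx(c) { ctx.created(this); }
    ~ActiveObject() { ctx.destroyed(this); }
    void stop() { stopped = true; if (onabort) onabort(); }  // synchronous dispatch
};
// Pattern from the report: handlers run while an iterator is live; false = set mutated under it.
bool Context::stopAllInPlace() {
    for (auto it = active.begin(); it != active.end(); ++it) {
        unsigned before = mutations;
        (*it)->stop();
        if (mutations != before) return false;  // continuing with ++it is not safe
    }
    return true;
}
// One mitigation: walk a snapshot and re-check membership before each call.
void Context::stopAllSnapshot() {
    std::vector<ActiveObject*> snapshot(active.begin(), active.end());
    for (ActiveObject* o : snapshot)
        if (active.count(o)) o->stop();  // skip objects a handler already destroyed
}
// Constructed scenario: two objects whose onabort handlers each create another.
struct Outcome { bool completed; unsigned stopped; unsigned total; };
Outcome run(bool useSnapshot) {
    Context ctx;
    std::vector<std::unique_ptr<ActiveObject>> pool;
    for (int i = 0; i < 2; ++i) {
        pool.push_back(std::make_unique<ActiveObject>(ctx));
        pool.back()->onabort = [&] { pool.push_back(std::make_unique<ActiveObject>(ctx)); };
    }
    bool ok = useSnapshot ? (ctx.stopAllSnapshot(), true) : ctx.stopAllInPlace();
    unsigned n = 0;
    for (auto& p : pool) n += p->stopped;
    return {ok, n, static_cast<unsigned>(pool.size())};
}
```

With the snapshot walk, objects created by a handler during shutdown are never stopped, so a design using it still has to either refuse registration while stopping or sweep again afterwards.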