[Webkit-unassigned] [Bug 21329] New: REGRESSION: crash in ScriptElement::notifyFinished
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Fri Oct 3 01:05:23 PDT 2008
https://bugs.webkit.org/show_bug.cgi?id=21329
Summary: REGRESSION: crash in ScriptElement::notifyFinished
Product: WebKit
Version: 528+ (Nightly build)
Platform: PC
URL: http://www.kino.de/kinosuche.php4
OS/Version: Windows XP
Status: NEW
Severity: Critical
Priority: P1
Component: HTML DOM
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: darin at chromium.org
CC: eric at webkit.org
REGRESSION: crash in ScriptElement::notifyFinished
I observed this crash on http://www.kino.de/kinosuche.php4
(you might have to load that site a couple times to repro the crash)
I found that some code changed recently that probably explains the crash.
Compare:
-void HTMLScriptElement::notifyFinished(CachedResource* o)
-{
- CachedScript* cs = static_cast<CachedScript*>(o);
-
- ASSERT(cs == m_cachedScript);
-
- // Evaluating the script could lead to a garbage collection which
- // can delete the script element so we need to protect it.
- RefPtr<HTMLScriptElement> protect(this);
-
- if (cs->errorOccurred())
- dispatchHTMLEvent(errorEvent, true, false);
- else {
- evaluateScript(cs->url(), cs->script());
- dispatchHTMLEvent(loadEvent, false, false);
- }
-
- // script evaluation may have dereffed it already
- if (m_cachedScript) {
- m_cachedScript->removeClient(this);
- m_cachedScript = 0;
- }
-}
To:
void ScriptElementData::notifyFinished(CachedResource* o)
{
CachedScript* cs = static_cast<CachedScript*>(o);
ASSERT(cs == m_cachedScript);
if (cs->errorOccurred())
m_scriptElement->dispatchErrorEvent();
else {
RefPtr<Element> protector(m_element);
evaluateScript(cs->url(), cs->script());
m_scriptElement->dispatchLoadEvent();
}
stopLoadRequest();
}
The crash I get is inside stopLoadRequest() with |this| having been trashed.
m_element owns |this|.
Here's the interesting portion of the crash stack:
chrome.dll!WTF::HashTable<WebCore::RenderObject
*,std::pair<WebCore::RenderObject *,WebCore::RenderBlock::FloatingObject
*>,WTF::PairFirstExtractor<std::pair<WebCore::RenderObject
*,WebCore::RenderBlock::FloatingObject *> >,WTF::PtrHash<WebCore::RenderObject
*>,WTF::PairHashTraits<WTF::HashTraits<WebCore::RenderObject
*>,WTF::HashTraits<WebCore::RenderBlock::FloatingObject *>
>,WTF::HashTraits<WebCore::RenderObject *> >::find<WebCore::RenderObject *,WTF::IdentityHashTranslator<WebCore::RenderObject
*,std::pair<WebCore::RenderObject *,WebCore::RenderBlock::FloatingObject
*>,WTF::PtrHash<WebCore::RenderObject *> > >(WebCore::RenderObject * const &
key=0x0232775c) Line 751 C++
chrome.dll!WebCore::CachedResource::removeClient(WebCore::CachedResourceClient
* c=0x0232775c) Line 131 + 0x12 bytes C++
> chrome.dll!WebCore::ScriptElementData::notifyFinished(WebCore::CachedResource * o=0x02330e58) Line 191 + 0xd bytes C++
chrome.dll!WebCore::CachedScript::checkNotify() Line 95 + 0xa bytes
C++
chrome.dll!WebCore::CachedScript::data(WTF::PassRefPtr<WebCore::SharedBuffer>
data={...}, bool allDataReceived=true) Line 85 + 0xe bytes
C++
chrome.dll!WebCore::Loader::Host::didFinishLoading(WebCore::SubresourceLoader *
loader=0x034297f8) Line 278 C++
chrome.dll!WebCore::SubresourceLoader::didFinishLoading() Line 195
C++
chrome.dll!WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle *
__formal=0x01f31cf8) Line 399 C++
Originally identified here:
http://code.google.com/p/chromium/issues/detail?id=3056
In the old code, the protector was also ensuring that |this| remained valid
until after stopLoadRequest() is called. I think this is an apparent goof in
the recent code change.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
More information about the webkit-unassigned
mailing list