[Webkit-unassigned] [Bug 26671] New: Safari 4.0 crashes in WebCore::DOMTimer::fired()
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Wed Jun 24 00:02:24 PDT 2009
https://bugs.webkit.org/show_bug.cgi?id=26671
Summary: Safari 4.0 crashes in WebCore::DOMTimer::fired()
Product: WebKit
Version: 528+ (Nightly build)
Platform: All
URL: http://lite.maps.nsw.gov.au/
OS/Version: All
Status: UNCONFIRMED
Severity: Critical
Priority: P1
Component: WebCore Misc.
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: david.carter at erdas.com
Safari 4.0 (530.17) crashes in WebCore::DOMTimer::fired(). The crash did not
occur in Safari 3.2.2 (from
http://support.apple.com/downloads/Safari_3_2_2_for_Windows).
To repeat the crash, follow these steps:
1. Load http://lite.maps.nsw.gov.au/
2. Click the zoom box tool on the circular navigator.
3. Click and drag the map to zoom into an area. Safari will crash.
I checked out and debugged the latest WebKit code in Visual Studio, and found
the crash was occurring in WebCore::DOMTimer::fired(). The error reported by
Visual Stuio when the crash occurs is "A buffer overrun has occurred in
Safari.exe which has corrupted the program's internal state.". Also, here is
the Visual Studio call stack at the time of the crash:
WebKit.dll!__crt_debugger_hook() Unknown
WebKit.dll!__report_gsfailure() Line 298 + 0x7 bytes C
WebKit.dll!WebCore::Node::compareDocumentPosition(WebCore::Node *
otherNode=0x00000000) Line 2073 + 0x15 bytes C++
WebKit.dll!WebCore::Document::addStyleSheetCandidateNode(WebCore::Node *
node=0x7e9bb160, bool createdByParser=true) Line 2287 C++
WebKit.dll!WebCore::ProcessingInstruction::insertedIntoDocument() Line 254
C++
WebKit.dll!WebCore::dispatchChildInsertionEvents(WebCore::Node *
child=0x7e9bb160, int & ec=0) Line 874 C++
WebKit.dll!WebCore::ContainerNode::appendChild(WTF::PassRefPtr<WebCore::Node>
newChild={...}, int & ec=2124132704, bool shouldLazyAttach=true) Line 483 +
0x7 bytes C++
WebKit.dll!WebCore::JSNode::appendChild(JSC::ExecState * exec=0x0c568944, const
JSC::ArgList & args={...}) Line 105 C++
WebKit.dll!WebCore::jsNodePrototypeFunctionAppendChild(JSC::ExecState *
exec=0x00000000, JSC::JSObject * __formal=0x0f662e14, JSC::JSValue
thisValue={...}, const JSC::ArgList & args={...}) Line 1295 + 0xd bytes
C++
JavaScriptCore.dll!JSC::JITCode::execute(JSC::RegisterFile *
registerFile=0x7fd81d88, JSC::ExecState * callFrame=0x0c568024,
JSC::JSGlobalData * globalData=0x00000000, JSC::JSValue * exception=0x0012f980)
Line 83 + 0x1d bytes C++
JavaScriptCore.dll!JSC::Interpreter::execute(JSC::ProgramNode * programNode=,
JSC::ExecState * callFrame=, JSC::ScopeChainNode * scopeChain=, JSC::JSObject *
thisObj=, JSC::JSValue * exception=) Line 644 + 0x26 bytes C++
JavaScriptCore.dll!JSC::evaluate(JSC::ExecState * exec=0x7fe62500,
JSC::ScopeChain & scopeChain={...}, const JSC::SourceCode & source={...},
JSC::JSValue thisValue={...}) Line 69 C++
WebKit.dll!WebCore::ScriptController::evaluate(const WebCore::ScriptSourceCode
& sourceCode=) Line 103 C++
WebKit.dll!WebCore::FrameLoader::executeScript(const WebCore::ScriptSourceCode
& sourceCode={...}) Line 781 C++
WebKit.dll!WebCore::FrameLoader::executeScript(const WebCore::String &
script={...}, bool forceUserGesture=false) Line 768 + 0x6f bytes C++
WebKit.dll!WebCore::ScheduledAction::execute(WebCore::Document *
document=0x00000000) Line 128 + 0x12 bytes C++
WebKit.dll!WebCore::DOMTimer::fired() Line 125 + 0x18 bytes C++
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
More information about the webkit-unassigned
mailing list