[Webkit-unassigned] [Bug 31658] New: webkit_web_view_load_string() crash

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Nov 18 19:17:05 PST 2009


https://bugs.webkit.org/show_bug.cgi?id=31658

           Summary: webkit_web_view_load_string() crash
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: Major
          Priority: P2
         Component: WebKit Gtk
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: bunk at stusta.de


Created an attachment (id=43478)
 --> (https://bugs.webkit.org/attachment.cgi?id=43478)
test program

Download and compile the test program, and click twice on "Next Step".

Notes:
- this bug is a serious problem for Liferea users
- the small example is not complete HTML, but the actual bug is with a complete
XHTML file
- as seen in the test program, the same HTML is accepted in
webkit_web_view_load_uri()
- tested on amd64 with 1.1.16 and latest SVN trunk
- --disable-jit does not help

$ gcc -g -O2 -Wall test-webkit-crash.c -o test-webkit-crash `pkg-config --cflags --libs gtk+-2.0 webkit-1.0`
$ ./test-webkit-crash
#0  0x00007f1fa2c9b4dd in __libc_waitpid (pid=12738, stat_loc=<value optimized
out>, options=0) at ../sysdeps/unix/sysv/linux/waitpid.c:41
#1  0x00007f1fa2f69ed7 in IA__g_on_error_stack_trace (prg_name=0x40119e
"test-webkit-crash") at /tmp/buildd/glib2.0-2.22.2/glib/gbacktrace.c:187
#2  0x0000000000400fbe in fatal_signal_handler (sig=<value optimized out>) at
test-webkit-crash.c:36
#3  <signal handler called>
#4  IA__g_str_hash (v=0x0) at /tmp/buildd/glib2.0-2.22.2/glib/gstring.c:99
#5  0x00007f1fa2f7e28f in g_hash_table_lookup_node (hash_table=0x20ea770,
key=0x0) at /tmp/buildd/glib2.0-2.22.2/glib/ghash.c:195
#6  IA__g_hash_table_lookup (hash_table=0x20ea770, key=0x0) at
/tmp/buildd/glib2.0-2.22.2/glib/ghash.c:784
#7  0x00007f1fa504c334 in soup_cookie_jar_add_cookie (jar=0x20be360,
cookie=0x2118760) at soup-cookie-jar.c:345
#8  0x00007f1fa62bf409 in WebCore::setCookies (url=<value optimized out>,
value=...) at WebCore/platform/network/soup/CookieJarSoup.cpp:65
#9  0x00007f1fa5d9d10e in WebCore::Document::setCookie (this=0x7f1f99f74400,
value=...) at WebCore/dom/Document.cpp:3016
#10 0x00007f1fa633610d in WebCore::setJSDocumentCookie (exec=<value optimized
out>, thisObject=<value optimized out>, value=<value optimized out>) at
DerivedSources/JSDocument.cpp:1070
#11 0x00007f1fa633cc79 in lookupPut<WebCore::JSDocument> (this=0x7f1f95cd0240,
exec=0x7f1f9674d2b8, propertyName=..., value=..., slot=...) at
./JavaScriptCore/runtime/Lookup.h:303
#12 lookupPut<WebCore::JSDocument, WebCore::JSNode> (this=0x7f1f95cd0240,
exec=0x7f1f9674d2b8, propertyName=..., value=..., slot=...) at
./JavaScriptCore/runtime/Lookup.h:317
#13 WebCore::JSDocument::put (this=0x7f1f95cd0240, exec=0x7f1f9674d2b8,
propertyName=..., value=..., slot=...) at DerivedSources/JSDocument.cpp:1028
#14 0x00007f1fa63c56ca in lookupPut<WebCore::JSHTMLDocument,
WebCore::JSDocument> (this=0x7f1f95cd0240, exec=0x7f1f9674d2b8,
propertyName=..., value=<value optimized out>, slot=...) at
./JavaScriptCore/runtime/Lookup.h:318
#15 WebCore::JSHTMLDocument::put (this=0x7f1f95cd0240, exec=0x7f1f9674d2b8,
propertyName=..., value=<value optimized out>, slot=...) at
DerivedSources/JSHTMLDocument.cpp:315
#16 0x00007f1fa5b95f5f in JSC::JSValue::put (this=0x7fff5281ae20, flag=<value
optimized out>, registerFile=<value optimized out>, callFrame=0x7f1f9674d2b8,
exception=<value optimized out>) at ./JavaScriptCore/runtime/JSObject.h:656
#17 JSC::Interpreter::privateExecute (this=0x7fff5281ae20, flag=<value
optimized out>, registerFile=<value optimized out>, callFrame=0x7f1f9674d2b8,
exception=<value optimized out>) at
JavaScriptCore/interpreter/Interpreter.cpp:2294
#18 0x00007f1fa5ba0940 in JSC::Interpreter::execute (this=0x7f1f99f98680,
functionExecutable=<value optimized out>, callFrame=0x7f1f9a002748,
function=0x7f1f95cd1400, thisObj=<value optimized out>, args=<value optimized
out>, scopeChain=0x7f1f95c86cf0, exc
#19 0x00007f1fa5c2b6a7 in
JSC::JSFunction::call (this=0x7f1f95cd1400, exec=0x7f1f9a002748, thisValue=...,
args=...) at JavaScriptCore/runtime/JSFunction.cpp:120
#20 0x00007f1fa5c0ea80 in JSC::call (exec=0x2, functionObject=...,
callType=<value optimized out>, callData=..., thisValue=..., args=...) at
JavaScriptCore/runtime/CallData.cpp:39
#21 0x00007f1fa5caae29 in WebCore::callInWorld (exec=0x7f1f9a002748,
function=..., callType=JSC::CallTypeJS, callData=..., thisValue=<value
optimized out>, args=<value optimized out>, isolatedWorld=0x7f1f99fa4f80) at
WebCore/bindings/js/JSDOMBinding.cpp:83
#22 0x00007f1fa5cc2794 in
WebCore::JSEventListener::handleEvent (this=0x7f1f95c192a8,
scriptExecutionContext=0x7f1f99f74458, event=<value optimized out>) at
WebCore/bindings/js/JSEventListener.cpp:118
#23 0x00007f1fa5db8a37 in WebCore::EventTarget::fireEventListeners
(this=0x7f1f99f74400, event=0x7f1f95c24120) at WebCore/dom/EventTarget.cpp:297
#24 0x00007f1fa5dc7375 in WebCore::Node::dispatchGenericEvent
(this=0x7f1f99f74400, prpEvent=<value optimized out>) at
WebCore/dom/Node.cpp:2523
#25 0x00007f1fa5dc7901 in WebCore::Node::dispatchEvent (this=0x7f1f99f74400,
prpEvent=<value optimized out>) at WebCore/dom/Node.cpp:2446
#26 0x00007f1fa5d96414 in WebCore::Document::finishedParsing
(this=0x7f1f99f74400) at WebCore/dom/Document.cpp:4036
#27 0x00007f1fa5ed5dec in WebCore::HTMLTokenizer::end (this=0x7f1f95bfb800) at
WebCore/html/HTMLTokenizer.cpp:1863
#28 0x00007f1fa5edeeb9 in WebCore::HTMLTokenizer::finish (this=0x7f1f95bfb800)
at WebCore/html/HTMLTokenizer.cpp:1903
#29 0x00007f1fa5f39447 in WebCore::FrameLoader::endIfNotLoadingMainResource
(this=0x7f1f99f4f850) at WebCore/loader/FrameLoader.cpp:949
#30 0x00007f1fa5f35bd8 in WebCore::FrameLoader::finishedLoading
(this=0x7f1f99f4f850) at WebCore/loader/FrameLoader.cpp:2699
#31 0x00007f1fa5f4a61f in WebCore::MainResourceLoader::didFinishLoading
(this=0x7f1f99f98b00) at WebCore/loader/MainResourceLoader.cpp:393
#32 0x00007f1fa5f4d5e2 in
WebCore::MainResourceLoader::continueAfterContentPolicy (this=0x7f1f99f98b00,
contentPolicy=2784274064, r=...) at WebCore/loader/MainResourceLoader.cpp:264
#33 0x00007f1fa5f4d876 in
WebCore::MainResourceLoader::continueAfterContentPolicy (this=0x7f1f99f98b00,
policy=WebCore::PolicyUse) at WebCore/loader/MainResourceLoader.cpp:278
#34 0x00007f1fa5f4e1dd in
WebCore::MainResourceLoader::callContinueAfterContentPolicy
(this=0x7f1f99f98b00, r=...) at WebCore/loader/MainResourceLoader.cpp:270
#35 WebCore::MainResourceLoader::didReceiveResponse (this=0x7f1f99f98b00,
r=...) at WebCore/loader/MainResourceLoader.cpp:336
#36 0x00007f1fa5f4b2b3 in WebCore::MainResourceLoader::handleDataLoadNow
(this=0x7f1f99f98b00) at WebCore/loader/MainResourceLoader.cpp:438
#37 0x00007f1fa5fe23f6 in WebCore::ThreadTimers::sharedTimerFiredInternal
(this=0x7f1f99f43900) at WebCore/platform/ThreadTimers.cpp:112
#38 0x00007f1fa62ae492 in timeout_cb () at
WebCore/platform/gtk/SharedTimerGtk.cpp:48
#39 0x00007f1fa2f8d12a in g_main_dispatch (context=0x2032940) at
/tmp/buildd/glib2.0-2.22.2/glib/gmain.c:1960
#40 IA__g_main_context_dispatch (context=0x2032940) at
/tmp/buildd/glib2.0-2.22.2/glib/gmain.c:2513
#41 0x00007f1fa2f90988 in g_main_context_iterate (context=0x2032940, block=1,
dispatch=1, self=<value optimized out>) at
/tmp/buildd/glib2.0-2.22.2/glib/gmain.c:2591
#42 0x00007f1fa2f90e5d in IA__g_main_loop_run (loop=0x20f3a70) at
/tmp/buildd/glib2.0-2.22.2/glib/gmain.c:2799
#43 0x00007f1fa53b7ca7 in IA__gtk_main () at
/tmp/buildd/gtk+2.0-2.18.3/gtk/gtkmain.c:1218
#44 0x0000000000400f85 in main (argc=1, argv=0x7fff5281c3f8) at
test-webkit-crash.c:68
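Frames #4 to #7 of the trace show `soup_cookie_jar_add_cookie` handing a `key=0x0` to `g_hash_table_lookup`, and `g_str_hash` then dereferencing that NULL. The added C example below (it is not the attached test-webkit-crash.c and not WebKit or libsoup code) models that failure class: a cookie-jar-style table keyed by a domain string, with a hash routine that, like GLib's string hash, never checks for NULL, and an add path that validates the key before any lookup so the NULL never reaches the hash. The `host_from_uri` helper is an assumption made for illustration: it stands in for the document side deriving a cookie domain from its base URI, and yields no domain when there is no URI. All names and the sample URIs are constructed.

```c
/* Added example, not code from the bug report or from WebKit/libsoup.
 * Models frames #4-#7 above: a NULL key reaching a string-keyed table whose
 * hash function dereferences the key unconditionally. All names assumed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define JAR_BUCKETS 64

struct cookie_entry {
    char domain[64];
    char value[128];
    int used;
};

struct cookie_jar {
    struct cookie_entry buckets[JAR_BUCKETS];
};

/* Zero-initialised jar used by main() and by the tests. */
static struct cookie_jar g_jar;

/* Same shape as the string hash in the trace (h = h*31 + c); it walks the
 * string without a NULL check, which is exactly why key=0x0 is fatal. */
static unsigned int str_hash(const char *p)
{
    unsigned int h = (unsigned char)*p;
    if (h)
        for (p += 1; *p != '\0'; p++)
            h = (h << 5) - h + (unsigned char)*p;
    return h;
}

/* Hardened insert: 0 on success, -1 for a rejected key/value, -2 if full.
 * The validation sits in the caller, before str_hash ever sees the key. */
static int jar_add(struct cookie_jar *jar, const char *domain, const char *value)
{
    if (domain == NULL || *domain == '\0' || value == NULL)
        return -1;
    if (strlen(domain) >= sizeof jar->buckets[0].domain ||
        strlen(value) >= sizeof jar->buckets[0].value)
        return -1;
    unsigned int idx = str_hash(domain) % JAR_BUCKETS;
    for (int i = 0; i < JAR_BUCKETS; i++) {          /* linear probing */
        struct cookie_entry *e = &jar->buckets[(idx + i) % JAR_BUCKETS];
        if (!e->used || strcmp(e->domain, domain) == 0) {
            strcpy(e->domain, domain);
            strcpy(e->value, value);
            e->used = 1;
            return 0;
        }
    }
    return -2;
}

/* Lookup with the same guard; returns NULL when absent or key invalid. */
static const char *jar_lookup(const struct cookie_jar *jar, const char *domain)
{
    if (domain == NULL || *domain == '\0')
        return NULL;
    unsigned int idx = str_hash(domain) % JAR_BUCKETS;
    for (int i = 0; i < JAR_BUCKETS; i++) {
        const struct cookie_entry *e = &jar->buckets[(idx + i) % JAR_BUCKETS];
        if (!e->used)
            return NULL;                  /* add never leaves holes */
        if (strcmp(e->domain, domain) == 0)
            return e->value;
    }
    return NULL;
}

/* Assumed model of the document side: a document with no base URI has no
 * host, so it has no cookie domain. Toy parser, scheme://host[:port][/...]. */
static const char *host_from_uri(const char *uri, char *out, size_t outlen)
{
    if (uri == NULL)
        return NULL;
    const char *p = strstr(uri, "://");
    if (p == NULL)
        return NULL;
    p += 3;
    size_t n = strcspn(p, "/:");
    if (n == 0 || n >= outlen)
        return NULL;
    memcpy(out, p, n);
    out[n] = '\0';
    return out;
}

/* Equivalent of document.cookie = value: derives the domain, then adds.
 * A missing domain is reported as -1 instead of being passed on as NULL. */
static int set_document_cookie(struct cookie_jar *jar, const char *base_uri,
                               const char *value)
{
    char host[64];
    const char *domain = host_from_uri(base_uri, host, sizeof host);
    return jar_add(jar, domain, value);
}

int main(void)
{
    /* Constructed inputs: a document with no base URI, then one with a host. */
    printf("no base URI   -> %d\n", set_document_cookie(&g_jar, NULL, "a=1"));
    printf("with base URI -> %d\n",
           set_document_cookie(&g_jar, "http://example.org/index.html", "a=1"));
    printf("lookup        -> %s\n", jar_lookup(&g_jar, "example.org"));
    return 0;
}
```

The point of the split between `str_hash` and `jar_add` is where the check lives: a hash routine that promises nothing about NULL is fine as long as every caller validates the key it derived, and the derivation (`host_from_uri` here) is the place that can legitimately produce "no domain" for a document that was given no URI.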
