[Webkit-unassigned] [Bug 29873] Use after free in XHR and/or JS error handler

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Feb 26 11:07:22 PST 2010


https://bugs.webkit.org/show_bug.cgi?id=29873
--- Comment #10 from SkyLined <skylined at chromium.org>  2010-02-26 11:07:21 PST ---
Yes, it reproduces reliably when I go through these steps in Safari 4.0
(530.17) on Windows Vista x64:
1) Load
http://skypher.com/SkyLined/Repro/Safari/WebKit%2029873%20-%20xmlhttperror_use_after_free/repro.html
2) Wait 5 seconds when the popup shows up.
3) Click OK.
4) Press F5 to refresh the page.
5) Wait 5 seconds when the popup shows up.
6) Click OK.
7) KaB00m
0035f5cc 6c955f1b WebKit!WebCore::Loader::Host::servePendingRequests+0x25
0035f5fc 6c95685c WebKit!WebCore::Loader::Host::servePendingRequests+0x4b
0035f628 6ca15492 WebKit!WebCore::Loader::Host::didReceiveResponse+0xbc
0035f640 6c95e4b3 WebKit!WebCore::SubresourceLoader::didReceiveResponse+0x42
0035f650 6c720f15 WebKit!WebCore::ResourceLoader::didReceiveResponse+0x73
0035f6f0 6f578d44 WebKit!WebCore::didReceiveResponse+0x85
0035f704 6f57a669
CFNetwork!URLConnectionClient::_clientSendDidReceiveResponse(struct
_CFURLResponse * response = 0x6f5791b8, class
URLConnectionClient::ClientConnectionEventQueue * preQ = 0x0035f83c)+0x1e
[c:\bwa\cfnetwork-450.2\srcroot\connection\urlconnectionclient.cpp @ 960]
0035f80c 6f5791b8
CFNetwork!URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(struct
XConnectionEventInfo<enum XClientEvent,XClientEventParams> * e = 0x0035f83c,
long count = 2)+0x2b5
[c:\bwa\cfnetwork-450.2\srcroot\connection\urlconnectionclient.cpp @ 1681]
0035f81c 6f57a6e0 CFNetwork!XConnectionEventQueue<enum
XClientEvent,XClientEventParams>::processAllEvents(void)+0x14
[c:\bwa\cfnetwork-450.2\srcroot\connection\connectioneventqueue.h @ 177]
0035f91c 6f5791b8
CFNetwork!URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(struct
XConnectionEventInfo<enum XClientEvent,XClientEventParams> * e = 0x0702ebc0,
long count = 3)+0x32c
[c:\bwa\cfnetwork-450.2\srcroot\connection\urlconnectionclient.cpp @ 1715]
0035f92c 6f57a7f0 CFNetwork!XConnectionEventQueue<enum
XClientEvent,XClientEventParams>::processAllEvents(void)+0x14
[c:\bwa\cfnetwork-450.2\srcroot\connection\connectioneventqueue.h @ 177]
0035f940 6f578a9f CFNetwork!URLConnectionClient::processEvents(void)+0x44
[c:\bwa\cfnetwork-450.2\srcroot\connection\urlconnectionclient.cpp @ 301]
0035f94c 76368817 CFNetwork!URLConnectionWndProc(struct HWND__ * hWnd =
0x001f1130, unsigned int message = 0x4cf, unsigned int wParam = 0x857bb28, long
lParam = 0)+0x38
[c:\bwa\cfnetwork-450.2\srcroot\connection\urlconnectionclient.cpp @ 88]
0035f978 7636898e USER32!InternalCallWinProc+0x23
0035f9f0 76368ab9 USER32!UserCallWinProcCheckWow+0x109
0035fa54 76368b10 USER32!DispatchMessageWorker+0x380
0035fa64 00d0cae9 USER32!DispatchMessageW+0xf
0035fc90 00cbcd9b Safari!ATL::CWindow::ClientToScreen+0x269
0035fce4 00d0d686 Safari!run+0xfb
0035fd10 00cc4034 Safari!safariMain+0x5a6
0035fd20 00efef57 Safari!wWinMain+0x14
0035fdb4 769aeccb Safari!_vsnprintf+0x1a1
0035fdc0 776bd24d kernel32!BaseThreadInitThunk+0xe
0035fe00 776bd45f ntdll!__RtlUserThreadStart+0x23
0035fe18 00000000 ntdll!_RtlUserThreadStart+0x1b

WebKit!WebCore::Loader::Host::servePendingRequests:
6c955f30 55              push    ebp
6c955f31 8bec            mov     ebp,esp
6c955f33 83e4f8          and     esp,0FFFFFFF8h
6c955f36 8b4d0c          mov     ecx,dword ptr [ebp+0Ch]
6c955f39 8b01            mov     eax,dword ptr [ecx]
6c955f3b 81ec4c010000    sub     esp,14Ch
6c955f41 3b4104          cmp     eax,dword ptr [ecx+4]
6c955f44 53              push    ebx
6c955f45 56              push    esi
6c955f46 57              push    edi
6c955f47 0f84b8050000    je      WebKit!WebCore::Loader::Host::servePendingRequests+0x5d5 (6c956505)
6c955f4d 8b4108          mov     eax,dword ptr [ecx+8]
6c955f50 8b31            mov     esi,dword ptr [ecx]
6c955f52 8b1cb0          mov     ebx,dword ptr [eax+esi*4]
6c955f55 8b430c          mov     eax,dword ptr [ebx+0Ch]
ds:002b:c07b9ec7=????????

I'd give you more info, but I don't have private symbols. I will try to reduce
the repro and automate the timing as well as test on other platforms/machines
to see if this is a problem with my install or the code...
