[Webkit-unassigned] [Bug 49935] Crash at WebCore::ScriptElementData::execute (AsyncScriptRunner's timer fires after the document is unloaded)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Nov 23 12:50:38 PST 2010 

https://bugs.webkit.org/show_bug.cgi?id=49935





--- Comment #2 from Ryosuke Niwa <rniwa at webkit.org>  2010-11-23 12:50:38 PST ---
The problem is that we're calling notifyFinished in ScriptElement::requestScript because it does m_cachedScript->addClient(this), while notifyFinished is also called by didFinishLoading.

You can see the sequence of events as follows:

didFinishLoading: file:///Users/rniwa/Desktop/crbug63302.svg#bar
0x105f62c10: stopLoadRequest, 0x105f701a0
0x105f62c10: stopLoadRequest, 0x0
0x105f5fda0: requestScript, 0x0
    0x105f5fda0: notifyFinished, 0x105f701a0
0x105f5fda0: stopLoadRequest, 0x0
0x105f62c10: requestScript, 0x0
    0x105f62c10: notifyFinished, 0x105f701a0 < this call clears m_cachedScript
0x105f62c10: notifyFinished, 0x0 < oops! m_cachedScript is gone already
ASSERTION FAILED: o == m_cachedScript

I feel like ScriptElement::requestScript shouldn't be calling addClient but I'm not confident.  The stack trace for the first call to notifyFinished is:

#0    0x101fb02c0 in WebCore::ScriptElement::notifyFinished at ScriptElement.cpp:245
#1    0x101549f24 in WebCore::CachedResource::didAddClient at CachedResource.cpp:222
#2    0x10154b28b in WebCore::CachedResource::addClient at CachedResource.cpp:216
#3    0x101fb0655 in WebCore::ScriptElement::requestScript at ScriptElement.cpp:171
#4    0x101fb11f2 in WebCore::ScriptElement::insertedIntoDocument at ScriptElement.cpp:78
#5    0x1020c8737 in WebCore::SVGScriptElement::insertedIntoDocument at SVGScriptElement.cpp:99
#6    0x10159eb3a in WebCore::ContainerNode::insertedIntoDocument at ContainerNode.cpp:728
#7    0x1017f5ba2 in WebCore::Element::insertedIntoDocument at Element.cpp:858
#8    0x102054195 in WebCore::SVGElement::insertedIntoDocument at SVGElement.cpp:295
#9    0x1020d2d29 in WebCore::SVGStyledElement::insertedIntoDocument at SVGStyledElement.cpp:274
#10    0x1020f1089 in WebCore::SVGUseElement::insertedIntoDocument at SVGUseElement.cpp:125
#11    0x10159dcca in WebCore::notifyChildInserted at ContainerNode.cpp:1015
#12    0x10159ff99 in WebCore::ContainerNode::appendChild at ContainerNode.cpp:604
#13    0x1020f2c4b in WebCore::SVGUseElement::buildShadowTree at SVGUseElement.cpp:780
#14    0x1020f3699 in WebCore::SVGUseElement::buildShadowAndInstanceTree at SVGUseElement.cpp:538
#15    0x101f1d2ec in WebCore::RenderSVGShadowTreeRootContainer::updateFromElement at RenderSVGShadowTreeRootContainer.cpp:77
#16    0x1020f2de6 in WebCore::SVGUseElement::recalcStyle at SVGUseElement.cpp:346
#17    0x1017f5922 in WebCore::Element::recalcStyle at Element.cpp:1041
#18    0x1016d095c in WebCore::Document::recalcStyle at Document.cpp:1574
#19    0x1016d062f in WebCore::Document::updateStyleIfNeeded at Document.cpp:1616
#20    0x1016c949d in WebCore::Document::updateStyleForAllDocuments at Document.cpp:1633
#21    0x101fa639c in WebCore::ScriptController::executeScript at ScriptControllerBase.cpp:64
#22    0x102186d54 in WebCore::XMLDocumentParser::notifyFinished at XMLDocumentParser.cpp:362

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list