[Webkit-unassigned] [Bug 48643] New: XMLDocumentParser gets deleted and then used in LayoutTest/fast/frames/set-parent-src-synchronously.xhtml on QT/Linux

bugzilla-daemon at webkit.org
Fri Oct 29 09:41:55 PDT 2010


https://bugs.webkit.org/show_bug.cgi?id=48643

           Summary: XMLDocumentParser gets deleted and then used in LayoutTest/fast/frames/set-parent-src-synchronously.xhtml on QT/Linux
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: peter.rybin at gmail.com


On the Qt/Linux platform in LayoutTests/fast/frames/set-parent-src-synchronously.xhtml an instance of XMLDocumentParser gets deleted:

3:_ZN7WebCore17XMLDocumentParserD0Ev+0x6a)
4:_ZN3WTF10RefCountedIN7WebCore14DocumentParserEE5derefEv+0x43)
5:_ZN3WTF14derefIfNotNullIN7WebCore14DocumentParserEEEvPT_+0x2e)
6:_ZN3WTF6RefPtrIN7WebCore14DocumentParserEE5clearEv+0x2e)
7:_ZN7WebCore8Document12detachParserEv+0x52)
8:_ZN7WebCore8Document13cancelParsingEv+0x37)
9:_ZN7WebCore11FrameLoader5clearEbbb+0x8f)
10:_ZN7WebCore14DocumentWriter5beginERKNS_4KURLEbPNS_14SecurityOriginE+0x1b1)
11:_ZN7WebCore14DocumentWriter15replaceDocumentERKN3WTF6StringE+0x7b)
12:_ZN7WebCore16ScriptController22executeIfJavaScriptURLERKNS_4KURLENS_36ShouldReplaceDocumentIfJavaScriptURLE+0x27b)
13:_ZN7WebCore14SubframeLoader12requestFrameEPNS_21HTMLFrameOwnerElementERKN3WTF6StringERKNS3_12AtomicStringEbb+0x19c)
14:_ZN7WebCore20HTMLFrameElementBase7openURLEbb+0x171)
15:_ZN7WebCore20HTMLFrameElementBase11setLocationERKN3WTF6StringE+0xe1)
16:_ZN7WebCore20HTMLFrameElementBase20parseMappedAttributeEPNS_9AttributeE+0x6c)
17:_ZN7WebCore17HTMLIFrameElement20parseMappedAttributeEPNS_9AttributeE+0x2ce)
18:_ZN7WebCore13StyledElement16attributeChangedEPNS_9AttributeEb+0x292)
19:_ZN7WebCore7Element12setAttributeERKN3WTF12AtomicStringES4_Ri+0x308)
20:_ZN7WebCore38jsElementPrototypeFunctionSetAttributeEPN3JSC9ExecStateE+0x232)
21: ***
22: ***
23: ***
24: ***
25:_ZN7WebCore21JSMainThreadExecState8evaluateEPN3JSC9ExecStateERNS1_10ScopeChainERKNS1_10SourceCodeENS1_7JSValueE+0x54)
26:_ZN7WebCore16ScriptController15evaluateInWorldERKNS_16ScriptSourceCodeEPNS_15DOMWrapperWorldENS_14ShouldAllowXSSE+0x1bd)
27:_ZN7WebCore16ScriptController8evaluateERKNS_16ScriptSourceCodeENS_14ShouldAllowXSSE+0x3f)
28:_ZN7WebCore16ScriptController13executeScriptERKNS_16ScriptSourceCodeENS_14ShouldAllowXSSE+0xa9)
29:_ZN7WebCore17XMLDocumentParser15parseEndElementEv+0x63e)
30:_ZN7WebCore17XMLDocumentParser5parseEv+0x87)
31:_ZN7WebCore17XMLDocumentParser7doWriteERKN3WTF6StringE+0xee)
32:_ZN7WebCore17XMLDocumentParser6appendERKNS_15SegmentedStringE+0x17c)
33:_ZN7WebCore25DecodedDataDocumentParser11appendBytesEPNS_14DocumentWriterEPKcib+0xfb)
34:_ZN7WebCore14DocumentWriter7addDataEPKcib+0x275)
35:_ZN7WebCore14DocumentLoader10commitDataEPKci+0x14b)
36:_ZN7WebCore19FrameLoaderClientQt13committedLoadEPNS_14DocumentLoaderEPKci+0x39)
37:_ZN7WebCore14DocumentLoader10commitLoadEPKci+0xa1)
38:_ZN7WebCore14DocumentLoader12receivedDataEPKci+0x58)
39:_ZN7WebCore18MainResourceLoader7addDataEPKcib+0x5a)
40:_ZN7WebCore14ResourceLoader14didReceiveDataEPKcixb+0x60)
41:_ZN7WebCore18MainResourceLoader14didReceiveDataEPKcixb+0x1d3)
42:_ZN7WebCore14ResourceLoader14didReceiveDataEPNS_14ResourceHandleEPKcii+0x7c)
43:_ZN7WebCore20QNetworkReplyHandler11forwardDataEv+0x121)
44:_ZN7WebCore20QNetworkReplyHandler11qt_metacallEN11QMetaObject4CallEiPPv+0x9c)


and then used again:

* segfault *
WebCore::XMLDocumentParser::popCurrentNode()
WebCore::XMLDocumentParser::parseEndElement()
WebCore::XMLDocumentParser::parse()
WebCore::XMLDocumentParser::doWrite(WTF::String const&)
WebCore::XMLDocumentParser::append(WebCore::SegmentedString const&)
WebCore::DecodedDataDocumentParser::appendBytes(WebCore::DocumentWriter*, char const*, int, bool)
WebCore::DocumentWriter::addData(char const*, int, bool)
WebCore::DocumentLoader::commitData(char const*, int)
WebCore::FrameLoaderClientQt::committedLoad(WebCore::DocumentLoader*, char const*, int)
WebCore::DocumentLoader::commitLoad(char const*, int)
WebCore::MainResourceLoader::addData(char const*, int, bool)
WebCore::ResourceLoader::didReceiveData(char const*, int, long long, bool)
WebCore::MainResourceLoader::didReceiveData(char const*, int, long long, bool)
WebCore::ResourceLoader::didReceiveData(WebCore::ResourceHandle*, char const*, int, int)
WebCore::QNetworkReplyHandler::forwardData()
WebCore::QNetworkReplyHandler::qt_metacall(QMetaObject::Call, int, void**)
QMetaObject::metacall(QObject*, QMetaObject::Call, int, void**)
QMetaCallEvent::placeMetaCall(QObject*)
QObject::event(QEvent*)
QApplicationPrivate::notify_helper(QObject*, QEvent*)
QApplication::notify(QObject*, QEvent*)
QCoreApplication::notifyInternal(QObject*, QEvent*)
QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*)
QCoreApplication::sendPostedEvents(QObject*, int)


Method WebCore::XMLDocumentParser::parseEndElement() in XMLDocumentParserQt.cpp seems to be the point where the 2 stack traces split. It first calls executeScript, where the parser gets deleted, and then popCurrentNode, and the process fails.

This segfault is very flaky. It is also often erroneously attributed to innocent LayoutTests/fast/frames/set-unloaded-frame-location.html that goes right after in the batch run.

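The ordering the report describes (a re-entrant script run from inside parseEndElement() drops the parser's last reference, and popCurrentNode() then runs on the freed object), modelled as an added C++ example that is not WebKit code: Document, XmlParser and the "protect" pattern below are hypothetical stand-ins for WebCore's RefPtr-managed DocumentParser, with shared_ptr playing the role of RefPtr.

```cpp
#include <functional>
#include <memory>
#include <string>
#include <vector>

struct Document;

// Hypothetical stand-in for XMLDocumentParser (refcounted via shared_ptr instead of RefPtr).
struct XmlParser {
    std::vector<std::string> openNodes{"html", "body", "script"};
    void executeScript(Document& doc);                 // may re-enter the document and replace it
    void popCurrentNode() { openNodes.pop_back(); }
};

// Hypothetical stand-in for Document: owns the parser through the only strong reference.
struct Document {
    std::shared_ptr<XmlParser> parser;
    std::function<void(Document&)> script;             // what executeScript() runs for the <script>
    void detachParser() { parser.reset(); }            // Document::detachParser(): last ref dropped
};

inline void XmlParser::executeScript(Document& doc) { if (doc.script) doc.script(doc); }

// Reported ordering: script runs through a raw `this`, then `this` is touched again.
// Returns remaining open nodes, or -1 at the point where the real code went on to call
// popCurrentNode() on freed memory (the weak_ptr is an observer for this model only).
int parseEndElementUnsafe(Document& doc) {
    XmlParser* self = doc.parser.get();
    std::weak_ptr<XmlParser> watch = doc.parser;
    self->executeScript(doc);
    if (watch.expired()) return -1;                    // real code has no such check: use-after-free
    self->popCurrentNode();
    return static_cast<int>(self->openNodes.size());
}

// Hardened ordering: a local strong reference keeps the parser alive across the re-entrant
// call (RefPtr-style "protect(this)"), so the later member access is always on a live object.
int parseEndElementSafe(Document& doc) {
    std::shared_ptr<XmlParser> protect = doc.parser;
    protect->executeScript(doc);                       // document may detach us; we still own a ref
    protect->popCurrentNode();
    return static_cast<int>(protect->openNodes.size());
}

// Constructed script: synchronously replaces the document, as setting the parent frame's src
// to a javascript: URL does in the reported test. A nullptr script models a benign script.
void replaceDocumentScript(Document& doc) { doc.detachParser(); }

int runUnsafe(bool replaces) { Document d{std::make_shared<XmlParser>(), replaces ? replaceDocumentScript : nullptr}; return parseEndElementUnsafe(d); }
int runSafe(bool replaces)   { Document d{std::make_shared<XmlParser>(), replaces ? replaceDocumentScript : nullptr}; return parseEndElementSafe(d); }
```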