[Webkit-unassigned] [Bug 52945] New: crash @ WebCore::ResourceLoader::didCancel(WebCore::ResourceError const &)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Jan 21 19:50:12 PST 2011 

https://bugs.webkit.org/show_bug.cgi?id=52945

           Summary: crash @
                    WebCore::ResourceLoader::didCancel(WebCore::ResourceEr
                    ror const &)
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: All
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P1
         Component: Page Loading
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: rtenneti at chromium.org
                CC: abarth at webkit.org, jar at chromium.org


Logged into my personal yahoo email a/c and opened an email and print it. 

Displays printable version of email in a new window and select printer dialog gets displayed. Click on "Cancel" of that dialog, sometimes it crashes (duplicated it in Chrome build Beta and Dev).


Stack trace:
###########
Thread 0 *CRASHED* ( EXCEPTION_ACCESS_VIOLATION_READ @ 0x000006c4 )

0x0225162f     [chrome.dll     - resourceloader.cpp:341]    WebCore::ResourceLoader::didCancel(WebCore::ResourceError const &)
0x02250e03     [chrome.dll     - subresourceloader.cpp:231]    WebCore::SubresourceLoader::didCancel(WebCore::ResourceError const &)
0x02251716     [chrome.dll     - resourceloader.cpp:364]    WebCore::ResourceLoader::cancel(WebCore::ResourceError const &)
0x022516c1     [chrome.dll     - resourceloader.cpp:354]    WebCore::ResourceLoader::cancel()
0x02179605     [chrome.dll     - documentloader.cpp:64]    WebCore::cancelAll
0x02179cc6     [chrome.dll     - documentloader.cpp:251]    WebCore::DocumentLoader::stopLoading(WebCore::DatabasePolicy)
0x0210316e     [chrome.dll     - frameloader.cpp:1707]    WebCore::FrameLoader::stopAllLoaders(WebCore::DatabasePolicy)
0x023fdb04     [chrome.dll     - webframeimpl.cpp:962]    WebKit::WebFrameImpl::stopLoading()
0x024112e3     [chrome.dll     - chromeclientimpl.cpp:427]    WebKit::ChromeClientImpl::closeWindowSoon()
0x0233860a     [chrome.dll     - v8domwindow.cpp:2636]    WebCore::DOMWindowInternal::closeCallback
0x028e4d86     [chrome.dll     - builtins.cc:983]    v8::internal::HandleApiCallHelper<0>
0x028e507f     [chrome.dll     + 0x00cb507f]    
0x05e4d458            
Thread 1

0x7c90e514     [ntdll.dll     + 0x0000e514]    KiFastSystemCallRet
0x7c90df49     [ntdll.dll     + 0x0000df49]    NtWaitForMultipleObjects
0x7c80958f     [kernel32.dll     + 0x0000958f]    CreateFileMappingA
0x77df8630     [advapi32.dll     + 0x00028630]    WmipEventPump
0x7c80b728     [kernel32.dll     + 0x0000b728]    BaseThreadStart
Thread 2

0x7c90e514     [ntdll.dll     + 0x0000e514]    KiFastSystemCallRet
0x7c90da49     [ntdll.dll     + 0x0000da49]    ZwRemoveIoCompletion
0x7c80a7e5     [kernel32.dll     + 0x0000a7e5]    GetQueuedCompletionStatus
0x01d0b56b     [chrome.dll     - message_pump_win.cc:518]    base::MessagePumpForIO::GetIOItem(unsigned long,base::MessagePumpForIO::IOItem *)
0x01d0b4b7     [chrome.dll     - message_pump_win.cc:487]    base::MessagePumpForIO::WaitForIOCompletion(unsigned long,base::MessagePumpForIO::IOHandler *)
0x01d0b45f     [chrome.dll     - message_pump_win.cc:465]    base::MessagePumpForIO::DoRunLoop()
0x01d0aefe     [chrome.dll     - message_pump_win.cc:51]    base::MessagePumpWin::RunWithDispatcher(base::MessagePump::Delegate *,base::MessagePumpWin::Dispatcher *)
0x01d0ad43     [chrome.dll     - message_pump_win.h:80]    base::MessagePumpWin::Run(base::MessagePump::Delegate *)
0x01cf5d13     [chrome.dll     - message_loop.cc:258]    MessageLoop::RunInternal()
0x01cf5c91     [chrome.dll     - message_loop.cc:230]    MessageLoop::RunHandler()
0x01cf5c3f     [chrome.dll     - message_loop.cc:208]    MessageLoop::Run()
0x0270d40d     [chrome.dll     - thread.cc:140]    base::Thread::Run(MessageLoop *)
0x0270d4b9     [chrome.dll     - thread.cc:164]    base::Thread::ThreadMain()
0x01cfd757     [chrome.dll     - platform_thread_win.cc:26]    `anonymous namespace'::ThreadFunc(void *)
0x7c80b728     [kernel32.dll     + 0x0000b728]    BaseThreadStart

-------

>From japhet at chromium.org noticed the following:

We're crashing in ResourceLoader::didCancel() because we're assuming that ResourceLoader::m_documentLoader is valid. The stack below is from within SubresourceLoader::didCancel(), right before we crash.  We're re-entering the ResourceLoader and finishing it while in the process of cancelling it.

Note that the ResourceLoader is not yet freed (it's RefPtr<> protected). It's just accessing members that it already nulled.


chrome.dll!WebCore::ResourceLoader::releaseResources()  Line 91    C++
chrome.dll!WebCore::ResourceLoader::didFinishLoading(double finishTime=1290207487.7740891)  Line 302 + 0xf bytes    C++
chrome.dll!WebCore::SubresourceLoader::didFinishLoading(double finishTime=1290207487.7740891)  Line 188    C++
chrome.dll!WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle * __formal=0x04e77c20, double finishTime=1290207487.7740891)  Line 435 + 0x18 bytes    C++
chrome.dll!WebCore::ResourceHandleInternal::didFinishLoading(WebKit::WebURLLoader * __formal=0x05e232c0, double finishTime=1290207487.7740891)  Line 191 + 0x2e bytes    C++
chrome.dll!webkit_glue::WebURLLoaderImpl::Context::OnCompletedRequest(const URLRequestStatus & status={...}, const std::basic_string<char,std::char_traits<char>,std::allocator<char> > & security_info="", const base::Time & completion_time={...})  Line 652 + 0x2c bytes    C++
chrome.dll!ResourceDispatcher::OnRequestComplete(int request_id=146, const URLRequestStatus & status={...}, const std::basic_string<char,std::char_traits<char>,std::allocator<char> > & security_info="", const base::Time & completion_time={...})  Line 439 + 0x1b bytes    C++
chrome.dll!DispatchToMethod<ResourceDispatcher,void (__thiscall ResourceDispatcher::*)(int,URLRequestStatus const &,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,base::Time const &),int,URLRequestStatus,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,base::Time>(ResourceDispatcher * obj=0x01d99aa0, void (int, const URLRequestStatus &, const std::basic_string<char,std::char_traits<char>,std::allocator<char> > &, const base::Time &)* method=0x5c00b460, const Tuple4<int,URLRequestStatus,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,base::Time> & arg={...})  Line 573 + 0x23 bytes    C++
chrome.dll!IPC::MessageWithTuple<Tuple4<int,URLRequestStatus,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,base::Time> >::Dispatch<ResourceDispatcher,void (__thiscall ResourceDispatcher::*)(int,URLRequestStatus const &,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,base::Time const &)>(const IPC::Message * msg=0x060ae928, ResourceDispatcher * obj=0x01d99aa0, void (int, const URLRequestStatus &, const std::basic_string<char,std::char_traits<char>,std::allocator<char> > &, const base::Time &)* func=0x5c00b460)  Line 944 + 0x11 bytes    C++
chrome.dll!ResourceDispatcher::DispatchMessageW(const IPC::Message & message={...})  Line 509 + 0x12 bytes    C++
chrome.dll!ResourceDispatcher::OnMessageReceived(const IPC::Message & message={...})  Line 297    C++
chrome.dll!ChildThread::OnMessageReceived(const IPC::Message & msg={...})  Line 139 + 0x19 bytes    C++
chrome.dll!IPC::ChannelProxy::Context::OnDispatchMessage(const IPC::Message & message={...})  Line 232 + 0x19 bytes    C++
chrome.dll!DispatchToMethod<IPC::ChannelProxy::Context,void (__thiscall IPC::ChannelProxy::Context::*)(IPC::Message const &),IPC::Message>(IPC::ChannelProxy::Context * obj=0x01de0000, void (const IPC::Message &)* method=0x5ace84b0, const Tuple1<IPC::Message> & arg={...})  Line 554 + 0xf bytes    C++
chrome.dll!RunnableMethod<IPC::ChannelProxy::Context,void (__thiscall IPC::ChannelProxy::Context::*)(IPC::Message const &),Tuple1<IPC::Message> >::Run()  Line 330 + 0x1e bytes    C++
chrome.dll!MessageLoop::RunTask(Task * task=0x060ae900)  Line 418 + 0xf bytes    C++
chrome.dll!MessageLoop::DeferOrRunPendingTask(const MessageLoop::PendingTask & pending_task={...})  Line 430    C++
chrome.dll!MessageLoop::DoWork()  Line 534 + 0xc bytes    C++
chrome.dll!base::MessagePumpDefault::Run(base::MessagePump::Delegate * delegate=0x003ff06c)  Line 23 + 0xf bytes    C++
chrome.dll!MessageLoop::RunInternal()  Line 266 + 0x2a bytes    C++
chrome.dll!MessageLoop::RunHandler()  Line 239    C++
chrome.dll!MessageLoop::Run()  Line 217    C++
chrome.dll!IPC::SyncChannel::WaitForReplyWithNestedMessageLoop(IPC::SyncChannel::SyncContext * context=0x01de0000)  Line 476    C++
chrome.dll!IPC::SyncChannel::WaitForReply(IPC::SyncChannel::SyncContext * context=0x01de0000, base::WaitableEvent * pump_messages_event=0x01d90028)  Line 442 + 0x9 bytes    C++
chrome.dll!IPC::SyncChannel::SendWithTimeout(IPC::Message * message=0x04ee8d70, int timeout_ms=-1)  Line 417 + 0x12 bytes    C++
chrome.dll!IPC::SyncChannel::Send(IPC::Message * message=0x04ee8d70)  Line 381 + 0x15 bytes    C++
chrome.dll!ChildThread::Send(IPC::Message * msg=0x04ee8d70)  Line 96 + 0x21 bytes    C++
chrome.dll!RenderThread::Send(IPC::Message * msg=0x04ee8d70)  Line 431 + 0xf bytes    C++
chrome.dll!RenderWidget::Send(IPC::Message * message=0x04ee8d70)  Line 186 + 0x19 bytes    C++
chrome.dll!PrintWebViewHelper::Send(IPC::Message * msg=0x04ee8d70)  Line 254 + 0x1d bytes    C++
chrome.dll!PrintWebViewHelper::GetPrintSettingsFromUser(WebKit::WebFrame * frame=0x04ebd160, int expected_pages_count=2, bool use_browser_overlays=true)  Line 428 + 0xf bytes    C++
chrome.dll!PrintWebViewHelper::Print(WebKit::WebFrame * frame=0x04ebd160, bool script_initiated=true, bool is_preview=false)  Line 145 + 0x14 bytes    C++
chrome.dll!RenderView::Print(WebKit::WebFrame * frame=0x04ebd160, bool script_initiated=true, bool is_preview=false)  Line 5185    C++
chrome.dll!RenderView::printPage(WebKit::WebFrame * frame=0x04ebd160)  Line 1970    C++
chrome.dll!WebKit::ChromeClientImpl::print(WebCore::Frame * frame=0x05c42800)  Line 628 + 0x2a bytes    C++
chrome.dll!WebCore::Chrome::print(WebCore::Frame * frame=0x05c42800)  Line 418 + 0x1c bytes    C++
chrome.dll!WebCore::DOMWindow::print()  Line 901    C++
chrome.dll!WebCore::DOMWindow::finishedLoading()  Line 1587    C++
chrome.dll!WebCore::DocumentLoader::updateLoading()  Line 351    C++
chrome.dll!WebCore::DocumentLoader::removeSubresourceLoader(WebCore::ResourceLoader * loader=0x055d3400)  Line 710    C++
chrome.dll!WebCore::SubresourceLoader::didCancel(const WebCore::ResourceError & error={...})  Line 230    C++
chrome.dll!WebCore::ResourceLoader::cancel(const WebCore::ResourceError & error={...})  Line 378 + 0x1f bytes    C++

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list