[Webkit-unassigned] [Bug 56124] New: CSSSelector double frees

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Mar 10 11:20:40 PST 2011 

https://bugs.webkit.org/show_bug.cgi?id=56124

           Summary: CSSSelector double frees
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: CSS
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: mihaip at chromium.org
                CC: koivisto at iki.fi


The CSSSelector double free checks added by http://trac.webkit.org/changeset/80269 and http://trac.webkit.org/changeset/80155 are being triggered in the wild (based on Chrome crash reports). Two stack that we've seen:

WebKit at r80534 (http://crash/reportdetail?reportid=84d45c1228e6b37b)
0x01cfd793     [chrome.dll     + 0x000cd793]    WebCore::CSSSelector::`scalar deleting destructor'(unsigned int)
0x01cfd773     [chrome.dll     - cssselectorlist.cpp:108]    WebCore::CSSSelectorList::deleteSelectors()
0x01d6d03c     [chrome.dll     - cssstylerule.cpp:44]    WebCore::CSSStyleRule::~CSSStyleRule()
0x01d6d00b     [chrome.dll     + 0x0013d00b]    WebCore::CSSStyleRule::`scalar deleting destructor'(unsigned int)
0x01cc0d85     [chrome.dll     - refcounted.h:141]    WTF::RefCounted<WebCore::EntryCallback>::deref()
0x01cf419a     [chrome.dll     - vector.h:526]    WTF::Vector<WTF::RefPtr<WebCore::FilterEffect>,0>::~Vector<WTF::RefPtr<WebCore::FilterEffect>,0>()
0x01d73033     [chrome.dll     - stylesheet.cpp:67]    WebCore::StyleSheet::~StyleSheet()
0x01d0fc51     [chrome.dll     - cssstylesheet.cpp:88]    WebCore::CSSStyleSheet::~CSSStyleSheet()
0x01d0fb26     [chrome.dll     + 0x000dfb26]    WebCore::CSSStyleSheet::`vector deleting destructor'(unsigned int)
0x01cc0d85     [chrome.dll     - refcounted.h:141]    WTF::RefCounted<WebCore::EntryCallback>::deref()
0x01cf419a     [chrome.dll     - vector.h:526]    WTF::Vector<WTF::RefPtr<WebCore::FilterEffect>,0>::~Vector<WTF::RefPtr<WebCore::FilterEffect>,0>()
0x01c75695     [chrome.dll     - refcounted.h:141]    WTF::RefCounted<WebCore::StyleSheetList>::deref()
0x01c6d878     [chrome.dll     - document.cpp:617]    WebCore::Document::~Document()
0x01f2364f     [chrome.dll     - htmldocument.cpp:90]    WebCore::HTMLDocument::~HTMLDocument()
0x01f22cd0     [chrome.dll     + 0x002f2cd0]    WebCore::HTMLDocument::`vector deleting destructor'(unsigned int)
0x01c6d2f3     [chrome.dll     - document.cpp:556]    WebCore::Document::removedLastRef()
0x01d9c786     [chrome.dll     - domdatastore.cpp:173]    WebCore::DOMDataStore::weakNodeCallback(v8::Persistent<v8::Value>,void *)
0x02a092e5     [chrome.dll     - global-handles.cc:182]    v8::internal::GlobalHandles::Node::PostGarbageCollectionProcessing()
0x02a093e6     [chrome.dll     - global-handles.cc:387]    v8::internal::GlobalHandles::PostGarbageCollectionProcessing()
0x029f95b5     [chrome.dll     - heap.cc:777]    v8::internal::Heap::PerformGarbageCollection(v8::internal::GarbageCollector,v8::internal::GCTracer *)
0x029f9711     [chrome.dll     - heap.cc:509]    v8::internal::Heap::CollectGarbage(v8::internal::AllocationSpace,v8::internal::GarbageCollector)

WebKit at r80210 (http://crash/reportdetail?reportid=4d9d5e5a1dfee4d3)
0x6583bf17     [chrome.dll     + 0x000cbf17]    WebCore::CSSSelector::`scalar deleting destructor'(unsigned int)
0x6583bee2     [chrome.dll     - cssselectorlist.cpp:95]    WebCore::CSSSelectorList::deleteSelectors()
0x658a9349     [chrome.dll     - cssstylerule.cpp:44]    WebCore::CSSStyleRule::~CSSStyleRule()
0x658a9318     [chrome.dll     + 0x00139318]    WebCore::CSSStyleRule::`vector deleting destructor'(unsigned int)
0x657c913c     [chrome.dll     - refcounted.h:141]    WTF::RefCounted<WebCore::LightSource>::deref()
0x65832a07     [chrome.dll     - vector.h:526]    WTF::Vector<WTF::RefPtr<WebCore::StyleSheet>,0>::~Vector<WTF::RefPtr<WebCore::StyleSheet>,0>()
0x658af42d     [chrome.dll     - stylesheet.cpp:67]    WebCore::StyleSheet::~StyleSheet()
0x6584da3c     [chrome.dll     - cssstylesheet.cpp:88]    WebCore::CSSStyleSheet::~CSSStyleSheet()
0x6584d911     [chrome.dll     + 0x000dd911]    WebCore::CSSStyleSheet::`vector deleting destructor'(unsigned int)
0x657c913c     [chrome.dll     - refcounted.h:141]    WTF::RefCounted<WebCore::LightSource>::deref()
0x65832a07     [chrome.dll     - vector.h:526]    WTF::Vector<WTF::RefPtr<WebCore::StyleSheet>,0>::~Vector<WTF::RefPtr<WebCore::StyleSheet>,0>()
0x657b5128     [chrome.dll     - refcounted.h:141]    WTF::RefCounted<WebCore::StyleSheetList>::deref()
0x657ad828     [chrome.dll     - document.cpp:613]    WebCore::Document::~Document()
0x65a6443f     [chrome.dll     - htmldocument.cpp:90]    WebCore::HTMLDocument::~HTMLDocument()
0x6589d82b     [chrome.dll     + 0x0012d82b]    WebCore::FTPDirectoryDocument::`scalar deleting destructor'(unsigned int)
0x657a75d2     [chrome.dll     - node.cpp:401]    WebCore::Node::~Node()
0x657bc53d     [chrome.dll     - element.cpp:109]    WebCore::Element::~Element()
0x65a5c440     [chrome.dll     - htmlframeownerelement.cpp:69]    WebCore::HTMLFrameOwnerElement::~HTMLFrameOwnerElement()
0x65a62814     [chrome.dll     - htmlpluginelement.cpp:70]    WebCore::HTMLPlugInElement::~HTMLPlugInElement()
0x65a51660     [chrome.dll     + 0x002e1660]    WebCore::HTMLPlugInImageElement::~HTMLPlugInImageElement()
0x65a5e7dd     [chrome.dll     + 0x002ee7dd]    WebCore::HTMLPlugInImageElement::`vector deleting destructor'(unsigned int)
0x65e258e5     [chrome.dll     - repost_form_warning_view.cc:81]    `anonymous namespace'::ResetDefaultsConfirmBox::DeleteDelegate()
0x65aa0287     [chrome.dll     - webnode.cpp:58]    WebKit::WebNode::reset()
0x65c97f22     [chrome.dll     - page_click_tracker.cc:114]    PageClickTracker::handleEvent(WebKit::WebDOMEvent const &)
0x65abc2b1     [chrome.dll     - eventlistenerwrapper.cpp:64]    WebKit::EventListenerWrapper::handleEvent(WebCore::ScriptExecutionContext *,WebCore::Event *)
0x6583cffc     [chrome.dll     - eventtarget.cpp:354]    WebCore::EventTarget::fireEventListeners(WebCore::Event *,WebCore::EventTargetData *,WTF::Vector<WebCore::RegisteredEventListener,1> &)
0x6583cf36     [chrome.dll     - eventtarget.cpp:323]    WebCore::EventTarget::fireEventListeners(WebCore::Event *)
0x657aa56a     [chrome.dll     - node.cpp:2543]    WebCore::Node::handleLocalEvents(WebCore::Event *)
0x6583bc3b     [chrome.dll     - eventcontext.cpp:48]    WebCore::EventContext::handleLocalEvents(WebCore::Event *)
0x657aa9fd     [chrome.dll     - node.cpp:2694]    WebCore::Node::dispatchGenericEvent(WTF::PassRefPtr<WebCore::Event>)

The CSSSelectorList that triggers these deletes was most recently refactored by http://trac.webkit.org/changeset/76648

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list