[Webkit-unassigned] [Bug 56124] CSSSelector double frees

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Mar 22 16:51:20 PDT 2011 

https://bugs.webkit.org/show_bug.cgi?id=56124





--- Comment #6 from Mihai Parparita <mihaip at chromium.org>  2011-03-22 16:51:20 PST ---
(In reply to comment #5)
> Both these stacks look like normal destructions. The interesting question is how the selectors got deleted the first time.
> 
> Could someone add the full stacks, these ones don't extend to the runloop (and links don't work for me)? There is a possibility that WebKit has been re-entered badly. I note that the stacks look like they may involve Chrome specific behaviors.

Here's a more complete stack for the first one (during V8 GC):

0x625cd55e     [chrome.dll     + 0x000cd55e]    WebCore::CSSSelector::`scalar deleting destructor'(unsigned int)
0x625cd52c     [chrome.dll     - cssselectorlist.cpp:104]    WebCore::CSSSelectorList::deleteSelectors()
0x6263cc15     [chrome.dll     - cssstylerule.cpp:44]    WebCore::CSSStyleRule::~CSSStyleRule()
0x6263cbe4     [chrome.dll     + 0x0013cbe4]    WebCore::CSSStyleRule::`vector deleting destructor'(unsigned int)
0x625e4124     [chrome.dll     - refcounted.h:141]    WTF::RefCounted<WebCore::EditCommand>::deref()
0x625e6e97     [chrome.dll     - vector.h:526]    WTF::Vector<WTF::RefPtr<WebCore::StyleSheet>,0>::~Vector<WTF::RefPtr<WebCore::StyleSheet>,0>()
0x62642cb8     [chrome.dll     - stylesheet.cpp:67]    WebCore::StyleSheet::~StyleSheet()
0x625dfc57     [chrome.dll     - cssstylesheet.cpp:88]    WebCore::CSSStyleSheet::~CSSStyleSheet()
0x625dfb2c     [chrome.dll     + 0x000dfb2c]    WebCore::CSSStyleSheet::`vector deleting destructor'(unsigned int)
0x625e4124     [chrome.dll     - refcounted.h:141]    WTF::RefCounted<WebCore::EditCommand>::deref()
0x625e6e97     [chrome.dll     - vector.h:526]    WTF::Vector<WTF::RefPtr<WebCore::StyleSheet>,0>::~Vector<WTF::RefPtr<WebCore::StyleSheet>,0>()
0x6254597c     [chrome.dll     - refcounted.h:141]    WTF::RefCounted<WebCore::StyleSheetList>::deref()
0x6253da70     [chrome.dll     - document.cpp:617]    WebCore::Document::~Document()
0x627f35c2     [chrome.dll     - htmldocument.cpp:90]    WebCore::HTMLDocument::~HTMLDocument()
0x627f2c16     [chrome.dll     + 0x002f2c16]    WebCore::ImageDocument::`scalar deleting destructor'(unsigned int)
0x62537505     [chrome.dll     - node.cpp:401]    WebCore::Node::~Node()
0x6254cd00     [chrome.dll     - element.cpp:109]    WebCore::Element::~Element()
0x627ea933     [chrome.dll     + 0x002ea933]    WebCore::HTMLBodyElement::`vector deleting destructor'(unsigned int)
0x62c0d5ed     [chrome.dll     - update_recommended_message_box.cc:68]    UserDataDirDialog::DeleteDelegate()
0x6266c534     [chrome.dll     - domdatastore.cpp:173]    WebCore::DOMDataStore::weakNodeCallback(v8::Persistent<v8::Value>,void *)
0x632d9825     [chrome.dll     - global-handles.cc:182]    v8::internal::GlobalHandles::Node::PostGarbageCollectionProcessing()
0x632d9926     [chrome.dll     - global-handles.cc:387]    v8::internal::GlobalHandles::PostGarbageCollectionProcessing()
0x632c9ac5     [chrome.dll     - heap.cc:777]    v8::internal::Heap::PerformGarbageCollection(v8::internal::GarbageCollector,v8::internal::GCTracer *)
0x632c9c21     [chrome.dll     - heap.cc:509]    v8::internal::Heap::CollectGarbage(v8::internal::AllocationSpace,v8::internal::GarbageCollector)
0x62680ab9     [chrome.dll     - algorithm:2089]    std::_Pop_heap_0<WebCore::TimerHeapIterator,WebCore::TimerHeapElement>(WebCore::TimerHeapIterator,WebCore::TimerHeapIterator,WebCore::TimerHeapElement *)
0x626a19aa     [chrome.dll     - threadtimers.cpp:90]    WebCore::ThreadTimers::sharedTimerFired()
0x62a0a5b7     [chrome.dll     - message_loop.cc:376]    MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const &)
0x62a0a964     [chrome.dll     - message_loop.cc:569]    MessageLoop::DoWork()

And for the other crash (during load):
0x5ddfbf17     [chrome.dll     + 0x000cbf17]    WebCore::CSSSelector::`scalar deleting destructor'(unsigned int)
0x5ddfbee2     [chrome.dll     - cssselectorlist.cpp:95]    WebCore::CSSSelectorList::deleteSelectors()
0x5de69349     [chrome.dll     - cssstylerule.cpp:44]    WebCore::CSSStyleRule::~CSSStyleRule()
0x5de69318     [chrome.dll     + 0x00139318]    WebCore::CSSStyleRule::`vector deleting destructor'(unsigned int)
0x5dd8913c     [chrome.dll     - refcounted.h:141]    WTF::RefCounted<WebCore::LightSource>::deref()
0x5ddf2a07     [chrome.dll     - vector.h:526]    WTF::Vector<WTF::RefPtr<WebCore::StyleSheet>,0>::~Vector<WTF::RefPtr<WebCore::StyleSheet>,0>()
0x5de6f42d     [chrome.dll     - stylesheet.cpp:67]    WebCore::StyleSheet::~StyleSheet()
0x5de0da3c     [chrome.dll     - cssstylesheet.cpp:88]    WebCore::CSSStyleSheet::~CSSStyleSheet()
0x5de0d911     [chrome.dll     + 0x000dd911]    WebCore::CSSStyleSheet::`vector deleting destructor'(unsigned int)
0x5dd8913c     [chrome.dll     - refcounted.h:141]    WTF::RefCounted<WebCore::LightSource>::deref()
0x5ddf2a07     [chrome.dll     - vector.h:526]    WTF::Vector<WTF::RefPtr<WebCore::StyleSheet>,0>::~Vector<WTF::RefPtr<WebCore::StyleSheet>,0>()
0x5dd75128     [chrome.dll     - refcounted.h:141]    WTF::RefCounted<WebCore::StyleSheetList>::deref()
0x5dd6d828     [chrome.dll     - document.cpp:613]    WebCore::Document::~Document()
0x5e02443f     [chrome.dll     - htmldocument.cpp:90]    WebCore::HTMLDocument::~HTMLDocument()
0x5de5d82b     [chrome.dll     + 0x0012d82b]    WebCore::FTPDirectoryDocument::`scalar deleting destructor'(unsigned int)
0x5dd675d2     [chrome.dll     - node.cpp:401]    WebCore::Node::~Node()
0x5dd7c53d     [chrome.dll     - element.cpp:109]    WebCore::Element::~Element()
0x5e0162a1     [chrome.dll     + 0x002e62a1]    WebCore::HTMLAnchorElement::`scalar deleting destructor'(unsigned int)
0x5e3e58e5     [chrome.dll     - repost_form_warning_view.cc:81]    `anonymous namespace'::ResetDefaultsConfirmBox::DeleteDelegate()
0x5dd98c06     [chrome.dll     - event.cpp:64]    WebCore::Event::~Event()
0x5ddff31f     [chrome.dll     + 0x000cf31f]    WebCore::MouseEvent::`vector deleting destructor'(unsigned int)
0x5de20a1d     [chrome.dll     - refcounted.h:141]    WTF::RefCounted<WebCore::WebSocketChannel>::deref()
0x5dd5744e     [chrome.dll     + 0x0002744e]    WebCore::NavigationAction::~NavigationAction()
0x5ddc10df     [chrome.dll     - documentloader.cpp:115]    WebCore::DocumentLoader::~DocumentLoader()
0x5e07347c     [chrome.dll     + 0x0034347c]    WebKit::WebDataSourceImpl::`vector deleting destructor'(unsigned int)
0x5dd5b81f     [chrome.dll     - refptr.h:135]    WTF::RefPtr<WebCore::DocumentLoader>::operator=(WebCore::DocumentLoader *)
0x5dd58243     [chrome.dll     - frameloader.cpp:1786]    WebCore::FrameLoader::setDocumentLoader(WebCore::DocumentLoader *)
0x5dd58794     [chrome.dll     - frameloader.cpp:1970]    WebCore::FrameLoader::transitionToCommitted(WTF::PassRefPtr<WebCore::CachedPage>)
0x5dd58400     [chrome.dll     - frameloader.cpp:1869]    WebCore::FrameLoader::commitProvisionalLoad()
0x5ddc14ae     [chrome.dll     - documentloader.cpp:274]    WebCore::DocumentLoader::commitIfReady()
...... (7 stack frames dropped.)
0x5e570f4a     [chrome.dll     - resource_dispatcher.cc:370]    ResourceDispatcher::OnReceivedData(IPC::Message const &,int,void *,int)
0x5e5714e7     [chrome.dll     - resource_dispatcher.cc:526]    ResourceDispatcher::DispatchMessageW(IPC::Message const &)
0x5e570d55     [chrome.dll     - resource_dispatcher.cc:295]    ResourceDispatcher::OnMessageReceived(IPC::Message const &)
0x5e560fd7     [chrome.dll     - child_thread.cc:144]    ChildThread::OnMessageReceived(IPC::Message const &)
0x5e7b88da     [chrome.dll     - task.h:331]    RunnableMethod<UserStyleSheetLoader,void ( UserStyleSheetLoader::*)(GURL const &),Tuple1<GURL> >::Run()
0x5e1f18d3     [chrome.dll     - message_loop.cc:367]    MessageLoop::RunTask(Task *)
0x5e1f195a     [chrome.dll     - message_loop.cc:376]    MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const &)
0x5e1f1d07     [chrome.dll     - message_loop.cc:569]    MessageLoop::DoWork()
0x5e20764c     [chrome.dll     - message_pump_default.cc:50]    base::MessagePumpDefault::Run(base::MessagePump::Delegate *)
0x5e1f1854     [chrome.dll     - message_loop.cc:342]    MessageLoop::RunInternal()
0x5e1f17d9     [chrome.dll     - message_loop.cc:315]    MessageLoop::RunHandler()
0x5e1f16cd     [chrome.dll     - message_loop.cc:239]    MessageLoop::Run()
0x5e21e7aa     [chrome.dll     - renderer_main.cc:300]    RendererMain(MainFunctionParams const &)
0x5dd34170     [chrome.dll     - chrome_main.cc:755]    ChromeMain
0x00322212     [chrome.exe     - client_util.cc:280]    MainDllLoader::Launch(HINSTANCE__ *,sandbox::SandboxInterfaceInfo *)
0x00324392     [chrome.exe     - chrome_exe_main_win.cc:46]    wWinMain
0x003733a7     [chrome.exe     - crt0.c:263]    __tmainCRTStartup
0x774f3c44     [kernel32.dll     + 0x00053c44]    BaseThreadInitThunk
0x77b237f4     [ntdll.dll     + 0x000637f4]    __RtlUserThreadStart
0x77b237c7     [ntdll.dll     + 0x000637c7]    _RtlUserThreadStart

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list