[Webkit-unassigned] [Bug 105043] New: REGRESSION (r137607): fast/loader/javascript-url-iframe-remove-on-navigate.html is crashing on GTK

bugzilla-daemon at webkit.org
Fri Dec 14 11:20:06 PST 2012


https://bugs.webkit.org/show_bug.cgi?id=105043

           Summary: REGRESSION (r137607):
                    fast/loader/javascript-url-iframe-remove-on-navigate.html
                    is crashing on GTK
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Keywords: Gtk, LayoutTestFailure, Regression
          Severity: Normal
          Priority: P2
         Component: WebKit Gtk
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: zandobersek at gmail.com
                CC: ap at webkit.org, gns at gnome.org, japhet at chromium.org,
                    mrobinson at webkit.org


fast/loader/javascript-url-iframe-remove-on-navigate.html started crashing after r137607 landed.
http://trac.webkit.org/changeset/137607

The patch already landed in r137333 but was later rolled out.
http://test-results.appspot.com/dashboards/flakiness_dashboard.html#group=%40ToT%20-%20webkit.org&tests=fast%2Floader%2Fjavascript-url-iframe-remove-on-navigate.html

This regression is limited to the GTK port.
Here's the crash log:
Crash log for DumpRenderTree (pid 8685):

...
[New LWP 9040]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Debug/Programs/DumpR'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007f82690e7b84 in webkit_web_data_source_dispose (object=0x350d920) at ../../Source/WebKit/gtk/webkit/webkitwebdatasource.cpp:87
87        ASSERT(!priv->loader->isLoading());

...

Thread 1 (Thread 0x7f825e8db900 (LWP 8685)):
#0  0x00007f82690e7b84 in webkit_web_data_source_dispose (object=0x350d920) at ../../Source/WebKit/gtk/webkit/webkitwebdatasource.cpp:87
#1  0x00007f8267d2fbb9 in g_object_unref () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libgobject-2.0.so.0
#2  0x00007f82690b4067 in WebKit::DocumentLoader::unrefDataSource (this=0x5b80c90) at ../../Source/WebKit/gtk/WebCoreSupport/DocumentLoaderGtk.cpp:122
#3  0x00007f82690b3da0 in WebKit::DocumentLoader::detachFromFrame (this=0x5b80c90) at ../../Source/WebKit/gtk/WebCoreSupport/DocumentLoaderGtk.cpp:81
#4  0x00007f82699372fe in WebCore::FrameLoader::setProvisionalDocumentLoader (this=0x5b7cce0, loader=0x0) at ../../Source/WebCore/loader/FrameLoader.cpp:1644
#5  0x00007f8269936d80 in WebCore::FrameLoader::stopAllLoaders (this=0x5b7cce0, clearProvisionalItemPolicy=WebCore::ShouldClearProvisionalItem) at ../../Source/WebCore/loader/FrameLoader.cpp:1558
#6  0x00007f826993a497 in WebCore::FrameLoader::frameDetached (this=0x5b7cce0) at ../../Source/WebCore/loader/FrameLoader.cpp:2374
#7  0x00007f82696b63e4 in WebCore::HTMLFrameOwnerElement::disconnectContentFrame (this=0x5b7a790) at ../../Source/WebCore/html/HTMLFrameOwnerElement.cpp:68
#8  0x00007f826941ad1a in WebCore::ChildFrameDisconnector::Target::disconnect (this=0x7fff1f988508) at ../../Source/WebCore/dom/ContainerNodeAlgorithms.cpp:121
#9  0x00007f8269421fc0 in WebCore::ChildFrameDisconnector::disconnect (this=0x7fff1f9884f0) at ../../Source/WebCore/dom/ContainerNodeAlgorithms.h:331
#10 0x00007f826941e562 in WebCore::willRemoveChildren (container=0x5b69210) at ../../Source/WebCore/dom/ContainerNode.cpp:447
#11 0x00007f826941ec73 in WebCore::ContainerNode::removeChildren (this=0x5b69210) at ../../Source/WebCore/dom/ContainerNode.cpp:575
#12 0x00007f8269435b32 in WebCore::Document::implicitOpen (this=0x5b69210) at ../../Source/WebCore/dom/Document.cpp:2277
#13 0x00007f82694359ea in WebCore::Document::open (this=0x5b69210, ownerDocument=0x5b69210) at ../../Source/WebCore/dom/Document.cpp:2241
#14 0x00007f826943685f in WebCore::Document::write (this=0x5b69210, text=..., ownerDocument=0x5b69210) at ../../Source/WebCore/dom/Document.cpp:2561
#15 0x00007f82691b0716 in WebCore::documentWrite (exec=0x7f821c048148, document=0x5b69210, addNewline=WebCore::DoNotAddNewline) at ../../Source/WebCore/bindings/js/JSHTMLDocumentCustom.cpp:155
#16 0x00007f82691b0769 in WebCore::JSHTMLDocument::write (this=0x7f8216798580, exec=0x7f821c048148) at ../../Source/WebCore/bindings/js/JSHTMLDocumentCustom.cpp:160
#17 0x00007f8269fab6e3 in WebCore::jsHTMLDocumentPrototypeFunctionWrite (exec=0x7f821c048148) at DerivedSources/WebCore/JSHTMLDocument.cpp:450
#18 0x00007f821e6b5265 in ?? ()
#19 0x00007fff1f988ab0 in ?? ()
#20 0x00007f826d340b81 in llint_op_call () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Debug/.libs/libjavascriptcoregtk-3.0.so.0
#21 0x00007f821c048100 in ?? ()
#22 0x000000000215e270 in ?? ()
#23 0x00007fff1f988a70 in ?? ()
#24 0x00007f826d2e69cf in JSC::JSStack::installTrapsAfterFrame (this=0x0, frame=0x0) at ../../Source/JavaScriptCore/interpreter/JSStackInlines.h:213
#25 0x00007f826d2e573c in JSC::JITCode::execute (this=0x7f8216460b00, stack=0x215e270, callFrame=0x7f821c048100, globalData=0x27d63b0) at ../../Source/JavaScriptCore/jit/JITCode.h:134
#26 0x00007f826d2e2e69 in JSC::Interpreter::executeCall (this=0x215e260, callFrame=0x7f82164ae388, function=0x7f821c01b380, callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:1055
#27 0x00007f826d3c6289 in JSC::call (exec=0x7f82164ae388, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/runtime/CallData.cpp:39
#28 0x00007f8269175ccf in WebCore::JSMainThreadExecState::call (exec=0x7f82164ae388, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../Source/WebCore/bindings/js/JSMainThreadExecState.h:56
#29 0x00007f82691a79dc in WebCore::JSEventListener::handleEvent (this=0x5b913a0, scriptExecutionContext=0x5b692b0, event=0x5b39140) at ../../Source/WebCore/bindings/js/JSEventListener.cpp:130
#30 0x00007f82694c22fe in WebCore::EventTarget::fireEventListeners (this=0x54b5e60, event=0x5b39140, d=0x54b5f50, entry=WTF::Vector of length 94584224, capacity 4294967295 = {...}) at ../../Source/WebCore/dom/EventTarget.cpp:210
#31 0x00007f82694c20c2 in WebCore::EventTarget::fireEventListeners (this=0x54b5e60, event=0x5b39140) at ../../Source/WebCore/dom/EventTarget.cpp:175
#32 0x00007f82699e3bc0 in WebCore::DOMWindow::dispatchEvent (this=0x54b5e60, prpEvent=..., prpTarget=...) at ../../Source/WebCore/page/DOMWindow.cpp:1670
#33 0x00007f826943ace2 in WebCore::Document::dispatchWindowEvent (this=0x5b69210, event=..., target=...) at ../../Source/WebCore/dom/Document.cpp:3649
#34 0x00007f826943fa0f in WebCore::Document::enqueuePopstateEvent (this=0x5b69210, stateObject=...) at ../../Source/WebCore/dom/Document.cpp:4940
#35 0x00007f82694362f9 in WebCore::Document::implicitClose (this=0x5b69210) at ../../Source/WebCore/dom/Document.cpp:2424
#36 0x00007f8269932fc5 in WebCore::FrameLoader::checkCallImplicitClose (this=0x213d480) at ../../Source/WebCore/loader/FrameLoader.cpp:833
#37 0x00007f8269932d43 in WebCore::FrameLoader::checkCompleted (this=0x213d480) at ../../Source/WebCore/loader/FrameLoader.cpp:776
#38 0x00007f8269934052 in WebCore::FrameLoader::completed (this=0x5b7cce0) at ../../Source/WebCore/loader/FrameLoader.cpp:1082
#39 0x00007f8269932d66 in WebCore::FrameLoader::checkCompleted (this=0x5b7cce0) at ../../Source/WebCore/loader/FrameLoader.cpp:780
#40 0x00007f8269932b2a in WebCore::FrameLoader::loadDone (this=0x5b7cce0) at ../../Source/WebCore/loader/FrameLoader.cpp:722
#41 0x00007f8269909778 in WebCore::CachedResourceLoader::loadDone (this=0x5b836e0, resource=0x5b86100) at ../../Source/WebCore/loader/cache/CachedResourceLoader.cpp:721
#42 0x00007f8269986a32 in WebCore::SubresourceLoader::releaseResources (this=0x5b864b0) at ../../Source/WebCore/loader/SubresourceLoader.cpp:318
#43 0x00007f826997b751 in WebCore::ResourceLoader::cancel (this=0x5b864b0, error=...) at ../../Source/WebCore/loader/ResourceLoader.cpp:410
#44 0x00007f826996d5ad in WebCore::MainResourceLoader::cancel (this=0x5b81a10, error=...) at ../../Source/WebCore/loader/MainResourceLoader.cpp:128
#45 0x00007f826996d441 in WebCore::MainResourceLoader::cancel (this=0x5b81a10) at ../../Source/WebCore/loader/MainResourceLoader.cpp:110
#46 0x00007f826991b6c7 in WebCore::DocumentLoader::stopLoading (this=0x5b80c90) at ../../Source/WebCore/loader/DocumentLoader.cpp:257
#47 0x00007f8269977a84 in WebCore::NavigationScheduler::schedule (this=0x5b7d0d8, redirect=...) at ../../Source/WebCore/loader/NavigationScheduler.cpp:432
#48 0x00007f8269977516 in WebCore::NavigationScheduler::scheduleLocationChange (this=0x5b7d0d8, securityOrigin=0x5b66e00, url="about:blank", referrer="file:///home/slave/webkitgtk/gtk-linux-64-debug/build/LayoutTests/fast/loader/javascript-url-iframe-remove-on-navigate.html", lockHistory=false, lockBackForwardList=true) at ../../Source/WebCore/loader/NavigationScheduler.cpp:358
#49 0x00007f8269984579 in WebCore::SubframeLoader::loadOrRedirectSubframe (this=0x213d6e0, ownerElement=0x5b7a790, url=..., frameName="target", lockHistory=false, lockBackForwardList=false) at ../../Source/WebCore/loader/SubframeLoader.cpp:340
#50 0x00007f82699832c3 in WebCore::SubframeLoader::requestFrame (this=0x213d6e0, ownerElement=0x5b7a790, urlString="javascript:alert('FAIL')", frameName="target", lockHistory=false, lockBackForwardList=false) at ../../Source/WebCore/loader/SubframeLoader.cpp:87
#51 0x00007f82696b5047 in WebCore::HTMLFrameElementBase::openURL (this=0x5b7a790, lockHistory=false, lockBackForwardList=false) at ../../Source/WebCore/html/HTMLFrameElementBase.cpp:88
#52 0x00007f82696b596a in WebCore::HTMLFrameElementBase::setLocation (this=0x5b7a790, str="javascript:alert('FAIL')") at ../../Source/WebCore/html/HTMLFrameElementBase.cpp:201
#53 0x00007f82696b519d in WebCore::HTMLFrameElementBase::parseAttribute (this=0x5b7a790, name="src", value="javascript:alert('FAIL')") at ../../Source/WebCore/html/HTMLFrameElementBase.cpp:98
#54 0x00007f82696b92bc in WebCore::HTMLIFrameElement::parseAttribute (this=0x5b7a790, name="src", value="javascript:alert('FAIL')") at ../../Source/WebCore/html/HTMLIFrameElement.cpp:99
#55 0x00007f826949d62c in WebCore::Element::attributeChanged (this=0x5b7a790, name="src", newValue="javascript:alert('FAIL')") at ../../Source/WebCore/dom/Element.cpp:776
#56 0x00007f826953b49d in WebCore::StyledElement::attributeChanged (this=0x5b7a790, name="src", newValue="javascript:alert('FAIL')") at ../../Source/WebCore/dom/StyledElement.cpp:168
#57 0x00007f82694a39c0 in WebCore::Element::didModifyAttribute (this=0x5b7a790, name="src", value="javascript:alert('FAIL')") at ../../Source/WebCore/dom/Element.cpp:2492
#58 0x00007f82694a8487 in WebCore::Element::setAttributeInternal (this=0x5b7a790, index=0, name="src", newValue="javascript:alert('FAIL')", inSynchronizationOfLazyAttribute=WebCore::Element::NotInSynchronizationOfLazyAttribute) at ../../Source/WebCore/dom/Element.cpp:749
#59 0x00007f826949d42c in WebCore::Element::setAttribute (this=0x5b7a790, name="src", value="javascript:alert('FAIL')") at ../../Source/WebCore/dom/Element.cpp:714
#60 0x00007f8269fe2db8 in WebCore::setJSHTMLIFrameElementSrc (exec=0x7f821c048058, thisObject=0x7f821679f520, value=...) at DerivedSources/WebCore/JSHTMLIFrameElement.cpp:421
#61 0x00007f8269fe3f76 in JSC::lookupPut<WebCore::JSHTMLIFrameElement> (exec=0x7f821c048058, propertyName=..., value=..., table=0x7f826c95a310, thisObj=0x7f821679f520, shouldThrow=false) at ../../Source/JavaScriptCore/runtime/Lookup.h:373
#62 0x00007f8269fe3acd in JSC::lookupPut<WebCore::JSHTMLIFrameElement, WebCore::JSHTMLElement> (exec=0x7f821c048058, propertyName=..., value=..., table=0x7f826c95a310, thisObj=0x7f821679f520, slot=...) at ../../Source/JavaScriptCore/runtime/Lookup.h:389
#63 0x00007f8269fe27b5 in WebCore::JSHTMLIFrameElement::put (cell=0x7f821679f520, exec=0x7f821c048058, propertyName=..., value=..., slot=...) at DerivedSources/WebCore/JSHTMLIFrameElement.cpp:321
#64 0x00007f826d22ee3c in JSC::JSValue::put (this=0x7fff1f989d20, exec=0x7f821c048058, propertyName=..., value=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSObject.h:1522
#65 0x00007f826d33534e in JSC::LLInt::llint_slow_path_put_by_id (exec=0x7f821c048058, pc=0x53faf60) at ../../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:980
#66 0x00007f826d33e557 in llint_op_put_by_id () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Debug/.libs/libjavascriptcoregtk-3.0.so.0
#67 0x00007f821c048058 in ?? ()
#68 0x000000000215e270 in ?? ()
#69 0x00007fff1f989e10 in ?? ()
#70 0x00007f826d2e69cf in JSC::JSStack::installTrapsAfterFrame (this=0x0, frame=0x0) at ../../Source/JavaScriptCore/interpreter/JSStackInlines.h:213
#71 0x00007f826d2e573c in JSC::JITCode::execute (this=0x7f8216460ba0, stack=0x215e270, callFrame=0x7f821c048058, globalData=0x27d63b0) at ../../Source/JavaScriptCore/jit/JITCode.h:134
#72 0x00007f826d2e2e69 in JSC::Interpreter::executeCall (this=0x215e260, callFrame=0x7f82164ae388, function=0x7f821c01b400, callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:1055
#73 0x00007f826d3c6289 in JSC::call (exec=0x7f82164ae388, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/runtime/CallData.cpp:39
#74 0x00007f8269175ccf in WebCore::JSMainThreadExecState::call (exec=0x7f82164ae388, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../Source/WebCore/bindings/js/JSMainThreadExecState.h:56
#75 0x00007f82691e1da8 in WebCore::ScheduledAction::executeFunctionInContext (this=0x5b91160, globalObject=0x7f82164ae180, thisValue=..., context=0x5b692b0) at ../../Source/WebCore/bindings/js/ScheduledAction.cpp:112
#76 0x00007f82691e1f94 in WebCore::ScheduledAction::execute (this=0x5b91160, document=0x5b69210) at ../../Source/WebCore/bindings/js/ScheduledAction.cpp:134
#77 0x00007f82691e1b18 in WebCore::ScheduledAction::execute (this=0x5b91160, context=0x5b692b0) at ../../Source/WebCore/bindings/js/ScheduledAction.cpp:80
#78 0x00007f82699dacac in WebCore::DOMTimer::fired (this=0x5b911a0) at ../../Source/WebCore/page/DOMTimer.cpp:139
#79 0x00007f826a2e1d49 in WebCore::ThreadTimers::sharedTimerFiredInternal (this=0x2152000) at ../../Source/WebCore/platform/ThreadTimers.cpp:116
#80 0x00007f826a2e1c43 in WebCore::ThreadTimers::sharedTimerFired () at ../../Source/WebCore/platform/ThreadTimers.cpp:93
#81 0x00007f826a46baba in WebCore::timeout_cb () at ../../Source/WebCore/platform/gtk/SharedTimerGtk.cpp:49
#82 0x00007f8267c1b5ac in g_timeout_dispatch () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0
#83 0x00007f8267c19903 in g_main_dispatch () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0
#84 0x00007f8267c1a4b3 in g_main_context_dispatch () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0
#85 0x00007f8267c1a6a3 in g_main_context_iterate () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0
#86 0x00007f8267c1aad3 in g_main_loop_run () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0
#87 0x00007f8268762e22 in gtk_main () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libgtk-3.so.0
#88 0x0000000000486dbd in runTest (inputLine=...) at ../../Tools/DumpRenderTree/gtk/DumpRenderTree.cpp:760
#89 0x00000000004864fb in runTestingServerLoop () at ../../Tools/DumpRenderTree/gtk/DumpRenderTree.cpp:550
#90 0x00000000004897a9 in main (argc=2, argv=0x7fff1f98aef8) at ../../Tools/DumpRenderTree/gtk/DumpRenderTree.cpp:1500
