Bug 10855 - REGRESSION: Reproducible crash in svg/custom/evt-onload.svg under GuardMalloc
Summary: REGRESSION: Reproducible crash in svg/custom/evt-onload.svg under GuardMalloc
Status: RESOLVED WORKSFORME
Alias: None
Product: WebKit
Classification: Unclassified
Component: SVG
Version: 420+
Hardware: Mac OS X 10.4
Importance: P1 Normal
Assignee: Nobody
URL:
Keywords: Regression
Depends on:
Blocks:
 
Reported: 2006-09-14 06:40 PDT by Mark Rowe (bdash)
Modified: 2007-01-11 05:27 PST
Description Mark Rowe (bdash) 2006-09-14 06:40:33 PDT
I have seen intermittent occurrences of "DumpRenderTree(1386,0xa000cf60) malloc: ***  Deallocation of a pointer not malloced: 0x2ed85de0; This could be a double free(), or free() called with the middle of an allocated block; Try setting environment variable MallocHelp to see tools to help debug" while running the layout tests.  After experimentation, I narrowed it down to a single test that crashes when using GuardMalloc.

atlas:~/WebKit-Devel mrowe$ DYLD_INSERT_LIBRARIES=/usr/lib/libgmalloc.dylib ./WebKitBuild/Debug/DumpRenderTree LayoutTests/svg/custom/evt-onload.svg 
Allocations will be placed on word (4 byte) boundaries.
 - Small buffer overruns may not be noticed.
 - Applications using AltiVec instructions may fail.
GuardMalloc-11
Segmentation fault
LEAK: 8 Node
LEAK: 3 RenderObject
LEAK: 1 Frame
LEAK: 23 KJS::Node


GDB says:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xce35aff8
0x013efdd7 in WebCore::SVGPaint::paintType (this=0xce35afd8) at ./ksvg2/svg/SVGPaint.h:54
54              SVGPaintType paintType() const { return m_paintType; }
(gdb) bt
#0  0x013efdd7 in WebCore::SVGPaint::paintType (this=0xce35afd8) at ./ksvg2/svg/SVGPaint.h:54
#1  0x0107623e in WebCore::StyleFillData::operator== (this=0xce382ff4, other=@0xce490ff4) at WebKit-Devel/WebCore/ksvg2/css/SVGRenderStyleDefs.cpp:58
#2  0x013f1744 in WebCore::DataRef<WebCore::StyleFillData>::operator== (this=0xce380fe4, o=@0xce48efe4) at WebKit-Devel/WebCore/rendering/DataRef.h:87
#3  0x01075238 in WebCore::SVGRenderStyle::operator== (this=0xce380fd8, o=@0xce48efd8) at WebKit-Devel/WebCore/ksvg2/css/SVGRenderStyle.cpp:90
#4  0x01459c5e in WebCore::DataRef<WebCore::SVGRenderStyle>::operator== (this=0xce37affc, o=@0xce488ffc) at WebKit-Devel/WebCore/rendering/DataRef.h:87
#5  0x011ba836 in WebCore::RenderStyle::operator== (this=0xce37afc0, o=@0xce488fc0) at WebKit-Devel/WebCore/rendering/RenderStyle.cpp:690
#6  0x0125fbd8 in WebCore::Node::diff (this=0xce2aef40, s1=0xce37afc0, s2=0xce488fc0) at WebKit-Devel/WebCore/dom/Node.cpp:647
#7  0x0126599f in WebCore::Element::recalcStyle (this=0xce2aef40, change=NoChange) at WebKit-Devel/WebCore/dom/Element.cpp:579
#8  0x01265bcb in WebCore::Element::recalcStyle (this=0xce042f2c, change=NoChange) at WebKit-Devel/WebCore/dom/Element.cpp:618
#9  0x01118ce7 in WebCore::Document::recalcStyle (this=0xcbf5a860, change=NoChange) at WebKit-Devel/WebCore/dom/Document.cpp:874
#10 0x011121e3 in WebCore::Document::updateRendering (this=0xcbf5a860) at WebKit-Devel/WebCore/dom/Document.cpp:896
#11 0x01115a1e in WebCore::Document::updateDocumentsRendering () at WebKit-Devel/WebCore/dom/Document.cpp:906
#12 0x0127a6f7 in KJS::JSAbstractEventListener::handleEvent (this=0xce112fd8, ele=0xce3b2fd8, isWindowEvent=false) at WebKit-Devel/WebCore/bindings/js/kjs_events.cpp:142
#13 0x01248020 in WebCore::EventTargetNode::handleLocalEvents (this=0xce042f2c, evt=0xce3b2fd8, useCapture=false) at WebKit-Devel/WebCore/dom/EventTargetNode.cpp:164
#14 0x012486d8 in WebCore::EventTargetNode::dispatchGenericEvent (this=0xce042f2c, e=@0xbfffe028, tempEvent=false) at WebKit-Devel/WebCore/dom/EventTargetNode.cpp:212
#15 0x01088515 in WebCore::SVGElement::sendSVGLoadEventIfPossible (this=0xce042f2c, sendParentLoadEvents=false) at WebKit-Devel/WebCore/ksvg2/svg/SVGElement.cpp:180
#16 0x0108861d in WebCore::SVGElement::closeRenderer (this=0xce042f2c) at WebKit-Devel/WebCore/ksvg2/svg/SVGElement.cpp:189
#17 0x0103c161 in WebCore::XMLTokenizer::endElementNs (this=0xcdf2af7c) at WebKit-Devel/WebCore/dom/XMLTokenizer.cpp:794
#18 0x0103c52f in WebCore::endElementNsHandler (closure=0xcdfe5e48, localname=0xcdffbc43 "svg", prefix=0x0, uri=0xcdffbc47 "http://www.w3.org/2000/svg") at WebKit-Devel/WebCore/dom/XMLTokenizer.cpp:1053
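The narrowing step the report describes (run the layout tests one at a time under GuardMalloc and keep the ones that die with a signal) can be scripted. The script below is an added example, not part of the bug report or of WebKit's own tooling; it assumes the DumpRenderTree and libgmalloc.dylib paths quoted in the report and takes the list of test files on standard input.

```shell
#!/bin/sh
# Added example: find which layout tests crash when run under GuardMalloc.
# DRT and GMALLOC default to the paths quoted in the bug report; both can be
# overridden from the environment (DRT may be a multi-word command).
DRT=${DRT:-./WebKitBuild/Debug/DumpRenderTree}
GMALLOC=${GMALLOC:-/usr/lib/libgmalloc.dylib}

# Run one test with GuardMalloc inserted into the process and return the
# runner's exit status. Output is discarded: only the status matters here.
run_under_gmalloc() {
    DYLD_INSERT_LIBRARIES="$GMALLOC" $DRT "$1" >/dev/null 2>&1
}

# A process killed by a signal exits with 128 + signal number (139 for
# SIGSEGV), which is what GuardMalloc's guard pages produce on a bad access.
classify_status() {
    if [ "$1" -gt 128 ]; then
        echo crash
    else
        echo ok
    fi
}

# Read test paths (one per line) from stdin, run each in its own process so
# one crash cannot mask another, and print the paths that crashed.
find_crashing_tests() {
    while IFS= read -r test; do
        [ -n "$test" ] || continue
        status=0
        run_under_gmalloc "$test" || status=$?
        if [ "$(classify_status "$status")" = crash ]; then
            echo "$test"
        fi
    done
}

# Usage: find LayoutTests/svg -name '*.svg' | sh this_script.sh
# (when executed directly rather than sourced)
case "$0" in
    *this_script.sh) find_crashing_tests ;;
esac
```

Each test runs in a fresh process, which is what makes the bisection reliable: an intermittent double free in one test cannot corrupt the heap of the next, and the 128 + signal exit status distinguishes a crash from a test that merely produced a diff.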
Comment 1 Eric Seidel (no email) 2006-09-16 02:01:33 PDT
So the backtrace indicates that somehow an SVGRectElement has a stale SVGRenderStyle pointer.  It's not clear to me if the SVGRenderStyle pointer itself is stale, or just the associated DataRef<StyleFillData> is bad.
Comment 2 Eric Seidel (no email) 2006-09-16 02:02:38 PDT
Perhaps somehow the SVGPaint object is being dereffed an extra time?
Comment 3 Alexey Proskuryakov 2006-12-18 10:51:47 PST
I cannot reproduce this anymore.
Comment 4 Mark Rowe (bdash) 2007-01-11 05:27:10 PST
No longer reproducible.