This is not even a regression. Looks like HTMLParser uses an already deallocated form object in getNode(). Thread 0 Crashed: 0 com.apple.WebCore 0x01632edc void WTF::Vector<WebCore::HTMLGenericFormElement*, (unsigned long)0>::insert<WebCore::HTMLGenericFormElement*>(unsigned long, WebCore::HTMLGenericFormElement* const&) + 324 (Vector.h:649) 1 com.apple.WebCore 0x010dd0a4 WebCore::HTMLFormElement::registerFormElement(WebCore::HTMLGenericFormElement*) + 476 (HTMLFormElement.cpp:555) 2 com.apple.WebCore 0x010d9e7c WebCore::HTMLGenericFormElement::HTMLGenericFormElement[not-in-charge](WebCore::QualifiedName const&, WebCore::Document*, WebCore::HTMLFormElement*) + 224 (HTMLGenericFormElement.cpp:50) 3 com.apple.WebCore 0x010d7f84 WebCore::HTMLInputElement::HTMLInputElement[in-charge](WebCore::Document*, WebCore::HTMLFormElement*) + 68 (HTMLInputElement.cpp:93) 4 com.apple.WebCore 0x0105eeb4 WebCore::inputConstructor(WebCore::AtomicString const&, WebCore::Document*, WebCore::HTMLFormElement*, bool) + 76 (HTMLElementFactory.cpp:160) 5 com.apple.WebCore 0x01060ad0 WebCore::HTMLElementFactory::createHTMLElement(WebCore::AtomicString const&, WebCore::Document*, WebCore::HTMLFormElement*, bool) + 208 (HTMLElementFactory.cpp:475) 6 com.apple.WebCore 0x01023b84 WebCore::HTMLParser::getNode(WebCore::Token*) + 3932 (HTMLParser.cpp:832) 7 com.apple.WebCore 0x010240d4 WebCore::HTMLParser::parseToken(WebCore::Token*) + 1272 (HTMLParser.cpp:224) 8 com.apple.WebCore 0x01027d18 WebCore::HTMLTokenizer::processToken() + 632 (HTMLTokenizer.cpp:1590) 9 com.apple.WebCore 0x0102b420 WebCore::HTMLTokenizer::parseTag(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 6076 (HTMLTokenizer.cpp:1163) 10 com.apple.WebCore 0x0102bf88 WebCore::HTMLTokenizer::write(WebCore::SegmentedString const&, bool) + 1444 (HTMLTokenizer.cpp:1389) 11 com.apple.WebCore 0x010279fc WebCore::HTMLTokenizer::notifyFinished(WebCore::CachedResource*) + 876 (HTMLTokenizer.cpp:1682) 12 com.apple.WebCore 0x01128bdc WebCore::CachedScript::checkNotify() + 108 (CachedScript.cpp:92) 13 com.apple.WebCore 0x01128db8 WebCore::CachedScript::data(WTF::PassRefPtr<WebCore::SharedBuffer>, bool) + 336 (CachedScript.cpp:84) 14 com.apple.WebCore 0x0112b2e8 WebCore::Loader::didFinishLoading(WebCore::SubresourceLoader*) + 376 (loader.cpp:107) 15 com.apple.WebCore 0x014a779c WebCore::SubresourceLoader::didFinishLoading() + 204 (SubresourceLoader.cpp:192) 16 com.apple.WebCore 0x014a55e4 WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle*) + 60 17 com.apple.WebCore 0x0147af38 -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] + 144 (ResourceHandleMac.mm:370) 18 com.apple.Foundation 0x92c1389c -[NSURLConnection(NSURLConnectionInternal) _sendDidFinishLoadingCallback] + 188 19 com.apple.Foundation 0x92c11b08 -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] + 556 20 com.apple.Foundation 0x92c11860 _sendCallbacks + 156 21 com.apple.CoreFoundation 0x907df4fc __CFRunLoopDoSources0 + 384 22 com.apple.CoreFoundation 0x907dea2c __CFRunLoopRun + 452 23 com.apple.CoreFoundation 0x907de4ac CFRunLoopRunSpecific + 268 24 com.apple.HIToolbox 0x93298b20 RunCurrentEventLoopInMode + 264 25 com.apple.HIToolbox 0x932981b4 ReceiveNextEventCommon + 380 26 com.apple.HIToolbox 0x93298020 BlockUntilNextEventMatchingListInMode + 96 27 com.apple.AppKit 0x9379eae4 _DPSNextEvent + 384 28 com.apple.AppKit 0x9379e7a8 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 116 29 com.apple.Safari 0x00006740 0x1000 + 22336 30 com.apple.AppKit 0x9379acec -[NSApplication run] + 472 31 com.apple.AppKit 0x9388b87c NSApplicationMain + 452
Stack trace under GuardMalloc: #0 0x01630260 in WTF::Vector<WebCore::HTMLImageElement*, 0ul>::size at Vector.h:395 #1 0x01633360 in WTF::Vector<WebCore::HTMLImageElement*, 0ul>::append<WebCore::HTMLImageElement*> at Vector.h:628 #2 0x010dd0f4 in WebCore::HTMLFormElement::registerImgElement at HTMLFormElement.cpp:576 #3 0x0135b210 in WebCore::HTMLImageElement::HTMLImageElement at HTMLImageElement.cpp:51 #4 0x0105fad4 in imageConstructor at HTMLElementFactory.cpp:290 #5 0x01060ad0 in WebCore::HTMLElementFactory::createHTMLElement at HTMLElementFactory.cpp:475 #6 0x01023b84 in WebCore::HTMLParser::getNode at HTMLParser.cpp:832 #7 0x010240d4 in WebCore::HTMLParser::parseToken at HTMLParser.cpp:224 #8 0x01027d18 in WebCore::HTMLTokenizer::processToken at HTMLTokenizer.cpp:1590 #9 0x0102b420 in WebCore::HTMLTokenizer::parseTag at HTMLTokenizer.cpp:1163 #10 0x0102bf88 in WebCore::HTMLTokenizer::write at HTMLTokenizer.cpp:1389 #11 0x01109710 in WebCore::Document::write at Document.cpp:1505 #12 0x012f2758 in KJS::JSHTMLDocumentPrototypeFunction::callAsFunction at kjs_html.cpp:135 #13 0x00557e3c in KJS::JSObject::call at object.cpp:97 #14 0x0054d268 in KJS::FunctionCallDotNode::evaluate at nodes.cpp:781 #15 0x00549628 in KJS::ExprStatementNode::execute at nodes.cpp:1681 #16 0x00546bb8 in KJS::SourceElementsNode::execute at nodes.cpp:2464 #17 0x00544520 in KJS::BlockNode::execute at nodes.cpp:1657 #18 0x0053d280 in KJS::Interpreter::evaluate at interpreter.cpp:365 #19 0x012f9d28 in WebCore::KJSProxy::evaluate at kjs_proxy.cpp:78 #20 0x0149e298 in WebCore::FrameLoader::executeScript at FrameLoader.cpp:685 #21 0x01025f38 in WebCore::HTMLTokenizer::scriptExecution at HTMLTokenizer.cpp:502 #22 0x01028f18 in WebCore::HTMLTokenizer::scriptHandler at HTMLTokenizer.cpp:452 #23 0x0102957c in WebCore::HTMLTokenizer::parseSpecial at HTMLTokenizer.cpp:310 #24 0x0102b660 in WebCore::HTMLTokenizer::parseTag at HTMLTokenizer.cpp:1176 #25 0x0102bf88 in WebCore::HTMLTokenizer::write at HTMLTokenizer.cpp:1389 #26 0x010279fc in WebCore::HTMLTokenizer::notifyFinished at HTMLTokenizer.cpp:1682 #27 0x01128bdc in WebCore::CachedScript::checkNotify at CachedScript.cpp:93 #28 0x01128db8 in WebCore::CachedScript::data at CachedScript.cpp:83 #29 0x0112b2e8 in WebCore::Loader::didFinishLoading at loader.cpp:107 #30 0x014a779c in WebCore::SubresourceLoader::didFinishLoading at SubresourceLoader.cpp:190 #31 0x014a55e4 in WebCore::ResourceLoader::didFinishLoading at ResourceLoader.cpp:335 #32 0x0147af38 in -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] at ResourceHandleMac.mm:369 #33 0x92c1389c in -[NSURLConnection(NSURLConnectionInternal) _sendDidFinishLoadingCallback] #34 0x92c11b08 in -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] #35 0x92c11860 in _sendCallbacks #36 0x907df4fc in __CFRunLoopDoSources0 #37 0x907dea2c in __CFRunLoopRun #38 0x907de4ac in CFRunLoopRunSpecific #39 0x93298b20 in RunCurrentEventLoopInMode #40 0x932981b4 in ReceiveNextEventCommon #41 0x93298020 in BlockUntilNextEventMatchingListInMode #42 0x9379eae4 in _DPSNextEvent #43 0x9379e7a8 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] #44 0x00006740 in ?? #45 0x9379acec in -[NSApplication run] #46 0x9388b87c in NSApplicationMain
Making HTMLParser::form a RefPtr fixes this crash. I'm still trying to make a reduction.
Created attachment 13984 [details] reduction (will crash)
Created attachment 13985 [details] proposed fix
Created attachment 13987 [details] Further reduction (will crash too). Perhaps this makes it more clear what the essence of the problem is. What does the DOM for this look like with the proposed fix?
Interestingly, the new reduction only crashes for me when closing the page. Must be some random glitch - I've seen this behavior come and go while making my original reduction. > What does the DOM for this look like with the proposed fix? According to Hixie's live DOM viewer, it's essentially the same as in Firefox (modulo empty text nodes and an implicit HEAD). NB: to test in Firefox, you need to have an explicit <body> element. HTML BODY DIV id="anekdotforsearch" FORM id="b" #text: SCRIPT #text: document.getElementById('anekdotforsearch').innerHTML="<form id='b'></form>"; #text: #text: INPUT #text: #text:
Comment on attachment 13985 [details] proposed fix Since you had to visit almost every call site, I might have wanted to see you change the name from form to m_currentFormElement. Do we need the same fix for m_currentMapElement and head? r=me
Created attachment 14114 [details] proposed fix (In reply to comment #7) > Since you had to visit almost every call site, I might have wanted to see you > change the name from form to m_currentFormElement. Done. > Do we need the same fix for m_currentMapElement and head? I have now found a (slightly different) case for m_currentMapElement; not sure about head. I've replaced my reduction with the simpler one done by Mitz.
Comment on attachment 14114 [details] proposed fix r=me
Committed revision 20996.