To reproduce this:
1) Log in to http://wp.chrisjohnston.org/wp-admin with username/password: admin/demo.
2) Go to edit a page.
3) Double-click a word in the post to select it.
4) Click on the "Make Hyperlink" button on the menu bar.
5) Fill in the text boxes with whatever you want.
6) Click on "Insert".
7) WebKit crashes.
Created attachment 19093 [details] Problem Report for WebKit Crash log from reproducible bug.
Created attachment 19094 [details] Problem Report for WebKit Crash log from reproducible bug.
<rdar://problem/5737835>
Top of debug backtrace:
Thread 0 Crashed:
0 com.apple.JavaScriptCore 0x005da9b2 WTF::Vector<KJS::LocalStorageEntry, 32ul>::shrink(unsigned long) + 130 (Vector.h:635)
1 com.apple.JavaScriptCore 0x006042fa KJS::JSGlobalObject::popActivation() + 96 (JSGlobalObject.cpp:543)
2 com.apple.JavaScriptCore 0x0059611d KJS::FunctionExecState::~FunctionExecState() + 137 (ExecState.cpp:213)
3 com.apple.JavaScriptCore 0x0059613f KJS::FunctionExecState::~FunctionExecState() + 17 (ExecState.cpp:213)
4 com.apple.JavaScriptCore 0x0059b512 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 214 (function.cpp:83)
*** Bug 17338 has been marked as a duplicate of this bug. ***
See bug 17388 for a testcase that triggers this same crash in a different way.
Sorry, that should have been: See bug 17338 for a testcase that triggers this same crash in a different way
The crash happens because the global object's "activations" stack is NULL.
I found the cause of the bug. For some reason, JSGlobalObject::reset() is being called, which changes activationCount from 6 to 0. This triggers the test in checkActivation() which then sets activationStackNode to NULL.
JSGlobalObject::reset gets called as a result of loading a javascript: URL into the script's <iframe>.
I think the error here is that the javascript: URL loads synchronously, potentially navigating during a script execution. See this comment, from the coder who came across this bug last, but decided not to fix it:

    // FIXME: We should always replace the document, but doing so
    // synchronously can cause crashes:
    // http://bugs.webkit.org/show_bug.cgi?id=16782
    if (replaceDocument) {
        begin(m_URL, true, currentSecurityOrigin);
        write(scriptResult);
        end();
    }
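The sequence described above (six live activations, a synchronous navigation that resets the global object, then the returning functions popping an activation stack that is already gone) can be replayed in a small constructed model. The code below is an added illustration, not JavaScriptCore's code: ActivationStackModel, ResetPolicy, requestReset() and replayScenario() are hypothetical names, and the "Deferred" policy stands in for the fix direction the FIXME hints at (replacing the document only once script execution has unwound), so that the reset cannot leave popActivation() with nothing to pop.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Constructed model (not JavaScriptCore's code) of a global object's
// activation stack, showing why resetting it mid-script leaves the next
// pop with nothing to pop.
class ActivationStackModel {
public:
    enum class ResetPolicy { Immediate, Deferred };

    explicit ActivationStackModel(ResetPolicy policy) : m_policy(policy) {}

    // Called when a function is entered.
    void pushActivation(int frameId) { m_frames.push_back(frameId); }

    // Called when a function returns. Returns false instead of dereferencing
    // a missing node, which is the condition the reported backtrace hits.
    bool popActivation() {
        if (m_frames.empty())
            return false;
        m_frames.pop_back();
        if (m_frames.empty() && m_resetPending)
            applyReset();            // deferred reset runs once script has unwound
        return true;
    }

    // Models JSGlobalObject::reset() being triggered by a synchronous
    // navigation (e.g. loading a javascript: URL) while script is running.
    void requestReset() {
        if (m_policy == ResetPolicy::Immediate || m_frames.empty())
            applyReset();
        else
            m_resetPending = true;   // wait until the activation stack is empty
    }

    std::size_t activationCount() const { return m_frames.size(); }
    int resetCount() const { return m_resetCount; }
    bool resetPending() const { return m_resetPending; }

private:
    void applyReset() {
        m_frames.clear();
        m_resetPending = false;
        ++m_resetCount;
    }

    ResetPolicy m_policy;
    std::vector<int> m_frames;   // constructed stand-in for activation records
    bool m_resetPending = false;
    int m_resetCount = 0;
};

// Replays the scenario from the bug: six nested activations are live, a
// synchronous navigation resets the global object, then the functions return.
// Returns true only if every popActivation() found a frame to pop.
bool replayScenario(ActivationStackModel::ResetPolicy policy, int* resetsApplied = nullptr) {
    ActivationStackModel stack(policy);
    const int depth = 6;         // matches the activationCount 6 -> 0 seen in the report
    for (int i = 0; i < depth; ++i)
        stack.pushActivation(i);

    stack.requestReset();        // the javascript: URL load happens here

    bool allPopsSucceeded = true;
    for (int i = 0; i < depth; ++i)
        allPopsSucceeded = stack.popActivation() && allPopsSucceeded;

    if (resetsApplied)
        *resetsApplied = stack.resetCount();
    return allPopsSucceeded;
}

int main() {
    int resets = 0;
    std::printf("immediate reset: pops ok = %d\n",
                replayScenario(ActivationStackModel::ResetPolicy::Immediate) ? 1 : 0);
    std::printf("deferred reset:  pops ok = %d, resets applied = %d\n",
                replayScenario(ActivationStackModel::ResetPolicy::Deferred, &resets) ? 1 : 0, resets);
    return 0;
}
```

With the immediate policy every pop after the reset fails, which in the real engine is the NULL activationStackNode dereference; with the deferred policy all six pops succeed and the reset is still applied exactly once, after the last activation is gone.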
The example wasn't working for me because of the changes to disable local storage in clients that don't implement the proper delegate methods. Mark sent me a patch that removes this restriction, and I was able to reproduce the bug. It crashes for the same reason as bug 17329, JSGlobalObject::reset() is called while there is still a single element on the activation stack, causing the next call to JSGlobalObject::popActivation() to segfault. However, bug 17329 was traced by Geoff down to javascript: links, whereas none of those appear in this example. Therefore, I think that calling this a duplicate of bug 17329 is premature. I will trace the calls to JSGlobalObject::reset() and see why it is being called in the middle of script execution.
Oops. I posted in the wrong bug. :P
r30235