Bug 17559 - REGRESSION(r30466): 15 out of 60 tests in fast/media crash under guard malloc
Summary: REGRESSION(r30466): 15 out of 60 tests in fast/media crash under guard malloc
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: 528+ (Nightly build)
Hardware: Mac OS X 10.5
Importance: P1 Major
Assignee: Dave Hyatt
Keywords: InRadar, Regression
Reported: 2008-02-26 15:04 PST by Mark Rowe (bdash)
Modified: 2008-02-29 14:13 PST (History)

Attachments
Crash log from one of the crashes (25.38 KB, text/plain)
2008-02-26 15:08 PST, Mark Rowe (bdash)
no flags
Patch to fix the problem. (3.39 KB, patch)
2008-02-29 13:03 PST, Dave Hyatt
aroben: review+

Description Mark Rowe (bdash) 2008-02-26 15:04:45 PST
$ run-webkit-tests -g --debug fast/media
Testing 60 test cases.
fast/media .............
fast/media/mq-compound-query-05.html -> crashed
.....................
fast/media/mq-min-constraint.html -> crashed
...
fast/media/mq-relative-constraints-02.html -> crashed
.
fast/media/mq-relative-constraints-03.html -> crashed
.
fast/media/mq-relative-constraints-04.html -> crashed
.
fast/media/mq-relative-constraints-05.html -> crashed
.
fast/media/mq-relative-constraints-06.html -> crashed
.
fast/media/mq-relative-constraints-07.html -> crashed
.
fast/media/mq-relative-constraints-08.html -> crashed
.
fast/media/mq-relative-constraints-09.html -> crashed
............
fast/media/mq-width-absolute-01.html -> crashed
.
fast/media/mq-width-absolute-02.html -> crashed
.
fast/media/mq-width-absolute-03.html -> crashed
.
fast/media/mq-width-absolute-04.html -> crashed
.
fast/media/viewport-media-query.html -> crashed

934.60s total testing time

45 test cases (75%) succeeded
15 test cases (25%) crashed
$
Comment 1 Mark Rowe (bdash) 2008-02-26 15:05:02 PST
<rdar://problem/5766945>
Comment 2 Mark Rowe (bdash) 2008-02-26 15:08:43 PST
Created attachment 19386 [details]
Crash log from one of the crashes

All of the crashes appear to have similar crash logs.
Comment 3 Mark Rowe (bdash) 2008-02-27 13:10:30 PST
The crash was introduced in r30466.
Comment 4 Brent Fulgham 2008-02-28 21:17:24 PST
I notice that if I place a breakpoint in CSSStyleSelector::addViewportDependentMediaQueryResult, the first time I enter the method m_viewportDependentMediaQueryResults has a size of zero. After the append, the size is 1. So far, so good.

The second time I hit the breakpoint, the size of m_viewportDependentMediaQueryResults is now 4277075694.

There seems to be a timing element; if I set the breakpoint and wait a while I can often run without error.  But if I move to a new page (with media content) and don't pause I get the crash.
Comment 5 Jon Honeycutt 2008-02-28 21:29:33 PST
It looks like m_viewportDependentMediaQueryResults is not initialized at the point that we start adding items to it. It should be initialized earlier in CSSStyleSelector's constructor.
Comment 6 Brent Fulgham 2008-02-28 22:02:53 PST
There seems to be some kind of access to the CSSStyleSelector after it is deallocated. I keep hitting the destructor for a CSSStyleSelector (with a particular address), then enter the constructor (with a new address). I then enter CSSStyleSelector::addViewportDependentMediaQueryResult for the original (destroyed) this pointer. The elements are all in an uninitialized state, and then the program crashes.

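The sequence Brent describes in comments 4 and 6 is a use-after-free: a consumer keeps a raw pointer to a CSSStyleSelector, the document destroys that selector and constructs a new one, and the consumer then calls addViewportDependentMediaQueryResult on the dead object, so Vector::append reads its size field out of freed memory. Two details in the thread back this up: the garbage size 4277075694 is 0xFEEEFEEE, the fill pattern the Windows debug heap writes into freed blocks, and guard malloc (the -g flag to run-webkit-tests) makes each freed allocation's page inaccessible, so the first stale access faults instead of quietly returning garbage, which is why the crash shows only under it. The C++ below is an added example that models that pattern and one hardening (a weak handle checked on every use); it is not WebKit code and does not reproduce the patch in attachment 19457. StyleSelector, Document, RawEvaluator, SafeEvaluator and the query strings are hypothetical stand-ins.

```cpp
// Added example, not WebKit code. Models a long-lived consumer caching a
// pointer to a style selector that its owning document later replaces.
#include <cstddef>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-in for a viewport-dependent media query result.
struct MediaQueryResult {
    std::string expression;
    bool        matched;
};

// Hypothetical stand-in for CSSStyleSelector: owns a vector that must only
// be touched while the selector itself is alive.
class StyleSelector {
public:
    void addViewportDependentMediaQueryResult(const std::string& expr, bool matched) {
        m_viewportDependentMediaQueryResults.push_back({expr, matched});
    }
    std::size_t resultCount() const { return m_viewportDependentMediaQueryResults.size(); }
private:
    std::vector<MediaQueryResult> m_viewportDependentMediaQueryResults;
};

// Hypothetical stand-in for the document: owns the selector and replaces it
// on a full style rebuild (the "destructor, then constructor" seen in comment 6).
class Document {
public:
    Document() { rebuildStyleSelector(); }
    // Assigning a fresh shared_ptr destroys the old selector once no other
    // shared_ptr holds it; every weak handle to it expires at that moment.
    void rebuildStyleSelector() { m_styleSelector = std::make_shared<StyleSelector>(); }
    // Buggy pattern: a raw pointer carries no liveness information.
    StyleSelector* rawSelector() { return m_styleSelector.get(); }
    // Hardened pattern: a weak handle that cached copies can test before use.
    std::weak_ptr<StyleSelector> weakSelector() { return m_styleSelector; }
private:
    std::shared_ptr<StyleSelector> m_styleSelector;
};

// Buggy consumer: caches the raw pointer at construction and dereferences it
// blindly. After Document::rebuildStyleSelector() this is a use-after-free
// (push_back reads the vector's size out of freed memory), so it is shown
// here only for contrast and is never called after a rebuild.
class RawEvaluator {
public:
    explicit RawEvaluator(StyleSelector* s) : m_selector(s) {}
    void record(const std::string& expr, bool matched) {
        m_selector->addViewportDependentMediaQueryResult(expr, matched);
    }
private:
    StyleSelector* m_selector;
};

// Hardened consumer: holds a weak handle and checks it on every use.
class SafeEvaluator {
public:
    explicit SafeEvaluator(std::weak_ptr<StyleSelector> s) : m_selector(std::move(s)) {}
    // Returns false, and touches nothing, once the selector has been destroyed.
    bool record(const std::string& expr, bool matched) {
        if (std::shared_ptr<StyleSelector> selector = m_selector.lock()) {
            selector->addViewportDependentMediaQueryResult(expr, matched);
            return true;
        }
        return false;
    }
private:
    std::weak_ptr<StyleSelector> m_selector;
};

// Scenario from the report: the evaluator is built against selector A, the
// document rebuilds (A destroyed, B constructed), the evaluator records again.
// Returns how many records reached a live selector; with the weak handle the
// second one is dropped instead of corrupting freed memory.
int runScenario(Document& doc) {
    SafeEvaluator evaluator(doc.weakSelector());
    int delivered = evaluator.record("(min-width: 600px)", true) ? 1 : 0;
    doc.rebuildStyleSelector();  // selector A destroyed here
    delivered += evaluator.record("(max-width: 800px)", false) ? 1 : 0;
    return delivered;
}
```

The weak handle is the cheapest fix to demonstrate in isolation; the equivalent in a code base without shared ownership is for the owner to tell every cached consumer to drop its pointer in the selector's destructor, or for consumers to re-fetch the selector from the document on each call rather than caching it.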
Comment 7 Dave Hyatt 2008-02-29 13:03:17 PST
Created attachment 19457 [details]
Patch to fix the problem.
Comment 8 Adam Roben (:aroben) 2008-02-29 13:13:04 PST
Comment on attachment 19457 [details]
Patch to fix the problem.

r=me
Comment 9 Mark Rowe (bdash) 2008-02-29 14:13:12 PST
This was landed in r30670.