RESOLVED FIXED 17559
REGRESSION(r30466): 15 out of 60 tests in fast/media crash under guard malloc
https://bugs.webkit.org/show_bug.cgi?id=17559
Mark Rowe (bdash)
Reported 2008-02-26 15:04:45 PST
$ run-webkit-tests -g --debug fast/media
Testing 60 test cases.
fast/media .............
fast/media/mq-compound-query-05.html -> crashed
.....................
fast/media/mq-min-constraint.html -> crashed
...
fast/media/mq-relative-constraints-02.html -> crashed
.
fast/media/mq-relative-constraints-03.html -> crashed
.
fast/media/mq-relative-constraints-04.html -> crashed
.
fast/media/mq-relative-constraints-05.html -> crashed
.
fast/media/mq-relative-constraints-06.html -> crashed
.
fast/media/mq-relative-constraints-07.html -> crashed
.
fast/media/mq-relative-constraints-08.html -> crashed
.
fast/media/mq-relative-constraints-09.html -> crashed
............
fast/media/mq-width-absolute-01.html -> crashed
.
fast/media/mq-width-absolute-02.html -> crashed
.
fast/media/mq-width-absolute-03.html -> crashed
.
fast/media/mq-width-absolute-04.html -> crashed
.
fast/media/viewport-media-query.html -> crashed
934.60s total testing time
45 test cases (75%) succeeded
15 test cases (25%) crashed
$
Attachments
Crash log from one of the crashes (25.38 KB, text/plain)
2008-02-26 15:08 PST, Mark Rowe (bdash)
no flags
Patch to fix the problem. (3.39 KB, patch)
2008-02-29 13:03 PST, Dave Hyatt
aroben: review+
Mark Rowe (bdash)
Comment 1 2008-02-26 15:05:02 PST
Mark Rowe (bdash)
Comment 2 2008-02-26 15:08:43 PST
Created attachment 19386 [details]
Crash log from one of the crashes
All of the crashes appear to have similar crash logs.
Mark Rowe (bdash)
Comment 3 2008-02-27 13:10:30 PST
The crash was introduced in r30466.
Brent Fulgham
Comment 4 2008-02-28 21:17:24 PST
I notice that if I place a breakpoint in CSSStyleSelector::addViewportDependentMediaQueryResult, the first time I enter the method m_viewportDependentMediaQueryResults has a size of zero. After the append, the size is 1. So far, so good. The second time I hit the breakpoint, the size of m_viewportDependentMediaQueryResults is now 4277075694. There seems to be a timing element; if I set the breakpoint and wait a while I can often run without error. But if I move to a new page (with media content) and don't pause, I get the crash.
Jon Honeycutt
Comment 5 2008-02-28 21:29:33 PST
It looks like m_viewportDependentMediaQueryResults is not initialized at the point that we start adding items to it. It should be initialized earlier in CSSStyleSelector's constructor.
Brent Fulgham
Comment 6 2008-02-28 22:02:53 PST
There seems to be some kind of access to the CSSStyleSelector after it is deallocated. I keep hitting the destructor for a CSSStyleSelector (with a particular address), then enter the constructor (with a new address). I then enter CSSStyleSelector::addViewportDependentMediaQueryResult for the original (destroyed) this pointer. The elements are all in an uninitialized state, and then the program crashes.
Dave Hyatt
Comment 7 2008-02-29 13:03:17 PST
Created attachment 19457 [details]
Patch to fix the problem.
Adam Roben (:aroben)
Comment 8 2008-02-29 13:13:04 PST
Comment on attachment 19457 [details]
Patch to fix the problem.
r=me
Mark Rowe (bdash)
Comment 9 2008-02-29 14:13:12 PST
This was landed in r30670.