Bug 6732 - VERIFIED FIXED
REGRESSION: Repro crash at Google Maps
https://bugs.webkit.org/show_bug.cgi?id=6732
Summary: REGRESSION: Repro crash at Google Maps
mitz
Reported 2006-01-23 08:05:57 PST
When I go to the URL, TOT crashes with the following backtrace:

Thread 0 Crashed:
0 com.apple.JavaScriptCore 0x010b1f3c KJS::JSObject::getPropertySlot(KJS::ExecState*, KJS::Identifier const&, KJS::PropertySlot&) + 56 (property_slot.h:634)
1 com.apple.JavaScriptCore 0x01044128 KJS::JSObject::get(KJS::ExecState*, KJS::Identifier const&) const + 52 (object.cpp:155)
2 com.apple.WebCore 0x01750cc4 KJS::JSAbstractEventListener::handleEvent(WebCore::EventImpl*, bool) + 344 (kjs_events.cpp:78)
3 com.apple.WebCore 0x01737d00 WebCore::EventListener::handleEventImpl(WebCore::EventImpl*, bool) + 72 (dom2_events.cpp:48)
4 com.apple.WebCore 0x01a84940 WebCore::XMLHttpRequest::changeState(WebCore::XMLHttpRequestState) + 408 (xmlhttprequest.cpp:191)
5 com.apple.WebCore 0x01a84bc0 WebCore::XMLHttpRequest::slotData(KIO::Job*, char const*, int) + 252 (xmlhttprequest.cpp:523)
6 com.apple.WebCore 0x01a84f54 WebCore::XMLHttpRequestQObject::slotData(KIO::Job*, char const*, int) + 64 (xmlhttprequest.cpp:99)
7 com.apple.WebCore 0x017f0d70 KWQSlot::call(KIO::Job*, char const*, int) const + 176 (KWQSlot.cpp:287)
8 com.apple.WebCore 0x017efc74 KWQSignal::call(KIO::Job*, char const*, int) const + 240 (KWQSignal.cpp:159)
9 com.apple.WebCore 0x016e687c KIO::TransferJob::emitData(char const*, int) + 64 (KWQKJobClasses.mm:233)
10 com.apple.WebCore 0x017f3e84 -[KWQResourceLoader addData:] + 252 (KWQResourceLoader.mm:74)
11 com.apple.WebKit 0x003426f8 -[WebSubresourceLoader didReceiveData:lengthReceived:] + 132 (WebSubresourceLoader.m:200)
12 com.apple.WebKit 0x00351744 -[WebLoader connection:didReceiveData:lengthReceived:] + 188 (WebLoader.m:645)
13 com.apple.Foundation 0x92918a64 -[NSURLConnection(NSURLConnectionInternal) _sendDidReceiveDataCallback] + 564
14 com.apple.Foundation 0x92916f04 -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] + 488
15 com.apple.Foundation 0x92916ca0 _sendCallbacks + 156
16 com.apple.CoreFoundation 0x9075da68 __CFRunLoopDoSources0 + 384
17 com.apple.CoreFoundation 0x9075cf98 __CFRunLoopRun + 452
18 com.apple.CoreFoundation 0x9075ca18 CFRunLoopRunSpecific + 268
19 com.apple.HIToolbox 0x9318e1e0 RunCurrentEventLoopInMode + 264
20 com.apple.HIToolbox 0x9318d874 ReceiveNextEventCommon + 380
21 com.apple.HIToolbox 0x9318d6e0 BlockUntilNextEventMatchingListInMode + 96
22 com.apple.AppKit 0x9368c104 _DPSNextEvent + 384
23 com.apple.AppKit 0x9368bdc8 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 116
24 com.apple.Safari 0x000072d4 0x1000 + 25300
25 com.apple.AppKit 0x9368830c -[NSApplication run] + 472
26 com.apple.AppKit 0x93778e68 NSApplicationMain + 452
27 com.apple.Safari 0x0005cfdc 0x1000 + 376796
28 com.apple.Safari 0x0005ce80 0x1000 + 376448
Attachments
proposed fix (3.00 KB, patch)
2006-01-23 10:16 PST, Alexey Proskuryakov
darin: review-
another cut at a fix, this one restoring the "mark the listeners" behavior (10.00 KB, patch)
2006-01-24 00:27 PST, Darin Adler
no flags
another cut at a fix, this one restoring the "mark the listeners" behavior (21.74 KB, patch)
2006-01-24 08:19 PST, Darin Adler
sullivan: review+
Joost de Valk (AlthA)
Comment 1 2006-01-23 08:17:12 PST
Adding regression keyword :)
Alexey Proskuryakov
Comment 2 2006-01-23 10:16:13 PST
Created attachment 5881 [details] proposed fix
I have no idea what is happening here - just changed the first place I didn't understand in the code, and the crash went away. Tests from www.hixie.ch show no regressions, leaks tool reports no leaks. FWIW.
Darin Adler
Comment 3 2006-01-23 11:45:03 PST
Comment on attachment 5881 [details] proposed fix
I'm pretty sure that this change makes it so that you can get a leak if the listener in turn points back to the XMLHttpRequest. We can't fix it this way.
Alexey Proskuryakov
Comment 4 2006-01-23 22:02:04 PST
*** Bug 6747 has been marked as a duplicate of this bug. ***
Darin Adler
Comment 5 2006-01-24 00:03:17 PST
I've got a fix in the works.
Darin Adler
Comment 6 2006-01-24 00:27:43 PST
Created attachment 5904 [details] another cut at a fix, this one restoring the "mark the listeners" behavior
Darin Adler
Comment 7 2006-01-24 08:19:58 PST
Created attachment 5910 [details] another cut at a fix, this one restoring the "mark the listeners" behavior
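The lifetime problem the two fix attempts wrestle with, as an added illustration that is not code from this bug, from attachment 5881/5910, or from WebKit: a toy mark-and-sweep heap (constructed here; the Heap, Obj, Policy and Outcome names are assumptions of the example, not JavaScriptCore's) compares three ways an XMLHttpRequest object can treat its event listener when the listener's closure also references the request. Leaving the listener unmarked frees it while the request is still alive (the crash above); pinning it as a strong root keeps the listener/request cycle alive forever (the leak comment 3 describes); marking it through the request keeps it alive exactly as long as the request is reachable.

```cpp
#include <cstddef>
#include <set>
#include <vector>
// Toy mark-and-sweep heap, constructed for this example. It is not
// JavaScriptCore's Collector and does not reproduce the real patches.
struct Obj {
    std::vector<Obj*> refs;  // references followed during the mark phase
    bool marked = false;
};
struct Heap {
    std::vector<Obj*> objects;
    std::set<Obj*> pinned;   // objects pinned as GC roots (a strong reference)
    Obj* alloc() { objects.push_back(new Obj); return objects.back(); }
    ~Heap() { for (Obj* o : objects) delete o; }
    void mark(Obj* o) {
        if (!o || o->marked) return;
        o->marked = true;
        for (Obj* r : o->refs) mark(r);
    }
    // Mark from the given roots plus pinned objects, sweep the rest; return survivors.
    size_t collect(const std::vector<Obj*>& roots) {
        for (Obj* o : objects) o->marked = false;
        for (Obj* r : roots) mark(r);
        for (Obj* p : pinned) mark(p);
        std::vector<Obj*> live;
        for (Obj* o : objects) { if (o->marked) live.push_back(o); else delete o; }
        objects = live;
        return objects.size();
    }
};
enum class Policy { Unmarked, Pinned, Marked };
struct Outcome { size_t aliveWhileHeld; size_t aliveAfterDrop; };
// A script creates an XHR object and an onreadystatechange closure whose scope
// captures the XHR (listener -> xhr). Three ways the XHR can treat its listener:
//   Unmarked: neither marks nor pins it -> listener freed while XHR alive (crash).
//   Pinned:   strong root -> the listener/xhr cycle is never freed (leak).
//   Marked:   XHR marks its listener -> alive while the XHR is, freed together.
Outcome simulate(Policy policy) {
    Heap heap;
    Obj* xhr = heap.alloc();
    Obj* listener = heap.alloc();
    listener->refs.push_back(xhr);
    if (policy == Policy::Pinned) heap.pinned.insert(listener);
    if (policy == Policy::Marked) xhr->refs.push_back(listener);
    Outcome out;
    out.aliveWhileHeld = heap.collect({xhr});  // script still references xhr
    out.aliveAfterDrop = heap.collect({});     // script dropped its last reference
    return out;
}
```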
Anders Carlsson
Comment 8 2006-01-24 15:24:40 PST
There is a typo in the arguments check: - case JSXMLHttpRequest::OverrideMIMEType: { - if (args.size() != 1) { + case JSXMLHttpRequest::OverrideMIMEType: + if (args.size() != 2) return jsUndefined(); - } Otherwise looks great!
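Review bot: the `+ if (args.size() != 2)` line in the OverrideMIMEType case changes the argument count from the original `!= 1`; overrideMimeType takes a single MIME-type string, so with `!= 2` every ordinary one-argument call returns jsUndefined() and the override is silently never applied. Keep the check as `if (args.size() != 1)`; dropping the surrounding braces is fine on its own.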
mitz
Comment 9 2006-01-24 23:09:55 PST
Alexey Proskuryakov
Comment 10 2006-01-25 07:18:44 PST
*** Bug 6757 has been marked as a duplicate of this bug. ***
Gregory Pierce
Comment 11 2006-01-25 09:00:43 PST
Confirm this is working fine in 417.8.
Eric Seidel (no email)
Comment 12 2006-01-31 21:20:56 PST
Removing Regression keyword from bugs already fixed.