Bug 6944 - REGRESSION: crash when loading page w/ <link> that has a DOMSubtreeModified event listener
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM
Version: 420+
Hardware: Mac OS X 10.4
Importance: P1 Normal
Assignee: Adele Peterson
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-01-30 14:54 PST by Adele Peterson
Modified: 2019-02-06 09:03 PST

See Also:


Attachments
crashing test case (264 bytes, text/html)
2006-01-30 14:55 PST, Adele Peterson
patch (5.59 KB, patch)
2006-01-30 15:36 PST, Adele Peterson
patch (21.84 KB, patch)
2006-02-06 20:09 PST, Adele Peterson
mjs: review+

Description Adele Peterson 2006-01-30 14:54:33 PST
When you load the attached test page, you get this crash:

Thread 0 Crashed:
0   <<00000000>> 	0xa6481890 0 + -1505224560
1   com.apple.WebCore        	0x01f56170 -[DOMNamedNodeMap getNamedItem:] + 200 (DOM.mm:676)
2   com.apple.Syndication    	0x99c764f4 -[DocumentLinks _findLinksInDOM:] + 248
3   com.apple.Syndication    	0x99c763e4 -[DocumentLinks initWithURL:DOM:] + 120
4   com.apple.SyndicationUI  	0x99cbe3b8 -[SafariSyndication feedURLFromDOM:baseURL:] + 80
5   com.apple.Safari         	0x0015a900 -[SyndicationController feedURLFromDOM:baseURL:] + 88 (SyndicationController.m:198)
6   com.apple.Safari         	0x00179e4c -[BrowserWebView updateCounterpartURLForRSS] + 712 (BrowserWebView.m:2317)
7   com.apple.Safari         	0x000cb11c -[LocationChangeHandler webView:locationChangeDone:forDataSource:] + 908 (LocationChangeHandler.m:682)
8   com.apple.Safari         	0x000cb498 -[LocationChangeHandler webView:didFinishLoadForFrame:] + 116 (LocationChangeHandler.m:717)
9   libobjc.A.dylib          	0x909c5214 objc_msgSendv + 180
10  com.apple.Foundation     	0x928d02a8 -[NSInvocation invoke] + 944
11  com.apple.Foundation     	0x928d0858 -[NSInvocation invokeWithTarget:] + 64
12  com.apple.WebKit         	0x012b0aa8 -[_WebSafeForwarder forwardInvocation:] + 624 (WebView.m:1489)
13  com.apple.Foundation     	0x928c8654 -[NSObject(NSForwardInvocation) forward::] + 408
14  libobjc.A.dylib          	0x909c50d0 _objc_msgForward + 176
15  com.apple.WebKit         	0x01262db4 -[WebFrame(WebPrivate) _checkLoadCompleteForThisFrame] + 2476 (WebFrame.m:1189)
16  com.apple.WebKit         	0x01263028 -[WebFrame(WebPrivate) _checkLoadComplete] + 164 (WebFrame.m:1223)
17  com.apple.WebKit         	0x012ab3f4 -[WebView(WebPrivate) _mainReceivedBytesSoFar:fromDataSource:complete:] + 236 (WebView.m:607)
18  com.apple.WebKit         	0x01293c74 -[WebMainResourceLoader didFinishLoading] + 656 (WebMainResourceLoader.m:398)
19  com.apple.WebKit         	0x01251bf4 -[WebLoader connectionDidFinishLoading:] + 184 (WebLoader.m:663)
20  com.apple.Foundation     	0x92906dbc -[NSURLConnection(NSURLConnectionInternal) _sendDidFinishLoadingCallback] + 188
21  com.apple.Foundation     	0x92905028 -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] + 556
22  com.apple.Foundation     	0x92904d80 _sendCallbacks + 156
23  com.apple.CoreFoundation 	0x9075ea68 __CFRunLoopDoSources0 + 384
24  com.apple.CoreFoundation 	0x9075df98 __CFRunLoopRun + 452
25  com.apple.CoreFoundation 	0x9075da18 CFRunLoopRunSpecific + 268
26  com.apple.HIToolbox      	0x9317c380 RunCurrentEventLoopInMode + 264
27  com.apple.HIToolbox      	0x9317b98c ReceiveNextEventCommon + 244
28  com.apple.HIToolbox      	0x9317b880 BlockUntilNextEventMatchingListInMode + 96
29  com.apple.AppKit         	0x9367a104 _DPSNextEvent + 384
30  com.apple.AppKit         	0x93679dc8 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 116
31  com.apple.Safari         	0x00031048 -[BrowserApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 296 (BrowserApplication.m:152)
32  com.apple.AppKit         	0x9367630c -[NSApplication run] + 472
33  com.apple.AppKit         	0x93766e68 NSApplicationMain + 452
34  com.apple.Safari         	0x000f9878 main + 160 (main.m:23)
35  com.apple.Safari         	0x00002eb0 _start + 340 (crt.c:272)
36  com.apple.Safari         	0x00002d58 start + 60
Comment 1 Adele Peterson 2006-01-30 14:55:10 PST
Created attachment 6120
crashing test case

this does not crash with Safari-417.8
Comment 2 Adele Peterson 2006-01-30 14:57:51 PST
I'm working on a patch.
Comment 3 Adele Peterson 2006-01-30 15:36:16 PST
Created attachment 6121
patch

While debugging, I saw the event get destroyed, and then my node, which was an AttrImpl, getting destroyed.  This patch fixes my test case.
Comment 4 Adele Peterson 2006-01-30 16:54:27 PST
Comment on attachment 6121
patch

uh oh.  I think this causes some leaks.  I'll have to rethink it.
Comment 5 Darin Adler 2006-01-31 09:32:41 PST
Comment on attachment 6121
patch

I think this patch is correct, so if it causes a leak, I would expect it would be a bug elsewhere.
Comment 6 Adele Peterson 2006-01-31 16:31:42 PST
Last patch doesn't work because AttrImpl has a reference to its AttributeImpl
Comment 7 Adele Peterson 2006-01-31 17:58:03 PST
I'm trying to find some way to ref the AttrImpl in NamedAttrMapImpl::getNamedItem so that the AttrImpl stays around long enough, but I haven't been able to get anything to work.
Comment 8 Darin Adler 2006-02-05 19:44:57 PST
The trick here is that the AttributeImpl must be retained when appendChildNode is called on it. I have a patch in the works.
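Comments 6 through 8 describe a lifetime hazard rather than a logic bug: an object whose only owner is the DOM tree can be destroyed while a DOMSubtreeModified listener runs inside the mutation, so the caller that triggered the mutation is left holding a dangling pointer. The C++ below is an added illustration of that pattern, not code from the WebKit patch; the class names Attr, RefPtr and Element, the functions appendAttrUnsafe and appendAttrSafe, and the listener that clears the attributes are all constructed for this example and do not mirror WebKit's AttrImpl, AttributeImpl or appendChildNode. It shows the general fix the comments converge on, holding a reference across the event dispatch, applied to a hand-rolled reference count.

```cpp
#include <cstdio>
#include <functional>
#include <string>
#include <utility>
#include <vector>

// Counts live Attr objects so a test can tell that a pointer is dangling
// without dereferencing freed memory (which would be undefined behaviour).
static int g_liveAttrs = 0;

// Constructed stand-in for an intrusively ref-counted attribute node.
class Attr {
public:
    explicit Attr(std::string name) : m_name(std::move(name)) { ++g_liveAttrs; }
    ~Attr() { --g_liveAttrs; }
    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) delete this; }
    int refCount() const { return m_refCount; }
    const std::string& name() const { return m_name; }
private:
    std::string m_name;
    int m_refCount = 0;
};

// Minimal smart pointer that refs on copy and derefs on destruction.
template <typename T> class RefPtr {
public:
    RefPtr() : m_ptr(nullptr) {}
    RefPtr(T* p) : m_ptr(p) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr& o) : m_ptr(o.m_ptr) { if (m_ptr) m_ptr->ref(); }
    RefPtr& operator=(const RefPtr& o) { RefPtr tmp(o); std::swap(m_ptr, tmp.m_ptr); return *this; }
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    T* get() const { return m_ptr; }
    T* operator->() const { return m_ptr; }
private:
    T* m_ptr;
};

// Constructed element: owns its attrs and dispatches a DOMSubtreeModified-style event.
struct Element {
    std::vector<RefPtr<Attr>> attrs;
    std::vector<std::function<void(Element&)>> subtreeModifiedListeners;

    void dispatchSubtreeModified() {
        for (auto& listener : subtreeModifiedListeners) listener(*this);
    }
    void removeAllAttrs() { attrs.clear(); }
};

// Unsafe: the element holds the only reference. A listener that removes the
// attribute during dispatch drops the count to zero, so the raw pointer
// returned here may already point at freed memory.
Attr* appendAttrUnsafe(Element& e, const std::string& name) {
    Attr* attr = new Attr(name);
    e.attrs.push_back(RefPtr<Attr>(attr));
    e.dispatchSubtreeModified();
    return attr; // dangling if a listener removed it
}

// Safe: take a reference before dispatching so the Attr outlives any listener
// that detaches it from the tree; the caller receives a live object.
RefPtr<Attr> appendAttrSafe(Element& e, const std::string& name) {
    RefPtr<Attr> attr(new Attr(name));
    e.attrs.push_back(attr);
    e.dispatchSubtreeModified();
    return attr; // still alive even if the element dropped its reference
}

// True when the unsafe path leaves no live Attr behind, i.e. the returned
// pointer is dangling. The pointer is deliberately never dereferenced.
bool unsafePathDangles() {
    int before = g_liveAttrs;
    Element e;
    e.subtreeModifiedListeners.push_back([](Element& el) { el.removeAllAttrs(); });
    Attr* raw = appendAttrUnsafe(e, "href");
    (void)raw;
    return g_liveAttrs == before;
}

// True when the safe path hands back an Attr that survived the listener.
bool safePathKeepsAttrAlive() {
    int before = g_liveAttrs;
    Element e;
    e.subtreeModifiedListeners.push_back([](Element& el) { el.removeAllAttrs(); });
    RefPtr<Attr> attr = appendAttrSafe(e, "href");
    return g_liveAttrs == before + 1 && attr->refCount() == 1 && attr->name() == "href";
}

int main() {
    std::printf("unsafe path dangles: %s\n", unsafePathDangles() ? "yes" : "no");
    std::printf("safe path keeps attr alive: %s\n", safePathKeepsAttrAlive() ? "yes" : "no");
    return 0;
}
```

The same hazard applies to any ref-counted DOM object touched after a mutation event fires: mutation listeners are attacker-controlled page script, so every internal caller that mutates the tree and then uses the node must own a reference itself rather than rely on the tree to keep the node alive.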
Comment 9 Adele Peterson 2006-02-06 20:09:28 PST
Created attachment 6311
patch

new and improved patch.
Comment 10 Maciej Stachowiak 2006-02-06 23:04:37 PST
Comment on attachment 6311
patch

r=me

Nice work
Comment 11 Lucas Forschler 2019-02-06 09:03:12 PST
Mass moving XML DOM bugs to the "DOM" Component.