RESOLVED FIXED 9176
REGRESSION: repro crash in WebCore::StringImpl::hash() const + 28 (StringImpl.h:67)
https://bugs.webkit.org/show_bug.cgi?id=9176
Alice Liu
Reported 2006-05-30 15:11:08 PDT
This bug is also in Radar as <rdar://4567325>

* SUMMARY
Safari TOT crashes immediately upon loading http://www.move.com/?poe=move
I looked for a dup of this in bugzilla and didn't find one. Then again, I'm not that great at searching the bugzilla database.

* STEPS TO REPRODUCE
load http://www.move.com/?poe=move

* REGRESSION
not crashing on shipping versions of Safari

* NOTES
Command: Safari
Path: /Build/symroots/Debug/Safari.app/Contents/MacOS/Safari
Parent: WindowServer [6799]
Version: 2.0.1 (420+)
PID: 7166
Thread: 0

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x0000000c

Thread 0 Crashed:
0 com.apple.WebCore 0x020f8fe8 WebCore::StringImpl::hash() const + 28 (StringImpl.h:67)
1 com.apple.WebCore 0x02108878 WTF::StrHash<WebCore::String>::hash(WebCore::String const&) + 44 (xml_tokenizer.cpp:182)
2 com.apple.WebCore 0x021749ac WTF::HashMapTranslator<(bool)0, std::pair<WebCore::String, WebCore::CachedObject*>, WTF::PairHashTraits<WTF::HashTraits<WebCore::StringImpl*>, WTF::HashTraits<int> >, WTF::StrHash<WebCore::String> >::hash(WebCore::String const&) + 32 (HashMap.h:140)
3 com.apple.WebCore 0x0217541c std::pair<std::pair<std::pair<WebCore::StringImpl*, int>*, bool>, unsigned> WTF::HashTable<WebCore::StringImpl*, std::pair<WebCore::StringImpl*, int>, WTF::PairFirstExtractor<std::pair<WebCore::StringImpl*, int> >, WTF::StrHash<WebCore::StringImpl*>, WTF::PairHashTraits<WTF::HashTraits<WebCore::StringImpl*>, WTF::HashTraits<int> >, WTF::HashTraits<WebCore::StringImpl*> >::lookup<WebCore::String, WTF::HashMapTranslator<(bool)0, std::pair<WTF::HashTable<WebCore::StringImpl*, std::pair<WebCore::StringImpl*, int>, WTF::PairFirstExtractor<std::pair<WebCore::StringImpl*, int> >, WTF::StrHash<WebCore::StringImpl*>, WTF::PairHashTraits<WTF::HashTraits<WebCore::StringImpl*>, WTF::HashTraits<int> >, WTF::HashTraits<WebCore::StringImpl*> >::lookup, WebCore::CachedObject*>, WTF::PairHashTraits<WTF::HashTraits<WebCore::StringImpl*>, WTF::HashTraits<int> >, WTF::StrHash<WTF::HashTable<WebCore::StringImpl*, std::pair<WebCore::StringImpl*, int>, WTF::PairFirstExtractor<std::pair<WebCore::StringImpl*, int> >, WTF::StrHash<WebCore::StringImpl*>, WTF::PairHashTraits<WTF::HashTraits<WebCore::StringImpl*>, WTF::HashTraits<int> >, WTF::HashTraits<WebCore::StringImpl*> >::lookup> > >(WebCore::String const&) + 108 (HashTable.h:385)
4 com.apple.WebCore 0x02175b28 std::pair<WTF::HashTableIterator<WebCore::StringImpl*, std::pair<WebCore::StringImpl*, int>, WTF::PairFirstExtractor<std::pair<WebCore::StringImpl*, int> >, WTF::StrHash<WebCore::StringImpl*>, WTF::PairHashTraits<WTF::HashTraits<WebCore::StringImpl*>, WTF::HashTraits<int> >, WTF::HashTraits<WebCore::StringImpl*> >, bool> WTF::HashTable<WebCore::StringImpl*, std::pair<WebCore::StringImpl*, int>, WTF::PairFirstExtractor<std::pair<WebCore::StringImpl*, int> >, WTF::StrHash<WebCore::StringImpl*>, WTF::PairHashTraits<WTF::HashTraits<WebCore::StringImpl*>, WTF::HashTraits<int> >, WTF::HashTraits<WebCore::StringImpl*> >::add<WebCore::String, WebCore::CachedObject*, WTF::HashMapTranslator<(bool)0, std::pair<WTF::HashTable<WebCore::StringImpl*, std::pair<WebCore::StringImpl*, int>, WTF::PairFirstExtractor<std::pair<WebCore::StringImpl*, int> >, WTF::StrHash<WebCore::StringImpl*>, WTF::PairHashTraits<WTF::HashTraits<WebCore::StringImpl*>, WTF::HashTraits<int> >, WTF::HashTraits<WebCore::StringImpl*> >::add, WebCore::CachedObject>, WTF::PairHashTraits<WTF::HashTraits<WebCore::StringImpl*>, WTF::HashTraits<int> >, WTF::StrHash<WTF::HashTable<WebCore::StringImpl*, std::pair<WebCore::StringImpl*, int>, WTF::PairFirstExtractor<std::pair<WebCore::StringImpl*, int> >, WTF::StrHash<WebCore::StringImpl*>, WTF::PairHashTraits<WTF::HashTraits<WebCore::StringImpl*>, WTF::HashTraits<int> >, WTF::HashTraits<WebCore::StringImpl*> >::add> > >(WebCore::String const&, WebCore::CachedObject* const&) + 92 (HashTable.h:427)
5 com.apple.WebCore 0x02175d00 WTF::HashMap<WebCore::String, WebCore::CachedObject*, WTF::StrHash<WebCore::String>, WTF::HashTraits<WebCore::String>, WTF::HashTraits<WebCore::CachedObject*> >::inlineAdd(WebCore::String const&, WebCore::CachedObject* const&) + 76 (HashMap.h:255)
6 com.apple.WebCore 0x02175d70 WTF::HashMap<WebCore::String, WebCore::CachedObject*, WTF::StrHash<WebCore::String>, WTF::HashTraits<WebCore::String>, WTF::HashTraits<WebCore::CachedObject*> >::set(WebCore::String const&, WebCore::CachedObject* const&) + 60 (HashMap.h:263)
7 com.apple.WebCore 0x01e30920 WebCore::Cache::updateCacheStatus(WebCore::DocLoader*, WebCore::String const&, WebCore::CachedObject*) + 140 (Cache.cpp:119)
8 com.apple.WebCore 0x01e313e4 WebCore::Cache::requestStyleSheet(WebCore::DocLoader*, WebCore::String const&, bool, long, DeprecatedString const&) + 880 (Cache.cpp:227)
9 com.apple.WebCore 0x01e35058 WebCore::DocLoader::requestStyleSheet(WebCore::String const&, DeprecatedString const&) + 212 (DocLoader.cpp:113)
10 com.apple.WebCore 0x0203da2c WebCore::HTMLLinkElement::process() + 1128 (HTMLLinkElement.cpp:183)
11 com.apple.WebCore 0x0203db90 WebCore::HTMLLinkElement::insertedIntoDocument() + 44 (HTMLLinkElement.cpp:198)
12 com.apple.WebCore 0x01e196d0 WebCore::ContainerNode::addChild(WTF::PassRefPtr<WebCore::Node>) + 436 (ContainerNode.cpp:565)
13 com.apple.WebCore 0x01cf5c14 WebCore::HTMLParser::insertNode(WebCore::Node*, bool) + 264 (HTMLParser.cpp:262)
14 com.apple.WebCore 0x01cf7814 WebCore::HTMLParser::parseToken(WebCore::Token*) + 1388 (HTMLParser.cpp:215)
15 com.apple.WebCore 0x01cfb1b4 WebCore::HTMLTokenizer::processToken() + 564 (HTMLTokenizer.cpp:1581)
16 com.apple.WebCore 0x01cfe794 WebCore::HTMLTokenizer::parseTag(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 7124 (HTMLTokenizer.cpp:1160)
17 com.apple.WebCore 0x01cff3a8 WebCore::HTMLTokenizer::write(WebCore::SegmentedString const&, bool) + 1720 (HTMLTokenizer.cpp:1386)
18 com.apple.WebCore 0x01de802c WebCore::Frame::write(char const*, int) + 1192 (Frame.cpp:685)
19 com.apple.WebCore 0x01dda7d4 WebCore::Frame::addData(char const*, int) + 340 (Frame.cpp:2646)
20 com.apple.WebCore 0x01e1ffa0 -[WebCoreFrameBridge addData:] + 224 (WebCoreFrameBridge.mm:557)
21 com.apple.WebKit 0x01235890 -[WebFrameBridge receivedData:textEncodingName:] + 236 (WebFrameBridge.m:490)
22 com.apple.WebKit 0x0125daec -[WebHTMLRepresentation receivedData:withDataSource:] + 248 (WebHTMLRepresentation.m:138)
23 com.apple.WebKit 0x012468a0 -[WebDataSource(WebPrivate) _commitLoadWithData:] + 164 (WebDataSource.m:766)
24 com.apple.WebKit 0x01246aec -[WebDataSource(WebPrivate) _receivedData:] + 196 (WebDataSource.m:781)
25 com.apple.WebKit 0x01280c50 -[WebMainResourceLoader addData:] + 136 (WebMainResourceLoader.m:162)
26 com.apple.WebKit 0x012411d0 -[WebLoader didReceiveData:lengthReceived:] + 108 (WebLoader.m:461)
27 com.apple.WebKit 0x012821cc -[WebMainResourceLoader didReceiveData:lengthReceived:] + 680 (WebMainResourceLoader.m:371)
28 com.apple.WebKit 0x01241b18 -[WebLoader connection:didReceiveData:lengthReceived:] + 188 (WebLoader.m:561)
29 com.apple.Foundation 0x929715d4 -[NSURLConnection(NSURLConnectionInternal) _sendDidReceiveDataCallback] + 564
30 com.apple.Foundation 0x9296fa74 -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] + 488
31 com.apple.Foundation 0x9296f810 _sendCallbacks + 156
32 com.apple.CoreFoundation 0x907dc4cc __CFRunLoopDoSources0 + 384
33 com.apple.CoreFoundation 0x907db9fc __CFRunLoopRun + 452
34 com.apple.CoreFoundation 0x907db47c CFRunLoopRunSpecific + 268
35 com.apple.HIToolbox 0x931e5740 RunCurrentEventLoopInMode + 264
36 com.apple.HIToolbox 0x931e4dd4 ReceiveNextEventCommon + 380
37 com.apple.HIToolbox 0x931e4c40 BlockUntilNextEventMatchingListInMode + 96
38 com.apple.AppKit 0x936e8ae4 _DPSNextEvent + 384
39 com.apple.AppKit 0x936e87a8 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 116
40 com.apple.Safari 0x00032ca4 -[BrowserApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 292 (BrowserApplication.m:155)
41 com.apple.AppKit 0x936e4cec -[NSApplication run] + 472
42 com.apple.AppKit 0x937d587c NSApplicationMain + 452
43 com.apple.Safari 0x00102c2c main + 420 (main.m:36)
44 com.apple.Safari 0x00002f9c _start + 340 (crt.c:272)
45 com.apple.Safari 0x00002e44 start + 60

-------------------------------------------
<GMT30-May-2006 22:08:51GMT> Alice Liu: migrating to bugzilla.
Attachments
Test case reduction (95 bytes, text/html)
2006-06-01 01:11 PDT, jonathanjohnsson
no flags
patch (4.88 KB, patch)
2006-06-04 17:39 PDT, Darin Adler
mjs: review+
jonathanjohnsson
Comment 1 2006-06-01 01:11:19 PDT
Created attachment 8635 [details]
Test case reduction

The original link tag had the form <link id="ctl00_ctl00_ChannelStyleLink" rel="stylesheet" type="text/css">.
jonathanjohnsson
Comment 2 2006-06-01 01:18:46 PDT
If you replace the link tag in the reduction with <link rel="stylesheet">, WebKit crashes as well. In short, the following tags crash WebKit:
<link type="text/css">
<link rel="stylesheet">
Darin Adler
Comment 3 2006-06-03 21:02:19 PDT
I believe this occurs when m_url is null and requestStyleSheet is called with it. That's inside HTMLLinkElement::process. I believe this can be fixed by setting m_cachedSheet to 0 when m_url is null or by changing the DocLoader functions to fail when the URL string is null.
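A constructed C++ model of the failure path described in the comment above and of the second fix it proposes (make the request fail when the URL string is null, so a null key never reaches the hash table). This is an added illustration, not WebKit's code: the class names mirror the trace, but the `fromAttr` helper, the `Cache` and `HTMLLinkElement` shapes and the sample href are assumptions made for the example.

```cpp
#include <cstddef>
#include <functional>
#include <memory>
#include <string>
#include <unordered_map>

// Constructed stand-in for WebCore::StringImpl. A String is a pointer to an
// impl; a String with no impl is "null", which is what a <link> with no href
// yields for m_url in the reduction.
struct StringImpl {
    std::string chars;
    unsigned hash() const { return static_cast<unsigned>(std::hash<std::string>{}(chars)); }
};

struct String {
    std::shared_ptr<const StringImpl> impl;  // empty pointer => null String
    bool isNull() const { return !impl; }
    // Hypothetical helper: a missing attribute (nullptr) becomes a null String.
    static String fromAttr(const char* attr) {
        String s;
        if (attr) s.impl = std::make_shared<StringImpl>(StringImpl{attr});
        return s;
    }
};

// Key hashing as in frames 0-1 of the trace: dereferences impl unconditionally.
// Handed a null String it reads through a null pointer (the fault at 0x0000000c).
struct StrHash {
    std::size_t operator()(const String& s) const { return s.impl->hash(); }
};
struct StrEqual {
    bool operator()(const String& a, const String& b) const { return a.impl->chars == b.impl->chars; }
};

struct CachedObject { std::string url; };

// Cache with the guard from the comment: fail on a null URL before the key is
// ever hashed. Without the first line StrHash above would crash on a null key.
class Cache {
public:
    CachedObject* requestStyleSheet(const String& url) {
        if (url.isNull()) return nullptr;  // the fix: refuse null URL strings
        auto it = m_objects.find(url);
        if (it != m_objects.end()) return it->second.get();
        std::unique_ptr<CachedObject> obj(new CachedObject{url.impl->chars});
        CachedObject* raw = obj.get();
        m_objects.emplace(url, std::move(obj));
        return raw;
    }
    std::size_t size() const { return m_objects.size(); }
private:
    std::unordered_map<String, std::unique_ptr<CachedObject>, StrHash, StrEqual> m_objects;
};

// Model of HTMLLinkElement::process(): requests a sheet for rel="stylesheet"
// with whatever m_url holds, possibly null. With the guarded Cache the element
// simply ends up with m_cachedSheet == nullptr instead of crashing.
struct HTMLLinkElement {
    String m_url;
    CachedObject* m_cachedSheet = nullptr;
    CachedObject* process(Cache& cache, const std::string& rel, const char* href) {
        m_cachedSheet = nullptr;
        m_url = String::fromAttr(href);
        if (rel == "stylesheet")
            m_cachedSheet = cache.requestStyleSheet(m_url);
        return m_cachedSheet;
    }
};

int main() {
    Cache cache;
    HTMLLinkElement good, bad;
    good.process(cache, "stylesheet", "/styles/site.css");  // constructed sample href
    bad.process(cache, "stylesheet", nullptr);              // <link rel="stylesheet"> with no href
    return (cache.size() == 1 && bad.m_cachedSheet == nullptr) ? 0 : 1;
}
```

The other fix the comment mentions, setting m_cachedSheet to 0 in the element when m_url is null, would live in `process()` instead; guarding in the cache is the more robust choice because every caller of `requestStyleSheet` benefits, not just the link element.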
Darin Adler
Comment 4 2006-06-04 17:39:11 PDT
Maciej Stachowiak
Comment 5 2006-06-04 18:16:50 PDT
Comment on attachment 8706 [details]
patch

r=me
Darin Adler
Comment 6 2006-06-04 21:10:19 PDT
Committed revision 14732.