RESOLVED FIXED 9477
REGRESSION: fast/dom/replaceChild.html crashes on WebKit ToT in debug build
https://bugs.webkit.org/show_bug.cgi?id=9477
Summary REGRESSION: fast/dom/replaceChild.html crashes on WebKit ToT in debug build
David Kilzer (:ddkilzer)
Reported 2006-06-16 22:39:12 PDT
Running fast/dom/replaceChild.html on WebKit ToT (r14895) causes a reproducible crash on my Mac OS X 10.4.6 (8I127/PowerPC) PB G4. I'm not sure when this bug was introduced. This doesn't seem to happen when this test is loaded in the browser, although one of two resources is NOT loaded per the Activity Window when the test is opened in the browser.

Relevant stack trace bits:

Command: DumpRenderTree
Path: /Users/ddkilzer/Projects/Cocoa/WebKit/WebKitBuild/Debug/DumpRenderTree
Parent: perl [10628]
Version: ??? (???)
PID: 10671
Thread: 0

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_INVALID_ADDRESS (0x0001) at 0x2c323130

Thread 0 Crashed:
0 <<00000000>> 0x2c323130 0 + 741486896
1 com.apple.JavaScriptCore 0x12d1bc98 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 288 (object.cpp:96)
2 com.apple.JavaScriptCore 0x12d11110 KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 908 (nodes.cpp:758)
3 com.apple.JavaScriptCore 0x12d0db0c KJS::ExprStatementNode::execute(KJS::ExecState*) + 220 (nodes.cpp:1661)
4 com.apple.JavaScriptCore 0x12d0a2e4 KJS::SourceElementsNode::execute(KJS::ExecState*) + 616 (nodes.cpp:2448)
5 com.apple.JavaScriptCore 0x12d07ca0 KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1638)
6 com.apple.JavaScriptCore 0x12d0d994 KJS::IfNode::execute(KJS::ExecState*) + 500 (nodes.cpp:1680)
7 com.apple.JavaScriptCore 0x12d0a194 KJS::SourceElementsNode::execute(KJS::ExecState*) + 280 (nodes.cpp:2442)
8 com.apple.JavaScriptCore 0x12d07ca0 KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1638)
9 com.apple.JavaScriptCore 0x12cf633c KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 92 (function.cpp:333)
10 com.apple.JavaScriptCore 0x12cf5964 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 668 (function.cpp:104)
11 com.apple.JavaScriptCore 0x12d1bc98 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 288 (object.cpp:96)
12 com.apple.WebCore 0x01338aa8 KJS::JSAbstractEventListener::handleEvent(WebCore::Event*, bool) + 748 (kjs_events.cpp:105)
13 com.apple.WebCore 0x0114cb34 WebCore::Document::handleWindowEvent(WebCore::Event*, bool) + 308 (Document.cpp:2208)
14 com.apple.WebCore 0x012fa1ac WebCore::EventTargetNode::dispatchWindowEvent(WebCore::AtomicString const&, bool, bool) + 324 (EventTargetNode.cpp:315)
15 com.apple.WebCore 0x0114fb68 WebCore::Document::implicitClose() + 700 (Document.cpp:1179)
16 com.apple.WebCore 0x0111ceb4 WebCore::Frame::checkEmitLoadEvent() + 724 (Frame.cpp:858)
17 com.apple.WebCore 0x011224ac WebCore::Frame::checkCompleted() + 528 (Frame.cpp:823)
18 com.apple.WebCore 0x011228d4 WebCore::Frame::finishedParsing() + 44 (Frame.cpp:778)
19 com.apple.WebCore 0x01149c88 WebCore::Document::finishedParsing() + 72 (Document.cpp:3223)
20 com.apple.WebCore 0x01040e0c WebCore::HTMLParser::finished() + 300 (HTMLParser.cpp:1345)
21 com.apple.WebCore 0x01046228 WebCore::HTMLTokenizer::end() + 308 (HTMLTokenizer.cpp:1489)
22 com.apple.WebCore 0x010466a4 WebCore::HTMLTokenizer::finish() + 1128 (HTMLTokenizer.cpp:1527)
23 com.apple.WebCore 0x01147abc WebCore::Document::finishParsing() + 84 (Document.cpp:1313)
24 com.apple.WebCore 0x011231d0 WebCore::Frame::endIfNotLoading() + 432 (Frame.cpp:734)
25 com.apple.WebCore 0x01123224 WebCore::Frame::end() + 52 (Frame.cpp:717)
26 com.apple.WebCore 0x01160b64 -[WebCoreFrameBridge end] + 72 (WebCoreFrameBridge.mm:703)
27 com.apple.WebKit 0x00246688 -[WebDataSource(WebPrivate) _finishedLoading] + 220 (WebDataSource.m:792)
28 com.apple.WebKit 0x002833c0 -[WebMainResourceLoader didFinishLoading] + 560 (WebMainResourceLoader.m:379)
29 com.apple.WebKit 0x00241788 -[WebLoader connectionDidFinishLoading:] + 184 (WebLoader.m:575)
30 com.apple.Foundation 0x929a884c -[NSURLConnection(NSURLConnectionInternal) _sendDidFinishLoadingCallback] + 188
31 com.apple.Foundation 0x929a6ab8 -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] + 556
32 com.apple.Foundation 0x929a6810 _sendCallbacks + 156
33 com.apple.CoreFoundation 0x907e44cc __CFRunLoopDoSources0 + 384
34 com.apple.CoreFoundation 0x907e39fc __CFRunLoopRun + 452
35 com.apple.CoreFoundation 0x907e347c CFRunLoopRunSpecific + 268
36 com.apple.Foundation 0x92985164 -[NSRunLoop runMode:beforeDate:] + 172
37 DumpRenderTree 0x00008ac4 dumpRenderTree + 904 (DumpRenderTree.m:744)
38 DumpRenderTree 0x00005d48 main + 3672 (DumpRenderTree.m:321)
39 DumpRenderTree 0x000024f0 _start + 340 (crt.c:272)
40 DumpRenderTree 0x00002398 start + 60
Attachments
Patch v1 (1.40 KB, patch)
2006-06-17 12:27 PDT, David Kilzer (:ddkilzer)
darin: review+
David Kilzer (:ddkilzer)
Comment 1 2006-06-16 22:48:48 PDT
And fast/events/mouseover-mouseout2.html fails similarly.
mitz
Comment 2 2006-06-17 04:25:22 PDT
The immediate cause of the bug is that when a frame is deallocated along with its WebCoreScriptDebugger, the corresponding WebCoreScriptDebuggerImp is deleted but not detached. I'm surprised that it's otherwise okay to execute a script in a frame whose WebFrame has been deallocated.
David Kilzer (:ddkilzer)
Comment 3 2006-06-17 08:27:16 PDT
CC the usual suspects from Bug 9476.
David Kilzer (:ddkilzer)
Comment 4 2006-06-17 12:27:12 PDT
Created attachment 8889 [details]
Patch v1

Patch v1 assumes that the WebFrame may get deallocated when the function is called, so it refetches the debugger before using it again in FunctionImp::callAsFunction(). I am running run-webkit-tests now. Will report results when completed.
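The lifetime problem behind this crash, as an added illustration that is not WebKit code and not the patch itself: comment 2 names the root cause (the debugger is deleted but never detached, so the engine keeps a raw pointer to freed memory) and comment 4 names the mitigation in patch v1 (assume the frame may be gone after the call and refetch the debugger instead of reusing the pointer fetched before it). The hypothetical Engine, Debugger and Frame types below, the liveDebuggers() registry that stands in for the allocator so a stale pointer can be detected rather than dereferenced, and the Outcome codes are all assumptions made for this example; the script that destroys its own frame mid-call stands in for the window load handler in the stack trace above.

```cpp
#include <functional>
#include <memory>
#include <set>

// Added example, not WebKit code. Hypothetical Engine/Debugger/Frame types model the
// lifetime relationship in this bug: a frame owns its debugger, the script engine keeps
// a raw pointer to the attached debugger, and the script being run may tear the frame down.

class Debugger;

// Assumption: a registry of debugger objects that are still alive. It stands in for the
// allocator so the example can report a dangling pointer instead of dereferencing it.
static std::set<const Debugger*>& liveDebuggers() {
    static std::set<const Debugger*> s;
    return s;
}

// Assumption: the engine holds exactly one raw, non-owning debugger pointer.
class Engine {
public:
    void attach(Debugger* d) { m_debugger = d; }
    void detach(Debugger* d) { if (m_debugger == d) m_debugger = nullptr; }
    Debugger* debugger() const { return m_debugger; }
private:
    Debugger* m_debugger = nullptr;
};

class Debugger {
public:
    Debugger(Engine& engine, bool detachOnDestroy)
        : m_engine(engine), m_detachOnDestroy(detachOnDestroy) {
        liveDebuggers().insert(this);
        m_engine.attach(this);
    }
    // Comment 2's root cause is "deleted but not detached": with detachOnDestroy=false
    // the engine keeps pointing at freed memory after the frame goes away.
    ~Debugger() {
        if (m_detachOnDestroy) m_engine.detach(this);
        liveDebuggers().erase(this);
    }
    void callEvent() { ++calls; }
    void returnEvent() { ++returns; }
    int calls = 0;
    int returns = 0;
private:
    Engine& m_engine;
    bool m_detachOnDestroy;
};

class Frame {
public:
    Frame(Engine& engine, bool detachOnDestroy)
        : m_debugger(std::make_unique<Debugger>(engine, detachOnDestroy)) {}
private:
    std::unique_ptr<Debugger> m_debugger;   // destroyed together with the frame
};

using Script = std::function<void()>;

enum class Outcome { HookFired, HookSkippedFrameGone, DanglingPointer };

// Finish the call: notify the debugger, or report why that could not be done safely.
static Outcome fireReturnHook(Debugger* dbg) {
    if (!dbg) return Outcome::HookSkippedFrameGone;
    if (!liveDebuggers().count(dbg)) return Outcome::DanglingPointer; // real code crashes here
    dbg->returnEvent();
    return Outcome::HookFired;
}

// Shape of the bug: the debugger pointer fetched before the call is reused after it.
Outcome callAsFunctionCached(Engine& engine, const Script& script) {
    Debugger* dbg = engine.debugger();
    if (dbg) dbg->callEvent();
    script();                      // may delete the frame, and with it dbg's target
    return fireReturnHook(dbg);    // stale pointer
}

// Shape of the fix in patch v1: assume the frame may be gone and refetch the debugger.
Outcome callAsFunctionRefetched(Engine& engine, const Script& script) {
    if (Debugger* dbg = engine.debugger()) dbg->callEvent();
    script();
    return fireReturnHook(engine.debugger());   // current registration, null once detached
}

// One run: build a frame, then call a script that optionally destroys it mid-call.
Outcome runScenario(bool detachOnDestroy, bool refetch, bool scriptDestroysFrame) {
    Engine engine;
    auto frame = std::make_unique<Frame>(engine, detachOnDestroy);
    Script script = [&] { if (scriptDestroysFrame) frame.reset(); };
    return refetch ? callAsFunctionRefetched(engine, script)
                   : callAsFunctionCached(engine, script);
}

// Sanity check that the return hook really fires when nothing is torn down.
int returnHooksAfterBenignCall() {
    Engine engine;
    Frame frame(engine, true);
    callAsFunctionCached(engine, [] {});
    return engine.debugger()->returns;
}
```

The two fixes are complementary: refetching covers the case where the frame was cleanly torn down and detached during the call (HookSkippedFrameGone), while detaching in the destructor is what stops the engine's own pointer from dangling in the first place; refetching from an engine that was never told about the deletion still yields a freed pointer.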
David Kilzer (:ddkilzer)
Comment 5 2006-06-17 12:45:01 PDT
(In reply to comment #4)
> I am running run-webkit-tests now. Will report results when completed.

All of the tests passed (including http tests; Bug 9478).
Darin Adler
Comment 6 2006-06-17 17:12:34 PDT
Comment on attachment 8889 [details]
Patch v1

r=me -- Did Tim check the performance impact of adding the debugging hooks?
David Kilzer (:ddkilzer)
Comment 7 2006-06-17 17:25:54 PDT
Committed revision 14900.
Timothy Hatcher
Comment 8 2006-06-17 18:26:07 PDT
I did check performance, that is why the debugger is enabled only for debug builds or when a default is set.