Bug 9635 - RESOLVED FIXED
REGRESSION: Crash when adding to cart at <http://www.yemeksepeti.com/>
https://bugs.webkit.org/show_bug.cgi?id=9635
Troy Brandt
Reported 2006-06-28 12:12:58 PDT
This is fully reproducible in WebKit r15070 and as early as 13302. When adding to cart WebKit immediately crashes. Here's how to reproduce:

1.) Load <http://www.yemeksepeti.com/>.
2.) At the top of the page, from the right most dropdown box select "Akdeniz Restaurant".
3.) Click on "ara".
4.) Click on "Akdeniz Restaurant, Alanya".
5.) Click on "Izgara Köfte ... 6,00 YTL".
6.) A pop-up should appear, click on the "+" button at the bottom right of the pop-up.
7.) Crash.

What should happen at this point is the item gets added to the cart and the main page is updated to reflect this in the side bar on the left side of the page.

Thread 0 Crashed:
0   com.apple.WebCore          0x012472fc WebCore::EventTargetNode::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, int&, bool) + 364
1   com.apple.WebCore          0x012473a0 WebCore::EventTargetNode::dispatchHTMLEvent(WebCore::AtomicString const&, bool, bool) + 112
2   com.apple.WebCore          0x010302e0 WebCore::HTMLTokenizer::notifyFinished(WebCore::CachedObject*) + 480
3   com.apple.WebCore          0x0103097c WebCore::HTMLTokenizer::scriptHandler(WebCore::HTMLTokenizer::State) + 1308
4   com.apple.WebCore          0x01030dc8 WebCore::HTMLTokenizer::parseSpecial(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 536
5   com.apple.WebCore          0x01032d54 WebCore::HTMLTokenizer::parseTag(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 6676
6   com.apple.WebCore          0x01033654 WebCore::HTMLTokenizer::write(WebCore::SegmentedString const&, bool) + 1172
7   com.apple.WebCore          0x010cbb38 WebCore::Frame::write(char const*, int) + 824
8   com.apple.WebKit           0x0033492c -[WebHTMLRepresentation receivedData:withDataSource:] + 156
9   com.apple.WebKit           0x0032804c -[WebDataSource(WebPrivate) _commitLoadWithData:] + 92
10  com.apple.WebKit           0x003491c4 -[WebMainResourceLoader addData:] + 84
11  com.apple.WebKit           0x00325580 -[WebLoader didReceiveData:lengthReceived:] + 64
12  com.apple.WebKit           0x00349b38 -[WebMainResourceLoader didReceiveData:lengthReceived:] + 120
13  com.apple.WebKit           0x003259c8 -[WebLoader connection:didReceiveData:lengthReceived:] + 56
14  com.apple.Foundation       0x929a85d4 -[NSURLConnection(NSURLConnectionInternal) _sendDidReceiveDataCallback] + 564
15  com.apple.Foundation       0x929a6a74 -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] + 488
16  com.apple.Foundation       0x929a6810 _sendCallbacks + 156
17  com.apple.CoreFoundation   0x907e44cc __CFRunLoopDoSources0 + 384
18  com.apple.CoreFoundation   0x907e39fc __CFRunLoopRun + 452
19  com.apple.CoreFoundation   0x907e347c CFRunLoopRunSpecific + 268
20  com.apple.HIToolbox        0x9321d980 RunCurrentEventLoopInMode + 264
21  com.apple.HIToolbox        0x9321d014 ReceiveNextEventCommon + 380
22  com.apple.HIToolbox        0x9321ce80 BlockUntilNextEventMatchingListInMode + 96
23  com.apple.AppKit           0x9371fe84 _DPSNextEvent + 384
24  com.apple.AppKit           0x9371fb48 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 116
25  com.apple.Safari           0x00006df4 0x1000 + 24052
26  com.apple.AppKit           0x9371c08c -[NSApplication run] + 472
27  com.apple.AppKit           0x9380cbfc NSApplicationMain + 452
28  com.apple.Safari           0x0005cb98 0x1000 + 375704
29  com.apple.Safari           0x0005ca40 0x1000 + 375360
Attachments
Patch (4.11 KB, patch)
2006-07-11 16:55 PDT, Anders Carlsson
ggaren: review+
Alexey Proskuryakov
Comment 1 2006-06-29 08:08:36 PDT
Confirmed with r15050 nightly. Note: between steps 1 and 2, choose "Antalya". Reproducible crash, regression -> P1.
Darin Adler
Comment 2 2006-06-29 08:14:21 PDT
The immediate cause of the crash here is that we are in HTMLTokenizer::notifyFinished and pendingScripts.head()->isLoaded() is true, but scriptNode is 0. I don't know what the high level cause is. I'm loathe to add a null check until we understand why this happens, but I suspect it might make the crash go away.
Alice Liu
Comment 3 2006-07-05 11:23:19 PDT
Anders Carlsson
Comment 4 2006-07-11 16:55:39 PDT
Created attachment 9384 [details]
Patch

The reason that scriptNode was 0 is that the parser is stopped by a previous script (using window.close). Stopping the parser causes processToken to return 0 as the node.
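Comments 2 and 4 together give the whole mechanism: an earlier inline script calls window.close(), which stops the parser while write() still has buffered source; the next `<script src>` tag is tokenized anyway, processToken returns 0 for it, and when the cached script reports itself loaded, notifyFinished dispatches the load event on that null scriptNode. The model below is an added example written for this page, not WebKit's code and not a description of attachment 9384. The names processToken, scriptHandler, notifyFinished, pendingScripts and scriptNode are borrowed from the comments; the cache lookup, the file name cart.js, and the guard on the hardened path are assumptions of the example.

```cpp
// Added example, not WebKit code: a minimal model of the pending-script path
// that comments 2 and 4 describe. The names processToken, scriptHandler,
// notifyFinished, pendingScripts and scriptNode come from those comments; the
// rest, including the guard on the hardened path, is this example's own.
#include <cstdio>
#include <deque>
#include <map>
#include <memory>
#include <string>

struct Node { std::string src; };                         // stands in for the script element
struct CachedScript { std::string src; bool loaded; };    // stands in for the cached external script

class Tokenizer {
public:
    explicit Tokenizer(bool hardened) : m_hardened(hardened) {}

    // Constructed input: the script is already cached, so a later request
    // for it completes synchronously instead of waiting on the network.
    void preloadCache(const std::string& src) { requestScript(src)->loaded = true; }

    // The "previous script" of comment 4: window.close() stops the parser
    // while write() still has buffered source left to tokenize.
    void runInlineScript(bool callsWindowClose) { if (callsWindowClose) m_parserStopped = true; }

    // parseTag()/scriptHandler() for a <script src=...> tag. Returns the number
    // of load events dispatched synchronously, or -1 where the unhardened
    // model would have dereferenced a null scriptNode.
    int scriptHandler(const std::string& src) {
        Node* scriptNode = processToken(src);     // 0 once the parser is stopped
        if (m_hardened && !scriptNode)
            return 0;                             // assumed guard: no node, nothing to dispatch on
        std::shared_ptr<CachedScript> cs = requestScript(src);
        m_pendingScripts.push_back({cs, scriptNode});
        // In WebKit the cached script calls back into notifyFinished at once
        // when it is already loaded: frames 3 -> 2 of the crash log above.
        return cs->loaded ? notifyFinished(cs) : 0;
    }

    // Drains the queue the way notifyFinished does: each loaded script at the
    // head of pendingScripts has its load event dispatched on its node.
    int notifyFinished(std::shared_ptr<CachedScript> finished) {
        finished->loaded = true;
        int dispatched = 0;
        while (!m_pendingScripts.empty() && m_pendingScripts.front().script->loaded) {
            Pending p = m_pendingScripts.front();
            m_pendingScripts.pop_front();
            if (!p.node)
                return -1;      // scriptNode->dispatchHTMLEvent(...) on a null node
            ++dispatched;       // the load event reaches a real node
        }
        return dispatched;
    }

private:
    struct Pending { std::shared_ptr<CachedScript> script; Node* node; };

    Node* processToken(const std::string& src) {
        if (m_parserStopped)
            return nullptr;     // comment 4: a stopped parser yields no node
        m_nodes.push_back(Node{src});
        return &m_nodes.back(); // deque keeps the address stable across pushes
    }

    std::shared_ptr<CachedScript> requestScript(const std::string& src) {
        std::shared_ptr<CachedScript>& cs = m_cache[src];
        if (!cs)
            cs = std::make_shared<CachedScript>(CachedScript{src, false});
        return cs;
    }

    bool m_hardened;
    bool m_parserStopped = false;
    std::deque<Pending> m_pendingScripts;
    std::deque<Node> m_nodes;
    std::map<std::string, std::shared_ptr<CachedScript>> m_cache;
};

// The sequence from the bug: a cached external script, an inline script that
// may call window.close(), then the next <script src> tag from the same
// buffer. Returns -1 for the crash, 0 for the guarded skip, 1 for a normal load.
int replay(bool hardened, bool windowClose) {
    Tokenizer t(hardened);
    t.preloadCache("cart.js");                  // constructed file name
    t.runInlineScript(windowClose);
    return t.scriptHandler("cart.js");
}

int main() {
    std::printf("unhardened + window.close(): %d\n", replay(false, true));  // -1
    std::printf("hardened + window.close():   %d\n", replay(true, true));   // 0
    std::printf("no window.close():           %d\n", replay(false, false)); // 1
}
```

The model only has the synchronous entry into notifyFinished, the one the stack trace shows (scriptHandler at frame 3 calling notifyFinished at frame 2); the asynchronous entry from the network would hit the same null node. The guard here refuses to enqueue a script whose node was never created, which is this example's choice for where to stop a stopped parser, not a claim about what the committed patch does.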
Geoffrey Garen
Comment 5 2006-07-11 17:08:24 PDT
Comment on attachment 9384 [details]
Patch

r=me
Geoffrey Garen
Comment 6 2006-07-11 17:08:25 PDT
Comment on attachment 9384 [details]
Patch

r=me
Anders Carlsson
Comment 7 2006-07-11 17:22:19 PDT
Committed in r15363