10022 2006-07-19 18:10:02 -0700 REGRESSION: Crash in WebCore::XMLTokenizer::characters 2006-07-29 08:15:48 -0700 1 1 1 Unclassified WebKit XML 420+ Mac OS X 10.4 RESOLVED FIXED http://www.pogdesign.co.uk/cat/ NeedsReduction P1 Blocker --- 1 jon webkit-unassigned ddkilzer mrowe oldest_to_newest 50395 0 jon 2006-07-19 18:10:02 -0700 You may need to refresh the page to get the crash as it seems to successfully load sometimes. Thread 0 Crashed: 0 com.apple.WebCore 0x010429c4 WebCore::XMLTokenizer::characters(unsigned char const*, int) + 148 (XMLTokenizer.cpp:861) 1 com.apple.WebCore 0x01045a10 WebCore::XMLTokenizer::resumeParsing() + 64 (DeprecatedPtrList.h:53) 2 com.apple.WebCore 0x01045cd4 WebCore::XMLTokenizer::notifyFinished(WebCore::CachedResource*) + 484 (XMLTokenizer.cpp:1320) 3 com.apple.WebCore 0x0112f618 WebCore::CachedScript::checkNotify() + 88 (CachedScript.cpp:109) 4 com.apple.WebCore 0x0112facc WebCore::CachedScript::data(WTF::Vector<char, (unsigned long)0>&, bool) + 236 (CachedScript.cpp:101) 5 com.apple.WebCore 0x01131c9c WebCore::Loader::receivedAllData(WebCore::TransferJob*, NSData*) + 300 (loader.cpp:139) 6 com.apple.WebCore 0x0104b394 -[WebCoreResourceLoaderImp finishJobAndHandle:] + 116 (WebCoreResourceLoaderImp.mm:98) 7 com.apple.WebKit 0x00325490 -[WebSubresourceLoader didFinishLoading] + 80 8 com.apple.WebKit 0x0032728c -[WebLoader connectionDidFinishLoading:] + 44 (WebLoader.m:575) 9 com.apple.Foundation 0x9297684c -[NSURLConnection(NSURLConnectionInternal) _sendDidFinishLoadingCallback] + 188 10 com.apple.Foundation 0x92974ab8 -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] + 556 11 com.apple.Foundation 0x92974810 _sendCallbacks + 156 12 com.apple.CoreFoundation 0x907dc4cc __CFRunLoopDoSources0 + 384 13 com.apple.CoreFoundation 0x907db9fc __CFRunLoopRun + 452 14 com.apple.CoreFoundation 0x907db47c CFRunLoopRunSpecific + 268 15 com.apple.HIToolbox 0x931eb740 RunCurrentEventLoopInMode + 264 16 com.apple.HIToolbox 0x931eadd4 ReceiveNextEventCommon + 380 17 com.apple.HIToolbox 0x931eac40 BlockUntilNextEventMatchingListInMode + 96 18 com.apple.AppKit 0x936eeae4 _DPSNextEvent + 384 19 com.apple.AppKit 0x936ee7a8 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 116 20 com.apple.SafariDev 0x00006740 0x1000 + 22336 21 com.apple.AppKit 0x936eacec -[NSApplication run] + 472 22 com.apple.AppKit 0x937db87c NSApplicationMain + 452 23 com.apple.SafariDev 0x0005c77c 0x1000 + 374652 24 com.apple.SafariDev 0x0005c624 0x1000 + 374308 50408 1 mrowe 2006-07-19 21:20:24 -0700 Confirmed with r15536. 50411 2 mrowe 2006-07-19 21:56:11 -0700 The page in question has an HTML 4.0 doctype, yet claims to be application/xhtml+xml via the Content-Type meta tag. This causes WebKit to attempt to process the HTML 4.0 document using the XML tokenizer. A lot of the code in XMLTokenizer makes the assumption that m_currentNode is non-NULL, and this crash is caused by a violation of that assumption. 50413 3 mrowe 2006-07-19 22:06:38 -0700 Ok, so the website tricked me. It returns HTML 4.0 by default unless the browser advertises support for application/xhtml+xml. The XHTML page validates fine, so there must be a more insidious bug hiding somewhere. 50420 4 9578 mrowe 2006-07-19 23:49:09 -0700 Created attachment 9578 Patch Occasionally when parsing is paused and then resumed, data may have arrived that when parsed causes callbacks to be queued. If XMLTokenizer::finish() has been called while the parser was paused, then we call end() to clean up the parse. This results in the current node being cleared, which causes a crash when the callbacks are finally processed. 50422 5 mrowe 2006-07-19 23:50:35 -0700 I should note that I intend to write an HTTP layout test for this later this evening, but it may be tricky to find the exact sequence of data arrival that will easily trigger the bug. 50447 6 9578 darin 2006-07-20 09:38:59 -0700 Comment on attachment 9578 Patch Is there a way to make a test for this bug? The fix looks OK, but I'd we normally require a regression test for each fix. 50519 7 9578 darin 2006-07-21 19:46:05 -0700 Comment on attachment 9578 Patch I see the answer now. r=me 51113 8 darin 2006-07-29 08:15:26 -0700 Committed revision 15689. 9578 2006-07-19 23:49:09 -0700 2006-07-21 19:46:05 -0700 Patch webkit-bug-10022-v1.patch text/plain 1346 mrowe SW5kZXg6IFdlYkNvcmUvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvQ2hhbmdlTG9n CShyZXZpc2lvbiAxNTU0MCkKKysrIFdlYkNvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBA IC0xLDMgKzEsMTQgQEAKKzIwMDYtMDctMjAgIE1hcmsgUm93ZSAgPG9wZW5kYXJ3aW4ub3JnQGJk YXNoLm5ldC5uej4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAg ICAgICBodHRwOi8vYnVnemlsbGEub3BlbmRhcndpbi5vcmcvc2hvd19idWcuY2dpP2lkPTEwMDIy CisgICAgICAgIEJ1ZyAxMDAyMjogUkVHUkVTU0lPTjogQ3Jhc2ggaW4gV2ViQ29yZTo6WE1MVG9r ZW5pemVyOjpjaGFyYWN0ZXJzCisKKyAgICAgICAgKiBkb20vWE1MVG9rZW5pemVyLmNwcDoKKyAg ICAgICAgKFdlYkNvcmU6OlhNTFRva2VuaXplcjo6cmVzdW1lUGFyc2luZyk6IElmIHRoZSB3cml0 ZSgpIGNhbGwgcmVzdWx0ZWQgaW4gbmV3IGNhbGxiYWNrcyBiZWluZworICAgICAgICBhZGRlZCwg ZG9uJ3QgY2FsbCB0aHJvdWdoIHRvIGVuZCgpIGp1c3QgeWV0LgorCiAyMDA2LTA3LTE5ICBNYXJr IFJvd2UgIDxvcGVuZGFyd2luLm9yZ0BiZGFzaC5uZXQubno+CiAKICAgICAgICAgUmV2aWV3ZWQg YnkgRGFyaW4uCkluZGV4OiBXZWJDb3JlL2RvbS9YTUxUb2tlbml6ZXIuY3BwCj09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0K LS0tIFdlYkNvcmUvZG9tL1hNTFRva2VuaXplci5jcHAJKHJldmlzaW9uIDE1NTM2KQorKysgV2Vi Q29yZS9kb20vWE1MVG9rZW5pemVyLmNwcAkod29ya2luZyBjb3B5KQpAQCAtMTQwMyw5ICsxNDAz LDEwIEBAIHZvaWQgWE1MVG9rZW5pemVyOjpyZXN1bWVQYXJzaW5nKCkKICAgICBTZWdtZW50ZWRT dHJpbmcgcmVzdCA9IG1fcGVuZGluZ1NyYzsKICAgICBtX3BlbmRpbmdTcmMuY2xlYXIoKTsKICAg ICB3cml0ZShyZXN0LCBmYWxzZSk7Ci0gICAgCi0gICAgLy8gRmluYWxseSwgaWYgZmluaXNoKCkg aGFzIGJlZW4gY2FsbGVkLCBjYWxsIGVuZCgpCi0gICAgaWYgKG1fZmluaXNoQ2FsbGVkKQorCisg ICAgLy8gRmluYWxseSwgaWYgZmluaXNoKCkgaGFzIGJlZW4gY2FsbGVkIGFuZCB3cml0ZSgpIGRp ZG4ndCByZXN1bHQKKyAgICAvLyBpbiBhbnkgZnVydGhlciBjYWxsYmFja3MgYmVpbmcgcXVldWVk LCBjYWxsIGVuZCgpCisgICAgaWYgKG1fZmluaXNoQ2FsbGVkICYmIG1fcGVuZGluZ0NhbGxiYWNr cy0+aXNFbXB0eSgpKQogICAgICAgICBlbmQoKTsKIH0KIAo=