35044 2010-02-17 10:36:35 -0800 Crash in XML tokenizer reloading zoom-coords-viewattr-01-b.svg 2010-03-03 14:05:44 -0800 1 1 1 Unclassified WebKit XML 528+ (Nightly build) Mac OS X 10.5 RESOLVED FIXED InRadar P1 Normal --- 1 simon.fraser ap ap oldest_to_newest 191081 0 simon.fraser 2010-02-17 10:36:35 -0800 While debugging some SVG entity issues, I've twice hit a crash in XMLTokenizer because m_currentNode is null here: #0 0x03e31619 in WebCore::Node::isTextNode (this=0x0) at Node.h:166 #1 0x047dfa10 in WebCore::XMLTokenizer::characters (this=0x1f6d4320, s=0x2540a880 "\n ", len=5) at /Volumes/InternalData/Development/WebKit/OpenSource/WebCore/dom/XMLTokenizerLibxml2.cpp:903 #2 0x047e2ed5 in WebCore::PendingCallbacks::PendingCharactersCallback::call (this=0x2540ad10, tokenizer=0x1f6d4320) at /Volumes/InternalData/Development/WebKit/OpenSource/WebCore/dom/XMLTokenizerLibxml2.cpp:246 #3 0x047e0d57 in WebCore::PendingCallbacks::callAndRemoveFirstCallback (this=0x1f6b33d0, tokenizer=0x1f6d4320) at /Volumes/InternalData/Development/WebKit/OpenSource/WebCore/dom/XMLTokenizerLibxml2.cpp:188 #4 0x047dc303 in WebCore::XMLTokenizer::resumeParsing (this=0x1f6d4320) at /Volumes/InternalData/Development/WebKit/OpenSource/WebCore/dom/XMLTokenizerLibxml2.cpp:1375 #5 0x047dbcfd in WebCore::XMLTokenizer::notifyFinished (this=0x1f6d4320, unusedResource=0x81ff800) at /Volumes/InternalData/Development/WebKit/OpenSource/WebCore/dom/XMLTokenizer.cpp:334 #6 0x03d4217c in WebCore::CachedScript::checkNotify (this=0x81ff800) at /Volumes/InternalData/Development/WebKit/OpenSource/WebCore/loader/CachedScript.cpp:105 #7 0x03d42242 in WebCore::CachedScript::data (this=0x81ff800, data=@0xbfffe3d0, allDataReceived=true) at /Volumes/InternalData/Development/WebKit/OpenSource/WebCore/loader/CachedScript.cpp:95 #8 0x0440a46e in WebCore::Loader::Host::didFinishLoading (this=0xc94220, loader=0x8437200) at /Volumes/InternalData/Development/WebKit/OpenSource/WebCore/loader/loader.cpp:397 #9 0x0467c002 in WebCore::SubresourceLoader::didFinishLoading (this=0x8437200) at /Volumes/InternalData/Development/WebKit/OpenSource/WebCore/loader/SubresourceLoader.cpp:184 #10 0x045daf5a in WebCore::ResourceLoader::didFinishLoading (this=0x8437200) at /Volumes/InternalData/Development/WebKit/OpenSource/WebCore/loader/ResourceLoader.cpp:403 #11 0x045d7497 in -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] (self=0x2055a3c0, _cmd=0x9344e564, connection=0x20559180) at /Volumes/InternalData/Development/WebKit/OpenSource/WebCore/platform/network/mac/ResourceHandleMac.mm:789 #12 0x906e9497 in -[NSURLConnection(NSURLConnectionReallyInternal) sendDidFinishLoading] () #13 0x906e9403 in _NSURLConnectionDidFinishLoading () #14 0x91979ba4 in URLConnectionClient::_clientDidFinishLoading () #15 0x9197a8fa in URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload () #16 0x9197abaa in URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload () #17 0x91979370 in URLConnectionClient::processEvents () #18 0x91926d03 in MultiplexerSource::perform () #19 0x9183640f in CFRunLoopRunSpecific () #20 0x91836aa8 in CFRunLoopRunInMode () #21 0x93d542ac in RunCurrentEventLoopInMode () #22 0x93d53ffe in ReceiveNextEventCommon () #23 0x93d53f39 in BlockUntilNextEventMatchingListInMode () #24 0x959236d5 in _DPSNextEvent () #25 0x95922f88 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] () #26 0x0000c045 in ?? () #27 0x9591bf9f in -[NSApplication run] () #28 0x958e91d8 in NSApplicationMain () 191121 1 simon.fraser 2010-02-17 11:43:27 -0800 I can get this crash by reloading LayoutTests/svg/zoom/page/zoom-coords-viewattr-01-b.svg a few times on Leopard. clearCurrentNodeStack() has been called already. 191127 2 simon.fraser 2010-02-17 11:54:12 -0800 It seems like the XMLTokenizer is getting resurrected after an end() by CachedScript::checkNotify() calling notifyFinished() on the clients. 191176 3 ap 2010-02-17 13:27:20 -0800 Surprising is that the tokenizer also thinks that it has been paused (otherwise, an assertion in resumeParsing would have failed). 192812 4 ap 2010-02-23 00:39:34 -0800 <rdar://problem/7679143> 195709 5 ap 2010-03-03 12:32:17 -0800 Sorry, now I'm getting the crash in 4.0.4, too. 195739 6 49940 ap 2010-03-03 13:44:56 -0800 Created attachment 49940 proposed fix 195750 7 ap 2010-03-03 14:05:44 -0800 Committed in <http://trac.webkit.org/changeset/55475>. 49940 2010-03-03 13:44:56 -0800 2010-03-03 13:46:04 -0800 proposed fix SVGCrash.txt text/plain 1369 ap SW5kZXg6IFdlYkNvcmUvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvQ2hhbmdlTG9n CShyZXZpc2lvbiA1NTQ3MykKKysrIFdlYkNvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBA IC0xLDMgKzEsMTcgQEAKKzIwMTAtMDMtMDMgIEFsZXhleSBQcm9za3VyeWFrb3YgIDxhcEBhcHBs ZS5jb20+CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAg aHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTM1MDQ0CisgICAgICAgIENy YXNoIGluIFhNTCB0b2tlbml6ZXIgcmVsb2FkaW5nIHpvb20tY29vcmRzLXZpZXdhdHRyLTAxLWIu c3ZnCisKKyAgICAgICAgSSdtIG9mdGVuIGdldHRpbmcgYSBjcmFzaCBldmVuIHdoZW4gb3Blbmlu ZyB0aGUgdGVzdCBmb3IgdGhlIGZpcnN0IHRpbWUgaW4gU2FmYXJpLCBidXQgaXQKKyAgICAgICAg ZG9lc24ndCBzZWVtIHRvIGNyYXNoIGluIER1bXBSZW5kZXJUcmVlLiBTdGlsbCwgSSBjYW4ndCB0 aGluayBvZiBhIHN0cm9uZ2VyIHdheSB0byB0ZXN0IGZvcgorICAgICAgICB0aGlzIGNvbmRpdGlv biwgc28gbm8gbmV3IHJlZ3Jlc3Npb24gdGVzdC4KKworICAgICAgICAqIGRvbS9YTUxUb2tlbml6 ZXIuY3BwOiAoV2ViQ29yZTo6WE1MVG9rZW5pemVyOjplbmQpOiBCZSBwcmVwYXJlZCB0aGF0IHBh cnNpbmcgcmVtYWluaW5nCisgICAgICAgIGlucHV0IHdpbGwgcGF1c2UgcGFyc2luZy4KKwogMjAx MC0wMy0wMyAgQWxleGFuZGVyIFBhdmxvdiAgPGFwYXZsb3ZAY2hyb21pdW0ub3JnPgogCiAgICAg ICAgIFJldmlld2VkIGJ5IFBhdmVsIEZlbGRtYW4uCkluZGV4OiBXZWJDb3JlL2RvbS9YTUxUb2tl bml6ZXIuY3BwCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvZG9tL1hNTFRva2VuaXplci5jcHAJKHJl dmlzaW9uIDU1NDMxKQorKysgV2ViQ29yZS9kb20vWE1MVG9rZW5pemVyLmNwcAkod29ya2luZyBj b3B5KQpAQCAtMjA2LDcgKzIwNiwxMSBAQCB2b2lkIFhNTFRva2VuaXplcjo6ZXhpdFRleHQoKQog dm9pZCBYTUxUb2tlbml6ZXI6OmVuZCgpCiB7CiAgICAgZG9FbmQoKTsKLSAgICAKKworICAgIC8v IGRvRW5kKCkgY291bGQgcHJvY2VzcyBhIHNjcmlwdCB0YWcsIHRodXMgcGF1c2luZyBwYXJzaW5n LgorICAgIGlmIChtX3BhcnNlclBhdXNlZCkKKyAgICAgICAgcmV0dXJuOworCiAgICAgaWYgKG1f c2F3RXJyb3IpCiAgICAgICAgIGluc2VydEVycm9yTWVzc2FnZUJsb2NrKCk7CiAgICAgZWxzZSB7 Cg==