40161 2010-06-04 03:21:29 -0700 REGRESSION: crash when unloading an iFrame with Flash from the DOM 2010-06-11 16:39:17 -0700 1 1 1 Unclassified WebKit DOM 528+ (Nightly build) Mac (Intel) OS X 10.6 RESOLVED FIXED InRadar P1 Critical --- 1 sulka simon.fraser ap simon.fraser oldest_to_newest 234140 0 sulka 2010-06-04 03:21:29 -0700 When unloading an iFrame from DOM, which contains an embedded Flash movie, the nightly webkit crashes 100% of the time. I don't have a test case at hand right now, but I'll try to get one (this is happening on the internal development server). The stable Safari and Chrome releases do not crash. Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000048 Crashed Thread: 0 Dispatch queue: com.apple.main-thread Thread 0 Crashed: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x0000000100f48348 WebCore::Node::setNeedsStyleRecalc(WebCore::StyleChangeType) + 8 1 com.apple.WebCore 0x0000000101002b03 WebCore::RenderLayerCompositor::detachRootPlatformLayer() + 179 2 com.apple.WebCore 0x00000001009090ce WebCore::Document::documentWillBecomeInactive() + 30 3 com.apple.WebCore 0x000000010090e256 WebCore::Document::detach() + 38 4 com.apple.WebCore 0x0000000100a31701 WebCore::Frame::setView(WTF::PassRefPtr<WebCore::FrameView>) + 129 5 com.apple.WebCore 0x0000000100a3ab6d WebCore::FrameLoader::closeAndRemoveChild(WebCore::Frame*) + 45 6 com.apple.WebCore 0x0000000100a3ed82 WebCore::FrameLoader::detachFromParent() + 162 7 com.apple.WebCore 0x0000000100acdbcd WebCore::HTMLFrameOwnerElement::willRemove() + 45 8 com.apple.WebCore 0x000000010083a52c WebCore::ContainerNode::willRemove() + 44 9 com.apple.WebCore 0x000000010083a52c WebCore::ContainerNode::willRemove() + 44 10 com.apple.WebCore 0x000000010083a52c WebCore::ContainerNode::willRemove() + 44 11 com.apple.WebCore 0x000000010083a52c WebCore::ContainerNode::willRemove() + 44 12 com.apple.WebCore 0x000000010083d1cd WebCore::ContainerNode::removeChild(WebCore::Node*, int&) + 221 13 com.apple.WebCore 0x0000000100d4e09e WebCore::JSNode::removeChild(JSC::ExecState*) + 94 14 com.apple.WebCore 0x0000000100d4afdc WebCore::jsNodePrototypeFunctionRemoveChild(JSC::ExecState*) + 124 15 ??? 0x000042e1ae00017a 0 + 73537054310778 16 com.apple.JavaScriptCore 0x00000001005a9557 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, JSC::JSValue*) + 919 17 com.apple.Safari 0x0000000100000001 0x100000000 + 1 18 ??? 0x000000011ef11cd0 0 + 4814085328 19 com.apple.WebCore 0x0000000100c45690 WebCore::JSDOMWindowShell::~JSDOMWindowShell() + 0 20 ??? 0x0000441f0f66ffff 0 + 74900193083391 Testing using Version 4.0.5 (6531.22.7, r60654). 234557 1 ap 2010-06-04 23:42:47 -0700 I couldn't reproduce this with an example of my own. 234587 2 sulka 2010-06-05 03:06:23 -0700 Alas, we have no idea what part of the code is triggering the set of conditions needed for the crash, so I can't come up with a test case. We'll hopefully have the code in production soon - I'll send details immediately when this happens. The crash is reproducible 100% of the time and only on the nightlies, so I'm assuming it'll be there when the feature goes live. 234614 3 simon.fraser 2010-06-05 08:25:23 -0700 I'm aware of this crash. 234615 4 simon.fraser 2010-06-05 08:25:48 -0700 <rdar://problem/7994710> 237119 5 58524 simon.fraser 2010-06-11 16:27:55 -0700 Created attachment 58524 Patch 237131 6 simon.fraser 2010-06-11 16:39:17 -0700 http://trac.webkit.org/changeset/61045 58524 2010-06-11 16:27:55 -0700 2010-06-11 16:29:20 -0700 Patch bug-40161-20100611162754.patch text/plain 4298 simon.fraser ZGlmZiAtLWdpdCBhL0xheW91dFRlc3RzL0NoYW5nZUxvZyBiL0xheW91dFRlc3RzL0NoYW5nZUxv ZwppbmRleCBhOWIyOGQ4NmJkMjAzZmI5NjYyYjA2MTQwZjhlMzRlMjUyMWJkODk2Li5kNDgwZWE5 ZGVkZjY4YWE4ODUzMzFhYzgyZjcwMmI3MmRiM2JmZDg4IDEwMDY0NAotLS0gYS9MYXlvdXRUZXN0 cy9DaGFuZ2VMb2cKKysrIGIvTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMTUgQEAK KzIwMTAtMDYtMTEgIFNpbW9uIEZyYXNlciAgPHNpbW9uLmZyYXNlckBhcHBsZS5jb20+CisKKyAg ICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgUkVHUkVTU0lPTjog Y3Jhc2ggd2hlbiB1bmxvYWRpbmcgYW4gaUZyYW1lIHdpdGggRmxhc2ggZnJvbSB0aGUgRE9NCisg ICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD00MDE2MQorICAg ICAgICAKKyAgICAgICAgTGF5b3V0IHRlc3QgZm9yIGR5bmFtaWNhbGx5IHJlbW92aW5nIGFuIGlm cmFtZSB3aG9zZSBjb21wb3NpdGluZyBsYXllcnMgYXJlIGNvbm5lY3RlZCB0byB0aG9zZSBvZiB0 aGUgcGFyZW50IGRvY3VtZW50LgorCisgICAgICAgICogY29tcG9zaXRpbmcvaWZyYW1lcy9yZW1v dmUtaWZyYW1lLWNyYXNoLWV4cGVjdGVkLnR4dDogQWRkZWQuCisgICAgICAgICogY29tcG9zaXRp bmcvaWZyYW1lcy9yZW1vdmUtaWZyYW1lLWNyYXNoLmh0bWw6IEFkZGVkLgorCiAyMDEwLTA2LTEx ICBaaGVueWFvIE1vICA8em1vQGdvb2dsZS5jb20+CiAKICAgICAgICAgUmV2aWV3ZWQgYnkgRGlt aXRyaSBHbGF6a292LgpkaWZmIC0tZ2l0IGEvTGF5b3V0VGVzdHMvY29tcG9zaXRpbmcvaWZyYW1l cy9yZW1vdmUtaWZyYW1lLWNyYXNoLWV4cGVjdGVkLnR4dCBiL0xheW91dFRlc3RzL2NvbXBvc2l0 aW5nL2lmcmFtZXMvcmVtb3ZlLWlmcmFtZS1jcmFzaC1leHBlY3RlZC50eHQKbmV3IGZpbGUgbW9k ZSAxMDA2NDQKaW5kZXggMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMC4u MzY5MWRlNDc0YzM0NzI1ODAxY2M1ZjVhZmUwMzQ2ODU5NmM2YTk5MAotLS0gL2Rldi9udWxsCisr KyBiL0xheW91dFRlc3RzL2NvbXBvc2l0aW5nL2lmcmFtZXMvcmVtb3ZlLWlmcmFtZS1jcmFzaC1l eHBlY3RlZC50eHQKQEAgLTAsMCArMSwyIEBACisKK1RoaXMgdGVzdCBzaG91bGQgbm90IGNyYXNo LgpkaWZmIC0tZ2l0IGEvTGF5b3V0VGVzdHMvY29tcG9zaXRpbmcvaWZyYW1lcy9yZW1vdmUtaWZy YW1lLWNyYXNoLmh0bWwgYi9MYXlvdXRUZXN0cy9jb21wb3NpdGluZy9pZnJhbWVzL3JlbW92ZS1p ZnJhbWUtY3Jhc2guaHRtbApuZXcgZmlsZSBtb2RlIDEwMDY0NAppbmRleCAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwLi43ZDgzMjk5OTc4ZmQyOGJiYTgwYTJkYjc4OGM2 NDRmY2M3Y2Y0NzVkCi0tLSAvZGV2L251bGwKKysrIGIvTGF5b3V0VGVzdHMvY29tcG9zaXRpbmcv aWZyYW1lcy9yZW1vdmUtaWZyYW1lLWNyYXNoLmh0bWwKQEAgLTAsMCArMSw0NCBAQAorPCFET0NU WVBFIGh0bWw+CisKKzxodG1sPgorPGhlYWQ+CisgIDxzdHlsZSB0eXBlPSJ0ZXh0L2NzcyIgbWVk aWE9InNjcmVlbiI+CisgICAgaWZyYW1lIHsKKyAgICAgICAgYm9yZGVyOiAxMHB4IHNvbGlkIGJs YWNrOworICAgICAgICBwYWRkaW5nOiA1cHg7CisgICAgICAgIG1hcmdpbjogMjBweDsKKyAgICAg ICAgaGVpZ2h0OiAxNTBweDsKKyAgICAgICAgd2lkdGg6IDMwMHB4OworICAgICAgICAtd2Via2l0 LWJveC1zaGFkb3c6IDAgMCAyMHB4IGJsYWNrOworICAgICAgICAtd2Via2l0LXRyYW5zZm9ybTog dHJhbnNsYXRlWigwKTsKKyAgICB9CisKKyAgICAub3ZlcmxheSB7CisgICAgICBwb3NpdGlvbjog YWJzb2x1dGU7CisgICAgICB3aWR0aDogNTBweDsKKyAgICAgIGhlaWdodDogNTBweDsKKyAgICAg IHRvcDogNXB4OworICAgICAgbGVmdDogNXB4OworICAgICAgYmFja2dyb3VuZC1jb2xvcjogcmdi YSgwLCAwLCAwLCAwLjIpOworICAgIH0KKyAgPC9zdHlsZT4KKyAgPHNjcmlwdCB0eXBlPSJ0ZXh0 L2phdmFzY3JpcHQiIGNoYXJzZXQ9InV0Zi04Ij4KKyAgICBpZiAod2luZG93LmxheW91dFRlc3RD b250cm9sbGVyKQorICAgICAgbGF5b3V0VGVzdENvbnRyb2xsZXIuZHVtcEFzVGV4dCgpOworCisg ICAgZnVuY3Rpb24gZG9UZXN0KCkKKyAgICB7CisgICAgICB2YXIgaWZyYW1lID0gZG9jdW1lbnQu Z2V0RWxlbWVudHNCeVRhZ05hbWUoJ2lmcmFtZScpWzBdOworICAgICAgaWZyYW1lLnBhcmVudE5v ZGUucmVtb3ZlQ2hpbGQoaWZyYW1lKTsKKyAgICB9CisgICAgCisgICAgd2luZG93LmFkZEV2ZW50 TGlzdGVuZXIoJ2xvYWQnLCBkb1Rlc3QsIGZhbHNlKTsKKyAgPC9zY3JpcHQ+Cis8L2hlYWQ+Cis8 Ym9keT4KKyAgCisgIDxpZnJhbWUgc3JjPSJyZXNvdXJjZXMvY29tcG9zaXRlZC1zdWJmcmFtZS5o dG1sIj48L2lmcmFtZT4KKyAgPGRpdiBjbGFzcz0ib3ZlcmxheSI+PC9kaXY+CisgIDxwPlRoaXMg dGVzdCBzaG91bGQgbm90IGNyYXNoLjwvcD4KKzwvYm9keT4KKzwvaHRtbD4KZGlmZiAtLWdpdCBh L1dlYkNvcmUvQ2hhbmdlTG9nIGIvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggOGQwMzliMDIwZjAz NjAyYWE0NDVjMTI4Y2VkM2RlZDYxMjkyMTRlYi4uNjFiYjMxNmRjNjkwZWVkYWU1MGY2MmY3ZDIw Yjc1NDU3ODg2NGFhMyAxMDA2NDQKLS0tIGEvV2ViQ29yZS9DaGFuZ2VMb2cKKysrIGIvV2ViQ29y ZS9DaGFuZ2VMb2cKQEAgLTEsMyArMSwxOSBAQAorMjAxMC0wNi0xMSAgU2ltb24gRnJhc2VyICA8 c2ltb24uZnJhc2VyQGFwcGxlLmNvbT4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9P UFMhKS4KKworICAgICAgICBSRUdSRVNTSU9OOiBjcmFzaCB3aGVuIHVubG9hZGluZyBhbiBpRnJh bWUgd2l0aCBGbGFzaCBmcm9tIHRoZSBET00KKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5v cmcvc2hvd19idWcuY2dpP2lkPTQwMTYxCisgICAgICAgIAorICAgICAgICBOdWxsLWNoZWNrIHRo ZSBvd25lckVsZW1lbnQgb2YgdGhlIFJlbmRlclZpZXcncyBkb2N1bWVudCB3aGVuIHVuaG9va2lu ZyB0aGUgY29tcG9zaXRpbmcKKyAgICAgICAgcm9vdCBvZiBhbiBpZnJhbWUgd2hvc2UgbGF5ZXJz IGFyZSBwYXJlbnRlZCB2aWEgdGhlIGVuY2xvc2luZyBkb2N1bWVudC4gRml4ZXMgYSBjcmFzaCB3 aGVuCisgICAgICAgIGR5bmFtaWNhbGx5IHJlbW92aW5nIHN1Y2ggYW4gaWZyYW1lLgorCisgICAg ICAgIFRlc3Q6IGNvbXBvc2l0aW5nL2lmcmFtZXMvcmVtb3ZlLWlmcmFtZS1jcmFzaC5odG1sCisK KyAgICAgICAgKiByZW5kZXJpbmcvUmVuZGVyTGF5ZXJDb21wb3NpdG9yLmNwcDoKKyAgICAgICAg KFdlYkNvcmU6OlJlbmRlckxheWVyQ29tcG9zaXRvcjo6ZGV0YWNoUm9vdFBsYXRmb3JtTGF5ZXIp OgorCiAyMDEwLTA2LTExICBIYW5zIFdlbm5ib3JnICA8aGFuc0BjaHJvbWl1bS5vcmc+CiAKICAg ICAgICAgUmV2aWV3ZWQgYnkgSmVyZW15IE9ybG93LgpkaWZmIC0tZ2l0IGEvV2ViQ29yZS9yZW5k ZXJpbmcvUmVuZGVyTGF5ZXJDb21wb3NpdG9yLmNwcCBiL1dlYkNvcmUvcmVuZGVyaW5nL1JlbmRl ckxheWVyQ29tcG9zaXRvci5jcHAKaW5kZXggNDBiZmQ3YjIwNWEwNWNkMjgyNGE3MzU3ZjUzOGUz MTRlODhjNTc2MC4uMGY1NzI0MWQzNWM2NTkxODMyYWI1NTc3ZTJjMzFiMDQyNTBkZjEwYSAxMDA2 NDQKLS0tIGEvV2ViQ29yZS9yZW5kZXJpbmcvUmVuZGVyTGF5ZXJDb21wb3NpdG9yLmNwcAorKysg Yi9XZWJDb3JlL3JlbmRlcmluZy9SZW5kZXJMYXllckNvbXBvc2l0b3IuY3BwCkBAIC0xMzQzLDcg KzEzNDMsOCBAQCB2b2lkIFJlbmRlckxheWVyQ29tcG9zaXRvcjo6ZGV0YWNoUm9vdFBsYXRmb3Jt TGF5ZXIoKQogICAgICAgICAgICAgZWxzZQogICAgICAgICAgICAgICAgIG1fcm9vdFBsYXRmb3Jt TGF5ZXItPnJlbW92ZUZyb21QYXJlbnQoKTsKIAotICAgICAgICAgICAgbV9yZW5kZXJWaWV3LT5k b2N1bWVudCgpLT5vd25lckVsZW1lbnQoKS0+c2V0TmVlZHNTdHlsZVJlY2FsYyhTeW50aGV0aWNT dHlsZUNoYW5nZSk7CisgICAgICAgICAgICBpZiAoRWxlbWVudCogb3duZXJFbGVtZW50ID0gbV9y ZW5kZXJWaWV3LT5kb2N1bWVudCgpLT5vd25lckVsZW1lbnQoKSkKKyAgICAgICAgICAgICAgICBv d25lckVsZW1lbnQtPnNldE5lZWRzU3R5bGVSZWNhbGMoU3ludGhldGljU3R5bGVDaGFuZ2UpOwog ICAgICAgICAgICAgYnJlYWs7CiAgICAgICAgIH0KICAgICAgICAgY2FzZSBSb290TGF5ZXJBdHRh Y2hlZFZpYUNocm9tZUNsaWVudDogewo=