48643 2010-10-29 09:41:55 -0700 XMLDocumentParser gets deleted and then used in LayoutTest/fast/frames/set-parent-src-synchronously.xhtml on QT/Linux 2010-11-09 11:16:49 -0800 1 1 1 Unclassified WebKit WebCore Misc. 528+ (Nightly build) All All RESOLVED FIXED P2 Normal --- 0 peter.rybin webkit-unassigned abarth commit-queue peter.rybin oldest_to_newest 301823 0 peter.rybin 2010-10-29 09:41:55 -0700 On Qt/Linux platform in LayoutTests/fast/frames/set-parent-src-synchronously.xhtml an isntance of XMLDocumentParser gets deleted: 3:_ZN7WebCore17XMLDocumentParserD0Ev+0x6a) 4:_ZN3WTF10RefCountedIN7WebCore14DocumentParserEE5derefEv+0x43) 5:_ZN3WTF14derefIfNotNullIN7WebCore14DocumentParserEEEvPT_+0x2e) 6:_ZN3WTF6RefPtrIN7WebCore14DocumentParserEE5clearEv+0x2e) 7:_ZN7WebCore8Document12detachParserEv+0x52) 8:_ZN7WebCore8Document13cancelParsingEv+0x37) 9:_ZN7WebCore11FrameLoader5clearEbbb+0x8f) 10:_ZN7WebCore14DocumentWriter5beginERKNS_4KURLEbPNS_14SecurityOriginE+0x1b1) 11:_ZN7WebCore14DocumentWriter15replaceDocumentERKN3WTF6StringE+0x7b) 12:_ZN7WebCore16ScriptController22executeIfJavaScriptURLERKNS_4KURLENS_36ShouldReplaceDocumentIfJavaScriptURLE+0x27b) 13:_ZN7WebCore14SubframeLoader12requestFrameEPNS_21HTMLFrameOwnerElementERKN3WTF6StringERKNS3_12AtomicStringEbb+0x19c) 14:_ZN7WebCore20HTMLFrameElementBase7openURLEbb+0x171) 15:_ZN7WebCore20HTMLFrameElementBase11setLocationERKN3WTF6StringE+0xe1) 16:_ZN7WebCore20HTMLFrameElementBase20parseMappedAttributeEPNS_9AttributeE+0x6c) 17:_ZN7WebCore17HTMLIFrameElement20parseMappedAttributeEPNS_9AttributeE+0x2ce) 18:_ZN7WebCore13StyledElement16attributeChangedEPNS_9AttributeEb+0x292) 19:_ZN7WebCore7Element12setAttributeERKN3WTF12AtomicStringES4_Ri+0x308) 20:_ZN7WebCore38jsElementPrototypeFunctionSetAttributeEPN3JSC9ExecStateE+0x232) 21: *** 22: *** 23: *** 24: *** 25:_ZN7WebCore21JSMainThreadExecState8evaluateEPN3JSC9ExecStateERNS1_10ScopeChainERKNS1_10SourceCodeENS1_7JSValueE+0x54) 26:_ZN7WebCore16ScriptController15evaluateInWorldERKNS_16ScriptSourceCodeEPNS_15DOMWrapperWorldENS_14ShouldAllowXSSE+0x1bd) 27:_ZN7WebCore16ScriptController8evaluateERKNS_16ScriptSourceCodeENS_14ShouldAllowXSSE+0x3f) 28:_ZN7WebCore16ScriptController13executeScriptERKNS_16ScriptSourceCodeENS_14ShouldAllowXSSE+0xa9) 29:_ZN7WebCore17XMLDocumentParser15parseEndElementEv+0x63e) 30:_ZN7WebCore17XMLDocumentParser5parseEv+0x87) 31:_ZN7WebCore17XMLDocumentParser7doWriteERKN3WTF6StringE+0xee) 32:_ZN7WebCore17XMLDocumentParser6appendERKNS_15SegmentedStringE+0x17c) 33:_ZN7WebCore25DecodedDataDocumentParser11appendBytesEPNS_14DocumentWriterEPKcib+0xfb) 34:_ZN7WebCore14DocumentWriter7addDataEPKcib+0x275) 35:_ZN7WebCore14DocumentLoader10commitDataEPKci+0x14b) 36:_ZN7WebCore19FrameLoaderClientQt13committedLoadEPNS_14DocumentLoaderEPKci+0x39) 37:_ZN7WebCore14DocumentLoader10commitLoadEPKci+0xa1) 38:_ZN7WebCore14DocumentLoader12receivedDataEPKci+0x58) 39:_ZN7WebCore18MainResourceLoader7addDataEPKcib+0x5a) 40:_ZN7WebCore14ResourceLoader14didReceiveDataEPKcixb+0x60) 41:_ZN7WebCore18MainResourceLoader14didReceiveDataEPKcixb+0x1d3) 42:_ZN7WebCore14ResourceLoader14didReceiveDataEPNS_14ResourceHandleEPKcii+0x7c) 43:_ZN7WebCore20QNetworkReplyHandler11forwardDataEv+0x121) 44:_ZN7WebCore20QNetworkReplyHandler11qt_metacallEN11QMetaObject4CallEiPPv+0x9c) and then used again: * segfault * WebCore::XMLDocumentParser::popCurrentNode() WebCore::XMLDocumentParser::parseEndElement() WebCore::XMLDocumentParser::parse() WebCore::XMLDocumentParser::doWrite(WTF::String const&) WebCore::XMLDocumentParser::append(WebCore::SegmentedString const&) WebCore::DecodedDataDocumentParser::appendBytes(WebCore::DocumentWriter*, char const*, int, bool) WebCore::DocumentWriter::addData(char const*, int, bool) WebCore::DocumentLoader::commitData(char const*, int) WebCore::FrameLoaderClientQt::committedLoad(WebCore::DocumentLoader*, char const*, int) WebCore::DocumentLoader::commitLoad(char const*, int) WebCore::MainResourceLoader::addData(char const*, int, bool) WebCore::ResourceLoader::didReceiveData(char const*, int, long long, bool) WebCore::MainResourceLoader::didReceiveData(char const*, int, long long, bool) WebCore::ResourceLoader::didReceiveData(WebCore::ResourceHandle*, char const*, int, int) WebCore::QNetworkReplyHandler::forwardData() WebCore::QNetworkReplyHandler::qt_metacall(QMetaObject::Call, int, void**) QMetaObject::metacall(QObject*, QMetaObject::Call, int, void**) QMetaCallEvent::placeMetaCall(QObject*) QObject::event(QEvent*) QApplicationPrivate::notify_helper(QObject*, QEvent*) QApplication::notify(QObject*, QEvent*) QCoreApplication::notifyInternal(QObject*, QEvent*) QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) QCoreApplication::sendPostedEvents(QObject*, int) Method WebCore::XMLDocumentParser::parseEndElement() in XMLDocumentParserQt.cpp seems to be a point where 2 stacktraces split. It first calls executeScript where parser gets deleted, and then -- popCurrentNode, and process fails. This segfault is very flaky. It is also often erroneously attributed to innocent LayoutTests/fast/frames/set-unloaded-frame-location.html that goes right after in the batch run. 306783 1 73376 peter.rybin 2010-11-09 07:31:18 -0800 Created attachment 73376 Patch 306844 2 73376 abarth 2010-11-09 09:59:05 -0800 Comment on attachment 73376 Patch Great. Thanks for fixing the Qt bug Peter! 306886 3 73376 commit-queue 2010-11-09 11:16:44 -0800 Comment on attachment 73376 Patch Clearing flags on attachment: 73376 Committed r71654: <http://trac.webkit.org/changeset/71654> 306887 4 commit-queue 2010-11-09 11:16:49 -0800 All reviewed patches have been landed. Closing bug. 73376 2010-11-09 07:31:18 -0800 2010-11-09 11:16:44 -0800 Patch bug-48643-20101109183116.patch text/plain 1370 peter.rybin ZGlmZiAtLWdpdCBhL1dlYkNvcmUvQ2hhbmdlTG9nIGIvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXgg ODM1MGU2MmRhYTkzZmQyZjIyOTdjNDM0MTlhNWUzZjdkMDNiZjVhYS4uNWM5ZGE0NmRiNzI4NTMx ZWE5ZGY3MTNiNGE0OWMzMTM4ZTcyMjE3YyAxMDA2NDQKLS0tIGEvV2ViQ29yZS9DaGFuZ2VMb2cK KysrIGIvV2ViQ29yZS9DaGFuZ2VMb2cKQEAgLTEsMyArMSwxMyBAQAorMjAxMC0xMS0wOSAgUGV0 ZXIgUnliaW4gIDxwZXRlci5yeWJpbkBnbWFpbC5jb20+CisKKyAgICAgICAgUmV2aWV3ZWQgYnkg Tk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgWE1MRG9jdW1lbnRQYXJzZXIgZ2V0cyBkZWxldGVk IGFuZCB0aGVuIHVzZWQgaW4gTGF5b3V0VGVzdC9mYXN0L2ZyYW1lcy9zZXQtcGFyZW50LXNyYy1z eW5jaHJvbm91c2x5LnhodG1sIG9uIFFUL0xpbnV4CisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJr aXQub3JnL3Nob3dfYnVnLmNnaT9pZD00ODY0MworCisgICAgICAgICogZG9tL1hNTERvY3VtZW50 UGFyc2VyUXQuY3BwOgorICAgICAgICAoV2ViQ29yZTo6WE1MRG9jdW1lbnRQYXJzZXI6OmRvV3Jp dGUpOgorCiAyMDEwLTEwLTI4ICBQYXZlbCBGZWxkbWFuICA8cGZlbGRtYW5AY2hyb21pdW0ub3Jn PgogCiAgICAgICAgIE5vdCByZXZpZXdlZC4gUm9sbGluZyBvdXQgcjcwODAwLgpkaWZmIC0tZ2l0 IGEvV2ViQ29yZS9kb20vWE1MRG9jdW1lbnRQYXJzZXJRdC5jcHAgYi9XZWJDb3JlL2RvbS9YTUxE b2N1bWVudFBhcnNlclF0LmNwcAppbmRleCAwM2IwODNlYzFjOTI1Y2NkNTFlNmIxZDIxYzliNTJl YTE2YmNlOWNlLi45NzQ3ODRjNTJiZmQ2ZjE5ZTQ5OTJiM2JlYzA0OTYzYjUyODczM2M3IDEwMDY0 NAotLS0gYS9XZWJDb3JlL2RvbS9YTUxEb2N1bWVudFBhcnNlclF0LmNwcAorKysgYi9XZWJDb3Jl L2RvbS9YTUxEb2N1bWVudFBhcnNlclF0LmNwcApAQCAtMTkyLDYgKzE5MiwxMCBAQCB2b2lkIFhN TERvY3VtZW50UGFyc2VyOjpkb1dyaXRlKGNvbnN0IFN0cmluZyYgcGFyc2VTdHJpbmcpCiAKICAg ICBRU3RyaW5nIGRhdGEocGFyc2VTdHJpbmcpOwogICAgIGlmICghZGF0YS5pc0VtcHR5KCkpIHsK KyAgICAgICAgLy8gSmF2YVNjcmlwdCBtYXkgY2F1c2UgdGhlIHBhcnNlciB0byBkZXRhY2gsCisg ICAgICAgIC8vIGtlZXAgdGhpcyBhbGl2ZSB1bnRpbCB0aGlzIGZ1bmN0aW9uIGlzIGRvbmUuCisg ICAgICAgIFJlZlB0cjxYTUxEb2N1bWVudFBhcnNlcj4gcHJvdGVjdCh0aGlzKTsKKwogICAgICAg ICBtX3N0cmVhbS5hZGREYXRhKGRhdGEpOwogICAgICAgICBwYXJzZSgpOwogICAgIH0KQEAgLTcx Niw0ICs3MjAsMyBAQCB2b2lkIFhNTERvY3VtZW50UGFyc2VyOjpwYXJzZUR0ZCgpCiAKIH0KIH0K LQo=