7601 2006-03-04 11:28:40 -0800 REGRESSION (r13089): Reproducible crash dereferencing a deallocated element on google image search 2006-03-06 23:19:42 -0800 1 1 1 Unclassified WebKit JavaScriptCore 420+ Mac OS X 10.4 VERIFIED FIXED http://images.google.com/images?client=safari&rls=en&q=street&ie=UTF-8&oe=UTF-8&sa=N&tab=wi Regression P1 Major --- 1 mitz webkit-unassigned ap mjs oldest_to_newest 35071 0 mitz 2006-03-04 11:28:40 -0800 I get the following crash when I am signed in to Google and I open the above URL, wait for it to finish loading, then reload. It doesn't happen when I'm not signed in nor was Alexey able to reproduce it when signed in to his account. However, it does not seem to depend on a specific search result, as I have gotten it with different searches. From what I saw in gdb, the crash happens because the HTMLImageElementImpl called in frame 8 is garbage, so supposedly it was deallocated. I got other similar crashes where the backtrace was different (e.g. when going back from a search result to the results page) but the cause was again an HTMLElement pointing to a bad ElementImpl. I am able to reproduce reliably with r13093 and later builds but not with r13078 or earlier. Thread 0 Crashed: 0 com.apple.WebCore 0x01bcd1e4 KXMLCore::HashTable<WebCore::NodeListImpl*, WebCore::NodeListImpl*, KXMLCore::IdentityExtractor<WebCore::NodeListImpl*>, KXMLCore::PtrHash<WebCore::NodeListImpl*>, KXMLCore::HashTraits<WebCore::NodeListImpl*>, KXMLCore::HashTraits<WebCore::NodeListImpl*> >::end() + 36 (HashTable.h:277) 1 com.apple.WebCore 0x01bcd250 KXMLCore::HashSet<WebCore::NodeListImpl*, KXMLCore::PtrHash<WebCore::NodeListImpl*>, KXMLCore::HashTraits<WebCore::NodeListImpl*> >::end() + 48 (HashSet.h:133) 2 com.apple.WebCore 0x019169e0 WebCore::NodeImpl::notifyLocalNodeListsAttributeChanged() + 60 (NodeImpl.cpp:756) 3 com.apple.WebCore 0x01916aa8 WebCore::NodeImpl::notifyNodeListsAttributeChanged() + 44 (NodeImpl.cpp:762) 4 com.apple.WebCore 0x01916b6c WebCore::NodeImpl::dispatchSubtreeModifiedEvent(bool) + 148 (NodeImpl.cpp:793) 5 com.apple.WebCore 0x017e5ac8 WebCore::NamedAttrMapImpl::addAttribute(WebCore::AttributeImpl*) + 452 (dom_elementimpl.cpp:1100) 6 com.apple.WebCore 0x017e9678 WebCore::ElementImpl::setAttribute(WebCore::QualifiedName const&, WebCore::StringImpl*, int&) + 488 (dom_elementimpl.cpp:430) 7 com.apple.WebCore 0x017e9744 WebCore::ElementImpl::setAttribute(WebCore::QualifiedName const&, WebCore::String const&) + 72 (dom_elementimpl.cpp:316) 8 com.apple.WebCore 0x017ba1b0 WebCore::HTMLImageElementImpl::setSrc(WebCore::String const&) + 60 (html_imageimpl.cpp:398) 9 com.apple.WebCore 0x01770324 KJS::HTMLElement::imageSetter(KJS::ExecState*, int, KJS::JSValue*, WebCore::String const&) + 396 (kjs_html.cpp:2890) 10 com.apple.WebCore 0x01789a9c KJS::HTMLElement::putValueProperty(KJS::ExecState*, int, KJS::JSValue*, int) + 756 (kjs_html.cpp:3171) 11 com.apple.WebCore 0x01789db0 KJS::HTMLElement::put(KJS::ExecState*, KJS::Identifier const&, KJS::JSValue*, int) + 740 (kjs_html.cpp:2463) 12 com.apple.JavaScriptCore 0x0103e0ac KJS::AssignDotNode::evaluate(KJS::ExecState*) + 1740 (nodes.cpp:1374) 13 com.apple.JavaScriptCore 0x010379c4 KJS::ExprStatementNode::execute(KJS::ExecState*) + 220 (nodes.cpp:1641) 14 com.apple.JavaScriptCore 0x01033f28 KJS::SourceElementsNode::execute(KJS::ExecState*) + 280 (nodes.cpp:2381) 15 com.apple.JavaScriptCore 0x01031280 KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1618) 16 com.apple.JavaScriptCore 0x01019154 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 92 (function.cpp:331) 17 com.apple.JavaScriptCore 0x01018780 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 700 (function.cpp:102) 18 com.apple.JavaScriptCore 0x0104483c KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 288 (object.cpp:94) 19 com.apple.JavaScriptCore 0x0103b86c KJS::FunctionCallResolveNode::evaluate(KJS::ExecState*) + 820 (nodes.cpp:593) 20 com.apple.JavaScriptCore 0x010379c4 KJS::ExprStatementNode::execute(KJS::ExecState*) + 220 (nodes.cpp:1641) 21 com.apple.JavaScriptCore 0x01034078 KJS::SourceElementsNode::execute(KJS::ExecState*) + 616 (nodes.cpp:2387) 22 com.apple.JavaScriptCore 0x01031280 KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1618) 23 com.apple.JavaScriptCore 0x01019154 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 92 (function.cpp:331) 24 com.apple.JavaScriptCore 0x01018780 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 700 (function.cpp:102) 25 com.apple.JavaScriptCore 0x0104483c KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 288 (object.cpp:94) 26 com.apple.JavaScriptCore 0x0103b004 KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 908 (nodes.cpp:686) 27 com.apple.JavaScriptCore 0x010379c4 KJS::ExprStatementNode::execute(KJS::ExecState*) + 220 (nodes.cpp:1641) 28 com.apple.JavaScriptCore 0x01034078 KJS::SourceElementsNode::execute(KJS::ExecState*) + 616 (nodes.cpp:2387) 29 com.apple.JavaScriptCore 0x01031280 KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1618) 30 com.apple.JavaScriptCore 0x0102746c KJS::InterpreterImp::evaluate(KJS::UChar const*, int, KJS::JSValue*, KJS::UString const&, int) + 1028 (internal.cpp:591) 31 com.apple.JavaScriptCore 0x0102964c KJS::Interpreter::evaluate(KJS::UString const&, int, KJS::UChar const*, int, KJS::JSValue*) + 100 (interpreter.cpp:122) 32 com.apple.WebCore 0x0178f198 WebCore::KJSProxyImpl::evaluate(WebCore::String const&, int, WebCore::String const&, WebCore::NodeImpl*) + 380 (kjs_proxy.cpp:69) 33 com.apple.WebCore 0x018d6448 WebCore::Frame::executeScript(QString const&, int, WebCore::NodeImpl*, QString const&) + 144 (Frame.cpp:2080) 34 com.apple.WebCore 0x017d997c WebCore::HTMLTokenizer::scriptExecution(QString const&, WebCore::HTMLTokenizer::State, QString, int) + 468 (htmltokenizer.cpp:470) 35 com.apple.WebCore 0x017dca98 WebCore::HTMLTokenizer::scriptHandler(WebCore::HTMLTokenizer::State) + 1632 (htmltokenizer.cpp:409) 36 com.apple.WebCore 0x017dd1a8 WebCore::HTMLTokenizer::parseSpecial(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 1340 (htmltokenizer.cpp:277) 37 com.apple.WebCore 0x017dfdec WebCore::HTMLTokenizer::write(WebCore::SegmentedString const&, bool) + 924 (htmltokenizer.cpp:1389) 38 com.apple.WebCore 0x018d9354 WebCore::Frame::write(char const*, int) + 952 (Frame.cpp:681) 39 com.apple.WebCore 0x018d0414 WebCore::Frame::addData(char const*, int) + 340 (Frame.cpp:2684) 40 com.apple.WebCore 0x0191e744 -[WebCoreFrameBridge addData:] + 224 (WebCoreFrameBridge.mm:653) 41 com.apple.WebKit 0x00334090 -[WebFrameBridge receivedData:textEncodingName:] + 236 (WebFrameBridge.m:479) 42 com.apple.WebKit 0x0036c788 -[WebHTMLRepresentation receivedData:withDataSource:] + 248 (WebHTMLRepresentation.m:122) 43 com.apple.WebKit 0x003578f4 -[WebDataSource(WebPrivate) _commitLoadWithData:] + 164 (WebDataSource.m:895) 44 com.apple.WebKit 0x00355f78 -[WebDataSource(WebPrivate) _receivedData:] + 196 (WebDataSource.m:646) 45 com.apple.WebKit 0x00391054 -[WebMainResourceLoader addData:] + 136 (WebMainResourceLoader.m:163) 46 com.apple.WebKit 0x00350c68 -[WebLoader didReceiveData:lengthReceived:] + 108 (WebLoader.m:535) 47 com.apple.WebKit 0x00392638 -[WebMainResourceLoader didReceiveData:lengthReceived:] + 724 (WebMainResourceLoader.m:378) 48 com.apple.WebKit 0x003517cc -[WebLoader connection:didReceiveData:lengthReceived:] + 188 (WebLoader.m:645) 49 com.apple.Foundation 0x9299c5d4 -[NSURLConnection(NSURLConnectionInternal) _sendDidReceiveDataCallback] + 564 50 com.apple.Foundation 0x9299aa74 -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] + 488 51 com.apple.Foundation 0x9299a810 _sendCallbacks + 156 52 com.apple.CoreFoundation 0x907e4a68 __CFRunLoopDoSources0 + 384 53 com.apple.CoreFoundation 0x907e3f98 __CFRunLoopRun + 452 54 com.apple.CoreFoundation 0x907e3a18 CFRunLoopRunSpecific + 268 55 com.apple.HIToolbox 0x93211980 RunCurrentEventLoopInMode + 264 56 com.apple.HIToolbox 0x93211014 ReceiveNextEventCommon + 380 57 com.apple.HIToolbox 0x93210e80 BlockUntilNextEventMatchingListInMode + 96 58 com.apple.AppKit 0x93713104 _DPSNextEvent + 384 59 com.apple.AppKit 0x93712dc8 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 116 60 com.apple.Safari 0x00006fd4 0x1000 + 24532 61 com.apple.AppKit 0x9370f30c -[NSApplication run] + 472 62 com.apple.AppKit 0x937ffe68 NSApplicationMain + 452 63 com.apple.Safari 0x0005cd08 0x1000 + 376072 64 com.apple.Safari 0x0005cbb0 0x1000 + 375728 35171 1 mitz 2006-03-05 12:12:49 -0800 I have tracked this regression down to r13089, the PLATFORM macros patch, and then Alexey found out the reason in Platform.h: #if PLATFORM(MAC) #define USE_MULTIPLE_THREADS 1 #endif changing it to KXMLCORE_USE_MULTIPLE_THREADS fixes the bug. 35173 2 6876 mitz 2006-03-05 13:14:30 -0800 Created attachment 6876 Patch No test case since I don't know how to reproduce locally. 35176 3 6876 hyatt 2006-03-05 15:00:12 -0800 Comment on attachment 6876 Patch r=me 35177 4 6876 hyatt 2006-03-05 15:00:12 -0800 Comment on attachment 6876 Patch r=me 35205 5 ap 2006-03-05 21:30:22 -0800 Landed, r13154. 35353 6 mitz 2006-03-06 23:19:42 -0800 No longer crashes in r13183 nightly. 6876 2006-03-05 13:14:30 -0800 2006-03-05 15:00:07 -0800 Patch 7601_r1.patch text/plain 1179 mitz SW5kZXg6IEphdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBKYXZhU2NyaXB0 Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDEzMTQ0KQorKysgSmF2YVNjcmlwdENvcmUvQ2hhbmdl TG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEsMTIgQEAKKzIwMDYtMDMtIyMgIE1pdHogUGV0 dGVsICA8b3BlbmRhcndpbi5vcmdAbWl0enBldHRlbC5jb20+CisKKyAgICAgICAgRml4IHN1Z2dl c3RlZCBieSBBbGV4ZXkgUHJvc2t1cnlha292IDxhcEBueXBvcC5jb20+LCByZXZpZXdlZCBieSBO T0JPRFkgKE9PUFMhKS4KKyAgICAgICAgCisgICAgICAgIC0gZml4IGh0dHA6Ly9idWd6aWxsYS5v cGVuZGFyd2luLm9yZy9zaG93X2J1Zy5jZ2k/aWQ9NzYwMQorICAgICAgICAgIFJFR1JFU1NJT04g KHIxMzA4OSk6IFJlcHJvZHVjaWJsZSBjcmFzaCBkZXJlZmVyZW5jaW5nIGEgZGVhbGxvY2F0ZWQg ZWxlbWVudCBvbiBnb29nbGUgaW1hZ2Ugc2VhcmNoCisKKyAgICAgICAgKiBreG1sY29yZS9QbGF0 Zm9ybS5oOiBDb3JyZWN0ZWQgdGhlIGRlZmluZSB0byBlbmFibGUgVVNFKE1VTFRJUExFX1RIUkVB RFMpIG9uIE1hYyBPUyBYLgorCiAyMDA2LTAzLTA1ICBBbmRyZXcgV2VsbGluZ3RvbiAgPHByb3Rv bkB3aXJldGFwcGVkLm5ldD4KIAogICAgICAgICBSZXZpZXdlZCBieSBFcmljLCBsYW5kZWQgYnkg YXAuCkluZGV4OiBKYXZhU2NyaXB0Q29yZS9reG1sY29yZS9QbGF0Zm9ybS5oCj09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0K LS0tIEphdmFTY3JpcHRDb3JlL2t4bWxjb3JlL1BsYXRmb3JtLmgJKHJldmlzaW9uIDEzMTQ0KQor KysgSmF2YVNjcmlwdENvcmUva3htbGNvcmUvUGxhdGZvcm0uaAkod29ya2luZyBjb3B5KQpAQCAt MTQ4LDcgKzE0OCw3IEBACiAKIC8vIG11bHRpcGxlIHRocmVhZHMgb25seSBzdXBwb3J0ZWQgb24g T1MgWCBXZWJLaXQgZm9yIG5vdwogI2lmIFBMQVRGT1JNKE1BQykKLSNkZWZpbmUgVVNFX01VTFRJ UExFX1RIUkVBRFMgMQorI2RlZmluZSBLWE1MQ09SRV9VU0VfTVVMVElQTEVfVEhSRUFEUyAxCiAj ZW5kaWYKIAogI2VuZGlmIC8vIEtYTUxDT1JFX1BMQVRGT1JNX0gK