81374 2012-03-16 11:05:51 -0700 remove-body-during-body-replacement2.html is triggering crashes on all platforms 2012-03-21 10:34:40 -0700 1 1 1 Unclassified WebKit WebCore Misc. 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED http://test-results.appspot.com/dashboards/flakiness_dashboard.html#showExpectations=true&tests=fast%2Fdom%2Fremove-body-during-body-replacement2.html InRadar P2 Normal --- 1 leviw webkit-unassigned abarth dpranke eric haraken inferno rniwa webkit-bug-importer webkit.review.bot oldest_to_newest 580691 0 leviw 2012-03-16 11:05:51 -0700 The backtraces all seem pretty different to keep things interesting. I tried a run with cluster-fuzz but it announced it un-reproducible. 580725 1 inferno 2012-03-16 11:32:48 -0700 Tried with libgmalloc (MAC) with --repeat-each 100, the testcases does not crash. Sometimes, it is the case, that the previous test that run before it, is causing the crash. Also, tried with ClusterFuzz on Linux with DRT, it didnt reproduce. Here is the crash stack from the url above base::debug::StackTrace::StackTrace() [0x82ad2ac] base::(anonymous namespace)::StackDumpSignalHandler() [0x8293e1d] 0xb7799400 WebCore::Frame::addDestructionObserver() [0x8adc56c] WebCore::FrameDestructionObserver::observeFrame() [0x8ade946] WebCore::DOMWindow::DOMWindow() [0x8ac02f5] WebCore::Frame::domWindow() [0x8addc72] WebCore::DOMWindowProperty::~DOMWindowProperty() [0x8ac5fc9] WebCore::DOMWindowNotifications::~DOMWindowNotifications() [0x960d994] WebCore::DOMWindow::~DOMWindow() [0x8ac3913] WebCore::V8DOMWindow::derefObject() [0x8e44465] WebCore::DOMData::derefObject() [0x8b52cb2] WebCore::DOMData::handleWeakObject<>() [0x8b52f99] WebCore::DOMDataStore::weakDOMObjectCallback() [0x8b53020] v8::internal::GlobalHandles::PostGarbageCollectionProcessing() [0x842815b] None 580775 2 leviw 2012-03-16 12:14:03 -0700 Here's a few of the tests leading up to one of the crashes. I should note that fast/dom/prototype-inheritance-2.html crashes on my machine (Mac 10.6 Debug) every other run when ran independently. It doesn't have a problem on cluster-fuzz though... even with location.reload() fast/dom/null-document-location-assign-crash.html passed fast/dom/null-document-location-href-put-crash.html passed fast/dom/null-document-location-put-crash.html passed fast/dom/null-document-location-replace-crash.html passed fast/dom/null-document-window-open-crash.html passed fast/dom/null-page-show-modal-dialog-crash.html passed fast/dom/objc-big-method-name.html passed fast/dom/object-plugin-hides-properties.html passed fast/dom/offset-parent-positioned-and-inline.html passed fast/dom/offset-position-writing-modes.html passed fast/dom/onerror-img.html passed fast/dom/onload-open.html passed fast/dom/option-properties.html passed fast/dom/option-text-mutation-crash.html passed fast/dom/outerText-no-element.html passed fast/dom/outerText.html passed fast/dom/ping-attribute-dom-binding.html passed fast/dom/plugin-attributes-enumeration.html passed fast/dom/prefixed-image-tag.xhtml passed fast/dom/processing-instruction-appendChild-exceptions.xhtml passed fast/dom/prototype-chain.html passed fast/dom/prototype-inheritance-2.html failed: Text diff mismatch fast/dom/prototype-inheritance.html passed fast/dom/prototype-property.html passed fast/dom/prototypes.html passed fast/dom/register-protocol-handler.html passed fast/dom/remove-body-during-body-replacement2.html crashed 580844 3 abarth 2012-03-16 13:07:12 -0700 +haraken, who worked on DOMWindowNotifications recently. 580849 4 abarth 2012-03-16 13:11:35 -0700 I see the problem. My fault. 580859 5 leviw 2012-03-16 13:14:29 -0700 (In reply to comment #4) > I see the problem. My fault. That first sentence is music to my ears :) 580862 6 inferno 2012-03-16 13:15:43 -0700 (In reply to comment #5) > (In reply to comment #4) > > I see the problem. My fault. > > That first sentence is music to my ears :) (In reply to comment #4) > I see the problem. My fault. Does the bug need security flags ? is it a use after free ? 580864 7 abarth 2012-03-16 13:16:24 -0700 > Does the bug need security flags ? is it a use after free ? I'm not sure yet. 580876 8 132358 abarth 2012-03-16 13:26:57 -0700 Created attachment 132358 needs changelog 580877 9 abarth 2012-03-16 13:27:39 -0700 Yes. It's a use-after-free, but the bug was introduced only 8 hours ago. 580923 10 132370 abarth 2012-03-16 13:54:26 -0700 Created attachment 132370 Patch 581089 11 132370 webkit.review.bot 2012-03-16 16:41:38 -0700 Comment on attachment 132370 Patch Clearing flags on attachment: 132370 Committed r111086: <http://trac.webkit.org/changeset/111086> 581090 12 webkit.review.bot 2012-03-16 16:41:43 -0700 All reviewed patches have been landed. Closing bug. 581516 13 haraken 2012-03-18 16:40:20 -0700 Reverted r111086 for reason: Chromium crash Committed r111140: <http://trac.webkit.org/changeset/111140> 581674 14 abarth 2012-03-19 00:34:04 -0700 > Chromium crash What crashes? 581675 15 abarth 2012-03-19 00:34:38 -0700 BTW, this patch is "correct" in the sense that we need to call the base class here. There might be other things we need to change if this causes other crashes. 581676 16 haraken 2012-03-19 00:36:35 -0700 (In reply to comment #15) > BTW, this patch is "correct" in the sense that we need to call the base class here. There might be other things we need to change if this causes other crashes. Adam: This one https://mail.google.com/mail/u/0/?ui=2&shva=1#inbox/1362401bf41e9c9e I could not fix the crash in hours, and since it is marked as a release-block bug, I rolled out suspicious patches. 581677 17 leviw 2012-03-19 00:37:56 -0700 (In reply to comment #16) > (In reply to comment #15) > > BTW, this patch is "correct" in the sense that we need to call the base class here. There might be other things we need to change if this causes other crashes. > > Adam: This one https://mail.google.com/mail/u/0/?ui=2&shva=1#inbox/1362401bf41e9c9e > > I could not fix the crash in hours, and since it is marked as a release-block bug, I rolled out suspicious patches. Can you provide a link that isn't to an email in your gmail ;) 581678 18 haraken 2012-03-19 00:39:48 -0700 (In reply to comment #17) > Can you provide a link that isn't to an email in your gmail ;) Oops, this one:) http://code.google.com/p/chromium/issues/detail?id=118796 582727 19 abarth 2012-03-19 21:25:00 -0700 This should be fixed now since we rolled out the cause of the problem. Please re-open if that's not correct. 584309 20 webkit-bug-importer 2012-03-21 10:34:40 -0700 <rdar://problem/11091337> 132358 2012-03-16 13:26:57 -0700 2012-03-16 13:54:20 -0700 needs changelog bug-81374-20120316132656.patch text/plain 788 abarth SW5kZXg6IFNvdXJjZS9XZWJDb3JlL25vdGlmaWNhdGlvbnMvRE9NV2luZG93Tm90aWZpY2F0aW9u cy5jcHAKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PQotLS0gU291cmNlL1dlYkNvcmUvbm90aWZpY2F0aW9ucy9ET01XaW5k b3dOb3RpZmljYXRpb25zLmNwcAkocmV2aXNpb24gMTExMDUwKQorKysgU291cmNlL1dlYkNvcmUv bm90aWZpY2F0aW9ucy9ET01XaW5kb3dOb3RpZmljYXRpb25zLmNwcAkod29ya2luZyBjb3B5KQpA QCAtODcsMTAgKzg3LDEzIEBAIE5vdGlmaWNhdGlvbkNlbnRlciogRE9NV2luZG93Tm90aWZpY2F0 aW8KIAogdm9pZCBET01XaW5kb3dOb3RpZmljYXRpb25zOjpkaXNjb25uZWN0RnJhbWUoKQogewor ICAgIC8vIEZJWE1FOiBXZSBzaG91bGQgc3VwcG9ydCBrZWVwIHRoZSBvbGQgbV9ub3RpZmljYXRp b25DZW50ZXIgc28gd2UgY2FuIHN1cHBvcnQgcmVjb25uZWN0RnJhbWUoKS4KKyAgICAvLyBTZWUg RE9NV2luZG93SW5kZXhlZERhdGFiYXNlOjpkaXNjb25uZWN0RnJhbWUoKSBmb3IgYW4gZXhhbXBs ZSBvZiBob3cgdG8gZG8gdGhpcy4KICAgICBpZiAobV9ub3RpZmljYXRpb25DZW50ZXIpIHsKICAg ICAgICAgbV9ub3RpZmljYXRpb25DZW50ZXItPmRpc2Nvbm5lY3RGcmFtZSgpOwogICAgICAgICBt X25vdGlmaWNhdGlvbkNlbnRlciA9IDA7CiAgICAgfQorICAgIERPTVdpbmRvd1Byb3BlcnR5Ojpk aXNjb25uZWN0RnJhbWUoKTsKIH0KIAogfSAvLyBuYW1lc3BhY2UgV2ViQ29yZQo= 132370 2012-03-16 13:54:26 -0700 2012-03-16 16:41:38 -0700 Patch bug-81374-20120316135424.patch text/plain 1678 abarth SW5kZXg6IFNvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2Vi Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDExMTA2MCkKKysrIFNvdXJjZS9XZWJDb3JlL0NoYW5n ZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE4IEBACisyMDEyLTAzLTE2ICBBZGFtIEJh cnRoICA8YWJhcnRoQHdlYmtpdC5vcmc+CisKKyAgICAgICAgcmVtb3ZlLWJvZHktZHVyaW5nLWJv ZHktcmVwbGFjZW1lbnQyLmh0bWwgaXMgdHJpZ2dlcmluZyBjcmFzaGVzIG9uIGFsbCBwbGF0Zm9y bXMKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTgxMzc0 CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgV2hlbiBv dmVycmlkaW5nIGRpc2Nvbm5lY3RGcmFtZSwgd2UgbmVlZCB0byBjYWxsIHRoZSBiYXNlIGNsYXNz IHZlcnNpb24KKyAgICAgICAgb2YgdGhlIG1ldGhvZCBzbyB0aGF0IGl0IGNhbiBjbGVhciB0aGUg bV9mcmFtZSBwb2ludGVyLgorCisgICAgICAgIFRlc3RzOiBUaGlzIHBhdGNoIGZpeGVzIGEgbGFy Z2UgbnVtYmVyIG9mIGNyYXNoZXMgaW4gdGVzdHMuCisKKyAgICAgICAgKiBub3RpZmljYXRpb25z L0RPTVdpbmRvd05vdGlmaWNhdGlvbnMuY3BwOgorICAgICAgICAoV2ViQ29yZTo6RE9NV2luZG93 Tm90aWZpY2F0aW9uczo6ZGlzY29ubmVjdEZyYW1lKToKKwogMjAxMi0wMy0xNiAgTWF0dCBMaWxl ayAgPG1ybEBhcHBsZS5jb20+CiAKICAgICAgICAgRG9uJ3QgaW5zdGFsbCBsaWJXZWJDb3JlVGVz dFN1cHBvcnQgb24gT1MgWCBwcm9kdWN0aW9uIGJ1aWxkcwpJbmRleDogU291cmNlL1dlYkNvcmUv bm90aWZpY2F0aW9ucy9ET01XaW5kb3dOb3RpZmljYXRpb25zLmNwcAo9PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBT b3VyY2UvV2ViQ29yZS9ub3RpZmljYXRpb25zL0RPTVdpbmRvd05vdGlmaWNhdGlvbnMuY3BwCShy ZXZpc2lvbiAxMTEwNTApCisrKyBTb3VyY2UvV2ViQ29yZS9ub3RpZmljYXRpb25zL0RPTVdpbmRv d05vdGlmaWNhdGlvbnMuY3BwCSh3b3JraW5nIGNvcHkpCkBAIC04NywxMCArODcsMTMgQEAgTm90 aWZpY2F0aW9uQ2VudGVyKiBET01XaW5kb3dOb3RpZmljYXRpbwogCiB2b2lkIERPTVdpbmRvd05v dGlmaWNhdGlvbnM6OmRpc2Nvbm5lY3RGcmFtZSgpCiB7CisgICAgLy8gRklYTUU6IFdlIHNob3Vs ZCBzdXBwb3J0IGtlZXAgdGhlIG9sZCBtX25vdGlmaWNhdGlvbkNlbnRlciBzbyB3ZSBjYW4gc3Vw cG9ydCByZWNvbm5lY3RGcmFtZSgpLgorICAgIC8vIFNlZSBET01XaW5kb3dJbmRleGVkRGF0YWJh c2U6OmRpc2Nvbm5lY3RGcmFtZSgpIGZvciBhbiBleGFtcGxlIG9mIGhvdyB0byBkbyB0aGlzLgog ICAgIGlmIChtX25vdGlmaWNhdGlvbkNlbnRlcikgewogICAgICAgICBtX25vdGlmaWNhdGlvbkNl bnRlci0+ZGlzY29ubmVjdEZyYW1lKCk7CiAgICAgICAgIG1fbm90aWZpY2F0aW9uQ2VudGVyID0g MDsKICAgICB9CisgICAgRE9NV2luZG93UHJvcGVydHk6OmRpc2Nvbm5lY3RGcmFtZSgpOwogfQog CiB9IC8vIG5hbWVzcGFjZSBXZWJDb3JlCg==