9477 2006-06-16 22:39:12 -0700 REGRESSION: fast/dom/replaceChild.html crashes on WebKit ToT in debug build 2006-06-17 18:26:07 -0700 1 1 1 Unclassified WebKit JavaScriptCore 420+ Mac OS X 10.4 RESOLVED FIXED Regression P1 Normal --- 1 ddkilzer webkit-unassigned adele ggaren mitz mjs timothy oldest_to_newest 46017 0 ddkilzer 2006-06-16 22:39:12 -0700 Running fast/dom/replaceChild.html on WebKit ToT (r14895) causes a reproducible crash on my Mac OS X 10.4.6 (8I127/PowerPC) PB G4. I'm not sure when this bug was introduced. This doesn't seem to happen when this test is loaded in the browser, although one of two resources is NOT loaded per the Activity Window when the test is opened in the browser. Relevant stack trace bits: Command: DumpRenderTree Path: /Users/ddkilzer/Projects/Cocoa/WebKit/WebKitBuild/Debug/DumpRenderTree Parent: perl [10628] Version: ??? (???) PID: 10671 Thread: 0 Exception: EXC_BAD_ACCESS (0x0001) Codes: KERN_INVALID_ADDRESS (0x0001) at 0x2c323130 Thread 0 Crashed: 0 <<00000000>> 0x2c323130 0 + 741486896 1 com.apple.JavaScriptCore 0x12d1bc98 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 288 (object.cpp:96) 2 com.apple.JavaScriptCore 0x12d11110 KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 908 (nodes.cpp:758) 3 com.apple.JavaScriptCore 0x12d0db0c KJS::ExprStatementNode::execute(KJS::ExecState*) + 220 (nodes.cpp:1661) 4 com.apple.JavaScriptCore 0x12d0a2e4 KJS::SourceElementsNode::execute(KJS::ExecState*) + 616 (nodes.cpp:2448) 5 com.apple.JavaScriptCore 0x12d07ca0 KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1638) 6 com.apple.JavaScriptCore 0x12d0d994 KJS::IfNode::execute(KJS::ExecState*) + 500 (nodes.cpp:1680) 7 com.apple.JavaScriptCore 0x12d0a194 KJS::SourceElementsNode::execute(KJS::ExecState*) + 280 (nodes.cpp:2442) 8 com.apple.JavaScriptCore 0x12d07ca0 KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1638) 9 com.apple.JavaScriptCore 0x12cf633c KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 92 (function.cpp:333) 10 com.apple.JavaScriptCore 0x12cf5964 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 668 (function.cpp:104) 11 com.apple.JavaScriptCore 0x12d1bc98 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 288 (object.cpp:96) 12 com.apple.WebCore 0x01338aa8 KJS::JSAbstractEventListener::handleEvent(WebCore::Event*, bool) + 748 (kjs_events.cpp:105) 13 com.apple.WebCore 0x0114cb34 WebCore::Document::handleWindowEvent(WebCore::Event*, bool) + 308 (Document.cpp:2208) 14 com.apple.WebCore 0x012fa1ac WebCore::EventTargetNode::dispatchWindowEvent(WebCore::AtomicString const&, bool, bool) + 324 (EventTargetNode.cpp:315) 15 com.apple.WebCore 0x0114fb68 WebCore::Document::implicitClose() + 700 (Document.cpp:1179) 16 com.apple.WebCore 0x0111ceb4 WebCore::Frame::checkEmitLoadEvent() + 724 (Frame.cpp:858) 17 com.apple.WebCore 0x011224ac WebCore::Frame::checkCompleted() + 528 (Frame.cpp:823) 18 com.apple.WebCore 0x011228d4 WebCore::Frame::finishedParsing() + 44 (Frame.cpp:778) 19 com.apple.WebCore 0x01149c88 WebCore::Document::finishedParsing() + 72 (Document.cpp:3223) 20 com.apple.WebCore 0x01040e0c WebCore::HTMLParser::finished() + 300 (HTMLParser.cpp:1345) 21 com.apple.WebCore 0x01046228 WebCore::HTMLTokenizer::end() + 308 (HTMLTokenizer.cpp:1489) 22 com.apple.WebCore 0x010466a4 WebCore::HTMLTokenizer::finish() + 1128 (HTMLTokenizer.cpp:1527) 23 com.apple.WebCore 0x01147abc WebCore::Document::finishParsing() + 84 (Document.cpp:1313) 24 com.apple.WebCore 0x011231d0 WebCore::Frame::endIfNotLoading() + 432 (Frame.cpp:734) 25 com.apple.WebCore 0x01123224 WebCore::Frame::end() + 52 (Frame.cpp:717) 26 com.apple.WebCore 0x01160b64 -[WebCoreFrameBridge end] + 72 (WebCoreFrameBridge.mm:703) 27 com.apple.WebKit 0x00246688 -[WebDataSource(WebPrivate) _finishedLoading] + 220 (WebDataSource.m:792) 28 com.apple.WebKit 0x002833c0 -[WebMainResourceLoader didFinishLoading] + 560 (WebMainResourceLoader.m:379) 29 com.apple.WebKit 0x00241788 -[WebLoader connectionDidFinishLoading:] + 184 (WebLoader.m:575) 30 com.apple.Foundation 0x929a884c -[NSURLConnection(NSURLConnectionInternal) _sendDidFinishLoadingCallback] + 188 31 com.apple.Foundation 0x929a6ab8 -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] + 556 32 com.apple.Foundation 0x929a6810 _sendCallbacks + 156 33 com.apple.CoreFoundation 0x907e44cc __CFRunLoopDoSources0 + 384 34 com.apple.CoreFoundation 0x907e39fc __CFRunLoopRun + 452 35 com.apple.CoreFoundation 0x907e347c CFRunLoopRunSpecific + 268 36 com.apple.Foundation 0x92985164 -[NSRunLoop runMode:beforeDate:] + 172 37 DumpRenderTree 0x00008ac4 dumpRenderTree + 904 (DumpRenderTree.m:744) 38 DumpRenderTree 0x00005d48 main + 3672 (DumpRenderTree.m:321) 39 DumpRenderTree 0x000024f0 _start + 340 (crt.c:272) 40 DumpRenderTree 0x00002398 start + 60 46018 1 ddkilzer 2006-06-16 22:48:48 -0700 And fast/events/mouseover-mouseout2.html fails similarly. 46076 2 mitz 2006-06-17 04:25:22 -0700 The immediate cause for the bug is that when a frame is deallocated along with its WebCoreScriptDebugger, the corresponding WebCoreScriptDebuggerImp is deleted but not detached. I'm surprised that it's otherwise okay to execute a script in a frame whose WebFrame has been deallocated. 46092 3 ddkilzer 2006-06-17 08:27:16 -0700 CC the usual suspects from Bug 9476. 46103 4 8889 ddkilzer 2006-06-17 12:27:12 -0700 Created attachment 8889 Patch v1 Patch v1 assumes that the WebFrame may get deallocated when the function is called, so it refetches the debugger before using it again in FunctionImp::callAsFunction(). I am running run-webkit-tests now. Will report results when completed. 46104 5 ddkilzer 2006-06-17 12:45:01 -0700 (In reply to comment #4) > I am running run-webkit-tests now. Will report results when completed. All of the tests passed (including http tests; Bug 9478). 46118 6 8889 darin 2006-06-17 17:12:34 -0700 Comment on attachment 8889 Patch v1 r=me -- Did Tim check the performance impact of adding the debugging hooks? 46122 7 ddkilzer 2006-06-17 17:25:54 -0700 Committed revision 14900. 46123 8 timothy 2006-06-17 18:26:07 -0700 I did check performance, that is why the debugger is enabled only for debug builds or when a default is set. 8889 2006-06-17 12:27:12 -0700 2006-06-17 17:12:34 -0700 Patch v1 bug-9477-v1.diff text/plain 1433 ddkilzer SW5kZXg6IEphdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBKYXZhU2NyaXB0 Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDE0ODk5KQorKysgSmF2YVNjcmlwdENvcmUvQ2hhbmdl TG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEsMTQgQEAKKzIwMDYtMDYtMTcgIERhdmlkIEtp bHplciAgPGRka2lsemVyQGtpbHplci5uZXQ+CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZ IChPT1BTISkuCisKKyAgICAgICAgaHR0cDovL2J1Z3ppbGxhLm9wZW5kYXJ3aW4ub3JnL3Nob3df YnVnLmNnaT9pZD05NDc3CisgICAgICAgIFJFR1JFU1NJT046IGZhc3QvZG9tL3JlcGxhY2VDaGls ZC5odG1sIGNyYXNoZXMgb24gV2ViS2l0IFRvVCBpbiBkZWJ1ZyBidWlsZAorCisgICAgICAgICog a2pzL2Z1bmN0aW9uLmNwcDoKKyAgICAgICAgKEtKUzo6RnVuY3Rpb25JbXA6OmNhbGxBc0Z1bmN0 aW9uKTogUmVmZXRjaCB0aGUgZGVidWdnZXIgYWZ0ZXIgZXhlY3V0aW5nIHRoZSBmdW5jdGlvbgor ICAgICAgICBpbiBjYXNlIHRoZSBXZWJGcmFtZSBpdCB3YXMgcnVubmluZyBpbiBoYXMgc2luY2Ug YmVlbiBkZXN0cm95ZWQuCisKIDIwMDYtMDYtMTcgIERhdmlkIEtpbHplciAgPGRka2lsemVyQGtp bHplci5uZXQ+CiAKICAgICAgICAgUmV2aWV3ZWQgYnkgZ2dhcmVuLgpJbmRleDogSmF2YVNjcmlw dENvcmUva2pzL2Z1bmN0aW9uLmNwcAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBKYXZhU2NyaXB0Q29yZS9ranMv ZnVuY3Rpb24uY3BwCShyZXZpc2lvbiAxNDg5OSkKKysrIEphdmFTY3JpcHRDb3JlL2tqcy9mdW5j dGlvbi5jcHAJKHdvcmtpbmcgY29weSkKQEAgLTExMyw2ICsxMTMsMTEgQEAgSlNWYWx1ZSAqRnVu Y3Rpb25JbXA6OmNhbGxBc0Z1bmN0aW9uKEV4ZQogICAgIGZwcmludGYoc3RkZXJyLCAicmV0dXJu aW5nOiB1bmRlZmluZWRcbiIpOwogI2VuZGlmCiAKKyAgLy8gVGhlIGRlYnVnZ2VyIG1heSBoYXZl IGJlZW4gZGVhbGxvY2F0ZWQgYnkgbm93IGlmIHRoZSBXZWJGcmFtZQorICAvLyB3ZSB3ZXJlIHJ1 bm5pbmcgaW4gaGFzIGJlZW4gZGVzdHJveWVkLCBzbyByZWZldGNoIGl0LgorICAvLyBTZWUgaHR0 cDovL2J1Z3ppbGxhLm9wZW5kYXJ3aW4ub3JnL3Nob3dfYnVnLmNnaT9pZD05NDc3CisgIGRiZyA9 IGV4ZWMtPmR5bmFtaWNJbnRlcnByZXRlcigpLT5kZWJ1Z2dlcigpOworCiAgIGlmIChkYmcpIHsK ICAgICBpZiAoaW5oZXJpdHMoJkRlY2xhcmVkRnVuY3Rpb25JbXA6OmluZm8pKQogICAgICAgbGlu ZW5vID0gc3RhdGljX2Nhc3Q8RGVjbGFyZWRGdW5jdGlvbkltcCo+KHRoaXMpLT5ib2R5LT5sYXN0 TGluZSgpOwo=