9635 2006-06-28 12:12:58 -0700 REGRESSION: Crash when adding to cart at <http://www.yemeksepeti.com/> 2006-07-11 17:22:19 -0700 1 1 1 Unclassified WebKit DOM 420+ Mac OS X 10.4 RESOLVED FIXED http://www.yemeksepeti.com/ InRadar, NeedsReduction, Regression P1 Normal --- 1 troyb andersca andersca darin ggaren ian oldest_to_newest 47669 0 troyb 2006-06-28 12:12:58 -0700 This is fully reproducible in WebKit r15070 and as early as 13302. When adding to cart WebKit immediately crashes. Here's how to reproduce: 1.) Load <http://www.yemeksepeti.com/>. 2.) At the top of the page, from the right most dropdown box select "Akdeniz Restaurant". 3.) Click on "ara". 4.) Click on "Akdeniz Restaurant, Alanya" 5.) Click on "Izgara Köfte ... 6,00 YTL" 6.) A pop-up should appear, click on the "+" button at the bottom right of the pop-up. 7.) Crash What should happen at this point is the item gets added to the cart and the main page is updated to reflect this in the side bar on the left side of the page. Thread 0 Crashed: 0 com.apple.WebCore 0x012472fc WebCore::EventTargetNode::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, int&, bool) + 364 1 com.apple.WebCore 0x012473a0 WebCore::EventTargetNode::dispatchHTMLEvent(WebCore::AtomicString const&, bool, bool) + 112 2 com.apple.WebCore 0x010302e0 WebCore::HTMLTokenizer::notifyFinished(WebCore::CachedObject*) + 480 3 com.apple.WebCore 0x0103097c WebCore::HTMLTokenizer::scriptHandler(WebCore::HTMLTokenizer::State) + 1308 4 com.apple.WebCore 0x01030dc8 WebCore::HTMLTokenizer::parseSpecial(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 536 5 com.apple.WebCore 0x01032d54 WebCore::HTMLTokenizer::parseTag(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 6676 6 com.apple.WebCore 0x01033654 WebCore::HTMLTokenizer::write(WebCore::SegmentedString const&, bool) + 1172 7 com.apple.WebCore 0x010cbb38 WebCore::Frame::write(char const*, int) + 824 8 com.apple.WebKit 0x0033492c -[WebHTMLRepresentation receivedData:withDataSource:] + 156 9 com.apple.WebKit 0x0032804c -[WebDataSource(WebPrivate) _commitLoadWithData:] + 92 10 com.apple.WebKit 0x003491c4 -[WebMainResourceLoader addData:] + 84 11 com.apple.WebKit 0x00325580 -[WebLoader didReceiveData:lengthReceived:] + 64 12 com.apple.WebKit 0x00349b38 -[WebMainResourceLoader didReceiveData:lengthReceived:] + 120 13 com.apple.WebKit 0x003259c8 -[WebLoader connection:didReceiveData:lengthReceived:] + 56 14 com.apple.Foundation 0x929a85d4 -[NSURLConnection(NSURLConnectionInternal) _sendDidReceiveDataCallback] + 564 15 com.apple.Foundation 0x929a6a74 -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] + 488 16 com.apple.Foundation 0x929a6810 _sendCallbacks + 156 17 com.apple.CoreFoundation 0x907e44cc __CFRunLoopDoSources0 + 384 18 com.apple.CoreFoundation 0x907e39fc __CFRunLoopRun + 452 19 com.apple.CoreFoundation 0x907e347c CFRunLoopRunSpecific + 268 20 com.apple.HIToolbox 0x9321d980 RunCurrentEventLoopInMode + 264 21 com.apple.HIToolbox 0x9321d014 ReceiveNextEventCommon + 380 22 com.apple.HIToolbox 0x9321ce80 BlockUntilNextEventMatchingListInMode + 96 23 com.apple.AppKit 0x9371fe84 _DPSNextEvent + 384 24 com.apple.AppKit 0x9371fb48 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 116 25 com.apple.Safari 0x00006df4 0x1000 + 24052 26 com.apple.AppKit 0x9371c08c -[NSApplication run] + 472 27 com.apple.AppKit 0x9380cbfc NSApplicationMain + 452 28 com.apple.Safari 0x0005cb98 0x1000 + 375704 29 com.apple.Safari 0x0005ca40 0x1000 + 375360 47724 1 ap 2006-06-29 08:08:36 -0700 Confirmed with r15050 nightly. Note: between steps 1 and 2, choose "Antalya". Reproducible crash, regression -> P1. 47725 2 darin 2006-06-29 08:14:21 -0700 The immediate cause of the crash here is that we are in HTMLTokenizer::notifyFinished and pendingScripts.head()->isLoaded() is true, but scriptNode is 0. I don't know what the high level cause is. I'm loathe to add a null check until we understand why this happens, but I suspect it might make the crash go away. 48344 3 alice.barraclough 2006-07-05 11:23:19 -0700 <rdar://problem/4613730> 49364 4 9384 andersca 2006-07-11 16:55:39 -0700 Created attachment 9384 Patch The reason that scriptNode was 0 is that the parser is stopped by a previous script (using window.close). Stopping the parser causes processToken to return 0 as the node. 49366 5 9384 ggaren 2006-07-11 17:08:24 -0700 Comment on attachment 9384 Patch r=me 49367 6 9384 ggaren 2006-07-11 17:08:25 -0700 Comment on attachment 9384 Patch r=me 49368 7 andersca 2006-07-11 17:22:19 -0700 Committed in r15363 9384 2006-07-11 16:55:39 -0700 2006-07-11 17:08:24 -0700 Patch window-open-close-fix.txt text/plain 4210 andersca SW5kZXg6IENoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBDaGFuZ2VMb2cJKHJldmlzaW9uIDE1MzU5 KQorKysgQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEsMTkgQEAKKzIwMDYtMDct MTIgIEFuZGVycyBDYXJsc3NvbiAgPGFjYXJsc3NvbkBhcHBsZS5jb20+CisKKyAgICAgICAgUmV2 aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgaHR0cDovL2J1Z3ppbGxhLm9wZW5k YXJ3aW4ub3JnL3Nob3dfYnVnLmNnaT9pZD05NjM1CisgICAgICAgIFJFR1JFU1NJT046IENyYXNo IHdoZW4gYWRkaW5nIHRvIGNhcnQgYXQgPGh0dHA6Ly93d3cueWVtZWtzZXBldGkuY29tLz4KKyAg ICAgICAgCisgICAgICAgICogaHRtbC9IVE1MVG9rZW5pemVyLmNwcDoKKyAgICAgICAgKFdlYkNv cmU6OkhUTUxUb2tlbml6ZXI6OnNjcmlwdEhhbmRsZXIpOgorICAgICAgICBEb24ndCBsb2FkIGV4 dGVybmFsIHNjcmlwdHMgaWYgdGhlIHBhcnNlciBpcyBzdG9wcGVkLgorICAgICAgICAKKyAgICAg ICAgKiBtYW51YWwtdGVzdHMvb3Blbi1jbG9zZS10b2tlbml6ZXItY3Jhc2guaHRtbDogQWRkZWQu CisgICAgICAgICogbWFudWFsLXRlc3RzL3Jlc291cmNlcy9lbXB0eS1maWxlLmpzOiBBZGRlZC4K KyAgICAgICAgKiBtYW51YWwtdGVzdHMvcmVzb3VyY2VzL29wZW4tY2xvc2UtdG9rZW5pemVyLWNy YXNoLmh0bWw6IEFkZGVkLgorICAgICAgICBBZGQgbWFudWFsIHRlc3QuCisKIDIwMDYtMDctMTEg IEFkZWxlIFBldGVyc29uICA8YWRlbGVAYXBwbGUuY29tPgogCiAgICAgICAgIFJldmlld2VkIGJ5 IEh5YXR0LgpJbmRleDogV2ViQ29yZS54Y29kZXByb2ovcHJvamVjdC5wYnhwcm9qCj09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT0KLS0tIFdlYkNvcmUueGNvZGVwcm9qL3Byb2plY3QucGJ4cHJvagkocmV2aXNpb24gMTUzNDkp CisrKyBXZWJDb3JlLnhjb2RlcHJvai9wcm9qZWN0LnBieHByb2oJKHdvcmtpbmcgY29weSkKQEAg LTE1OTEsMjMgKzE1OTEsNiBAQAogCQlGQUUwNDE5MDA5NzU5NkM5MDAwNTQwQkUgLyogU1ZHSW1h Z2VMb2FkZXIuaCBpbiBIZWFkZXJzICovID0ge2lzYSA9IFBCWEJ1aWxkRmlsZTsgZmlsZVJlZiA9 IEZBRTA0MThFMDk3NTk2QzkwMDA1NDBCRSAvKiBTVkdJbWFnZUxvYWRlci5oICovOyB9OwogLyog RW5kIFBCWEJ1aWxkRmlsZSBzZWN0aW9uICovCiAKLS8qIEJlZ2luIFBCWEJ1aWxkU3R5bGUgc2Vj dGlvbiAqLwotCQlEMERCQ0I3OTBBNjMwM0VDMDA3RkEzODYgLyogRGV2ZWxvcG1lbnQgKi8gPSB7 Ci0JCQlpc2EgPSBQQlhCdWlsZFN0eWxlOwotCQkJYnVpbGRTZXR0aW5ncyA9IHsKLQkJCQlDT1BZ X1BIQVNFX1NUUklQID0gTk87Ci0JCQl9OwotCQkJbmFtZSA9IERldmVsb3BtZW50OwotCQl9Owot CQlEMERCQ0I3QTBBNjMwM0VDMDA3RkEzODYgLyogRGVwbG95bWVudCAqLyA9IHsKLQkJCWlzYSA9 IFBCWEJ1aWxkU3R5bGU7Ci0JCQlidWlsZFNldHRpbmdzID0gewotCQkJCUNPUFlfUEhBU0VfU1RS SVAgPSBZRVM7Ci0JCQl9OwotCQkJbmFtZSA9IERlcGxveW1lbnQ7Ci0JCX07Ci0vKiBFbmQgUEJY QnVpbGRTdHlsZSBzZWN0aW9uICovCi0KIC8qIEJlZ2luIFBCWENvbnRhaW5lckl0ZW1Qcm94eSBz ZWN0aW9uICovCiAJCUREMDQxRkYwMDlEOUUzMjUwMDEwQUYyQSAvKiBQQlhDb250YWluZXJJdGVt UHJveHkgKi8gPSB7CiAJCQlpc2EgPSBQQlhDb250YWluZXJJdGVtUHJveHk7CkBAIC02NDI3LDEy ICs2NDEwLDYgQEAKIAkJMDg2N0Q2OTBGRTg0MDI4RkMwMkFBQzA3IC8qIFByb2plY3Qgb2JqZWN0 ICovID0gewogCQkJaXNhID0gUEJYUHJvamVjdDsKIAkJCWJ1aWxkQ29uZmlndXJhdGlvbkxpc3Qg PSAxNDlDMjg0MzA4OTAyQjExMDA4QTlFRkMgLyogQnVpbGQgY29uZmlndXJhdGlvbiBsaXN0IGZv ciBQQlhQcm9qZWN0ICJXZWJDb3JlIiAqLzsKLQkJCWJ1aWxkU2V0dGluZ3MgPSB7Ci0JCQl9Owot CQkJYnVpbGRTdHlsZXMgPSAoCi0JCQkJRDBEQkNCNzkwQTYzMDNFQzAwN0ZBMzg2IC8qIERldmVs b3BtZW50ICovLAotCQkJCUQwREJDQjdBMEE2MzAzRUMwMDdGQTM4NiAvKiBEZXBsb3ltZW50ICov LAotCQkJKTsKIAkJCWhhc1NjYW5uZWRGb3JFbmNvZGluZ3MgPSAxOwogCQkJa25vd25SZWdpb25z ID0gKAogCQkJCUVuZ2xpc2gsCkluZGV4OiBodG1sL0hUTUxUb2tlbml6ZXIuY3BwCj09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT0KLS0tIGh0bWwvSFRNTFRva2VuaXplci5jcHAJKHJldmlzaW9uIDE1MzQ5KQorKysgaHRtbC9I VE1MVG9rZW5pemVyLmNwcAkod29ya2luZyBjb3B5KQpAQCAtMzY3LDcgKzM2Nyw5IEBAIEhUTUxU b2tlbml6ZXI6OlN0YXRlIEhUTUxUb2tlbml6ZXI6OnNjcmkKICAgICAgICAgICAgICAgICBpZiAo IW1fZG9jLT5vd25lckVsZW1lbnQoKSkKICAgICAgICAgICAgICAgICAgICAgcHJpbnRmKCJSZXF1 ZXN0aW5nIHNjcmlwdCBhdCB0aW1lICVkXG4iLCBtX2RvYy0+ZWxhcHNlZFRpbWUoKSk7CiAgICAg I2VuZGlmCi0gICAgICAgICAgICAgICAgaWYgKCAoY3MgPSBtX2RvYy0+ZG9jTG9hZGVyKCktPnJl cXVlc3RTY3JpcHQoc2NyaXB0U3JjLCBzY3JpcHRTcmNDaGFyc2V0KSApKQorICAgICAgICAgICAg ICAgIC8vIFRoZSBwYXJzZXIgbWlnaHQgaGF2ZSBiZWVuIHN0b3BwZWQgYnkgZm9yIGV4YW1wbGUg YSB3aW5kb3cuY2xvc2UgY2FsbCBpbiBhbiBlYXJsaWVyIHNjcmlwdC4KKyAgICAgICAgICAgICAg ICAvLyBJZiBzbywgd2UgZG9uJ3Qgd2FudCB0byBsb2FkIHNjcmlwdHMuCisgICAgICAgICAgICAg ICAgaWYgKCFtX3BhcnNlclN0b3BwZWQgJiYgKGNzID0gbV9kb2MtPmRvY0xvYWRlcigpLT5yZXF1 ZXN0U2NyaXB0KHNjcmlwdFNyYywgc2NyaXB0U3JjQ2hhcnNldCkgKSkKICAgICAgICAgICAgICAg ICAgICAgcGVuZGluZ1NjcmlwdHMuZW5xdWV1ZShjcyk7CiAgICAgICAgICAgICAgICAgZWxzZQog ICAgICAgICAgICAgICAgICAgICBzY3JpcHROb2RlID0gMDsKSW5kZXg6IG1hbnVhbC10ZXN0cy9v cGVuLWNsb3NlLXRva2VuaXplci1jcmFzaC5odG1sCj09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIG1hbnVhbC10ZXN0 cy9vcGVuLWNsb3NlLXRva2VuaXplci1jcmFzaC5odG1sCShyZXZpc2lvbiAwKQorKysgbWFudWFs LXRlc3RzL29wZW4tY2xvc2UtdG9rZW5pemVyLWNyYXNoLmh0bWwJKHJldmlzaW9uIDApCkBAIC0w LDAgKzEsNiBAQAorPGh0bWw+CisgICAgPGJvZHk+CisgICAgICAgIDxpbnB1dCB0eXBlPSJidXR0 b24iIHZhbHVlPSJDbGljayBIZXJlIiBvbmNsaWNrPSJ3aW5kb3cub3BlbigncmVzb3VyY2VzL29w ZW4tY2xvc2UtdG9rZW5pemVyLWNyYXNoLmh0bWwnLCAnZm9vJyk7Ij4gCisgICAgICAgIENsaWNr IHRoZSBidXR0b24gYWJvdmUuIEFub3RoZXIgYnJvd3NlciB3aW5kb3cgc2hvdWxkIG9wZW4gYW5k IHRoZW4gaW1tZWRpYXRlbHkgY2xvc2Ugd2l0aG91dCBjcmFzaGluZy4KKyAgICA8L2JvZHk+Cis8 L2h0bWw+CkluZGV4OiBtYW51YWwtdGVzdHMvcmVzb3VyY2VzL2VtcHR5LWZpbGUuanMKPT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PQpJbmRleDogbWFudWFsLXRlc3RzL3Jlc291cmNlcy9vcGVuLWNsb3NlLXRva2VuaXplci1j cmFzaC5odG1sCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT0KLS0tIG1hbnVhbC10ZXN0cy9yZXNvdXJjZXMvb3Blbi1jbG9z ZS10b2tlbml6ZXItY3Jhc2guaHRtbAkocmV2aXNpb24gMCkKKysrIG1hbnVhbC10ZXN0cy9yZXNv dXJjZXMvb3Blbi1jbG9zZS10b2tlbml6ZXItY3Jhc2guaHRtbAkocmV2aXNpb24gMCkKQEAgLTAs MCArMSw4IEBACis8aHRtbD4KKzxoZWFkPgorPHNjcmlwdCBMYW5ndWFnZT0iamF2YVNjcmlwdCI+ CitzZWxmLmNsb3NlKCk7Cis8L3NjcmlwdD4KKzxzY3JpcHQgbGFuZ3VhZ2U9ImphdmFzY3JpcHQi IHNyYz0iZW1wdHktZmlsZS5qcyI+PC9zY3JpcHQ+Cis8L2hlYWQ+Cis8L2h0bWw+Cg==