Bug 11010

Summary: REGRESSION: Repro crash in <script> onload event dispatch
Product: WebKit
Reporter: mitz
Component: New Bugs
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: ap, ddkilzer, miles_b
Priority: P1
Keywords: HasReduction, InRadar, Regression
Version: 420+
Hardware: Mac
OS: OS X 10.4
URL: http://apartmentcities.com/Apartments/map.asp?apt=12606
Attachments:
Reduction (will crash) [flags: none]

Description mitz 2006-09-24 13:29:10 PDT
This is what I get going to the above URL with TOT:

EXC_BAD_ACCESS (0x0001)
KERN_PROTECTION_FAILURE (0x0002) at 0x003a0033

Thread 0 Crashed:
0    WebCore::TreeShared<WebCore::Node>::ref() + 32 (Shared.h:51)
1    WebCore::EventTargetNode::dispatchGenericEvent(WTF::PassRefPtr<WebCore::Event>, int&, bool) + 304 (EventTargetNode.cpp:179)
2    WebCore::EventTargetNode::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, int&, bool) + 348 (EventTargetNode.cpp:292)
3    WebCore::EventTargetNode::dispatchHTMLEvent(WebCore::AtomicString const&, bool, bool) + 172 (EventTargetNode.cpp:481)
4    WebCore::HTMLScriptElement::notifyFinished(WebCore::CachedResource*) + 244 (HTMLScriptElement.cpp:155)
5    WebCore::CachedScript::checkNotify() + 112 (CachedScript.cpp:108)
6    WebCore::CachedScript::data(WTF::Vector<char, (unsigned long)0>&, bool) + 184 (CachedScript.cpp:100)
7    WebCore::Loader::receivedAllData(WebCore::ResourceLoader*, NSData*) + 464 (loader.cpp:138)
8    -[WebCoreResourceLoaderImp finishJobAndHandle:] + 180 (WebCoreResourceLoaderImp.mm:98)
9    -[WebCoreResourceLoaderImp finishWithData:] + 196 (WebCoreResourceLoaderImp.mm:130)
...
Comment 1 mitz 2006-09-24 23:33:49 PDT
The problem appears to be a script that deletes its own <script> element. Looks like the fix is for
HTMLScriptElement::notifyFinished() to protect itself with a ref()/deref() (it will also be cleaner to change the cs->deref(this) to m_cachedScript->deref(this) only if m_cachedScript is still non-0). Other callers to HTMLScriptElement::evaluateScript() appear to be safe, since it's the last thing they call.
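The ref()/deref() protection proposed in the comment above, as an added example in plain C++ (not WebKit's code): a toy refcounted element whose onload handler drops the element's last reference, run once without and once with a protecting ref across the dispatch. The class, member and function names are assumptions made for the example.

```cpp
// Added example, not WebKit's code: a minimal model of the bug from comment 1.
// A refcounted script element finishes loading and dispatches onload; the
// handler drops the element's last reference. Without a protecting ref()
// across the dispatch, `this` is deleted mid-method and everything after the
// dispatch is a use-after-free. All names here are hypothetical.
#include <cassert>
#include <functional>

class ScriptElement {
public:
    enum Outcome { Completed, UseAfterFree };
    std::function<void()> onload;   // stands in for the onload event handler
    static int liveCount;           // number of elements currently allocated

    ScriptElement() { ++liveCount; }
    ~ScriptElement() { --liveCount; if (m_destroyedFlag) *m_destroyedFlag = true; }

    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) delete this; }

    // Models HTMLScriptElement::notifyFinished(). `protect` selects the fixed
    // path (hold a ref across dispatch, as comment 1 proposes) or the buggy one.
    Outcome notifyFinished(bool protect) {
        bool destroyed = false;
        m_destroyedFlag = &destroyed;   // destructor reports through this local
        if (protect) ref();             // the fix: keep `this` alive
        std::function<void()> handler = onload;  // copy: dispatch must not
        if (handler) handler();         // run a callable owned by a dead object
        if (destroyed)
            return UseAfterFree;        // real code would now touch freed memory
        m_destroyedFlag = nullptr;
        m_finished = true;              // safe: the protecting ref kept us alive
        if (protect) deref();           // may delete `this`; nothing follows
        return Completed;
    }

private:
    int m_refCount = 0;
    bool m_finished = false;
    bool* m_destroyedFlag = nullptr;
};
int ScriptElement::liveCount = 0;

// Drives the scenario: the document holds the only reference and the onload
// handler removes it, i.e. "a script that deletes its own <script> element".
ScriptElement::Outcome runScenario(bool protect) {
    ScriptElement* script = new ScriptElement;
    script->ref();                                   // document's reference
    script->onload = [script] { script->deref(); };  // removal inside dispatch
    return script->notifyFinished(protect);          // element is gone afterwards
}
```

`runScenario(false)` reports the use-after-free that the crash log above shows as a bad access in `TreeShared::ref()`; `runScenario(true)` completes, and `liveCount` returns to zero in both runs, so the protector does not leak the element.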
Comment 2 mitz 2006-09-25 09:18:00 PDT
Created attachment 10758 [details]
Reduction (will crash)

Crashes run-webkit-tests immediately, in Safari you need to reload to get the crash (might be a good junk/bad junk thing).
Comment 3 Stephanie Lewis 2006-11-06 21:53:37 PST
radar 4701860
Comment 4 mitz 2006-12-15 02:01:40 PST
*** Bug 11837 has been marked as a duplicate of this bug. ***
Comment 5 mitz 2006-12-19 22:36:48 PST
Fixed (completely independently of this Bugzilla bug) by Anders in r18335.
Comment 6 David Kilzer (:ddkilzer) 2006-12-20 03:03:56 PST
(In reply to comment #3)
> radar 4701860

Per r18335, also:

<rdar://problem/4726407> [9A255] Crash in WebCore::EventTargetNode::dispatchEvent

http://trac.webkit.org/projects/webkit/changeset/18335