Bug 11010

Summary: REGRESSION: Repro crash in <script> onload event dispatch
Product: WebKit Reporter: mitz
Component: New BugsAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: ap, ddkilzer, miles_b
Priority: P1 Keywords: HasReduction, InRadar, Regression
Version: 420+   
Hardware: Mac   
OS: OS X 10.4   
URL: http://apartmentcities.com/Apartments/map.asp?apt=12606
Attachments:
Description Flags
Reduction (will crash) none

mitz
Reported 2006-09-24 13:29:10 PDT
This is what I get going to the above URL with TOT: EXC_BAD_ACCESS (0x0001) KERN_PROTECTION_FAILURE (0x0002) at 0x003a0033 Thread 0 Crashed: 0 WebCore::TreeShared<WebCore::Node>::ref() + 32 (Shared.h:51) 1 WebCore::EventTargetNode::dispatchGenericEvent(WTF::PassRefPtr<WebCore::Event>, int&, bool) + 304 (EventTargetNode.cpp:179) 2 WebCore::EventTargetNode::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, int&, bool) + 348 (EventTargetNode.cpp:292) 3 WebCore::EventTargetNode::dispatchHTMLEvent(WebCore::AtomicString const&, bool, bool) + 172 (EventTargetNode.cpp:481) 4 WebCore::HTMLScriptElement::notifyFinished(WebCore::CachedResource*) + 244 (HTMLScriptElement.cpp:155) 5 WebCore::CachedScript::checkNotify() + 112 (CachedScript.cpp:108) 6 WebCore::CachedScript::data(WTF::Vector<char, (unsigned long)0>&, bool) + 184 (CachedScript.cpp:100) 7 WebCore::Loader::receivedAllData(WebCore::ResourceLoader*, NSData*) + 464 (loader.cpp:138) 8 -[WebCoreResourceLoaderImp finishJobAndHandle:] + 180 (WebCoreResourceLoaderImp.mm:98) 9 -[WebCoreResourceLoaderImp finishWithData:] + 196 (WebCoreResourceLoaderImp.mm:130) ...
Attachments
Reduction (will crash) (306 bytes, text/html)
2006-09-25 09:18 PDT, mitz 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
mitz
Comment 1 2006-09-24 23:33:49 PDT
The problem appears to be a script that deletes its own <script> element. Looks like the fix is for HTMLScriptElement::notifyFinished() to protect itself with a ref()/deref() (it will also be cleaner to change the cs->deref(this) to m_cachedScript->deref(this) only if m_cachedScript is still non-0). Other callers to HTMLScriptElement::evaluateScript() appear to be safe, since it's the last thing they call.
mitz
Comment 2 2006-09-25 09:18:00 PDT
Created attachment 10758 [details] Reduction (will crash) Crashes run-webkit-tests immediately, in Safari you need to reload to get the crash (might be a good junk/bad junk thing).
Stephanie Lewis
Comment 3 2006-11-06 21:53:37 PST
radar 4701860
mitz
Comment 4 2006-12-15 02:01:40 PST
*** Bug 11837 has been marked as a duplicate of this bug. ***
mitz
Comment 5 2006-12-19 22:36:48 PST
Fixed (completely independently of this Bugzilla bug) by Anders in r18335.
David Kilzer (:ddkilzer)
Comment 6 2006-12-20 03:03:56 PST
(In reply to comment #3) > radar 4701860 Per r18335, also: <rdar://problem/4726407> [9A255] Crash in WebCore::EventTargetNode::dispatchEvent http://trac.webkit.org/projects/webkit/changeset/18335
Note You need to log in before you can comment on or make changes to this bug.