Bug 120577

Summary: REGRESSION (r154881): Crash on Macworld.com when expanding comments
Product: WebKit
Reporter: Philippe Wittenbergh <phiw2>
Component: DOM
Assignee: Arpita Bahuguna <arpitabahuguna>
Status: RESOLVED FIXED
Severity: Major
CC: a.bah, andersca, ap, arpitabahuguna, cmarcelo, commit-queue, darin, esprehn+autocc, kangil.han, kling, rniwa
Priority: P1
Keywords: InRadar, Regression
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
URL: http://www.macworld.com/article/2047899/macalope-weekly-the-axis-of-dumb.html
Bug Depends on: 120293
Bug Blocks:
Attachments: Patch (flags: koivisto: review-)

Philippe Wittenbergh
Reported 2013-09-01 02:51:35 PDT
1. Load URL: http://www.macworld.com/article/2047899/macalope-weekly-the-axis-of-dumb.html
2. scroll down to comments, sort by oldest first.
3. scroll down further, click button ‘show more’

result: poof, crash

Reproduced with r154939, r154932, possibly older, but I don’t have time to test right now.

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore   0x000000010d19995d WebCore::HTMLElement::eventNameForAttributeName(WebCore::QualifiedName const&) const + 29
1   com.apple.WebCore   0x000000010d19ce60 WebCore::HTMLElement::parseAttribute(WebCore::QualifiedName const&, WTF::AtomicString const&) + 288
2   com.apple.WebCore   0x000000010d08dada WebCore::Element::attributeChanged(WebCore::QualifiedName const&, WTF::AtomicString const&, WebCore::Element::AttributeModificationReason) + 42
3   com.apple.WebCore   0x000000010d0946b4 WebCore::Element::setAttributeInternal(unsigned int, WebCore::QualifiedName const&, WTF::AtomicString const&, WebCore::Element::SynchronizationOfLazyAttribute) + 500
4   com.apple.WebCore   0x000000010d08d9e4 WebCore::Element::setAttribute(WTF::AtomicString const&, WTF::AtomicString const&, int&) + 260
5   com.apple.WebCore   0x000000010d3b9fd7 WebCore::jsElementPrototypeFunctionSetAttribute(JSC::ExecState*) + 567
6   ???                 0x000032d959401045 0 + 55909086662725
7   com.apple.JavaScriptCore   0x000000010ca66601 JSC::JITCode::execute(JSC::JSStack*, JSC::ExecState*, JSC::VM*) + 49
8   com.apple.JavaScriptCore   0x000000010ca4cf4d JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 573
9   com.apple.JavaScriptCore   0x000000010c9234e5 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 69
10  com.apple.WebCore   0x000000010d3cc78c WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) + 908
11  com.apple.WebCore   0x000000010d0b4b6c WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul, WTF::CrashOnOverflow>&) + 364
12  com.apple.WebCore   0x000000010d0b4815 WebCore::EventTarget::fireEventListeners(WebCore::Event*) + 469
13  com.apple.WebCore   0x000000010d61dca3 WebCore::Node::handleLocalEvents(WebCore::Event*) + 67
14  com.apple.WebCore   0x000000010d09c137 WebCore::EventContext::handleLocalEvents(WebCore::Event*) const + 87
15  com.apple.WebCore   0x000000010d09cf21 WebCore::EventDispatcher::dispatch() + 721
16  com.apple.WebCore   0x000000010d60b37f WebCore::MouseEventDispatchMediator::dispatchEvent(WebCore::EventDispatcher*) const + 159
17  com.apple.WebCore   0x000000010d09c34c WebCore::EventDispatcher::dispatchEvent(WebCore::Node*, WTF::PassRefPtr<WebCore::EventDispatchMediator>) + 124
18  com.apple.WebCore   0x000000010d61e3a5 WebCore::Node::dispatchMouseEvent(WebCore::PlatformMouseEvent const&, WTF::AtomicString const&, int, WebCore::Node*) + 133
19  com.apple.WebCore   0x000000010d0a3afb WebCore::EventHandler::dispatchMouseEvent(WTF::AtomicString const&, WebCore::Node*, bool, int, WebCore::PlatformMouseEvent const&, bool) + 107
20  com.apple.WebCore   0x000000010d0a55ae WebCore::EventHandler::handleMouseReleaseEvent(WebCore::PlatformMouseEvent const&) + 1198
21  com.apple.WebKit2   0x000000010c59c4e8 WebKit::handleMouseEvent(WebKit::WebMouseEvent const&, WebKit::WebPage*, bool) + 419
22  com.apple.WebKit2   0x000000010c59c309 WebKit::WebPage::mouseEvent(WebKit::WebMouseEvent const&) + 221
23  com.apple.WebKit2   0x000000010c5af354 void CoreIPC::handleMessage<Messages::WebPage::MouseEvent, WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::WebMouseEvent const&)>(CoreIPC::MessageDecoder&, WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::WebMouseEvent const&)) + 83
24  com.apple.WebKit2   0x000000010c4e4963 CoreIPC::MessageReceiverMap::dispatchMessage(CoreIPC::Connection*, CoreIPC::MessageDecoder&) + 137
25  com.apple.WebKit2   0x000000010c5ea59e WebKit::WebProcess::didReceiveMessage(CoreIPC::Connection*, CoreIPC::MessageDecoder&) + 34
26  com.apple.WebKit2   0x000000010c4b9fc5 CoreIPC::Connection::dispatchMessage(WTF::PassOwnPtr<CoreIPC::MessageDecoder>) + 105
27  com.apple.WebKit2   0x000000010c4bbb2e CoreIPC::Connection::dispatchOneMessage() + 106
28  com.apple.WebCore   0x000000010d7f6e11 WebCore::RunLoop::performWork() + 129
29  com.apple.WebCore   0x000000010d7f73d2 WebCore::RunLoop::performWork(void*) + 34
30  com.apple.CoreFoundation   0x00007fff93f94b31 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
31  com.apple.CoreFoundation   0x00007fff93f94455 __CFRunLoopDoSources0 + 245
32  com.apple.CoreFoundation   0x00007fff93fb77f5 __CFRunLoopRun + 789
33  com.apple.CoreFoundation   0x00007fff93fb70e2 CFRunLoopRunSpecific + 290
34  com.apple.HIToolbox   0x00007fff93770eb4 RunCurrentEventLoopInMode + 209
35  com.apple.HIToolbox   0x00007fff93770c52 ReceiveNextEventCommon + 356
36  com.apple.HIToolbox   0x00007fff93770ae3 BlockUntilNextEventMatchingListInMode + 62
37  com.apple.AppKit   0x00007fff914b2533 _DPSNextEvent + 685
38  com.apple.AppKit   0x00007fff914b1df2 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
39  com.apple.AppKit   0x00007fff914a91a3 -[NSApplication run] + 517
40  com.apple.WebCore   0x000000010d7f7a52 WebCore::RunLoop::run() + 82
41  com.apple.WebKit2   0x000000010c55a26a int WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebContentProcessMainDelegate>(int, char**) + 422
42  com.apple.WebProcess   0x000000010c472e23 main + 337
43  libdyld.dylib   0x00007fff89efb7e1 start + 1

Thread 1:: Dispatch queue: com.apple.libdispatch-manager
0   libsystem_kernel.dylib   0x00007fff8e7e0d16 kevent + 10
1   libdispatch.dylib   0x00007fff93a46dea _dispatch_mgr_invoke + 883
2   libdispatch.dylib   0x00007fff93a469ee _dispatch_mgr_thread + 54

Thread 2:: JavaScriptCore::BlockFree
0   libsystem_kernel.dylib   0x00007fff8e7e00fa __psynch_cvwait + 10
1   libsystem_c.dylib   0x00007fff8c04bfe9 _pthread_cond_wait + 869
2   com.apple.JavaScriptCore   0x000000010cc2ec26 WTF::ThreadCondition::timedWait(WTF::Mutex&, double) + 118
3   com.apple.JavaScriptCore   0x000000010c90981b JSC::BlockAllocator::blockFreeingThreadMain() + 123
4   com.apple.JavaScriptCore   0x000000010cc2df3f WTF::wtfThreadEntryPoint(void*) + 15
5   libsystem_c.dylib   0x00007fff8c0477a2 _pthread_start + 327
6   libsystem_c.dylib   0x00007fff8c0341e1 thread_start + 13

Thread 3:: JavaScriptCore::Marking
0   libsystem_kernel.dylib   0x00007fff8e7e00fa __psynch_cvwait + 10
1   libsystem_c.dylib   0x00007fff8c04bfe9 _pthread_cond_wait + 869
2   com.apple.JavaScriptCore   0x000000010ca3f0eb JSC::GCThread::waitForNextPhase() + 123
3   com.apple.JavaScriptCore   0x000000010ca3f1af JSC::GCThread::gcThreadMain() + 143
4   com.apple.JavaScriptCore   0x000000010cc2df3f WTF::wtfThreadEntryPoint(void*) + 15
5   libsystem_c.dylib   0x00007fff8c0477a2 _pthread_start + 327
6   libsystem_c.dylib   0x00007fff8c0341e1 thread_start + 13

Thread 4:: WebCore: Scrolling
0   libsystem_kernel.dylib   0x00007fff8e7de686 mach_msg_trap + 10
1   libsystem_kernel.dylib   0x00007fff8e7ddc42 mach_msg + 70
2   com.apple.CoreFoundation   0x00007fff93fb2233 __CFRunLoopServiceMachPort + 195
3   com.apple.CoreFoundation   0x00007fff93fb7916 __CFRunLoopRun + 1078
4   com.apple.CoreFoundation   0x00007fff93fb70e2 CFRunLoopRunSpecific + 290
5   com.apple.CoreFoundation   0x00007fff93fc5dd1 CFRunLoopRun + 97
6   com.apple.WebCore   0x000000010d8229ce WebCore::ScrollingThread::initializeRunLoop() + 254
7   com.apple.JavaScriptCore   0x000000010cc2df3f WTF::wtfThreadEntryPoint(void*) + 15
8   libsystem_c.dylib   0x00007fff8c0477a2 _pthread_start + 327
9   libsystem_c.dylib   0x00007fff8c0341e1 thread_start + 13

Thread 5:: com.apple.NSURLConnectionLoader
0   libsystem_kernel.dylib   0x00007fff8e7de686 mach_msg_trap + 10
1   libsystem_kernel.dylib   0x00007fff8e7ddc42 mach_msg + 70
2   com.apple.CoreFoundation   0x00007fff93fb2233 __CFRunLoopServiceMachPort + 195
3   com.apple.CoreFoundation   0x00007fff93fb7916 __CFRunLoopRun + 1078
4   com.apple.CoreFoundation   0x00007fff93fb70e2 CFRunLoopRunSpecific + 290
5   com.apple.Foundation   0x00007fff8c55c546 +[NSURLConnection(Loader) _resourceLoadLoop:] + 356
6   com.apple.Foundation   0x00007fff8c5ba562 __NSThread__main__ + 1345
7   libsystem_c.dylib   0x00007fff8c0477a2 _pthread_start + 327
8   libsystem_c.dylib   0x00007fff8c0341e1 thread_start + 13

Thread 6:: com.apple.CFSocket.private
0   libsystem_kernel.dylib   0x00007fff8e7e0322 __select + 10
1   com.apple.CoreFoundation   0x00007fff93ff6f46 __CFSocketManager + 1302
2   libsystem_c.dylib   0x00007fff8c0477a2 _pthread_start + 327
3   libsystem_c.dylib   0x00007fff8c0341e1 thread_start + 13

Thread 7:: JSC Compilation Thread
0   libsystem_kernel.dylib   0x00007fff8e7e00fa __psynch_cvwait + 10
1   libsystem_c.dylib   0x00007fff8c04bfe9 _pthread_cond_wait + 869
2   com.apple.JavaScriptCore   0x000000010ca3379b JSC::DFG::Worklist::runThread() + 763
3   com.apple.JavaScriptCore   0x000000010cc2df3f WTF::wtfThreadEntryPoint(void*) + 15
4   libsystem_c.dylib   0x00007fff8c0477a2 _pthread_start + 327
5   libsystem_c.dylib   0x00007fff8c0341e1 thread_start + 13

Thread 8:: QTKit: listenOnDelegatePort
0   libsystem_kernel.dylib   0x00007fff8e7de686 mach_msg_trap + 10
1   libsystem_kernel.dylib   0x00007fff8e7ddc42 mach_msg + 70
2   com.apple.CoreFoundation   0x00007fff93fb2233 __CFRunLoopServiceMachPort + 195
3   com.apple.CoreFoundation   0x00007fff93fb7916 __CFRunLoopRun + 1078
4   com.apple.CoreFoundation   0x00007fff93fb70e2 CFRunLoopRunSpecific + 290
5   com.apple.CoreFoundation   0x00007fff93fc5dd1 CFRunLoopRun + 97
6   com.apple.QTKit   0x00007fff89d9b2d6 listenOnDelegatePort + 403
7   libsystem_c.dylib   0x00007fff8c0477a2 _pthread_start + 327
8   libsystem_c.dylib   0x00007fff8c0341e1 thread_start + 13

Thread 9:: QTKit: listenOnNotificationPort
0   libsystem_kernel.dylib   0x00007fff8e7de686 mach_msg_trap + 10
1   libsystem_kernel.dylib   0x00007fff8e7ddc42 mach_msg + 70
2   com.apple.CoreFoundation   0x00007fff93fb2233 __CFRunLoopServiceMachPort + 195
3   com.apple.CoreFoundation   0x00007fff93fb7916 __CFRunLoopRun + 1078
4   com.apple.CoreFoundation   0x00007fff93fb70e2 CFRunLoopRunSpecific + 290
5   com.apple.CoreFoundation   0x00007fff93fc5dd1 CFRunLoopRun + 97
6   com.apple.QTKit   0x00007fff89d9b771 listenOnNotificationPort + 371
7   libsystem_c.dylib   0x00007fff8c0477a2 _pthread_start + 327
8   libsystem_c.dylib   0x00007fff8c0341e1 thread_start + 13

Thread 10:
0   libsystem_kernel.dylib   0x00007fff8e7e06d6 __workq_kernreturn + 10
1   libsystem_c.dylib   0x00007fff8c049f4c _pthread_workq_return + 25
2   libsystem_c.dylib   0x00007fff8c049d13 _pthread_wqthread + 412
3   libsystem_c.dylib   0x00007fff8c0341d1 start_wqthread + 13

Thread 11:
0   libsystem_kernel.dylib   0x00007fff8e7e06d6 __workq_kernreturn + 10
1   libsystem_c.dylib   0x00007fff8c049f4c _pthread_workq_return + 25
2   libsystem_c.dylib   0x00007fff8c049d13 _pthread_wqthread + 412
3   libsystem_c.dylib   0x00007fff8c0341d1 start_wqthread + 13

Thread 12:
0   libsystem_kernel.dylib   0x00007fff8e7e06d6 __workq_kernreturn + 10
1   libsystem_c.dylib   0x00007fff8c049f4c _pthread_workq_return + 25
2   libsystem_c.dylib   0x00007fff8c049d13 _pthread_wqthread + 412
3   libsystem_c.dylib   0x00007fff8c0341d1 start_wqthread + 13

Thread 0 crashed with X86 Thread State (64-bit):
  rax: 0x0000000000000000  rbx: 0x000000011f3d8540  rcx: 0x000000010dfc1af8  rdx: 0x00000001139e56f0
  rdi: 0x00007fff5378b4d8  rsi: 0x00000001139e56f0  rbp: 0x00007fff5378b4b0  rsp: 0x00007fff5378ad90
   r8: 0x0000000112ef30b0   r9: 0x0000000112ef30d4  r10: 0x0000000117c3fb98  r11: 0x0000000000000007
  r12: 0x00000001139e56f0  r13: 0x000000011f3d8540  r14: 0x00000001139e56f0  r15: 0x00007fff5378b4d8
  rip: 0x000000010d19995d  rfl: 0x0000000000010206  cr2: 0x0000000000000018
Logical CPU: 0
Attachments
Patch (1.94 KB, patch)
2013-09-02 02:41 PDT, Arpita Bahuguna
koivisto: review-
Zan Dobersek
Comment 1 2013-09-01 05:21:35 PDT
Like in bug #120336 the crash originates in mouse event handling, but the end location differs.
Alexey Proskuryakov
Comment 2 2013-09-01 09:42:39 PDT
Alexey Proskuryakov
Comment 3 2013-09-01 09:42:59 PDT
Darin Adler
Comment 4 2013-09-01 12:13:24 PDT
I have some time right now to work on this. I’ll see if I can quickly fix it.
Darin Adler
Comment 5 2013-09-01 12:30:49 PDT
I could not reproduce the crash with these steps to reproduce.
Darin Adler
Comment 6 2013-09-01 12:35:03 PDT
Not sure I understand the bug, but my guess at a fix would be to change the type of attributeName in Element::setAttributeInternal to QualifiedName instead of const QualifiedName&.
Arpita Bahuguna
Comment 7 2013-09-02 02:41:02 PDT
Antti Koivisto
Comment 8 2013-09-02 03:48:42 PDT
Comment on attachment 210272: Patch

This is wrong. attributeAt(index) is invoked on the line above. I suspect that the bug is that attributeName should be captured into a local variable instead of a reference. This needs a test case.
Alexey Proskuryakov
Comment 9 2013-09-02 09:14:40 PDT
Does this mean that we have a broken version of clang (such brokenness discussed in detail in bug 84980)?
Darin Adler
Comment 10 2013-09-02 23:35:16 PDT
No, I don’t think it’s a compiler bug at all. It’s true that the compiler is supposed to extend the life if the return value is an AtomicString and it is stored in a const AtomicString& local. But I believe in this case, the return value is const AtomicString&, and it’s up to us to use the AtomicString type for the local to state that we want it to be ref'd. Although I am not sure precisely how the original AtomicString ends up being destroyed before we use the reference later in the function, I am pretty sure that is what is happening.
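The pattern Antti (comment 8) and Darin (comment 10) describe, as an added illustration that is not part of the bug thread and not WebKit's code: a function returns a const& into an element's attribute storage, the caller binds it to a const& local (no lifetime extension, because the callee returned a reference rather than a temporary), the storage is then replaced during the mutation, and the local dangles. The Attribute, AttributeData and Element classes, the attributeName/ensureUniqueData/setAttributeBuggy/setAttributeFixed names and the sample attributes are all constructed for this example. One deliberate deviation from reality: ensureUniqueData() poisons the old storage with "<freed>" and parks it instead of freeing it, so the dangling read stays well-defined and observable here; in a real build the old block is freed and AddressSanitizer would report the same read as a heap use-after-free.

```cpp
#include <cstddef>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Constructed model of an element's attribute storage (hypothetical names).
struct Attribute {
    std::string name;
    std::string value;
};

class AttributeData {
public:
    explicit AttributeData(std::vector<Attribute> attrs) : attrs_(std::move(attrs)) {}
    const Attribute& at(std::size_t i) const { return attrs_.at(i); }
    Attribute& at(std::size_t i) { return attrs_.at(i); }
    // Stand-in for deallocation: overwrite the contents so a dangling reference
    // reads an obviously wrong value instead of triggering undefined behaviour.
    void poison() {
        for (Attribute& a : attrs_) { a.name = "<freed>"; a.value = "<freed>"; }
    }
private:
    std::vector<Attribute> attrs_;
};

class Element {
public:
    explicit Element(std::vector<Attribute> attrs)
        : data_(std::make_shared<AttributeData>(std::move(attrs))) {}

    // Returns a reference into the current storage, not a temporary, so binding
    // the result to a const& local does NOT extend any lifetime.
    const std::string& attributeName(std::size_t i) const { return data_->at(i).name; }
    const std::string& attributeValue(std::size_t i) const { return data_->at(i).value; }

    // Mutation replaces the storage with a fresh copy (copy-on-write style).
    // The old block is poisoned and parked rather than freed, purely so that the
    // buggy path below stays observable and well-defined in this demonstration.
    void ensureUniqueData() {
        std::shared_ptr<AttributeData> fresh = std::make_shared<AttributeData>(*data_);
        std::shared_ptr<AttributeData> old = data_;
        data_ = fresh;
        old->poison();
        retired_.push_back(old);
    }

    // Buggy: 'name' is a reference into storage that ensureUniqueData() discards.
    std::string setAttributeBuggy(std::size_t i, const std::string& newValue) {
        const std::string& name = attributeName(i);  // reference, not a copy
        ensureUniqueData();                          // old storage is gone
        data_->at(i).value = newValue;
        return name;                                 // reads the discarded block
    }

    // Fixed: a value-typed local owns its own copy across the mutation.
    std::string setAttributeFixed(std::size_t i, const std::string& newValue) {
        const std::string name = attributeName(i);
        ensureUniqueData();
        data_->at(i).value = newValue;
        return name;
    }

private:
    std::shared_ptr<AttributeData> data_;
    std::vector<std::shared_ptr<AttributeData>> retired_;
};

// Constructed sample element with two attributes.
static Element makeSampleElement() {
    return Element({{"id", "comments"}, {"onclick", "expand()"}});
}

// Name observed by the buggy path after the mutation ("<freed>").
std::string buggyObservedName() {
    Element e = makeSampleElement();
    return e.setAttributeBuggy(1, "collapse()");
}

// Name observed by the fixed path after the mutation ("onclick").
std::string fixedObservedName() {
    Element e = makeSampleElement();
    return e.setAttributeFixed(1, "collapse()");
}

// The new value lands either way; only what 'name' refers to differs.
std::string valueAfterFixedSet() {
    Element e = makeSampleElement();
    e.setAttributeFixed(1, "collapse()");
    return e.attributeValue(1);
}

int main() {
    return (buggyObservedName() == "<freed>" && fixedObservedName() == "onclick") ? 0 : 1;
}
```

The fix is the one Darin's comment points at: the local's type, not the callee's return type, decides whether the caller holds a reference or a copy, so spell out the value type (std::string here, AtomicString in WebCore) whenever anything between the read and the last use can replace the storage.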
Alexey Proskuryakov
Comment 11 2013-09-03 09:51:46 PDT
Indeed, thank you for the explanation.
Andreas Kling
Comment 12 2013-09-03 11:30:52 PDT
Rolled out the original change in <https://trac.webkit.org/r154991>