Bug 17329

Summary: Crash in JSGlobalObject::popActivation when inserting hyperlink in Wordpress
Product: WebKit
Reporter: Steven Hollingsworth <ampcoder>
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Severity: Normal
CC: ap, aroben, ggaren, mitz, zwarich
Priority: P1
Keywords: InRadar, NeedsReduction
Version: 528+ (Nightly build)
Hardware: Mac (Intel)
OS: OS X 10.5
URL: http://wp.chrisjohnston.org/wp-admin
Attachments (Description, Flags):
  Problem Report for WebKit
  Problem Report for WebKit, none

Description Steven Hollingsworth 2008-02-12 10:16:19 PST
To reproduce this:

1) Log in to http://wp.chrisjohnston.org/wp-admin with username/password: admin/demo.
2) Go to edit a page.
3) Double click a word in the post to select it.
4) Click on the "Make Hyperlink" button on the menu bar.
5) Fill in the text boxes with whatever you want.
6) Click on "Insert".
7) WebKit crashes.
Comment 1 Steven Hollingsworth 2008-02-12 10:16:55 PST
Created attachment 19093 [details]
Problem Report for WebKit

Crash log from reproducible bug.
Comment 2 Steven Hollingsworth 2008-02-12 10:17:19 PST
Created attachment 19094 [details]
Problem Report for WebKit

Crash log from reproducible bug.
Comment 3 mitz 2008-02-12 10:29:14 PST
Comment 4 Geoffrey Garen 2008-02-12 15:29:22 PST
Top of debug backtrace:

Thread 0 Crashed:
0   com.apple.JavaScriptCore      	0x005da9b2 WTF::Vector<KJS::LocalStorageEntry, 32ul>::shrink(unsigned long) + 130 (Vector.h:635)
1   com.apple.JavaScriptCore      	0x006042fa KJS::JSGlobalObject::popActivation() + 96 (JSGlobalObject.cpp:543)
2   com.apple.JavaScriptCore      	0x0059611d KJS::FunctionExecState::~FunctionExecState() + 137 (ExecState.cpp:213)
3   com.apple.JavaScriptCore      	0x0059613f KJS::FunctionExecState::~FunctionExecState() + 17 (ExecState.cpp:213)
4   com.apple.JavaScriptCore      	0x0059b512 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 214 (function.cpp:83)
Comment 5 Adam Roben (:aroben) 2008-02-13 08:28:26 PST
*** Bug 17338 has been marked as a duplicate of this bug. ***
Comment 6 Adam Roben (:aroben) 2008-02-13 08:29:14 PST
ee bug 17388 for a testcase that triggers this same crash in a different way.
Comment 7 Adam Roben (:aroben) 2008-02-13 08:29:50 PST
Sorry, that should have been:

See bug 17338 for a testcase that triggers this same crash in a different way.
Comment 8 Geoffrey Garen 2008-02-13 10:46:12 PST
The crash happens because the global object's "activations" stack is NULL.
Comment 9 Cameron Zwarich (cpst) 2008-02-13 14:11:00 PST
I found the cause of the bug. For some reason, JSGlobalObject::reset() is being called, which changes activationCount from 6 to 0. This triggers the test in checkActivation() which then sets activationStackNode to NULL.
Comment 10 Geoffrey Garen 2008-02-13 14:44:50 PST
JSGlobalObject::reset gets called as a result of loading a javascript: URL into the script's <iframe>.
Comment 11 Geoffrey Garen 2008-02-13 14:52:31 PST
I think the error here is that the javascript: URL loads synchronously, potentially navigating during a script execution. See this comment, from the coder who came across this bug last, but decided not to fix it:

    // FIXME: We should always replace the document, but doing so
    //        synchronously can cause crashes:
    //        http://bugs.webkit.org/show_bug.cgi?id=16782
    if (replaceDocument) {
        begin(m_URL, true, currentSecurityOrigin);

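As an added illustration of the mechanism described in comments 8 through 11 (constructed example code, not JavaScriptCore's own), the block below models a global object's activation stack whose reset() is invoked while six activations are live, as a synchronous javascript: navigation mid-script would do, beside a guarded reset that refuses to tear the stack down while functions are still executing. All struct and function names are assumed stand-ins for the JSGlobalObject members named above.

```c
#include <stddef.h>
#include <stdlib.h>

/* Toy model, constructed for this example (not JavaScriptCore's code), of the
 * activation stack from comments 8-11: a heap node of activation slots, a live
 * count, and checkActivation() releasing the node once the count reaches 0. */
typedef struct {
    int *stackNode;          /* NULL models activationStackNode == NULL */
    size_t activationCount;  /* nesting depth of functions still running */
} GlobalObject;

static void checkActivation(GlobalObject *g) {
    if (g->activationCount)
        return;
    free(g->stackNode);      /* nothing executing: release the node */
    g->stackNode = NULL;
}
static void pushActivation(GlobalObject *g) {
    if (!g->stackNode && !(g->stackNode = calloc(32, sizeof(int))))
        abort();
    g->stackNode[g->activationCount++] = 1;
}
/* Returns 0 on success, -1 where the original would have dereferenced the NULL
 * node inside Vector::shrink() (frame 0 of the backtrace in comment 4). */
static int popActivation(GlobalObject *g) {
    if (!g->stackNode || g->activationCount == 0)
        return -1;
    g->stackNode[--g->activationCount] = 0;
    checkActivation(g);
    return 0;
}
/* reset(): unconditional in the described code. The guarded variant refuses
 * (-1) while script is still executing, so the caller can defer the reset. */
static int resetGlobalObject(GlobalObject *g, int guarded) {
    if (guarded && g->activationCount > 0)
        return -1;
    g->activationCount = 0;
    checkActivation(g);
    return 0;
}
/* Replay comment 9: six nested activations, a reset mid-execution, then the pop
 * that crashed. Returns that pop's result: -1 unguarded, 0 guarded. */
int simulateMidScriptReset(int guarded) {
    GlobalObject g = { NULL, 0 };
    for (int i = 0; i < 6; i++) pushActivation(&g);
    resetGlobalObject(&g, guarded);
    int rc = popActivation(&g);
    while (popActivation(&g) == 0) {}  /* unwind the rest, freeing the node */
    return rc;
}
```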
Comment 12 Cameron Zwarich (cpst) 2008-02-13 23:04:42 PST
The example wasn't working for me because of the changes to disable local storage in clients that don't implement the proper delegate methods. Mark sent me a patch that removes this restriction, and I was able to reproduce the bug.

It crashes for the same reason as bug 17329, JSGlobalObject::reset() is called while there is still a single element on the activation stack, causing the next call to JSGlobalObject::popActivation() to segfault. However, bug 17329 was traced by Geoff down to javascript: links, whereas none of those appear in this example. Therefore, I think that calling this a duplicate of bug 17329 is premature. I will trace the calls to JSGlobalObject::reset() and see why it is being called in the middle of script execution.
Comment 13 Cameron Zwarich (cpst) 2008-02-13 23:05:36 PST
Oops. I posted in the wrong bug. :P
Comment 14 Geoffrey Garen 2008-02-14 15:31:23 PST