| Field | Value |
|---|---|
| Summary | Crash in JSGlobalObject::popActivation when inserting hyperlink in Wordpress |
| Product | WebKit |
| Component | JavaScriptCore |
| Status | RESOLVED FIXED |
| Severity | Normal |
| Priority | P1 |
| Version | 528+ (Nightly build) |
| Hardware | Mac (Intel) |
| OS | OS X 10.5 |
| URL | http://wp.chrisjohnston.org/wp-admin |
| Reporter | Steven Hollingsworth <ampcoder> |
| Assignee | Nobody <webkit-unassigned> |
| CC | ap, aroben, ggaren, mitz, zwarich |
| Keywords | InRadar, NeedsReduction |
| Attachments | 19093, 19094 (Problem Report for WebKit crash logs) |
Description
Steven Hollingsworth
2008-02-12 10:16:19 PST
Created attachment 19093 [details]
Problem Report for WebKit

Crash log from reproducible bug.

Created attachment 19094 [details]
Problem Report for WebKit

Crash log from reproducible bug.

Top of debug backtrace:

```
Thread 0 Crashed:
0   com.apple.JavaScriptCore   0x005da9b2 WTF::Vector<KJS::LocalStorageEntry, 32ul>::shrink(unsigned long) + 130 (Vector.h:635)
1   com.apple.JavaScriptCore   0x006042fa KJS::JSGlobalObject::popActivation() + 96 (JSGlobalObject.cpp:543)
2   com.apple.JavaScriptCore   0x0059611d KJS::FunctionExecState::~FunctionExecState() + 137 (ExecState.cpp:213)
3   com.apple.JavaScriptCore   0x0059613f KJS::FunctionExecState::~FunctionExecState() + 17 (ExecState.cpp:213)
4   com.apple.JavaScriptCore   0x0059b512 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 214 (function.cpp:83)
```

*** Bug 17338 has been marked as a duplicate of this bug. ***

See bug 17388 for a testcase that triggers this same crash in a different way.

Sorry, that should have been: See bug 17338 for a testcase that triggers this same crash in a different way.

The crash happens because the global object's "activations" stack is NULL.

I found the cause of the bug. For some reason, JSGlobalObject::reset() is being called, which changes activationCount from 6 to 0. This triggers the test in checkActivation() which then sets activationStackNode to NULL.

JSGlobalObject::reset gets called as a result of loading a javascript: URL into the script's <iframe>. I think the error here is that the javascript: URL loads synchronously, potentially navigating during a script execution. See this comment, from the coder who came across this bug last, but decided not to fix it:

```cpp
// FIXME: We should always replace the document, but doing so
// synchronously can cause crashes:
// http://bugs.webkit.org/show_bug.cgi?id=16782
if (replaceDocument) {
    begin(m_URL, true, currentSecurityOrigin);
    write(scriptResult);
    end();
}
```

The example wasn't working for me because of the changes to disable local storage in clients that don't implement the proper delegate methods. Mark sent me a patch that removes this restriction, and I was able to reproduce the bug.

It crashes for the same reason as bug 17329: JSGlobalObject::reset() is called while there is still a single element on the activation stack, causing the next call to JSGlobalObject::popActivation() to segfault. However, bug 17329 was traced by Geoff down to javascript: links, whereas none of those appear in this example. Therefore, I think that calling this a duplicate of bug 17329 is premature. I will trace the calls to JSGlobalObject::reset() and see why it is being called in the middle of script execution.

Oops. I posted in the wrong bug. :P
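The mechanism the comments above describe, as an added example written for this page (it is not WebKit or JavaScriptCore code): a small C++ model in which reset() zeroes the activation count while a script is still executing, checkActivation() then frees the stack node, and the next popActivation() finds a null stack. The null dereference is reported as a status value instead of a segfault so the sequence can be exercised safely. The class and function names (GlobalObjectModel, runScriptWithSyncNavigation, the deferred-reset guard) are assumptions for illustration, and the guard is one possible mitigation, not the fix that resolved this bug.

```cpp
// Added example for this bug page; not WebKit/JavaScriptCore code.
// Models: reset() during script execution -> activationCount = 0 ->
// checkActivation() frees the node -> popActivation() sees a null stack.
#include <cstddef>
#include <cstdio>
#include <memory>
#include <vector>

class GlobalObjectModel {
public:
    enum class PopResult { Ok, NullStack };

    // Entering a function call: allocate the stack node on first use.
    void pushActivation() {
        if (!m_stackNode)
            m_stackNode = std::make_unique<std::vector<std::size_t>>();
        m_stackNode->push_back(m_activationCount);
        ++m_activationCount;
    }

    // Leaving a function call. Like the crashing popActivation(), this
    // trusts that the node is still allocated; NullStack stands in for
    // the segfault seen in the backtrace.
    PopResult popActivation() {
        if (!m_stackNode)
            return PopResult::NullStack;
        m_stackNode->pop_back();
        --m_activationCount;
        checkActivation();
        return PopResult::Ok;
    }

    // Behaviour described in the bug: the count drops to zero no matter
    // how many activations are live, and checkActivation() frees the node.
    void resetUnguarded() {
        m_activationCount = 0;
        checkActivation();
    }

    // Assumed guard (not WebKit's fix): if a script is still running,
    // defer the reset until all of its activations have been popped.
    void resetGuarded() {
        if (m_activationCount > 0) {
            m_pendingReset = true;
            return;
        }
        resetUnguarded();
    }

    std::size_t activationCount() const { return m_activationCount; }
    bool hasPendingReset() const { return m_pendingReset; }

private:
    void checkActivation() {
        if (m_activationCount == 0) {
            m_stackNode.reset();    // activationStackNode becomes null
            m_pendingReset = false; // a deferred reset completes here
        }
    }

    std::unique_ptr<std::vector<std::size_t>> m_stackNode;
    std::size_t m_activationCount = 0;
    bool m_pendingReset = false;
};

// Two nested calls are live when a synchronous javascript: URL load
// replaces the document (modelled as calling reset mid-script).
GlobalObjectModel::PopResult runScriptWithSyncNavigation(GlobalObjectModel& g, bool useGuard) {
    g.pushActivation(); // outer function
    g.pushActivation(); // nested function that triggers the load
    if (useGuard)
        g.resetGuarded();
    else
        g.resetUnguarded();
    GlobalObjectModel::PopResult r = g.popActivation(); // ~FunctionExecState of nested call
    if (r != GlobalObjectModel::PopResult::Ok)
        return r;
    return g.popActivation(); // ~FunctionExecState of outer call
}

bool unguardedResetCrashes() {
    GlobalObjectModel g;
    return runScriptWithSyncNavigation(g, false) == GlobalObjectModel::PopResult::NullStack;
}

bool guardedResetUnwindsCleanly() {
    GlobalObjectModel g;
    bool ok = runScriptWithSyncNavigation(g, true) == GlobalObjectModel::PopResult::Ok;
    return ok && g.activationCount() == 0 && !g.hasPendingReset();
}

int main() {
    std::printf("unguarded reset -> null stack on pop: %s\n", unguardedResetCrashes() ? "yes" : "no");
    std::printf("guarded reset unwinds cleanly: %s\n", guardedResetUnwindsCleanly() ? "yes" : "no");
    return 0;
}
```

The point of the model is the invariant: the activation count and the stack node must only be cleared when no FunctionExecState is still alive to pop. Any reset path that can run synchronously from inside script execution, such as the document replacement in the FIXME snippet above, has to either refuse to run or be deferred until the script has unwound.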