Bug 17329

Summary: Crash in JSGlobalObject::popActivation when inserting hyperlink in Wordpress
Product: WebKit
Reporter: Steven Hollingsworth <ampcoder>
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: ap, aroben, ggaren, mitz, zwarich
Priority: P1
Keywords: InRadar, NeedsReduction
Version: 528+ (Nightly build)
Hardware: Mac (Intel)
OS: OS X 10.5
URL: http://wp.chrisjohnston.org/wp-admin

Steven Hollingsworth
Reported 2008-02-12 10:16:19 PST
To reproduce this:
1) Login to http://wp.chrisjohnston.org/wp-admin with username/password: admin/demo.
2) Go to edit a page.
3) Double click a word in the post to select it.
4) Click on the "Make Hyperlink" button on the menu bar.
5) Fill in the text boxes with whatever you want.
6) Click on "Insert"
7) WebKit crashes
Attachments
Problem Report for WebKit (33.02 KB, text/plain)
2008-02-12 10:16 PST, Steven Hollingsworth
no flags
Problem Report for WebKit (29.01 KB, text/plain)
2008-02-12 10:17 PST, Steven Hollingsworth
no flags
Steven Hollingsworth
Comment 1 2008-02-12 10:16:55 PST
Created attachment 19093 [details]
Problem Report for WebKit
Crash log from reproducible bug.
Steven Hollingsworth
Comment 2 2008-02-12 10:17:19 PST
Created attachment 19094 [details]
Problem Report for WebKit
Crash log from reproducible bug.
mitz
Comment 3 2008-02-12 10:29:14 PST
Geoffrey Garen
Comment 4 2008-02-12 15:29:22 PST
Top of debug backtrace:

Thread 0 Crashed:
0 com.apple.JavaScriptCore 0x005da9b2 WTF::Vector<KJS::LocalStorageEntry, 32ul>::shrink(unsigned long) + 130 (Vector.h:635)
1 com.apple.JavaScriptCore 0x006042fa KJS::JSGlobalObject::popActivation() + 96 (JSGlobalObject.cpp:543)
2 com.apple.JavaScriptCore 0x0059611d KJS::FunctionExecState::~FunctionExecState() + 137 (ExecState.cpp:213)
3 com.apple.JavaScriptCore 0x0059613f KJS::FunctionExecState::~FunctionExecState() + 17 (ExecState.cpp:213)
4 com.apple.JavaScriptCore 0x0059b512 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 214 (function.cpp:83)
Adam Roben (:aroben)
Comment 5 2008-02-13 08:28:26 PST
*** Bug 17338 has been marked as a duplicate of this bug. ***
Adam Roben (:aroben)
Comment 6 2008-02-13 08:29:14 PST
ee bug 17388 for a testcase that triggers this same crash in a different way.
Adam Roben (:aroben)
Comment 7 2008-02-13 08:29:50 PST
Sorry, that should have been: See bug 17338 for a testcase that triggers this same crash in a different way
Geoffrey Garen
Comment 8 2008-02-13 10:46:12 PST
The crash happens because the global object's "activations" stack is NULL.
Cameron Zwarich (cpst)
Comment 9 2008-02-13 14:11:00 PST
I found the cause of the bug. For some reason, JSGlobalObject::reset() is being called, which changes activationCount from 6 to 0. This triggers the test in checkActivation() which then sets activationStackNode to NULL.
Geoffrey Garen
Comment 10 2008-02-13 14:44:50 PST
JSGlobalObject::reset gets called as a result of loading a javascript: URL into the script's <iframe>.
Geoffrey Garen
Comment 11 2008-02-13 14:52:31 PST
I think the error here is that the javascript: URL loads synchronously, potentially navigating during a script execution. See this comment, from the coder who came across this bug last, but decided not to fix it:

// FIXME: We should always replace the document, but doing so
// synchronously can cause crashes:
// http://bugs.webkit.org/show_bug.cgi?id=16782
if (replaceDocument) {
    begin(m_URL, true, currentSecurityOrigin);
    write(scriptResult);
    end();
}
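A minimal model of the failure described in comments 9 to 11, added here as an illustration and not code from WebKit: an unguarded reset of the activation stack while a call is still live leaves the matching pop with nothing to pop, whereas a reset deferred until the script unwinds does not. ActivationStack, resetGuarded and unwindsCleanly are hypothetical names chosen for this example.

```cpp
#include <cstddef>
#include <vector>

// Hypothetical model of comments 9 to 11 (not JavaScriptCore's code): a global
// object keeps a stack of activation records that calls push and pop, and a
// synchronous navigation can reset that object while a frame is still live.
struct ActivationStack {
    std::vector<int> activations;   // one entry per active function frame
    std::size_t activationCount = 0;
    bool resetDeferred = false;

    void pushActivation(int frameId) { activations.push_back(frameId); ++activationCount; }

    // Unguarded reset, as the bug describes: activationCount drops to 0 while
    // frames are still executing, so the matching pop finds nothing.
    void resetUnguarded() { activations.clear(); activationCount = 0; }

    // Guarded reset: while script is running only record the request and
    // apply it when the outermost frame unwinds.
    void resetGuarded() {
        if (activationCount > 0) { resetDeferred = true; return; }
        activations.clear();
        activationCount = 0;
    }

    // Returns false rather than popping an empty stack; in the real crash the
    // equivalent path dereferenced a NULL activationStackNode.
    bool popActivation() {
        if (activations.empty() || activationCount == 0) return false;
        activations.pop_back();
        --activationCount;
        if (activationCount == 0 && resetDeferred) { resetDeferred = false; activations.clear(); }
        return true;
    }
};

// Enter a script frame, trigger the reset mid-call (the synchronous javascript:
// URL load from comment 10), then unwind. True means the frame unwound cleanly.
bool unwindsCleanly(bool guarded) {
    ActivationStack stack;
    stack.pushActivation(1);
    if (guarded) stack.resetGuarded(); else stack.resetUnguarded();
    return stack.popActivation();
}
```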
Cameron Zwarich (cpst)
Comment 12 2008-02-13 23:04:42 PST
The example wasn't working for me because of the changes to disable local storage in clients that don't implement the proper delegate methods. Mark sent me a patch that removes this restriction, and I was able to reproduce the bug. It crashes for the same reason as bug 17329, JSGlobalObject::reset() is called while there is still a single element on the activation stack, causing the next call to JSGlobalObject::popActivation() to segfault. However, bug 17329 was traced by Geoff down to javascript: links, whereas none of those appear in this example. Therefore, I think that calling this a duplicate of bug 17329 is premature. I will trace the calls to JSGlobalObject::reset() and see why it is being called in the middle of script execution.
Cameron Zwarich (cpst)
Comment 13 2008-02-13 23:05:36 PST
Oops. I posted in the wrong bug. :P
Geoffrey Garen
Comment 14 2008-02-14 15:31:23 PST