Bug 17559

Summary:

REGRESSION(r30466): 15 out of 60 tests in fast/media crash under guard malloc

Product:

WebKit

Reporter:

Mark Rowe (bdash) <mrowe>

Component:

WebCore Misc.

Assignee:

Dave Hyatt <hyatt>

Status:

RESOLVED FIXED

Severity:

Major

CC:

bfulgham, hyatt, mrowe

Priority:

Keywords:

InRadar, Regression

Version:

528+ (Nightly build)

Hardware:

Mac

OS:

OS X 10.5

Attachments:

Description	Flags
Crash log from one of the crashes	none
Patch to fix the problem.	aroben: review+

Mark Rowe (bdash)

Reported 2008-02-26 15:04:45 PST

$ run-webkit-tests -g --debug fast/media Testing 60 test cases. fast/media ............. fast/media/mq-compound-query-05.html -> crashed ..................... fast/media/mq-min-constraint.html -> crashed ... fast/media/mq-relative-constraints-02.html -> crashed . fast/media/mq-relative-constraints-03.html -> crashed . fast/media/mq-relative-constraints-04.html -> crashed . fast/media/mq-relative-constraints-05.html -> crashed . fast/media/mq-relative-constraints-06.html -> crashed . fast/media/mq-relative-constraints-07.html -> crashed . fast/media/mq-relative-constraints-08.html -> crashed . fast/media/mq-relative-constraints-09.html -> crashed ............ fast/media/mq-width-absolute-01.html -> crashed . fast/media/mq-width-absolute-02.html -> crashed . fast/media/mq-width-absolute-03.html -> crashed . fast/media/mq-width-absolute-04.html -> crashed . fast/media/viewport-media-query.html -> crashed 934.60s total testing time 45 test cases (75%) succeeded 15 test cases (25%) crashed $

Attachments
Crash log from one of the crashes (25.38 KB, text/plain) 2008-02-26 15:08 PST, Mark Rowe (bdash)	no flags	Details
Patch to fix the problem. (3.39 KB, patch) 2008-02-29 13:03 PST, Dave Hyatt	aroben: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Mark Rowe (bdash)

Comment 1 2008-02-26 15:05:02 PST

<rdar://problem/5766945>

Mark Rowe (bdash)

Comment 2 2008-02-26 15:08:43 PST

Created attachment 19386 [details] Crash log from one of the crashes All of the crashes appear to have similar crash logs.

Mark Rowe (bdash)

Comment 3 2008-02-27 13:10:30 PST

The crash was introduced in r30466.

Brent Fulgham

Comment 4 2008-02-28 21:17:24 PST

I notice that if a place a breakpoint in CSSStyleSelector::addViewportDependentMediaQueryResult, the first time I enter the method m_viewportDependentMediaQueryResults has a size of zero. After the append, the size is 1. So far, so good. The second time I hit the breakpoint, the size of m_viewportDependentMediaQueryResults is now 4277075694. There seems to be a timing element; if I set the breakpoint and wait a while I can often run without error. But if I move to a new page (with media content) and don't pause I get the crash.

Jon Honeycutt

Comment 5 2008-02-28 21:29:33 PST

It looks like m_viewportDependentMediaQueryResults is not initialized at the point that we start adding items to it. It should be initialized earlier in CSSStyleSelector's constructor.

Brent Fulgham

Comment 6 2008-02-28 22:02:53 PST

There seems to be some kind of access to the CSSStyleSelector after it is deallocated. I keep hitting the destructor for a CSSStyleSelector (with particular address), then enter the constructor (with a new address). I then enter the CSSStyleSelector::addViewportDependentMediaQueryResult for the original (destroyed) this pointer. The elements are all in an uninitialized state, and then the program crashes.

Dave Hyatt

Comment 7 2008-02-29 13:03:17 PST

Created attachment 19457 [details] Patch to fix the problem.

Adam Roben (:aroben)

Comment 8 2008-02-29 13:13:04 PST

Comment on attachment 19457 [details] Patch to fix the problem. r=me

Mark Rowe (bdash)

Comment 9 2008-02-29 14:13:12 PST

This was landed in r30670.

Note You need to log in before you can comment on or make changes to this bug.