Bug 17862

Summary: REGRESSION (r31038): Reproducible crash under DocLoader::checkForReload() at marware.com
Product: WebKit Reporter: mitz
Component: Page Loading    Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Major CC: ampcoder, andersca, grahamburnette, koivisto, sdwr98, webkit
Priority: P1    
Version: 528+ (Nightly build)   
Hardware: Mac   
OS: OS X 10.5   
URL: http://www.marware.com/PRODUCTS/Apple-Laptop-Products/Sportfolio-Deluxe-for-MacBook-MacBook-Pro
Attachments: patch (darin: review+)

mitz
Reported 2008-03-15 01:24:50 PDT
Opening the URL in r31072, shortly after the page appears, WebKit crashes with this backtrace:

#0 0x01c0a15d in WebCore::StringImpl::length (this=0x4) at text/StringImpl.h:84
#1 0x01c0e0e3 in WebCore::StringHash::equal (a=0x4, b=0x1a2c6d10) at StringHash.h:44
#2 0x01c0f3a2 in WTF::IdentityHashTranslator<WebCore::StringImpl*, WebCore::StringImpl*, WebCore::StringHash>::equal (a=@0x19e8c9a8, b=@0xbfffcbd8) at HashTable.h:269
#3 0x01c0f48d in WTF::HashTable<WebCore::StringImpl*, WebCore::StringImpl*, WTF::IdentityExtractor<WebCore::StringImpl*>, WebCore::StringHash, WTF::HashTraits<WebCore::StringImpl*>, WTF::HashTraits<WebCore::StringImpl*> >::lookup<WebCore::StringImpl*, WTF::IdentityHashTranslator<WebCore::StringImpl*, WebCore::StringImpl*, WebCore::StringHash> > (this=0x3b9e2f4, key=@0xbfffcbd8) at HashTable.h:463
#4 0x01ca092e in WTF::HashTable<WebCore::StringImpl*, WebCore::StringImpl*, WTF::IdentityExtractor<WebCore::StringImpl*>, WebCore::StringHash, WTF::HashTraits<WebCore::StringImpl*>, WTF::HashTraits<WebCore::StringImpl*> >::contains<WebCore::StringImpl*, WTF::IdentityHashTranslator<WebCore::StringImpl*, WebCore::StringImpl*, WebCore::StringHash> > (this=0x3b9e2f4, key=@0xbfffcbd8) at HashTable.h:764
#5 0x01ca0956 in WTF::HashTable<WebCore::StringImpl*, WebCore::StringImpl*, WTF::IdentityExtractor<WebCore::StringImpl*>, WebCore::StringHash, WTF::HashTraits<WebCore::StringImpl*>, WTF::HashTraits<WebCore::StringImpl*> >::contains (this=0x3b9e2f4, key=@0xbfffcbd8) at HashTable.h:316
#6 0x01ca0974 in WTF::HashSet<WebCore::String, WebCore::StringHash, WTF::HashTraits<WebCore::String> >::contains (this=0x3b9e2f4, value=@0xbfffcbd8) at HashSet.h:258
#7 0x01d28c32 in WebCore::DocLoader::checkForReload (this=0x3b9e2f0, fullURL=@0xbfffcbd8) at WebCore/loader/DocLoader.cpp:76
#8 0x01d28ff8 in WebCore::DocLoader::requestResource (this=0x3b9e2f0, type=WebCore::CachedResource::ImageResource, url=@0xbfffcd04, charset=0x0, skipCanLoadCheck=false, sendResourceLoadCallbacks=true) at WebCore/loader/DocLoader.cpp:165
#9 0x01d29247 in WebCore::DocLoader::requestImage (this=0x3b9e2f0, url=@0xbfffcd04) at WebCore/loader/DocLoader.cpp:96
#10 0x01df7634 in WebCore::HTMLImageLoader::updateFromElement (this=0x1a2c6c88) at WebCore/html/HTMLImageLoader.cpp:104
#11 0x01df6825 in WebCore::HTMLImageElement::parseMappedAttribute (this=0x1a2c6c40, attr=0x1a2c6bb0) at WebCore/html/HTMLImageElement.cpp:93
#12 0x02174ea2 in WebCore::StyledElement::attributeChanged (this=0x1a2c6c40, attr=0x1a2c6bb0, preserveDecls=false) at WebCore/dom/StyledElement.cpp:173
#13 0x01d63680 in WebCore::Element::setAttributeMap (this=0x1a2c6c40, list=0x1a2c6800) at WebCore/dom/Element.cpp:534
#14 0x01e1e7a7 in WebCore::HTMLParser::parseToken (this=0x19e515b0, t=0xbfffd0f4) at WebCore/html/HTMLParser.cpp:237
#15 0x01e34f10 in WebCore::HTMLTokenizer::processToken (this=0xbfffd0e0) at WebCore/html/HTMLTokenizer.cpp:1896
#16 0x01e381da in WebCore::HTMLTokenizer::parseTag (this=0xbfffd0e0, src=@0xbfffda30, state={static EntityShift = 4, m_bits = 8388608}) at WebCore/html/HTMLTokenizer.cpp:1477
#17 0x01e38dad in WebCore::HTMLTokenizer::write (this=0xbfffd0e0, str=@0xbfffda70, appendData=true) at WebCore/html/HTMLTokenizer.cpp:1726
#18 0x01e39a76 in WebCore::parseHTMLDocumentFragment (source=@0xbfffdb84, fragment=0x197fbc00) at WebCore/html/HTMLTokenizer.cpp:2027
#19 0x01de2b6c in WebCore::HTMLElement::createContextualFragment (this=0x19e37480, html=@0xbfffdb84) at WebCore/html/HTMLElement.cpp:244
#20 0x01de30cb in WebCore::HTMLElement::setInnerHTML (this=0x19e37480, html=@0xbfffdb84, ec=@0xbfffdb6c) at WebCore/html/HTMLElement.cpp:336
#21 0x01ec3902 in WebCore::JSHTMLElement::putValueProperty (this=0x1a6620c0, exec=0xbfffde00, token=5, value=0x1a662040) at WebKitBuild/Debug/DerivedSources/WebCore/JSHTMLElement.cpp:244
#22 0x01ec43d6 in KJS::lookupPut<WebCore::JSHTMLElement> (exec=0xbfffde00, propertyName=@0x197fbe8c, value=0x1a662040, table=0x25d09bc, thisObj=0x1a6620c0) at lookup.h:245
#23 0x01ec440f in KJS::lookupPut<WebCore::JSHTMLElement, WebCore::JSElement> (exec=0xbfffde00, propertyName=@0x197fbe8c, value=0x1a662040, table=0x25d09bc, thisObj=0x1a6620c0) at lookup.h:260
#24 0x01ec3af3 in WebCore::JSHTMLElement::put (this=0x1a6620c0, exec=0xbfffde00, propertyName=@0x197fbe8c, value=0x1a662040) at WebKitBuild/Debug/DerivedSources/WebCore/JSHTMLElement.cpp:210
#25 0x01eeba44 in KJS::lookupPut<WebCore::JSHTMLTableCellElement, WebCore::JSHTMLElement> (exec=0xbfffde00, propertyName=@0x197fbe8c, value=0x1a662040, table=0x25d897c, thisObj=0x1a6620c0) at lookup.h:261
#26 0x01eeb057 in WebCore::JSHTMLTableCellElement::put (this=0x1a6620c0, exec=0xbfffde00, propertyName=@0x197fbe8c, value=0x1a662040) at WebKitBuild/Debug/DerivedSources/WebCore/JSHTMLTableCellElement.cpp:223
#27 0x005e015d in KJS::AssignDotNode::evaluate (this=0x197fbe80, exec=0xbfffde00) at nodes.cpp:3431
#28 0x005df825 in KJS::ExprStatementNode::execute (this=0x197fbea0, exec=0xbfffde00) at nodes.cpp:3750
#29 0x005c07ed in statementListExecute (statements=@0x17d3c080, exec=0xbfffde00) at nodes.cpp:3703
#30 0x005c087a in KJS::BlockNode::execute (this=0x17d3c070, exec=0xbfffde00) at nodes.cpp:3728
#31 0x005ce5e0 in KJS::FunctionBodyNode::execute (this=0x17d3c070, exec=0xbfffde00) at nodes.cpp:4647
#32 0x005cedb8 in KJS::FunctionImp::callAsFunction (this=0x19bd5500, exec=0xbfffe070, thisObj=0x19bd0000, args=@0xbfffdec8) at function.cpp:76
#33 0x005d8ade in KJS::JSObject::call (this=0x19bd5500, exec=0xbfffe070, thisObj=0x19bd0000, args=@0xbfffdec8) at object.cpp:96
#34 0x0062f0ec in KJS::ExpressionNode::resolveAndCall<(KJS::ExpressionNode::CallerType)1> (this=0x1a297f60, exec=0xbfffe070, ident=@0x1a297f68, args=0x1a299750) at nodes.cpp:997
#35 0x0062f1be in KJS::FunctionCallResolveNode::inlineEvaluate (this=0x1a297f60, exec=0xbfffe070) at nodes.cpp:1061
#36 0x005fcd68 in KJS::FunctionCallResolveNode::evaluate (this=0x1a297f60, exec=0xbfffe070) at nodes.cpp:1066
#37 0x005df825 in KJS::ExprStatementNode::execute (this=0x1a29d100, exec=0xbfffe070) at nodes.cpp:3750
#38 0x005c07ed in statementListExecute (statements=@0x1a2bdf20, exec=0xbfffe070) at nodes.cpp:3703
#39 0x005c087a in KJS::BlockNode::execute (this=0x1a2bdf10, exec=0xbfffe070) at nodes.cpp:3728
#40 0x005ce5e0 in KJS::FunctionBodyNode::execute (this=0x1a2bdf10, exec=0xbfffe070) at nodes.cpp:4647
#41 0x005cedb8 in KJS::FunctionImp::callAsFunction (this=0x1a661c40, exec=0x417b51c, thisObj=0x19bd0000, args=@0xbfffe14c) at function.cpp:76
#42 0x005d8ade in KJS::JSObject::call (this=0x1a661c40, exec=0x417b51c, thisObj=0x19bd0000, args=@0xbfffe14c) at object.cpp:96
#43 0x021d973a in WebCore::JSAbstractEventListener::handleEvent (this=0x17dee920, ele=0x1a2b29b0, isWindowEvent=true) at WebCore/bindings/js/kjs_events.cpp:105
#44 0x01d2e573 in WebCore::Document::handleWindowEvent (this=0x40c9800, evt=0x1a2b29b0, useCapture=false) at WebCore/dom/Document.cpp:2519
#45 0x01d76944 in WebCore::EventTargetNode::dispatchWindowEvent (this=0x40c9800, eventType=@0x2623634, canBubbleArg=false, cancelableArg=false) at WebCore/dom/EventTargetNode.cpp:140
#46 0x01d32940 in WebCore::Document::implicitClose (this=0x40c9800) at WebCore/dom/Document.cpp:1519
#47 0x01da5fea in WebCore::FrameLoader::checkCallImplicitClose (this=0x40c4400) at WebCore/loader/FrameLoader.cpp:1319
#48 0x01db1938 in WebCore::FrameLoader::checkCompleted (this=0x40c4400) at WebCore/loader/FrameLoader.cpp:1272
#49 0x01db1a83 in WebCore::FrameLoader::loadDone (this=0x40c4400) at WebCore/loader/FrameLoader.cpp:1239
#50 0x01d28900 in WebCore::DocLoader::setLoadInProgress (this=0x3b9e2f0, load=false) at WebCore/loader/DocLoader.cpp:211
#51 0x021dd7ff in WebCore::Loader::Host::didFinishLoading (this=0x1978ca60, loader=0x4429c00) at WebCore/loader/loader.cpp:273
#52 0x02178295 in WebCore::SubresourceLoader::didFinishLoading (this=0x4429c00) at WebCore/loader/SubresourceLoader.cpp:193
#53 0x02079a80 in WebCore::ResourceLoader::didFinishLoading (this=0x4429c00) at WebCore/loader/ResourceLoader.cpp:372
#54 0x0207722b in -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] (self=0x1a298c40, _cmd=0x901495c4, con=0x1a298d10) at WebCore/platform/network/mac/ResourceHandleMac.mm:521
Attachments
patch (5.18 KB, patch)
2008-03-15 23:44 PDT, Antti Koivisto
darin: review+
Antti Koivisto
Comment 1 2008-03-15 23:44:05 PDT
Created attachment 19790 [details]: patch

This was a memory smasher introduced by the preloading patch. If a script resource was marked uncacheable, early deletion of the Request object would cause deletion of the CachedResource too if it was referred to more than once in a single document.
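An illustrative model of the ownership failure described in comment 1, added here as an example; it is not WebKit's code. The CachedResource, DocLoader and Request names come from the comment and the backtrace, but the structures, the refcount rule, the teardown order and the URL are a simplified hypothetical.

```cpp
// Illustrative model only, not WebKit code: one uncacheable script requested by several elements
// of a document, then the first load's Request is torn down. 'destroyed' stands in for delete.
#include <map>
#include <memory>
#include <string>
#include <vector>

struct CachedResource {
    CachedResource(const std::string& u, bool c) : url(u), cacheable(c) {}
    std::string url;
    bool cacheable;
    int refCount = 0;        // one ref per element still using the resource
    bool destroyed = false;  // models the object having been freed
};

// Document-side bookkeeping: an in-flight resource, cacheable or not, is shared by every element that asked for its URL.
struct DocLoader {
    std::vector<std::unique_ptr<CachedResource>> storage;  // keeps addresses valid for inspection
    std::map<std::string, CachedResource*> byUrl;
    std::vector<CachedResource*> referrers;                // raw pointers as held by elements
    CachedResource* requestResource(const std::string& url, bool cacheable) {
        CachedResource*& r = byUrl[url];
        if (!r) {
            storage.emplace_back(new CachedResource(url, cacheable));
            r = storage.back().get();
        }
        ++r->refCount;
        referrers.push_back(r);
        return r;
    }
};

// Request teardown: the buggy path frees an uncacheable resource outright, the fixed path only at refcount zero.
void finishRequest(CachedResource* r, bool fixed) {
    if (r->cacheable) return;              // cacheable entries are owned by the global cache
    if (fixed && r->refCount > 0) return;
    r->destroyed = true;
}

// True if another element of the same document still points at a freed resource; needs referrerCount > 1.
bool liveReferrerDangles(int referrerCount, bool fixed) {
    DocLoader loader;
    CachedResource* r = nullptr;
    for (int i = 0; i < referrerCount; ++i) r = loader.requestResource("/uncacheable-script.cgi", false);
    if (!r) return false;                  // nothing requested, nothing to dangle
    --r->refCount;                         // first element is done with the script
    finishRequest(r, fixed);
    for (int i = 1; i < referrerCount; ++i) if (loader.referrers[i]->destroyed) return true;
    return false;
}
```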
Antti Koivisto
Comment 2 2008-03-16 00:03:09 PDT
*** Bug 17860 has been marked as a duplicate of this bug. ***
Matt Lilek
Comment 3 2008-03-16 09:45:15 PDT
*** Bug 17875 has been marked as a duplicate of this bug. ***
Antti Koivisto
Comment 4 2008-03-16 13:00:00 PDT
*** Bug 17878 has been marked as a duplicate of this bug. ***
Darin Adler
Comment 5 2008-03-16 13:36:47 PDT
Comment on attachment 19790 [details]: patch

r=me
Antti Koivisto
Comment 6 2008-03-16 14:00:05 PDT
Sending        LayoutTests/ChangeLog
Adding         LayoutTests/http/tests/misc/resources/uncacheable-script.cgi
Adding         LayoutTests/http/tests/misc/uncacheable-script-repeated-expected.txt
Adding         LayoutTests/http/tests/misc/uncacheable-script-repeated.html
Sending        WebCore/ChangeLog
Sending        WebCore/loader/loader.cpp
Transmitting file data ......
Committed revision 31084.
Mark Rowe (bdash)
Comment 7 2008-03-17 15:11:23 PDT
*** Bug 17899 has been marked as a duplicate of this bug. ***