Bug 17876

Summary:

REGRESSION (r31060): Attempting to visit Ofcom page causes crash

Product:

WebKit

Reporter:

Simon Hollingshead <me>

Component:

CSS

Assignee:

Adam Roben (:aroben) <aroben>

Status:

RESOLVED FIXED

Severity:

Critical

CC:

darin, dave, jon, mrowe, oliver.andrich, webkit

Priority:

Keywords:

NeedsReduction, Regression

Version:

528+ (Nightly build)

Hardware:

All

OS:

All

URL:

http://www.ofcom.org.uk/media/news/2007/02/nr_20070213b

Attachments:

Description	Flags
crash log	none
Reduction HTML	none
Reduction CSS	none
Reduction JS	none
Reduction HTML with embedded JS	none
patch	none
Patch + test + ChangeLog	sullivan: review+

Simon Hollingshead

Reported 2008-03-16 09:23:49 PDT

Attempting to visit http://www.ofcom.org.uk/media/news/2007/02/nr_20070213b causes the browser to crash.

Attachments
crash log (34.78 KB, text/plain) 2008-03-16 09:48 PDT, Robert Blaut	no flags	Details
Reduction HTML (396 bytes, text/html) 2008-03-16 10:24 PDT, Simon Hollingshead	no flags	Details
Reduction CSS (51 bytes, text/css) 2008-03-16 10:24 PDT, Simon Hollingshead	no flags	Details
Reduction JS (3.18 KB, application/x-javascript) 2008-03-16 10:25 PDT, Simon Hollingshead	no flags	Details
Reduction HTML with embedded JS (3.53 KB, text/html) 2008-03-16 10:28 PDT, Simon Hollingshead	no flags	Details
patch (1.95 KB, patch) 2008-03-16 12:45 PDT, Darin Adler	no flags	Details Formatted Diff Diff
Patch + test + ChangeLog (5.03 KB, patch) 2008-03-17 08:22 PDT, Adam Roben (:aroben)	sullivan: review+	Details Formatted Diff Diff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.

Robert Blaut

Comment 1 2008-03-16 09:47:27 PDT

Confirmed in Webkit r31078 on Leopard. Crash log attached.

Robert Blaut

Comment 2 2008-03-16 09:48:17 PDT

Created attachment 19795 [details] crash log

Matt Lilek

Comment 3 2008-03-16 09:51:23 PDT

I get a different backtrace with my r31079 debug build and has no mention of : #0 0x02b60964 in WTF::RefCounted<WebCore::StringImpl>::deref (this=0x771defc6) at RefCounted.h:47 #1 0x02b60ad6 in WTF::RefPtr<WebCore::StringImpl>::operator= (this=0x1b3f2580, o=@0xbfffd9c8) at RefPtr.h:88 #2 0x02b60af4 in WebCore::String::operator= (this=0x1b3f2580) at text/PlatformString.h:48 #3 0x02bae264 in WebCore::AtomicString::operator= (this=0x1b3f2580) at text/AtomicString.h:31 #4 0x02ec99eb in WebCore::NamedAttrMap::removeAttribute (this=0x1aa4f4d0, name=@0x3565f1c) at /Users/matt/Code/WebKit/WebCore/dom/NamedAttrMap.cpp:305 #5 0x02c9aed6 in WebCore::Element::setAttribute (this=0x1a9b7570, name=@0x3565f1c, value=0x0, ec=@0xbfffda4c) at /Users/matt/Code/WebKit/WebCore/dom/Element.cpp:499 #6 0x02c9b0f3 in WebCore::Element::setAttribute (this=0x1a9b7570, name=@0x3565f1c, value=@0xbfffda8c) at /Users/matt/Code/WebKit/WebCore/dom/Element.cpp:174 #7 0x02d3a0bd in WebCore::HTMLLinkElement::setDisabled (this=0x1a9b7570, disabled=false) at /Users/matt/Code/WebKit/WebCore/html/HTMLLinkElement.cpp:267 #8 0x02e112ca in WebCore::JSHTMLLinkElement::putValueProperty (this=0x1a8d13e0, exec=0xbfffde60, token=0, value=0x2) at /Users/matt/Code/WebKit/WebKitBuild/Debug/DerivedSources/WebCore/JSHTMLLinkElement.cpp:210 #9 0x02e11d76 in KJS::lookupPut<WebCore::JSHTMLLinkElement> (exec=0xbfffde60, propertyName=@0x1aa54d6c, value=0x2, table=0x351775c, thisObj=0x1a8d13e0) at lookup.h:245 #10 0x02e11daf in KJS::lookupPut<WebCore::JSHTMLLinkElement, WebCore::JSHTMLElement> (exec=0xbfffde60, propertyName=@0x1aa54d6c, value=0x2, table=0x351775c, thisObj=0x1a8d13e0) at lookup.h:260 #11 0x02e11563 in WebCore::JSHTMLLinkElement::put (this=0x1a8d13e0, exec=0xbfffde60, propertyName=@0x1aa54d6c, value=0x2) at /Users/matt/Code/WebKit/WebKitBuild/Debug/DerivedSources/WebCore/JSHTMLLinkElement.cpp:202 #12 0x00a74067 in KJS::AssignDotNode::evaluate (this=0x1aa54d60, exec=0xbfffde60) at nodes.cpp:3431 #13 0x00a7372f in KJS::ExprStatementNode::execute (this=0x1aa54d80, exec=0xbfffde60) at nodes.cpp:3750 #14 0x00a7367d in KJS::IfNode::execute (this=0x1aa54da0, exec=0xbfffde60) at nodes.cpp:3787 #15 0x00a54be5 in statementListExecute (statements=@0x1aa53640, exec=0xbfffde60) at nodes.cpp:3703 #16 0x00a54c72 in KJS::BlockNode::execute (this=0x1aa53630, exec=0xbfffde60) at nodes.cpp:3728 #17 0x00a7367d in KJS::IfNode::execute (this=0x1aa53650, exec=0xbfffde60) at nodes.cpp:3787 #18 0x00a54be5 in statementListExecute (statements=@0x1aa53060, exec=0xbfffde60) at nodes.cpp:3703 #19 0x00a54c72 in KJS::BlockNode::execute (this=0x1aa53050, exec=0xbfffde60) at nodes.cpp:3728 #20 0x00a730b7 in KJS::ForNode::execute (this=0x1aa53070, exec=0xbfffde60) at nodes.cpp:3916 #21 0x00a54be5 in statementListExecute (statements=@0x1a9f4020, exec=0xbfffde60) at nodes.cpp:3703 #22 0x00a54c72 in KJS::BlockNode::execute (this=0x1a9f4010, exec=0xbfffde60) at nodes.cpp:3728 #23 0x00a62760 in KJS::FunctionBodyNode::execute (this=0x1a9f4010, exec=0xbfffde60) at nodes.cpp:4647 #24 0x00a62eca in KJS::FunctionImp::callAsFunction (this=0x1a8d0b20, exec=0xbfffe0d0, thisObj=0x1a8d0000, args=@0xbfffdf28) at function.cpp:76 #25 0x00a6ca0e in KJS::JSObject::call (this=0x1a8d0b20, exec=0xbfffe0d0, thisObj=0x1a8d0000, args=@0xbfffdf28) at object.cpp:96 #26 0x00abf7ae in KJS::ExpressionNode::resolveAndCall<(KJS::ExpressionNode::CallerType)1> (this=0x1aa73120, exec=0xbfffe0d0, ident=@0x1aa73128, args=0x1aab1410) at nodes.cpp:997 #27 0x00abf880 in KJS::FunctionCallResolveNode::inlineEvaluate (this=0x1aa73120, exec=0xbfffe0d0) at nodes.cpp:1061 #28 0x00a90adc in KJS::FunctionCallResolveNode::evaluate (this=0x1aa73120, exec=0xbfffe0d0) at nodes.cpp:1066 #29 0x00a7372f in KJS::ExprStatementNode::execute (this=0x1aa73140, exec=0xbfffe0d0) at nodes.cpp:3750 #30 0x00a54be5 in statementListExecute (statements=@0x1602e850, exec=0xbfffe0d0) at nodes.cpp:3703 #31 0x00a54c72 in KJS::BlockNode::execute (this=0x1602e840, exec=0xbfffe0d0) at nodes.cpp:3728 #32 0x00a62760 in KJS::FunctionBodyNode::execute (this=0x1602e840, exec=0xbfffe0d0) at nodes.cpp:4647 #33 0x00a62eca in KJS::FunctionImp::callAsFunction (this=0x1a8d0ca0, exec=0x4b0571c, thisObj=0x1a8d0000, args=@0xbfffe1ac) at function.cpp:76 #34 0x00a6ca0e in KJS::JSObject::call (this=0x1a8d0ca0, exec=0x4b0571c, thisObj=0x1a8d0000, args=@0xbfffe1ac) at object.cpp:96 #35 0x03119dae in WebCore::JSAbstractEventListener::handleEvent (this=0x1b534b60, ele=0x1b561560, isWindowEvent=true) at /Users/matt/Code/WebKit/WebCore/bindings/js/kjs_events.cpp:105 #36 0x02c65a95 in WebCore::Document::handleWindowEvent (this=0x48c6400, evt=0x1b561560, useCapture=false) at /Users/matt/Code/WebKit/WebCore/dom/Document.cpp:2577 #37 0x02caf15a in WebCore::EventTargetNode::dispatchWindowEvent (this=0x48c6400, eventType=@0x3565c94, canBubbleArg=false, cancelableArg=false) at /Users/matt/Code/WebKit/WebCore/dom/EventTargetNode.cpp:140 #38 0x02c6a5da in WebCore::Document::implicitClose (this=0x48c6400) at /Users/matt/Code/WebKit/WebCore/dom/Document.cpp:1523 #39 0x02cde732 in WebCore::FrameLoader::checkCallImplicitClose (this=0x48c0200) at /Users/matt/Code/WebKit/WebCore/loader/FrameLoader.cpp:1319 #40 0x02cea63a in WebCore::FrameLoader::checkCompleted (this=0x48c0200) at /Users/matt/Code/WebKit/WebCore/loader/FrameLoader.cpp:1272 #41 0x02cea785 in WebCore::FrameLoader::loadDone (this=0x48c0200) at /Users/matt/Code/WebKit/WebCore/loader/FrameLoader.cpp:1239 #42 0x02c600ba in WebCore::DocLoader::setLoadInProgress (this=0x15e90410, load=false) at /Users/matt/Code/WebKit/WebCore/loader/DocLoader.cpp:211 #43 0x0311e095 in WebCore::Loader::Host::didFinishLoading (this=0x1aa4c6b0, loader=0x4b56200) at /Users/matt/Code/WebKit/WebCore/loader/loader.cpp:274 #44 0x030b81cd in WebCore::SubresourceLoader::didFinishLoading (this=0x4b56200) at /Users/matt/Code/WebKit/WebCore/loader/SubresourceLoader.cpp:193 #45 0x02fb733a in WebCore::ResourceLoader::didFinishLoading (this=0x4b56200) at /Users/matt/Code/WebKit/WebCore/loader/ResourceLoader.cpp:372 #46 0x02fb4af5 in -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] (self=0x1607f580, _cmd=0xc8c5c4, con=0x1b574560) at /Users/matt/Code/WebKit/WebCore/platform/network/mac/ResourceHandleMac.mm:521 #47 0x010048b7 in -[NSURLConnection(NSURLConnectionReallyInternal) sendDidFinishLoading] () #48 0x01004844 in _NSURLConnectionDidFinishLoading () #49 0x025c37f3 in sendDidFinishLoadingCallback () #50 0x025c0920 in _CFURLConnectionSendCallbacks () #51 0x025c00d9 in muxerSourcePerform () #52 0x00ddd62e in CFRunLoopRunSpecific () #53 0x00dddd18 in CFRunLoopRunInMode () #54 0x0175f6a0 in RunCurrentEventLoopInMode () #55 0x0175f4b9 in ReceiveNextEventCommon () #56 0x0175f32d in BlockUntilNextEventMatchingListInMode () #57 0x916647d9 in _DPSNextEvent () #58 0x9166408e in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] () #59 0x0000806e in ?? () #60 0x9165d0c5 in -[NSApplication run] () #61 0x9162a30a in NSApplicationMain () #62 0x000b9a76 in ?? () Current language: auto; currently c++ (gdb)

Matt Lilek

Comment 4 2008-03-16 09:54:42 PDT

(In reply to comment #3) > I get a different backtrace with my r31079 debug build > They're the same after frame 4 of mine (frame 2 of the attached crash log).

Simon Hollingshead

Comment 5 2008-03-16 10:23:34 PDT

I created a somewhat smaller file that still crashed for me (although the javascript seems to dictate which css to use so I couldnt embed the css within the page, and it might also mean your browser might not crash)

Simon Hollingshead

Comment 6 2008-03-16 10:24:13 PDT

Created attachment 19797 [details] Reduction HTML

Simon Hollingshead

Comment 7 2008-03-16 10:24:44 PDT

Created attachment 19798 [details] Reduction CSS

Simon Hollingshead

Comment 8 2008-03-16 10:25:13 PDT

Created attachment 19799 [details] Reduction JS

Simon Hollingshead

Comment 9 2008-03-16 10:28:22 PDT

Created attachment 19800 [details] Reduction HTML with embedded JS

Matt Lilek

Comment 10 2008-03-16 12:07:30 PDT

*** Bug 17880 has been marked as a duplicate of this bug. ***

Matt Lilek

Comment 11 2008-03-16 12:12:36 PDT

*** Bug 17879 has been marked as a duplicate of this bug. ***

Mark Rowe (bdash)

Comment 12 2008-03-16 12:28:21 PDT

The attached reduction does not crash for me. The original page does.

Matt Lilek

Comment 13 2008-03-16 12:31:51 PDT

(In reply to comment #12) > The attached reduction does not crash for me. The original page does. > The attached JS is incomplete - I'm working on further reducing this.

Darin Adler

Comment 14 2008-03-16 12:45:07 PDT

Created attachment 19804 [details] patch

mitz

Comment 15 2008-03-16 12:46:55 PDT

Comment on attachment 19804 [details] patch r=me

Darin Adler

Comment 16 2008-03-16 13:15:47 PDT

Committed revision 31080.

Matt Lilek

Comment 17 2008-03-16 14:39:47 PDT

*** Bug 17882 has been marked as a duplicate of this bug. ***

Matt Lilek

Comment 18 2008-03-16 14:51:00 PDT

Darin's patch didn't fix this, see bug 17882.

Darin Adler

Comment 19 2008-03-16 14:58:11 PDT

Oops. OK, what my patch fixed may have been something else, then! Reopening.

Darin Adler

Comment 20 2008-03-16 14:58:30 PDT

Comment on attachment 19804 [details] patch Cleared review flag since this patch was landed and the bug was reopened.

Adam Roben (:aroben)

Comment 21 2008-03-17 08:14:59 PDT

I have a fix for this. It's a regression caused by r31060.

Adam Roben (:aroben)

Comment 22 2008-03-17 08:22:45 PDT

Created attachment 19835 [details] Patch + test + ChangeLog

Adam Roben (:aroben)

Comment 23 2008-03-17 08:25:20 PDT

Committed in r31095.

Note You need to log in before you can comment on or make changes to this bug.