Bug 17876

Summary: REGRESSION (r31060): Attempting to visit Ofcom page causes crash
Product: WebKit    Reporter: Simon Hollingshead <simon.hollingshead>
Component: CSS    Assignee: Adam Roben (:aroben) <aroben>
Status: RESOLVED FIXED
Severity: Critical    CC: darin, dave, jon, mrowe, oliver.andrich, webkit
Priority: P1    Keywords: NeedsReduction, Regression
Version: 528+ (Nightly build)
Hardware: All
OS: All
URL: http://www.ofcom.org.uk/media/news/2007/02/nr_20070213b
Attachments:
Description                     Flags
crash log                       none
Reduction HTML                  none
Reduction CSS                   none
Reduction JS                    none
Reduction HTML with embedded JS none
patch                           none
Patch + test + ChangeLog        sullivan: review+

Description Simon Hollingshead 2008-03-16 09:23:49 PDT
Attempting to visit http://www.ofcom.org.uk/media/news/2007/02/nr_20070213b causes the browser to crash.
Comment 1 Robert Blaut 2008-03-16 09:47:27 PDT
Confirmed in Webkit r31078 on Leopard. Crash log attached.
Comment 2 Robert Blaut 2008-03-16 09:48:17 PDT
Created attachment 19795 [details]
crash log
Comment 3 Matt Lilek 2008-03-16 09:51:23 PDT
I get a different backtrace with my r31079 debug build, and it has no mention of :

#0  0x02b60964 in WTF::RefCounted<WebCore::StringImpl>::deref (this=0x771defc6) at RefCounted.h:47
#1  0x02b60ad6 in WTF::RefPtr<WebCore::StringImpl>::operator= (this=0x1b3f2580, o=@0xbfffd9c8) at RefPtr.h:88
#2  0x02b60af4 in WebCore::String::operator= (this=0x1b3f2580) at text/PlatformString.h:48
#3  0x02bae264 in WebCore::AtomicString::operator= (this=0x1b3f2580) at text/AtomicString.h:31
#4  0x02ec99eb in WebCore::NamedAttrMap::removeAttribute (this=0x1aa4f4d0, name=@0x3565f1c) at /Users/matt/Code/WebKit/WebCore/dom/NamedAttrMap.cpp:305
#5  0x02c9aed6 in WebCore::Element::setAttribute (this=0x1a9b7570, name=@0x3565f1c, value=0x0, ec=@0xbfffda4c) at /Users/matt/Code/WebKit/WebCore/dom/Element.cpp:499
#6  0x02c9b0f3 in WebCore::Element::setAttribute (this=0x1a9b7570, name=@0x3565f1c, value=@0xbfffda8c) at /Users/matt/Code/WebKit/WebCore/dom/Element.cpp:174
#7  0x02d3a0bd in WebCore::HTMLLinkElement::setDisabled (this=0x1a9b7570, disabled=false) at /Users/matt/Code/WebKit/WebCore/html/HTMLLinkElement.cpp:267
#8  0x02e112ca in WebCore::JSHTMLLinkElement::putValueProperty (this=0x1a8d13e0, exec=0xbfffde60, token=0, value=0x2) at /Users/matt/Code/WebKit/WebKitBuild/Debug/DerivedSources/WebCore/JSHTMLLinkElement.cpp:210
#9  0x02e11d76 in KJS::lookupPut<WebCore::JSHTMLLinkElement> (exec=0xbfffde60, propertyName=@0x1aa54d6c, value=0x2, table=0x351775c, thisObj=0x1a8d13e0) at lookup.h:245
#10 0x02e11daf in KJS::lookupPut<WebCore::JSHTMLLinkElement, WebCore::JSHTMLElement> (exec=0xbfffde60, propertyName=@0x1aa54d6c, value=0x2, table=0x351775c, thisObj=0x1a8d13e0) at lookup.h:260
#11 0x02e11563 in WebCore::JSHTMLLinkElement::put (this=0x1a8d13e0, exec=0xbfffde60, propertyName=@0x1aa54d6c, value=0x2) at /Users/matt/Code/WebKit/WebKitBuild/Debug/DerivedSources/WebCore/JSHTMLLinkElement.cpp:202
#12 0x00a74067 in KJS::AssignDotNode::evaluate (this=0x1aa54d60, exec=0xbfffde60) at nodes.cpp:3431
#13 0x00a7372f in KJS::ExprStatementNode::execute (this=0x1aa54d80, exec=0xbfffde60) at nodes.cpp:3750
#14 0x00a7367d in KJS::IfNode::execute (this=0x1aa54da0, exec=0xbfffde60) at nodes.cpp:3787
#15 0x00a54be5 in statementListExecute (statements=@0x1aa53640, exec=0xbfffde60) at nodes.cpp:3703
#16 0x00a54c72 in KJS::BlockNode::execute (this=0x1aa53630, exec=0xbfffde60) at nodes.cpp:3728
#17 0x00a7367d in KJS::IfNode::execute (this=0x1aa53650, exec=0xbfffde60) at nodes.cpp:3787
#18 0x00a54be5 in statementListExecute (statements=@0x1aa53060, exec=0xbfffde60) at nodes.cpp:3703
#19 0x00a54c72 in KJS::BlockNode::execute (this=0x1aa53050, exec=0xbfffde60) at nodes.cpp:3728
#20 0x00a730b7 in KJS::ForNode::execute (this=0x1aa53070, exec=0xbfffde60) at nodes.cpp:3916
#21 0x00a54be5 in statementListExecute (statements=@0x1a9f4020, exec=0xbfffde60) at nodes.cpp:3703
#22 0x00a54c72 in KJS::BlockNode::execute (this=0x1a9f4010, exec=0xbfffde60) at nodes.cpp:3728
#23 0x00a62760 in KJS::FunctionBodyNode::execute (this=0x1a9f4010, exec=0xbfffde60) at nodes.cpp:4647
#24 0x00a62eca in KJS::FunctionImp::callAsFunction (this=0x1a8d0b20, exec=0xbfffe0d0, thisObj=0x1a8d0000, args=@0xbfffdf28) at function.cpp:76
#25 0x00a6ca0e in KJS::JSObject::call (this=0x1a8d0b20, exec=0xbfffe0d0, thisObj=0x1a8d0000, args=@0xbfffdf28) at object.cpp:96
#26 0x00abf7ae in KJS::ExpressionNode::resolveAndCall<(KJS::ExpressionNode::CallerType)1> (this=0x1aa73120, exec=0xbfffe0d0, ident=@0x1aa73128, args=0x1aab1410) at nodes.cpp:997
#27 0x00abf880 in KJS::FunctionCallResolveNode::inlineEvaluate (this=0x1aa73120, exec=0xbfffe0d0) at nodes.cpp:1061
#28 0x00a90adc in KJS::FunctionCallResolveNode::evaluate (this=0x1aa73120, exec=0xbfffe0d0) at nodes.cpp:1066
#29 0x00a7372f in KJS::ExprStatementNode::execute (this=0x1aa73140, exec=0xbfffe0d0) at nodes.cpp:3750
#30 0x00a54be5 in statementListExecute (statements=@0x1602e850, exec=0xbfffe0d0) at nodes.cpp:3703
#31 0x00a54c72 in KJS::BlockNode::execute (this=0x1602e840, exec=0xbfffe0d0) at nodes.cpp:3728
#32 0x00a62760 in KJS::FunctionBodyNode::execute (this=0x1602e840, exec=0xbfffe0d0) at nodes.cpp:4647
#33 0x00a62eca in KJS::FunctionImp::callAsFunction (this=0x1a8d0ca0, exec=0x4b0571c, thisObj=0x1a8d0000, args=@0xbfffe1ac) at function.cpp:76
#34 0x00a6ca0e in KJS::JSObject::call (this=0x1a8d0ca0, exec=0x4b0571c, thisObj=0x1a8d0000, args=@0xbfffe1ac) at object.cpp:96
#35 0x03119dae in WebCore::JSAbstractEventListener::handleEvent (this=0x1b534b60, ele=0x1b561560, isWindowEvent=true) at /Users/matt/Code/WebKit/WebCore/bindings/js/kjs_events.cpp:105
#36 0x02c65a95 in WebCore::Document::handleWindowEvent (this=0x48c6400, evt=0x1b561560, useCapture=false) at /Users/matt/Code/WebKit/WebCore/dom/Document.cpp:2577
#37 0x02caf15a in WebCore::EventTargetNode::dispatchWindowEvent (this=0x48c6400, eventType=@0x3565c94, canBubbleArg=false, cancelableArg=false) at /Users/matt/Code/WebKit/WebCore/dom/EventTargetNode.cpp:140
#38 0x02c6a5da in WebCore::Document::implicitClose (this=0x48c6400) at /Users/matt/Code/WebKit/WebCore/dom/Document.cpp:1523
#39 0x02cde732 in WebCore::FrameLoader::checkCallImplicitClose (this=0x48c0200) at /Users/matt/Code/WebKit/WebCore/loader/FrameLoader.cpp:1319
#40 0x02cea63a in WebCore::FrameLoader::checkCompleted (this=0x48c0200) at /Users/matt/Code/WebKit/WebCore/loader/FrameLoader.cpp:1272
#41 0x02cea785 in WebCore::FrameLoader::loadDone (this=0x48c0200) at /Users/matt/Code/WebKit/WebCore/loader/FrameLoader.cpp:1239
#42 0x02c600ba in WebCore::DocLoader::setLoadInProgress (this=0x15e90410, load=false) at /Users/matt/Code/WebKit/WebCore/loader/DocLoader.cpp:211
#43 0x0311e095 in WebCore::Loader::Host::didFinishLoading (this=0x1aa4c6b0, loader=0x4b56200) at /Users/matt/Code/WebKit/WebCore/loader/loader.cpp:274
#44 0x030b81cd in WebCore::SubresourceLoader::didFinishLoading (this=0x4b56200) at /Users/matt/Code/WebKit/WebCore/loader/SubresourceLoader.cpp:193
#45 0x02fb733a in WebCore::ResourceLoader::didFinishLoading (this=0x4b56200) at /Users/matt/Code/WebKit/WebCore/loader/ResourceLoader.cpp:372
#46 0x02fb4af5 in -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] (self=0x1607f580, _cmd=0xc8c5c4, con=0x1b574560) at /Users/matt/Code/WebKit/WebCore/platform/network/mac/ResourceHandleMac.mm:521
#47 0x010048b7 in -[NSURLConnection(NSURLConnectionReallyInternal) sendDidFinishLoading] ()
#48 0x01004844 in _NSURLConnectionDidFinishLoading ()
#49 0x025c37f3 in sendDidFinishLoadingCallback ()
#50 0x025c0920 in _CFURLConnectionSendCallbacks ()
#51 0x025c00d9 in muxerSourcePerform ()
#52 0x00ddd62e in CFRunLoopRunSpecific ()
#53 0x00dddd18 in CFRunLoopRunInMode ()
#54 0x0175f6a0 in RunCurrentEventLoopInMode ()
#55 0x0175f4b9 in ReceiveNextEventCommon ()
#56 0x0175f32d in BlockUntilNextEventMatchingListInMode ()
#57 0x916647d9 in _DPSNextEvent ()
#58 0x9166408e in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#59 0x0000806e in ?? ()
#60 0x9165d0c5 in -[NSApplication run] ()
#61 0x9162a30a in NSApplicationMain ()
#62 0x000b9a76 in ?? ()
Current language:  auto; currently c++
(gdb) 
Comment 4 Matt Lilek 2008-03-16 09:54:42 PDT
(In reply to comment #3)
> I get a different backtrace with my r31079 debug build 
> 

They're the same after frame 4 of mine (frame 2 of the attached crash log).
Comment 5 Simon Hollingshead 2008-03-16 10:23:34 PDT
I created a somewhat smaller file that still crashed for me (although the JavaScript seems to dictate which CSS to use, so I couldn't embed the CSS within the page, and it might also mean your browser might not crash).
Comment 6 Simon Hollingshead 2008-03-16 10:24:13 PDT
Created attachment 19797 [details]
Reduction HTML
Comment 7 Simon Hollingshead 2008-03-16 10:24:44 PDT
Created attachment 19798 [details]
Reduction CSS
Comment 8 Simon Hollingshead 2008-03-16 10:25:13 PDT
Created attachment 19799 [details]
Reduction JS
Comment 9 Simon Hollingshead 2008-03-16 10:28:22 PDT
Created attachment 19800 [details]
Reduction HTML with embedded JS
Comment 10 Matt Lilek 2008-03-16 12:07:30 PDT
*** Bug 17880 has been marked as a duplicate of this bug. ***
Comment 11 Matt Lilek 2008-03-16 12:12:36 PDT
*** Bug 17879 has been marked as a duplicate of this bug. ***
Comment 12 Mark Rowe (bdash) 2008-03-16 12:28:21 PDT
The attached reduction does not crash for me.  The original page does.
Comment 13 Matt Lilek 2008-03-16 12:31:51 PDT
(In reply to comment #12)
> The attached reduction does not crash for me.  The original page does.
> 

The attached JS is incomplete - I'm working on further reducing this.
Comment 14 Darin Adler 2008-03-16 12:45:07 PDT
Created attachment 19804 [details]
patch
Comment 15 mitz 2008-03-16 12:46:55 PDT
Comment on attachment 19804 [details]
patch

r=me
Comment 16 Darin Adler 2008-03-16 13:15:47 PDT
Committed revision 31080.
Comment 17 Matt Lilek 2008-03-16 14:39:47 PDT
*** Bug 17882 has been marked as a duplicate of this bug. ***
Comment 18 Matt Lilek 2008-03-16 14:51:00 PDT
Darin's patch didn't fix this, see bug 17882.
Comment 19 Darin Adler 2008-03-16 14:58:11 PDT
Oops. OK, what my patch fixed may have been something else, then! Reopening.
Comment 20 Darin Adler 2008-03-16 14:58:30 PDT
Comment on attachment 19804 [details]
patch

Cleared review flag since this patch was landed and the bug was reopened.
Comment 21 Adam Roben (:aroben) 2008-03-17 08:14:59 PDT
I have a fix for this. It's a regression caused by r31060.
Comment 22 Adam Roben (:aroben) 2008-03-17 08:22:45 PDT
Created attachment 19835 [details]
Patch + test + ChangeLog
Comment 23 Adam Roben (:aroben) 2008-03-17 08:25:20 PDT
Committed in r31095.