Bug 18551

Summary:

REGRESSION (r31801?): Crash in ContainerNode::removedFromDocument on many SVG tests

Product:

WebKit

Reporter:

Adam Roben (:aroben) <aroben>

Component:

SVG

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

koivisto

Priority:

Keywords:

LayoutTestFailure

Version:

528+ (Nightly build)

Hardware:

All

OS:

All

Attachments:

Description	Flags
patch	oliver: review+

Adam Roben (:aroben)

Reported 2008-04-17 12:40:20 PDT

Many SVG regression tests are crashing on Windows. I believe they all contain SVG animation.

Attachments
patch (7.11 KB, patch) 2008-04-18 10:55 PDT, Antti Koivisto	oliver: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Adam Roben (:aroben)

Comment 1 2008-04-17 12:41:06 PDT

One set of failing tests: svg/W3C-SVG-1.1/animate-elem-03-t.svg svg/W3C-SVG-1.1/animate-elem-05-t.svg svg/W3C-SVG-1.1/animate-elem-09-t.svg svg/W3C-SVG-1.1/animate-elem-11-t.svg svg/W3C-SVG-1.1/animate-elem-13-t.svg svg/W3C-SVG-1.1/animate-elem-15-t.svg svg/W3C-SVG-1.1/animate-elem-17-t.svg svg/W3C-SVG-1.1/animate-elem-19-t.svg svg/W3C-SVG-1.1/animate-elem-23-t.svg svg/W3C-SVG-1.1/animate-elem-29-b.svg svg/W3C-SVG-1.1/animate-elem-31-t.svg svg/W3C-SVG-1.1/animate-elem-33-t.svg svg/W3C-SVG-1.1/animate-elem-36-t.svg svg/W3C-SVG-1.1/animate-elem-40-t.svg svg/W3C-SVG-1.1/animate-elem-44-t.svg svg/W3C-SVG-1.1/animate-elem-52-t.svg svg/W3C-SVG-1.1/animate-elem-61-t.svg svg/W3C-SVG-1.1/animate-elem-65-t.svg svg/W3C-SVG-1.1/animate-elem-67-t.svg svg/W3C-SVG-1.1/animate-elem-69-t.svg svg/W3C-SVG-1.1/animate-elem-77-t.svg svg/W3C-SVG-1.1/animate-elem-80-t.svg svg/W3C-SVG-1.1/animate-elem-82-t.svg svg/W3C-SVG-1.1/color-prof-01-f.svg svg/W3C-SVG-1.1/pservers-pattern-01-b.svg These all crash with the following backtrace. It seems that `this` has been deleted. WebKit_debug.dll!WebCore::ContainerNode::removedFromDocument() Line 672 WebKit_debug.dll!WebCore::Element::removedFromDocument() Line 714 WebKit_debug.dll!WebCore::ContainerNode::addChildNodesToDeletionQueue(WebCore::Node * & head=0x06f99b28, WebCore::Node * & tail=0x01fa16a8, WebCore::ContainerNode * container=0x06f66650) Line 82 WebKit_debug.dll!WebCore::ContainerNode::removeAllChildren() Line 109 WebKit_debug.dll!WebCore::Document::removedLastRef() Line 381 WebKit_debug.dll!WebCore::TreeShared<WebCore::Node>::deref() Line 69 WebKit_debug.dll!WTF::RefPtr<WebCore::Document>::operator=(const WTF::PassRefPtr<WebCore::Document> & o={...}) Line 121 WebKit_debug.dll!WebCore::Frame::setDocument(WTF::PassRefPtr<WebCore::Document> newDoc={...}) Line 257 WebKit_debug.dll!WebCore::FrameLoader::clear(bool clearWindowProperties=true, bool clearScriptObjects=true) Line 840 WebKit_debug.dll!WebCore::FrameLoader::begin(const WebCore::KURL & url={...}, bool dispatch=false, WebCore::SecurityOrigin * origin=0x00000000) Line 913 WebKit_debug.dll!WebCore::FrameLoader::receivedFirstData() Line 864 WebKit_debug.dll!WebCore::FrameLoader::setEncoding(const WebCore::String & name={...}, bool userChosen=false) Line 1833 WebKit_debug.dll!WebFrameLoaderClient::receivedData(const char * data=0x07037e50, int length=8526, const WebCore::String & textEncoding={...}) Line 411 WebKit_debug.dll!WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader * loader=0x06eeb188, const char * data=0x07037e50, int length=8526) Line 383 WebKit_debug.dll!WebCore::FrameLoader::committedLoad(WebCore::DocumentLoader * loader=0x06eeb188, const char * data=0x07037e50, int length=8526) Line 3332 WebKit_debug.dll!WebCore::DocumentLoader::commitLoad(const char * data=0x07037e50, int length=8526) Line 343 WebKit_debug.dll!WebCore::DocumentLoader::receivedData(const char * data=0x07037e50, int length=8526) Line 355 WebKit_debug.dll!WebCore::FrameLoader::receivedData(const char * data=0x07037e50, int length=8526) Line 2287 WebKit_debug.dll!WebCore::MainResourceLoader::addData(const char * data=0x07037e50, int length=8526, bool allAtOnce=false) Line 139 WebKit_debug.dll!WebCore::ResourceLoader::didReceiveData(const char * data=0x07037e50, int length=8526, __int64 lengthReceived=8526, bool allAtOnce=false) Line 244 WebKit_debug.dll!WebCore::MainResourceLoader::didReceiveData(const char * data=0x07037e50, int length=8526, __int64 lengthReceived=8526, bool allAtOnce=false) Line 297 WebKit_debug.dll!WebCore::ResourceLoader::didReceiveData(WebCore::ResourceHandle * __formal=0x06faaa78, const char * data=0x07037e50, int length=8526, int lengthReceived=8526) Line 375 WebKit_debug.dll!WebCore::didReceiveData(_CFURLConnection * conn=0x01fd9a98, const __CFData * data=0x07037e38, long originalLength=8526, const void * clientInfo=0x06faaa78) Line 107

Adam Roben (:aroben)

Comment 2 2008-04-17 12:41:40 PDT

This test: svg/W3C-SVG-1.1/animate-elem-63-t.svg crashes with a similar but different backtrace. It also seems that `this` has been deleted. WebKit_debug.dll!WebCore::ContainerNode::removedFromDocument() Line 672 WebKit_debug.dll!WebCore::Element::removedFromDocument() Line 714 WebKit_debug.dll!WebCore::ContainerNode::addChildNodesToDeletionQueue(WebCore::Node * & head=0x020c7398, WebCore::Node * & tail=0x020c8078, WebCore::ContainerNode * container=0x020c7448) Line 82 WebKit_debug.dll!WebCore::ContainerNode::removeAllChildren() Line 94 WebKit_debug.dll!WebCore::ContainerNode::~ContainerNode() Line 118 WebKit_debug.dll!WebCore::Element::~Element() Line 119 WebKit_debug.dll!WebCore::StyledElement::~StyledElement() Line 111 WebKit_debug.dll!WebCore::SVGElement::~SVGElement() Line 58 WebKit_debug.dll!WebCore::SVGStyledElement::~SVGStyledElement() Line 55 WebKit_debug.dll!WebCore::SVGStyledLocatableElement::~SVGStyledLocatableElement() Line 43 WebKit_debug.dll!WebCore::SVGStyledTransformableElement::~SVGStyledTransformableElement() Line 47 WebKit_debug.dll!WebCore::SVGGElement::~SVGGElement() Line 42 WebKit_debug.dll!WebCore::SVGGElement::`vbase destructor'() + 0x16 bytes C++ WebKit_debug.dll!WebCore::SVGGElement::`scalar deleting destructor'() + 0x16 bytes C++ WebKit_debug.dll!WebCore::TreeShared<WebCore::Node>::removedLastRef() Line 99 WebKit_debug.dll!WebCore::TreeShared<WebCore::Node>::deref() Line 69 WebKit_debug.dll!WTF::RefPtr<WebCore::SVGElement>::operator=(WebCore::SVGElement * optr=0x00000000) Line 112 WebKit_debug.dll!WebCore::SVGSMILElement::removedFromDocument() Line 128 WebKit_debug.dll!WebCore::ContainerNode::removedFromDocument() Line 672 WebKit_debug.dll!WebCore::Element::removedFromDocument() Line 714 WebKit_debug.dll!WebCore::ContainerNode::addChildNodesToDeletionQueue(WebCore::Node * & head=0x020cf3c0, WebCore::Node * & tail=0x020c7298, WebCore::ContainerNode * container=0x020b8600) Line 82 WebKit_debug.dll!WebCore::ContainerNode::removeAllChildren() Line 109 WebKit_debug.dll!WebCore::Document::removedLastRef() Line 381 WebKit_debug.dll!WebCore::TreeShared<WebCore::Node>::deref() Line 69 WebKit_debug.dll!WTF::RefPtr<WebCore::Document>::operator=(const WTF::PassRefPtr<WebCore::Document> & o={...}) Line 121 WebKit_debug.dll!WebCore::Frame::setDocument(WTF::PassRefPtr<WebCore::Document> newDoc={...}) Line 257 WebKit_debug.dll!WebCore::FrameLoader::clear(bool clearWindowProperties=true, bool clearScriptObjects=true) Line 840 WebKit_debug.dll!WebCore::FrameLoader::begin(const WebCore::KURL & url={...}, bool dispatch=false, WebCore::SecurityOrigin * origin=0x00000000) Line 913 WebKit_debug.dll!WebCore::FrameLoader::receivedFirstData() Line 864 WebKit_debug.dll!WebCore::FrameLoader::setEncoding(const WebCore::String & name={...}, bool userChosen=false) Line 1833 WebKit_debug.dll!WebFrameLoaderClient::receivedData(const char * data=0x02121350, int length=8919, const WebCore::String & textEncoding={...}) Line 411 WebKit_debug.dll!WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader * loader=0x01fccca8, const char * data=0x02121350, int length=8919) Line 383 WebKit_debug.dll!WebCore::FrameLoader::committedLoad(WebCore::DocumentLoader * loader=0x01fccca8, const char * data=0x02121350, int length=8919) Line 3332 WebKit_debug.dll!WebCore::DocumentLoader::commitLoad(const char * data=0x02121350, int length=8919) Line 343 WebKit_debug.dll!WebCore::DocumentLoader::receivedData(const char * data=0x02121350, int length=8919) Line 355 WebKit_debug.dll!WebCore::FrameLoader::receivedData(const char * data=0x02121350, int length=8919) Line 2287 WebKit_debug.dll!WebCore::MainResourceLoader::addData(const char * data=0x02121350, int length=8919, bool allAtOnce=false) Line 139 WebKit_debug.dll!WebCore::ResourceLoader::didReceiveData(const char * data=0x02121350, int length=8919, __int64 lengthReceived=8919, bool allAtOnce=false) Line 244 WebKit_debug.dll!WebCore::MainResourceLoader::didReceiveData(const char * data=0x02121350, int length=8919, __int64 lengthReceived=8919, bool allAtOnce=false) Line 297 WebKit_debug.dll!WebCore::ResourceLoader::didReceiveData(WebCore::ResourceHandle * __formal=0x01fb2440, const char * data=0x02121350, int length=8919, int lengthReceived=8919) Line 375 WebKit_debug.dll!WebCore::didReceiveData(_CFURLConnection * conn=0x01fbd7e8, const __CFData * data=0x02121330, long originalLength=8919, const void * clientInfo=0x01fb2440) Line 107

Adam Roben (:aroben)

Comment 3 2008-04-17 13:05:10 PDT

It seems every other test is failing. In comment 1, I said that tests 1, 3, 5, 7, 9, 11, etc. were failing. I disabled those and now tests 4, 8, 12, 16, etc., are failing. So it seems to be every other animation test that fails.

Adam Roben (:aroben)

Comment 4 2008-04-17 13:31:13 PDT

This seems to only affect debug builds. It's possible it would happen on Mac as well if run under GuardMalloc.

Adam Roben (:aroben)

Comment 5 2008-04-17 14:16:08 PDT

Antti got the crash to reproduce under GuardMalloc on Mac.

Antti Koivisto

Comment 6 2008-04-17 18:05:33 PDT

Sending WebCore/ChangeLog Sending WebCore/svg/animation/SVGSMILElement.cpp Sending WebCore/svg/animation/SVGSMILElement.h Transmitting file data ... Committed revision 32039.

Adam Roben (:aroben)

Comment 7 2008-04-18 07:27:15 PDT

I just got this crash again while running svg/W3C-SVG-1.1/animate-elem-63-t.svg (though presumably it's the previous test that triggered the problem).

Adam Roben (:aroben)

Comment 8 2008-04-18 07:28:22 PDT

I should note that I was running r32206.

Antti Koivisto

Comment 9 2008-04-18 10:55:53 PDT

Created attachment 20672 [details] patch

Oliver Hunt

Comment 10 2008-04-18 14:05:59 PDT

Comment on attachment 20672 [details] patch Need new lines before unregister and handleEvent Otherwise this looks sane. r=me

Antti Koivisto

Comment 11 2008-04-18 15:21:03 PDT

Sending WebCore/ChangeLog Sending WebCore/svg/animation/SVGSMILElement.cpp Sending WebCore/svg/animation/SVGSMILElement.h Transmitting file data ... Committed revision 32230.

Note You need to log in before you can comment on or make changes to this bug.