Bug 18615

Summary:

Crash in PluginPackage::hash

Product:

WebKit

Reporter:

Joey Geraci <joey2264>

Component:

WebKit Misc.

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Major

CC:

aroben, dev+webkit

Priority:

Version:

528+ (Nightly build)

Hardware:

OS:

Windows XP

URL:

http://www.google.com/reader

Attachments:

Description	Flags
Dr. Watson dmp file from crash	none
Patch v1 with ChangeLog	andersca: review+

Joey Geraci

Reported 2008-04-18 21:44:49 PDT

On at least the last three nightly webkit builds, Safari 3.1.1 crashes when a complicated site is attempted to be reached. On a couple of occasions, it would just sit there, refusing to load the site. But it crashes on Google Reader, and on cramster.com, among other sites. It looks Google Custom Homepage fine. Don't understand! Safari 3.1.1 runs fine when run normally (instead of with a nightly webkit build), and nightly webkit builds ran fine before on the Safari 3.1 beta.

Attachments
Dr. Watson dmp file from crash (42.75 KB, application/octet-stream) 2008-04-18 21:50 PDT, Joey Geraci	no flags	Details
Patch v1 with ChangeLog (1.69 KB, patch) 2008-04-21 12:49 PDT, Adam Roben (:aroben)	andersca: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Joey Geraci

Comment 1 2008-04-18 21:50:49 PDT

Created attachment 20682 [details] Dr. Watson dmp file from crash

Matt Lilek

Comment 2 2008-04-18 21:59:52 PDT

Stack trace from dump: > WebKit.dll!WebCore::PluginPackage::hash() Line 364 C++ WebKit.dll!WTF::HashTable<int,int,WTF::IdentityExtractor<int>,WebCore::PluginPackageHash,WTF::HashTraits<int>,WTF::HashTraits<int> >::add<WTF::RefPtr<WebCore::PluginPackage>,WTF::RefPtr<WebCore::PluginPackage>,WTF::HashSetTranslator<0,WTF::RefPtr<WebCore::PluginPackage>,WTF::HashTraits<WTF::RefPtr<WebCore::PluginPackage> >,WTF::HashTraits<int>,WebCore::PluginPackageHash> >(const WTF::RefPtr<WebCore::PluginPackage> & key={...}, const WTF::RefPtr<WebCore::PluginPackage> & extra={...}) Line 613 + 0x16 bytes C++ WebKit.dll!WebCore::PluginDatabase::add(WTF::PassRefPtr<WebCore::PluginPackage> prpPackage={...}) Line 251 + 0x1b bytes C++ WebKit.dll!WebCore::PluginDatabase::refresh() Line 109 + 0x3b bytes C++ WebKit.dll!WebCore::PluginDatabase::installedPlugins() Line 47 C++ WebKit.dll!WebCore::PluginData::initPlugins() Line 32 C++ WebKit.dll!WebCore::PluginData::PluginData(const WebCore::Page * page=0x7feb9a28) Line 34 C++ WebKit.dll!WebCore::PluginData::create(const WebCore::Page * page=0x7feb9a28) Line 49 + 0x69 bytes C++ WebKit.dll!WebCore::Page::pluginData() Line 260 + 0xa bytes C++ WebKit.dll!WebCore::PluginArray::length() Line 42 C++ WebKit.dll!KJS::staticValueGetter<WebCore::JSPluginArray>(KJS::ExecState * exec=0x0012ef70, KJS::JSObject * __formal=0x045e6000, KJS::JSObject * __formal=0x045e6000, const KJS::PropertySlot & slot={...}) Line 109 + 0xb bytes C++ WebKit.dll!KJS::JSObject::get(KJS::ExecState * exec=0x10276270, const KJS::Identifier & propertyName={...}) Line 174 + 0x16 bytes C++ WebKit.dll!KJS::DotAccessorNode::evaluate(KJS::ExecState * exec=0x0012ef70) Line 966 + 0x15 bytes C++ WebKit.dll!KJS::LogicalAndNode::evaluateToBoolean(KJS::ExecState * exec=0x0012ef70) Line 3366 + 0xf bytes C++ WebKit.dll!KJS::IfElseNode::execute(KJS::ExecState * exec=0x0012ef70) Line 4044 C++ WebKit.dll!KJS::statementListExecute(WTF::Vector<WTF::RefPtr<KJS::StatementNode>,0> & statements={...}, KJS::ExecState * exec=0x00000000) Line 3947 C++ WebKit.dll!KJS::FunctionBodyNode::execute(KJS::ExecState * exec=0x00000005) Line 4890 + 0x8 bytes C++ WebKit.dll!KJS::JSObject::call(KJS::ExecState * exec=0x0012f0c8, KJS::JSObject * thisObj=0x045e0000, const KJS::List & args={...}) Line 101 + 0x191 bytes C++ WebKit.dll!KJS::ScopedVarFunctionCallNode::evaluate(KJS::ExecState * exec=0x0012f0c8) Line 1320 + 0x11 bytes C++ WebKit.dll!KJS::AssignLocalVarNode::evaluate(KJS::ExecState * exec=0x0012f0c8) Line 3556 C++ WebKit.dll!KJS::ExprStatementNode::execute(KJS::ExecState * exec=0x0012f0c8) Line 3994 C++ WebKit.dll!KJS::IfNode::execute(KJS::ExecState * exec=0x0012f0c8) Line 4030 + 0xb bytes C++ WebKit.dll!KJS::statementListExecute(WTF::Vector<WTF::RefPtr<KJS::StatementNode>,0> & statements={...}, KJS::ExecState * exec=0x00000000) Line 3947 C++ WebKit.dll!KJS::FunctionBodyNode::execute(KJS::ExecState * exec=0x00000009) Line 4890 + 0x8 bytes C++ WebKit.dll!KJS::JSObject::call(KJS::ExecState * exec=0x0012f270, KJS::JSObject * thisObj=0x045e0000, const KJS::List & args={...}) Line 101 + 0x191 bytes C++ WebKit.dll!KJS::ScopedVarFunctionCallNode::evaluate(KJS::ExecState * exec=0x0012f270) Line 1320 + 0x11 bytes C++ WebKit.dll!KJS::ReadModifyLocalVarNode::evaluate(KJS::ExecState * exec=) Line 3537 + 0x138 bytes C++ WebKit.dll!KJS::statementListExecute(WTF::Vector<WTF::RefPtr<KJS::StatementNode>,0> & statements={...}, KJS::ExecState * exec=0x00000000) Line 3947 C++ WebKit.dll!KJS::IfNode::execute(KJS::ExecState * exec=0x0012f270) Line 4030 + 0xb bytes C++ WebKit.dll!KJS::statementListExecute(WTF::Vector<WTF::RefPtr<KJS::StatementNode>,0> & statements={...}, KJS::ExecState * exec=0x00000000) Line 3947 C++ WebKit.dll!KJS::FunctionBodyNode::execute(KJS::ExecState * exec=0x00000006) Line 4890 + 0x8 bytes C++ WebKit.dll!KJS::JSObject::call(KJS::ExecState * exec=0x0012f3a4, KJS::JSObject * thisObj=0x045e0000, const KJS::List & args={...}) Line 101 + 0x191 bytes C++ WebKit.dll!KJS::ScopedVarFunctionCallNode::evaluate(KJS::ExecState * exec=0x0012f3a4) Line 1320 + 0x11 bytes C++ WebKit.dll!KJS::ExprStatementNode::execute(KJS::ExecState * exec=0x0012f3a4) Line 3994 C++ WebKit.dll!KJS::statementListExecute(WTF::Vector<WTF::RefPtr<KJS::StatementNode>,0> & statements={...}, KJS::ExecState * exec=0x00000000) Line 3947 C++ WebKit.dll!KJS::FunctionBodyNode::execute(KJS::ExecState * exec=0x0000000c) Line 4890 + 0x8 bytes C++ WebKit.dll!KJS::JSObject::call(KJS::ExecState * exec=0x0012f4e0, KJS::JSObject * thisObj=0x045e0000, const KJS::List & args={...}) Line 101 + 0x191 bytes C++ WebKit.dll!KJS::LocalVarFunctionCallNode::evaluate(KJS::ExecState * exec=0x0012f4e0) Line 1266 + 0x11 bytes C++ WebKit.dll!KJS::ExprStatementNode::execute(KJS::ExecState * exec=0x0012f4e0) Line 3994 C++ WebKit.dll!KJS::statementListExecute(WTF::Vector<WTF::RefPtr<KJS::StatementNode>,0> & statements={...}, KJS::ExecState * exec=0x00000000) Line 3947 C++ WebKit.dll!KJS::ProgramNode::execute(KJS::ExecState * exec=0x00000000) Line 4878 + 0x8 bytes C++ WebKit.dll!KJS::Interpreter::evaluate(KJS::ExecState * exec=0x7fead61c, const KJS::UString & sourceURL={...}, int startingLineNumber=70, const wchar_t * code=0x7fbc4dc0, int codeLength=165, KJS::JSValue * thisV=0x045e0000) Line 110 C++ WebKit.dll!WebCore::KJSProxy::evaluate(const WebCore::String & filename={...}, int baseLine=70, const WebCore::String & str={...}) Line 87 + 0x39 bytes C++ WebKit.dll!WebCore::FrameLoader::executeScript(const WebCore::String & url={...}, int baseLine=70, const WebCore::String & script={...}) Line 773 C++ WebKit.dll!WebCore::HTMLTokenizer::scriptExecution(const WebCore::String & str={...}, WebCore::HTMLTokenizer::State state={...}, const WebCore::String & scriptURL={...}, int baseLine=70) Line 543 C++ WebKit.dll!WebCore::HTMLTokenizer::scriptHandler(WebCore::HTMLTokenizer::State state={...}) Line 480 + 0x1c bytes C++ WebKit.dll!WebCore::HTMLTokenizer::parseSpecial(WebCore::SegmentedString & src={...}, WebCore::HTMLTokenizer::State state={...}) Line 330 + 0xf bytes C++ WebKit.dll!WebCore::HTMLTokenizer::parseTag(WebCore::SegmentedString & src={...}, WebCore::HTMLTokenizer::State state={...}) Line 1492 + 0x26 bytes C++ WebKit.dll!WebCore::HTMLTokenizer::write(const WebCore::SegmentedString & str=, bool appendData=) Line 1673 C++ WebKit.dll!WTF::HashMap<WebCore::Node *,WebCore::JSNode *,WTF::PtrHash<WebCore::Node *>,WTF::HashTraits<WebCore::Node *>,WTF::HashTraits<WebCore::JSNode *> >::take(WebCore::Node * const & key=) Line 333 C++ WebKit.dll!WebCore::Event::`scalar deleting destructor'() + 0x95 bytes C++

Adam Roben (:aroben)

Comment 3 2008-04-21 12:34:40 PDT

It looks like PluginPackage::createPackage is returning 0, leading to a null deref in HashTable. We should be able to fix this pretty easily by changing PluginDatabase::refresh not to call add() when createPackage returns 0.

Adam Roben (:aroben)

Comment 4 2008-04-21 12:49:31 PDT

Created attachment 20737 [details] Patch v1 with ChangeLog

Anders Carlsson

Comment 5 2008-04-21 13:08:35 PDT

Comment on attachment 20737 [details] Patch v1 with ChangeLog r=me

Adam Roben (:aroben)

Comment 6 2008-04-21 13:18:40 PDT

Committed in r32340

Note You need to log in before you can comment on or make changes to this bug.