Bug 26671

Summary: Safari 4.0 crashes in WebCore::DOMTimer::fired()
Product: WebKit Reporter: David Carter <david.carter>
Component: DOMAssignee: Nobody <webkit-unassigned>
Status: VERIFIED FIXED    
Severity: Major CC: mitz, mrowe
Priority: P1 Keywords: InRadar, NeedsReduction
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
URL: http://lite.maps.nsw.gov.au/
Attachments:
Description Flags
Possible fix (no change log, no layout test)
none
Patch, including change log and regression test darin: review+

David Carter
Reported 2009-06-24 00:02:20 PDT
Safari 4.0 (530.17) crashes in WebCore::DOMTimer::fired(). The crash did not occur in Safari 3.2.2 (from http://support.apple.com/downloads/Safari_3_2_2_for_Windows). To repeat the crash, follow these steps: 1. Load http://lite.maps.nsw.gov.au/ 2. Click the zoom box tool on the circular navigator. 3. Click and drag the map to zoom into an area. Safari will crash. I checked out and debugged the latest WebKit code in Visual Studio, and found the crash was occurring in WebCore::DOMTimer::fired(). The error reported by Visual Stuio when the crash occurs is "A buffer overrun has occurred in Safari.exe which has corrupted the program's internal state.". Also, here is the Visual Studio call stack at the time of the crash: WebKit.dll!__crt_debugger_hook() Unknown WebKit.dll!__report_gsfailure() Line 298 + 0x7 bytes C WebKit.dll!WebCore::Node::compareDocumentPosition(WebCore::Node * otherNode=0x00000000) Line 2073 + 0x15 bytes C++ WebKit.dll!WebCore::Document::addStyleSheetCandidateNode(WebCore::Node * node=0x7e9bb160, bool createdByParser=true) Line 2287 C++ WebKit.dll!WebCore::ProcessingInstruction::insertedIntoDocument() Line 254 C++ WebKit.dll!WebCore::dispatchChildInsertionEvents(WebCore::Node * child=0x7e9bb160, int & ec=0) Line 874 C++ WebKit.dll!WebCore::ContainerNode::appendChild(WTF::PassRefPtr<WebCore::Node> newChild={...}, int & ec=2124132704, bool shouldLazyAttach=true) Line 483 + 0x7 bytes C++ WebKit.dll!WebCore::JSNode::appendChild(JSC::ExecState * exec=0x0c568944, const JSC::ArgList & args={...}) Line 105 C++ WebKit.dll!WebCore::jsNodePrototypeFunctionAppendChild(JSC::ExecState * exec=0x00000000, JSC::JSObject * __formal=0x0f662e14, JSC::JSValue thisValue={...}, const JSC::ArgList & args={...}) Line 1295 + 0xd bytes C++ JavaScriptCore.dll!JSC::JITCode::execute(JSC::RegisterFile * registerFile=0x7fd81d88, JSC::ExecState * callFrame=0x0c568024, JSC::JSGlobalData * globalData=0x00000000, JSC::JSValue * exception=0x0012f980) Line 83 + 0x1d bytes C++ JavaScriptCore.dll!JSC::Interpreter::execute(JSC::ProgramNode * programNode=, JSC::ExecState * callFrame=, JSC::ScopeChainNode * scopeChain=, JSC::JSObject * thisObj=, JSC::JSValue * exception=) Line 644 + 0x26 bytes C++ JavaScriptCore.dll!JSC::evaluate(JSC::ExecState * exec=0x7fe62500, JSC::ScopeChain & scopeChain={...}, const JSC::SourceCode & source={...}, JSC::JSValue thisValue={...}) Line 69 C++ WebKit.dll!WebCore::ScriptController::evaluate(const WebCore::ScriptSourceCode & sourceCode=) Line 103 C++ WebKit.dll!WebCore::FrameLoader::executeScript(const WebCore::ScriptSourceCode & sourceCode={...}) Line 781 C++ WebKit.dll!WebCore::FrameLoader::executeScript(const WebCore::String & script={...}, bool forceUserGesture=false) Line 768 + 0x6f bytes C++ WebKit.dll!WebCore::ScheduledAction::execute(WebCore::Document * document=0x00000000) Line 128 + 0x12 bytes C++ WebKit.dll!WebCore::DOMTimer::fired() Line 125 + 0x18 bytes C++
Attachments
Possible fix (no change log, no layout test) (1.90 KB, patch)
2009-06-25 08:55 PDT, mitz 		no flags
DetailsFormatted DiffDiff
Patch, including change log and regression test (5.53 KB, patch)
2009-06-25 10:08 PDT, mitz 		darin: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Mark Rowe (bdash)
Comment 1 2009-06-24 00:47:35 PDT
<rdar://problem/7001880>
Mark Rowe (bdash)
Comment 2 2009-06-24 10:03:47 PDT
Does this reproduce in a nightly build of WebKit?
David Carter
Comment 3 2009-06-24 19:29:23 PDT
The problem still occurs in the latest WebKit nightly build (r44969 / 24th June 2009).
Mark Rowe (bdash)
Comment 4 2009-06-24 19:36:41 PDT
Thanks. This may be Windows-specific. In my quick test I couldn't reproduce this on Mac OS X.
mitz
Comment 5 2009-06-25 08:55:48 PDT
Created attachment 31860 [details] Possible fix (no change log, no layout test) I think the problem is that stale nodes remain in the document’s style sheet candidate set. This patch fixes the crash.
mitz
Comment 6 2009-06-25 10:08:16 PDT
Created attachment 31862 [details] Patch, including change log and regression test
mitz
Comment 7 2009-06-25 12:45:53 PDT
Fixed in <http://trac.webkit.org/projects/webkit/changeset/45180>.
David Carter
Comment 8 2009-06-28 19:01:56 PDT
I've confirmed the crash no longer occurs in the latest WebKit nightly build. Thank you :)
Note You need to log in before you can comment on or make changes to this bug.