Bug 26671

Summary: Safari 4.0 crashes in WebCore::DOMTimer::fired()
Product: WebKit
Reporter: David Carter <david.carter>
Component: DOM
Assignee: Nobody <webkit-unassigned>
Status: VERIFIED FIXED
Severity: Major
CC: mitz, mrowe
Priority: P1
Keywords: InRadar, NeedsReduction
Version: 528+ (Nightly build)
Hardware: All
OS: All
URL: http://lite.maps.nsw.gov.au/
Attachments:
Possible fix (no change log, no layout test) (flags: none)
Patch, including change log and regression test (flags: darin: review+)

Description David Carter 2009-06-24 00:02:20 PDT
Safari 4.0 (530.17) crashes in WebCore::DOMTimer::fired().  The crash did not occur in Safari 3.2.2 (from http://support.apple.com/downloads/Safari_3_2_2_for_Windows).

To repeat the crash, follow these steps: 

1. Load http://lite.maps.nsw.gov.au/

2. Click the zoom box tool on the circular navigator. 

3. Click and drag the map to zoom into an area. Safari will crash.

I checked out and debugged the latest WebKit code in Visual Studio, and found the crash was occurring in WebCore::DOMTimer::fired().  The error reported by Visual Studio when the crash occurs is "A buffer overrun has occurred in Safari.exe which has corrupted the program's internal state.".  Also, here is the Visual Studio call stack at the time of the crash:

WebKit.dll!__crt_debugger_hook() 	Unknown
WebKit.dll!__report_gsfailure()  Line 298 + 0x7 bytes	C
WebKit.dll!WebCore::Node::compareDocumentPosition(WebCore::Node * otherNode=0x00000000)  Line 2073 + 0x15 bytes	C++
WebKit.dll!WebCore::Document::addStyleSheetCandidateNode(WebCore::Node * node=0x7e9bb160, bool createdByParser=true)  Line 2287	C++
WebKit.dll!WebCore::ProcessingInstruction::insertedIntoDocument()  Line 254	C++
WebKit.dll!WebCore::dispatchChildInsertionEvents(WebCore::Node * child=0x7e9bb160, int & ec=0)  Line 874	C++
WebKit.dll!WebCore::ContainerNode::appendChild(WTF::PassRefPtr<WebCore::Node> newChild={...}, int & ec=2124132704, bool shouldLazyAttach=true)  Line 483 + 0x7 bytes	C++
WebKit.dll!WebCore::JSNode::appendChild(JSC::ExecState * exec=0x0c568944, const JSC::ArgList & args={...})  Line 105	C++
WebKit.dll!WebCore::jsNodePrototypeFunctionAppendChild(JSC::ExecState * exec=0x00000000, JSC::JSObject * __formal=0x0f662e14, JSC::JSValue thisValue={...}, const JSC::ArgList & args={...})  Line 1295 + 0xd bytes	C++
JavaScriptCore.dll!JSC::JITCode::execute(JSC::RegisterFile * registerFile=0x7fd81d88, JSC::ExecState * callFrame=0x0c568024, JSC::JSGlobalData * globalData=0x00000000, JSC::JSValue * exception=0x0012f980)  Line 83 + 0x1d bytes	C++
JavaScriptCore.dll!JSC::Interpreter::execute(JSC::ProgramNode * programNode=, JSC::ExecState * callFrame=, JSC::ScopeChainNode * scopeChain=, JSC::JSObject * thisObj=, JSC::JSValue * exception=)  Line 644 + 0x26 bytes	C++
JavaScriptCore.dll!JSC::evaluate(JSC::ExecState * exec=0x7fe62500, JSC::ScopeChain & scopeChain={...}, const JSC::SourceCode & source={...}, JSC::JSValue thisValue={...})  Line 69	C++
WebKit.dll!WebCore::ScriptController::evaluate(const WebCore::ScriptSourceCode & sourceCode=)  Line 103	C++
WebKit.dll!WebCore::FrameLoader::executeScript(const WebCore::ScriptSourceCode & sourceCode={...})  Line 781	C++
WebKit.dll!WebCore::FrameLoader::executeScript(const WebCore::String & script={...}, bool forceUserGesture=false)  Line 768 + 0x6f bytes	C++
WebKit.dll!WebCore::ScheduledAction::execute(WebCore::Document * document=0x00000000)  Line 128 + 0x12 bytes	C++
WebKit.dll!WebCore::DOMTimer::fired()  Line 125 + 0x18 bytes	C++
Comment 1 Mark Rowe (bdash) 2009-06-24 00:47:35 PDT
<rdar://problem/7001880>
Comment 2 Mark Rowe (bdash) 2009-06-24 10:03:47 PDT
Does this reproduce in a nightly build of WebKit?
Comment 3 David Carter 2009-06-24 19:29:23 PDT
The problem still occurs in the latest WebKit nightly build (r44969 / 24th June 2009).
Comment 4 Mark Rowe (bdash) 2009-06-24 19:36:41 PDT
Thanks.  This may be Windows-specific.  In my quick test I couldn't reproduce this on Mac OS X.
Comment 5 mitz 2009-06-25 08:55:48 PDT
Created attachment 31860 [details]
Possible fix (no change log, no layout test)

I think the problem is that stale nodes remain in the document’s style sheet candidate set. This patch fixes the crash.
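The failure class named in comment 5, a set of style sheet candidate nodes that keeps entries for nodes which have since left the document, can be modelled in a few lines. The following is an added illustration and not WebKit's code: the Node and Document types, the method names, and the scenario of removing one of three registered candidates are all assumptions chosen to mirror the stack trace above (a candidate set consulted during child insertion). It shows the leaky removal beside a removal that also drops the node from the candidate set, and replaces the real crash with a boolean result so it can be run safely.

```cpp
#include <algorithm>
#include <cstddef>
#include <iostream>
#include <memory>
#include <set>
#include <vector>

// Toy model (added example, not WebKit code). A node only records whether it
// is still attached to the document.
struct Node {
    int id;
    bool inDocument;
};

class Document {
public:
    // Appends a node and hands out a raw pointer, as DOM code commonly does.
    Node* appendChild(int id) {
        children_.emplace_back(new Node{id, true});
        return children_.back().get();
    }

    void addStyleSheetCandidate(Node* n) { candidates_.insert(n); }

    // Buggy removal: the node leaves the tree but its pointer stays in candidates_.
    void removeChildLeaky(Node* n) { detach(n); }

    // Fixed removal: a node leaving the document is also dropped from the candidate set.
    void removeChildFixed(Node* n) {
        candidates_.erase(n);
        detach(n);
    }

    // Candidate entries that no longer refer to a child of this document.
    std::size_t staleCandidateCount() const {
        std::size_t stale = 0;
        for (const Node* c : candidates_)
            if (!c->inDocument) ++stale;
        return stale;
    }

    // Models the document-order comparison: a detached node has no position.
    bool documentPosition(const Node* n, std::size_t& out) const {
        for (std::size_t i = 0; i < children_.size(); ++i)
            if (children_[i].get() == n) { out = i; return true; }
        return false;
    }

    // The step that fails in the report: ordering a new candidate against the
    // existing ones. Returns false (instead of crashing) on a stale candidate.
    bool insertCandidateInDocumentOrder(Node* n) {
        std::size_t pos = 0;
        for (const Node* c : candidates_)
            if (!documentPosition(c, pos)) return false;
        candidates_.insert(n);
        return true;
    }

private:
    void detach(Node* n) {
        auto it = std::find_if(children_.begin(), children_.end(),
            [n](const std::unique_ptr<Node>& p) { return p.get() == n; });
        if (it == children_.end()) return;
        (*it)->inDocument = false;
        detached_.push_back(std::move(*it)); // kept alive, as a script reference would
        children_.erase(it);
    }

    std::vector<std::unique_ptr<Node>> children_;
    std::vector<std::unique_ptr<Node>> detached_;
    std::set<Node*> candidates_;
};

// Constructed scenario: three registered candidates, the middle one removed,
// then a fourth candidate inserted. Returns the stale count after removal.
std::size_t staleCandidatesAfterRemoval(bool useFix) {
    Document doc;
    Node* a = doc.appendChild(1);
    Node* b = doc.appendChild(2);
    Node* c = doc.appendChild(3);
    doc.addStyleSheetCandidate(a);
    doc.addStyleSheetCandidate(b);
    doc.addStyleSheetCandidate(c);
    if (useFix) doc.removeChildFixed(b); else doc.removeChildLeaky(b);
    return doc.staleCandidateCount();
}

// Same scenario; true if the later insertion completed without meeting a stale entry.
bool insertionSucceeds(bool useFix) {
    Document doc;
    Node* a = doc.appendChild(1);
    Node* b = doc.appendChild(2);
    Node* c = doc.appendChild(3);
    doc.addStyleSheetCandidate(a);
    doc.addStyleSheetCandidate(b);
    doc.addStyleSheetCandidate(c);
    if (useFix) doc.removeChildFixed(b); else doc.removeChildLeaky(b);
    Node* d = doc.appendChild(4);
    return doc.insertCandidateInDocumentOrder(d);
}

int main() {
    std::cout << "leaky: stale=" << staleCandidatesAfterRemoval(false)
              << " insert ok=" << insertionSucceeds(false) << '\n';
    std::cout << "fixed: stale=" << staleCandidatesAfterRemoval(true)
              << " insert ok=" << insertionSucceeds(true) << '\n';
    return 0;
}
```

The point of the model is the invariant, not the container: any registry of raw node pointers must be updated on the same code path that detaches the node, or a later walk over the registry operates on nodes the document no longer owns.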
Comment 6 mitz 2009-06-25 10:08:16 PDT
Created attachment 31862 [details]
Patch, including change log and regression test
Comment 7 mitz 2009-06-25 12:45:53 PDT
Fixed in <http://trac.webkit.org/projects/webkit/changeset/45180>.
Comment 8 David Carter 2009-06-28 19:01:56 PDT
I've confirmed the crash no longer occurs in the latest WebKit nightly build. Thank you :)