Bug 40161

Summary: REGRESSION: crash when unloading an iFrame with Flash from the DOM
Product: WebKit
Component: DOM
Reporter: Sulka Haro <sulka>
Assignee: Simon Fraser (smfr) <simon.fraser>
Status: RESOLVED FIXED
Severity: Critical
Priority: P1
CC: ap, simon.fraser
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: Mac (Intel)
OS: OS X 10.6
Attachments: Patch (flags: mitz: review+)

Sulka Haro
Reported 2010-06-04 03:21:29 PDT
When unloading an iFrame from DOM, which contains an embedded Flash movie, the nightly webkit crashes 100% of the time. I don't have a test case at hand right now, but I'll try to get one (this is happening on the internal development server). The stable Safari and Chrome releases do not crash.

Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000048
Crashed Thread: 0 Dispatch queue: com.apple.main-thread

Thread 0 Crashed: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore            0x0000000100f48348 WebCore::Node::setNeedsStyleRecalc(WebCore::StyleChangeType) + 8
1   com.apple.WebCore            0x0000000101002b03 WebCore::RenderLayerCompositor::detachRootPlatformLayer() + 179
2   com.apple.WebCore            0x00000001009090ce WebCore::Document::documentWillBecomeInactive() + 30
3   com.apple.WebCore            0x000000010090e256 WebCore::Document::detach() + 38
4   com.apple.WebCore            0x0000000100a31701 WebCore::Frame::setView(WTF::PassRefPtr<WebCore::FrameView>) + 129
5   com.apple.WebCore            0x0000000100a3ab6d WebCore::FrameLoader::closeAndRemoveChild(WebCore::Frame*) + 45
6   com.apple.WebCore            0x0000000100a3ed82 WebCore::FrameLoader::detachFromParent() + 162
7   com.apple.WebCore            0x0000000100acdbcd WebCore::HTMLFrameOwnerElement::willRemove() + 45
8   com.apple.WebCore            0x000000010083a52c WebCore::ContainerNode::willRemove() + 44
9   com.apple.WebCore            0x000000010083a52c WebCore::ContainerNode::willRemove() + 44
10  com.apple.WebCore            0x000000010083a52c WebCore::ContainerNode::willRemove() + 44
11  com.apple.WebCore            0x000000010083a52c WebCore::ContainerNode::willRemove() + 44
12  com.apple.WebCore            0x000000010083d1cd WebCore::ContainerNode::removeChild(WebCore::Node*, int&) + 221
13  com.apple.WebCore            0x0000000100d4e09e WebCore::JSNode::removeChild(JSC::ExecState*) + 94
14  com.apple.WebCore            0x0000000100d4afdc WebCore::jsNodePrototypeFunctionRemoveChild(JSC::ExecState*) + 124
15  ???                          0x000042e1ae00017a 0 + 73537054310778
16  com.apple.JavaScriptCore     0x00000001005a9557 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, JSC::JSValue*) + 919
17  com.apple.Safari             0x0000000100000001 0x100000000 + 1
18  ???                          0x000000011ef11cd0 0 + 4814085328
19  com.apple.WebCore            0x0000000100c45690 WebCore::JSDOMWindowShell::~JSDOMWindowShell() + 0
20  ???                          0x0000441f0f66ffff 0 + 74900193083391

Testing using Version 4.0.5 (6531.22.7, r60654).
Attachments
Patch (4.20 KB, patch), 2010-06-11 16:27 PDT, Simon Fraser (smfr), flags: mitz: review+
Alexey Proskuryakov
Comment 1 2010-06-04 23:42:47 PDT
I couldn't reproduce this with an example of my own.
Sulka Haro
Comment 2 2010-06-05 03:06:23 PDT
Alas, we have no idea what part of the code is triggering the set of conditions needed for the crash, so I can't come up with a test case. We'll hopefully have the code in production soon - I'll send details immediately when this happens. The crash is reproducible 100% of the time and only on the nightlies, so I'm assuming it'll be there when the feature goes live.
Simon Fraser (smfr)
Comment 3 2010-06-05 08:25:23 PDT
I'm aware of this crash.
Simon Fraser (smfr)
Comment 4 2010-06-05 08:25:48 PDT
Simon Fraser (smfr)
Comment 5 2010-06-11 16:27:55 PDT
Simon Fraser (smfr)
Comment 6 2010-06-11 16:39:17 PDT