Bug 40726

Summary: HTML5 parser crash when setTimeout document.write after slow script
Product: WebKit
Reporter: Tony Gentilcore <tonyg>
Component: WebCore Misc.
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: abarth, bulach, eric
Priority: P2
Version: 528+ (Nightly build)
Hardware: PC
OS: OS X 10.5
URL: http://house.focus.cn/news/2010-03-29/890844.html
Bug Depends on:
Bug Blocks: 39259
Attachments (description, flags):
  layout test: none
  work in progress: none
  Patch: eric: review+, abarth: commit-queue+

Tony Gentilcore
Reported 2010-06-16 11:33:52 PDT
This showed up on the chromium reliability bots. Here's a test case:

    <html>
    <body>
    <script>
    setTimeout("document.write('foo');", 1000);
    </script>
    <script src="script-which-takes-2s-to-load.js"></script>
    </body>
    </html>
Attachments
  layout test (535 bytes, patch), 2010-06-16 11:55 PDT, Adam Barth, no flags
  work in progress (9.34 KB, patch), 2010-06-16 12:22 PDT, Adam Barth, no flags
  Patch (12.36 KB, patch), 2010-06-16 13:41 PDT, Adam Barth, eric: review+, abarth: commit-queue+
Eric Seidel (no email)
Comment 1 2010-06-16 11:35:33 PDT
Ah. We don't know that we're still executing script while the timeout is going. So we don't return the proper value from executingScript() and end up getting ourselves deleted... I think.
Eric Seidel (no email)
Comment 2 2010-06-16 11:45:13 PDT
Oh, I mis-read. The parser will still be alive! We're just getting a delayed document.write() callback while we're waiting for another script to load. So the parser will be paused, but the document.write will be from some other script. Shouldn't be too hard to debug.
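To make the situation in the comment above concrete, here is an added example (not WebKit's code and not the patch on this bug): a toy parser model in JavaScript showing why a document.write() that arrives from a timer while the parser is paused on an external script must be routed differently from a write issued by the parser-inserted script currently running. It assumes the HTML spec's insertion-point rule (a write with no insertion point implies document.open()); the class, function and URL names are mine.

```javascript
// Added example, not WebKit's code or this bug's patch: a toy parser model.
// Assumption: follows the HTML spec's insertion-point rule, where a write
// with no insertion point implies document.open(); all names are invented.
class ParserModel {
  constructor() {
    this.input = "";                    // what the tokenizer has yet to consume
    this.insertionPointDefined = false; // true only while a parser-inserted script runs
    this.pausedForScript = null;        // external script URL we are blocked on
    this.documentOpens = 0;
    this.log = [];
  }
  runInlineScript(fn) {                 // parser executes an inline <script>
    this.insertionPointDefined = true;
    try { fn(this); } finally { this.insertionPointDefined = false; }
  }
  pauseForExternalScript(url) {         // <script src=...> blocks parsing
    this.pausedForScript = url;
    this.log.push("pause:" + url);
  }
  documentWrite(text) {
    if (this.insertionPointDefined) {   // caller is the script we are running
      this.input += text;
      this.log.push("insert:" + text);
      return "inserted";
    }
    // No insertion point (timer, event handler): the parser must not assume
    // it is inside its own script. Spec behaviour is an implicit
    // document.open(), which discards the paused parse and the pending script.
    this.documentOpens++;
    this.pausedForScript = null;
    this.input = text;
    this.log.push("open+write:" + text);
    return "opened";
  }
}
// Scenario from the bug: setTimeout fires while parsing is paused on slow.js.
function reproduce() {
  const p = new ParserModel();
  const timers = [];
  p.runInlineScript(m => timers.push(() => m.documentWrite("foo")));
  p.pauseForExternalScript("slow.js");  // constructed URL, stands in for the 2s script
  const result = timers[0]();           // timer fires before slow.js arrives
  return { result, opens: p.documentOpens, stillPaused: p.pausedForScript !== null, log: p.log };
}
// Contrast: the same write issued synchronously from the inline script.
function inlineWrite() {
  const p = new ParserModel();
  let r;
  p.runInlineScript(m => { r = m.documentWrite("foo"); });
  return r;
}
```

The point of the model is the state check at the top of documentWrite(): the timer-driven call must be recognised as coming from outside the parser's own script, which is exactly the distinction the crash trace here hinges on.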
Adam Barth
Comment 3 2010-06-16 11:55:32 PDT
Created attachment 58917: layout test
Adam Barth
Comment 4 2010-06-16 12:22:42 PDT
Created attachment 58921: work in progress
Adam Barth
Comment 5 2010-06-16 13:41:31 PDT
Eric Seidel (no email)
Comment 6 2010-06-16 13:46:37 PDT
Comment on attachment 58923 (Patch): LGTM.
Eric Seidel (no email)
Comment 7 2010-06-16 13:47:04 PDT
This might break pages, but it's good to agree with the spec and Minefield.
Adam Barth
Comment 8 2010-06-16 13:49:15 PDT
Comment on attachment 58923 (Patch): I think this is one of the handful of evangelism bugs Henri has open.
Adam Barth
Comment 9 2010-06-16 14:57:44 PDT