Bug 48643

Summary: XMLDocumentParser gets deleted and then used in LayoutTest/fast/frames/set-parent-src-synchronously.xhtml on Qt/Linux
Product: WebKit
Reporter: Peter Rybin <peter.rybin>
Component: WebCore Misc.
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: abarth, commit-queue, peter.rybin
Priority: P2
Version: 528+ (Nightly build)
Hardware: All
OS: All
Attachments:
Patch (flags: none)

Peter Rybin
Reported 2010-10-29 09:41:55 PDT
On the Qt/Linux platform, in LayoutTests/fast/frames/set-parent-src-synchronously.xhtml, an instance of XMLDocumentParser gets deleted:

3:_ZN7WebCore17XMLDocumentParserD0Ev+0x6a)
4:_ZN3WTF10RefCountedIN7WebCore14DocumentParserEE5derefEv+0x43)
5:_ZN3WTF14derefIfNotNullIN7WebCore14DocumentParserEEEvPT_+0x2e)
6:_ZN3WTF6RefPtrIN7WebCore14DocumentParserEE5clearEv+0x2e)
7:_ZN7WebCore8Document12detachParserEv+0x52)
8:_ZN7WebCore8Document13cancelParsingEv+0x37)
9:_ZN7WebCore11FrameLoader5clearEbbb+0x8f)
10:_ZN7WebCore14DocumentWriter5beginERKNS_4KURLEbPNS_14SecurityOriginE+0x1b1)
11:_ZN7WebCore14DocumentWriter15replaceDocumentERKN3WTF6StringE+0x7b)
12:_ZN7WebCore16ScriptController22executeIfJavaScriptURLERKNS_4KURLENS_36ShouldReplaceDocumentIfJavaScriptURLE+0x27b)
13:_ZN7WebCore14SubframeLoader12requestFrameEPNS_21HTMLFrameOwnerElementERKN3WTF6StringERKNS3_12AtomicStringEbb+0x19c)
14:_ZN7WebCore20HTMLFrameElementBase7openURLEbb+0x171)
15:_ZN7WebCore20HTMLFrameElementBase11setLocationERKN3WTF6StringE+0xe1)
16:_ZN7WebCore20HTMLFrameElementBase20parseMappedAttributeEPNS_9AttributeE+0x6c)
17:_ZN7WebCore17HTMLIFrameElement20parseMappedAttributeEPNS_9AttributeE+0x2ce)
18:_ZN7WebCore13StyledElement16attributeChangedEPNS_9AttributeEb+0x292)
19:_ZN7WebCore7Element12setAttributeERKN3WTF12AtomicStringES4_Ri+0x308)
20:_ZN7WebCore38jsElementPrototypeFunctionSetAttributeEPN3JSC9ExecStateE+0x232)
21: ***
22: ***
23: ***
24: ***
25:_ZN7WebCore21JSMainThreadExecState8evaluateEPN3JSC9ExecStateERNS1_10ScopeChainERKNS1_10SourceCodeENS1_7JSValueE+0x54)
26:_ZN7WebCore16ScriptController15evaluateInWorldERKNS_16ScriptSourceCodeEPNS_15DOMWrapperWorldENS_14ShouldAllowXSSE+0x1bd)
27:_ZN7WebCore16ScriptController8evaluateERKNS_16ScriptSourceCodeENS_14ShouldAllowXSSE+0x3f)
28:_ZN7WebCore16ScriptController13executeScriptERKNS_16ScriptSourceCodeENS_14ShouldAllowXSSE+0xa9)
29:_ZN7WebCore17XMLDocumentParser15parseEndElementEv+0x63e)
30:_ZN7WebCore17XMLDocumentParser5parseEv+0x87)
31:_ZN7WebCore17XMLDocumentParser7doWriteERKN3WTF6StringE+0xee)
32:_ZN7WebCore17XMLDocumentParser6appendERKNS_15SegmentedStringE+0x17c)
33:_ZN7WebCore25DecodedDataDocumentParser11appendBytesEPNS_14DocumentWriterEPKcib+0xfb)
34:_ZN7WebCore14DocumentWriter7addDataEPKcib+0x275)
35:_ZN7WebCore14DocumentLoader10commitDataEPKci+0x14b)
36:_ZN7WebCore19FrameLoaderClientQt13committedLoadEPNS_14DocumentLoaderEPKci+0x39)
37:_ZN7WebCore14DocumentLoader10commitLoadEPKci+0xa1)
38:_ZN7WebCore14DocumentLoader12receivedDataEPKci+0x58)
39:_ZN7WebCore18MainResourceLoader7addDataEPKcib+0x5a)
40:_ZN7WebCore14ResourceLoader14didReceiveDataEPKcixb+0x60)
41:_ZN7WebCore18MainResourceLoader14didReceiveDataEPKcixb+0x1d3)
42:_ZN7WebCore14ResourceLoader14didReceiveDataEPNS_14ResourceHandleEPKcii+0x7c)
43:_ZN7WebCore20QNetworkReplyHandler11forwardDataEv+0x121)
44:_ZN7WebCore20QNetworkReplyHandler11qt_metacallEN11QMetaObject4CallEiPPv+0x9c)

and then used again:

* segfault *
WebCore::XMLDocumentParser::popCurrentNode()
WebCore::XMLDocumentParser::parseEndElement()
WebCore::XMLDocumentParser::parse()
WebCore::XMLDocumentParser::doWrite(WTF::String const&)
WebCore::XMLDocumentParser::append(WebCore::SegmentedString const&)
WebCore::DecodedDataDocumentParser::appendBytes(WebCore::DocumentWriter*, char const*, int, bool)
WebCore::DocumentWriter::addData(char const*, int, bool)
WebCore::DocumentLoader::commitData(char const*, int)
WebCore::FrameLoaderClientQt::committedLoad(WebCore::DocumentLoader*, char const*, int)
WebCore::DocumentLoader::commitLoad(char const*, int)
WebCore::MainResourceLoader::addData(char const*, int, bool)
WebCore::ResourceLoader::didReceiveData(char const*, int, long long, bool)
WebCore::MainResourceLoader::didReceiveData(char const*, int, long long, bool)
WebCore::ResourceLoader::didReceiveData(WebCore::ResourceHandle*, char const*, int, int)
WebCore::QNetworkReplyHandler::forwardData()
WebCore::QNetworkReplyHandler::qt_metacall(QMetaObject::Call, int, void**)
QMetaObject::metacall(QObject*, QMetaObject::Call, int, void**)
QMetaCallEvent::placeMetaCall(QObject*)
QObject::event(QEvent*)
QApplicationPrivate::notify_helper(QObject*, QEvent*)
QApplication::notify(QObject*, QEvent*)
QCoreApplication::notifyInternal(QObject*, QEvent*)
QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*)
QCoreApplication::sendPostedEvents(QObject*, int)

The method WebCore::XMLDocumentParser::parseEndElement() in XMLDocumentParserQt.cpp seems to be the point where the 2 stack traces split. It first calls executeScript, where the parser gets deleted, and then popCurrentNode, and the process fails. This segfault is very flaky. It is also often erroneously attributed to the innocent LayoutTests/fast/frames/set-unloaded-frame-location.html that goes right after it in the batch run.
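The sequence in the report is a re-entrancy use-after-free on an intrusively ref-counted object: parseEndElement runs a script, the script's javascript: navigation replaces the document, Document::cancelParsing drops the document's RefPtr to the parser (its only reference), and parseEndElement then continues on the freed object. The C++ sketch below is an added illustration, not WebKit's code and not the patch attached to this bug; its RefPtr, Parser and Document are toy stand-ins loosely modelled on WTF::RefPtr, WTF::RefCounted and the Document/parser relationship in the trace, and the function names are assumed. It shows the parser dying during the callback when nothing protects it, next to the usual defence for callbacks that can re-enter the loader: a local `RefPtr<Parser> protect(this)` held for the duration of the call, followed by a stopped check before touching parser state. Whether r71654 used exactly this idiom is not stated on this page.

```cpp
#include <cassert>
#include <functional>
#include <string>
#include <vector>

struct Document;

// Toy intrusive smart pointer in the spirit of WTF::RefPtr (assumption: a
// simplified stand-in, not WebKit's class). clear() nulls the slot before
// dereffing so re-entrant code never observes a half-dead pointer.
template <typename T>
class RefPtr {
public:
    RefPtr() : m_ptr(nullptr) {}
    explicit RefPtr(T* p) : m_ptr(p) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr& o) : m_ptr(o.m_ptr) { if (m_ptr) m_ptr->ref(); }
    RefPtr& operator=(const RefPtr&) = delete;
    ~RefPtr() { clear(); }
    void clear() { T* p = m_ptr; m_ptr = nullptr; if (p) p->deref(); }
    T* get() const { return m_ptr; }
    T* operator->() const { return m_ptr; }
    explicit operator bool() const { return m_ptr != nullptr; }
private:
    T* m_ptr;
};

static int g_liveParsers = 0;   // number of Parser objects currently allocated

// Toy XMLDocumentParser: an element stack plus a ref count that frees the
// object when it reaches zero, like WTF::RefCounted.
struct Parser {
    int refCount = 0;
    bool stopped = false;
    std::vector<std::string> openElements{"html", "script"};   // constructed sample

    Parser() { ++g_liveParsers; }
    ~Parser() { --g_liveParsers; }
    void ref() { ++refCount; }
    void deref() { if (--refCount == 0) delete this; }
    void stopParsing() { stopped = true; }
    void popCurrentNode() { openElements.pop_back(); }

    // Hardened parseEndElement: returns true if popCurrentNode ran.
    bool parseEndElement(Document& doc, const std::function<void(Document&)>& script);
};

// Toy Document owning the parser. cancelParsing() models what the javascript:
// navigation in the trace reaches via FrameLoader::clear -> Document::cancelParsing.
struct Document {
    RefPtr<Parser> parser;
    Document() : parser(new Parser) {}
    void cancelParsing() {
        if (!parser) return;
        parser->stopParsing();
        parser.clear();     // may drop the last reference and free the parser
    }
};

bool Parser::parseEndElement(Document& doc, const std::function<void(Document&)>& script) {
    // Self-protection: hold a reference across the script so it cannot free `this`.
    RefPtr<Parser> protect(this);
    script(doc);                    // stands in for executeScript(); may cancel parsing
    // If the script replaced the document we were stopped and detached; there is
    // nothing left to pop, so bail out before touching the element stack.
    if (stopped)
        return false;
    popCurrentNode();
    return true;
}

// Unprotected case, modelled without dereferencing freed memory: the document
// holds the only reference, so cancelling parsing frees the parser. Inside an
// unguarded parseEndElement, `this` would now dangle and popCurrentNode() would
// be the crash in the second trace.
bool parserFreedByUnprotectedScript() {
    int before = g_liveParsers;
    Document doc;
    assert(g_liveParsers == before + 1);
    doc.cancelParsing();
    return g_liveParsers == before;
}

// Hardened case: the script still detaches the parser, but `protect` keeps it
// alive until parseEndElement returns, and the stopped check skips the pop.
bool guardedEndElementSurvivesDocumentReplacement() {
    Document doc;
    Parser* parser = doc.parser.get();
    bool popped = parser->parseEndElement(doc, [](Document& d) { d.cancelParsing(); });
    return !popped && !doc.parser;
}

// Ordinary case: a script that does not navigate leaves the parser in place,
// and the end tag pops one element as usual.
bool guardedEndElementPopsWhenScriptIsBenign() {
    Document doc;
    size_t depth = doc.parser->openElements.size();
    bool popped = doc.parser->parseEndElement(doc, [](Document&) {});
    return popped && doc.parser->openElements.size() == depth - 1;
}

int main() {
    assert(parserFreedByUnprotectedScript());
    assert(guardedEndElementSurvivesDocumentReplacement());
    assert(guardedEndElementPopsWhenScriptIsBenign());
    return 0;
}
```

The `protect` reference only keeps the memory valid; the `stopped` check is what keeps the logic correct, since after a document replacement the element stack belongs to a parser that will never be asked to parse again. Both halves are needed, and the flakiness Peter mentions is typical of this bug class: the freed block is only sometimes reused before popCurrentNode reads it.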
Attachments
Patch (1.34 KB, patch), 2010-11-09 07:31 PST, Peter Rybin, no flags
Peter Rybin
Comment 1 2010-11-09 07:31:18 PST
Adam Barth
Comment 2 2010-11-09 09:59:05 PST
Comment on attachment 73376 [details] Patch
Great. Thanks for fixing the Qt bug, Peter!
WebKit Commit Bot
Comment 3 2010-11-09 11:16:44 PST
Comment on attachment 73376 [details] Patch
Clearing flags on attachment: 73376
Committed r71654: <http://trac.webkit.org/changeset/71654>
WebKit Commit Bot
Comment 4 2010-11-09 11:16:49 PST
All reviewed patches have been landed. Closing bug.