Bug 5092

Summary: Random crashes when running the layout tests
Product: WebKit Reporter: mitz
Component: New BugsAssignee: Dave Hyatt <hyatt>
Status: VERIFIED FIXED    
Severity: Major CC: eric
Priority: P1    
Version: 420+   
Hardware: Mac   
OS: OS X 10.4   
Attachments:
Description Flags
Eliminate the pending stuff from the tokenizer mjs: review+

mitz
Reported 2005-09-21 22:45:15 PDT
When running run-webkit-tests, DumpRenderTree crashes at random (i.e. not always, and not always on the same test) on one of the tests in dom/html/level2/html Sometimes it also prints the following message a few tests before crashing: DumpRenderTree(5131,0xa000ed68) malloc: *** error for object 0x73bd600: incorrect checksum for freed object - object was probably modified after being freed, break at szone_error to debug Crash backtrace: 0 com.apple.WebCore 0x01358cd4 KXMLCore::SharedPtr<DOM::NodeImpl>::get() const + 20 (shared_ptr.h:47) 1 com.apple.WebCore 0x0137cc8c KJS::DOMNode::impl() const + 40 (kjs_dom.h:57) 2 com.apple.WebCore 0x010d9a10 KJS::ScriptInterpreter::mark() + 232 (kjs_binding.cpp:169) 3 com.apple.JavaScriptCore 0x06a663ec KJS::InterpreterImp::mark() + 88 (internal.cpp:643) 4 com.apple.JavaScriptCore 0x06a4fc1c KJS::Collector::collect() + 148 (collector.cpp:387) 5 com.apple.WebCore 0x0111e4bc KJS::Window::clear(KJS::ExecState*) + 336 (kjs_window.cpp: 1504) 6 com.apple.WebCore 0x011114e4 KJSProxyImpl::clear() + 108 (kjs_proxy.cpp:155) 7 com.apple.WebCore 0x010a0668 KHTMLPart::clear() + 260 (khtml_part.cpp:1090) 8 com.apple.WebCore 0x010a1858 KHTMLPart::~KHTMLPart [not-in-charge]() + 236 (khtml_part.cpp:354) 9 com.apple.WebCore 0x01035c48 KWQKHTMLPart::~KWQKHTMLPart [in-charge deleting]() + 452 (KWQKHTMLPart.mm:273) 10 com.apple.WebCore 0x01357f74 KParts::Part::deref() + 116 (KWQKPartsPart.h:54) 11 com.apple.WebCore 0x0109aa84 KHTMLPart::slotEndLifeSupport() + 56 (khtml_part.cpp: 5963) 12 com.apple.WebCore 0x0122bc84 KWQSlot::call() const + 356 (KWQSlot.mm:181) 13 com.apple.WebCore 0x0122b700 KWQSignal::call() const + 216 (KWQSignal.mm:86) 14 com.apple.WebCore 0x01082060 QTimer::fire() + 116 (KWQTimer.mm:153) 15 com.apple.WebCore 0x010820a4 -[KWQTimerTarget timerFired:] + 48 (KWQTimer.mm:64) 16 com.apple.Foundation 0x928d757c __NSFireTimer + 116 17 com.apple.CoreFoundation 0x90770ae0 __CFRunLoopDoTimer + 184 18 com.apple.CoreFoundation 0x9075d458 __CFRunLoopRun + 1680 19 com.apple.CoreFoundation 0x9075ca0c CFRunLoopRunSpecific + 268 20 com.apple.Foundation 0x928e3744 -[NSRunLoop runMode:beforeDate:] + 172 21 DumpRenderTree 0x00005668 dumpRenderTree + 720 (DumpRenderTree.m:476) 22 DumpRenderTree 0x00003a8c main + 2200 (DumpRenderTree.m:157) 23 DumpRenderTree 0x00002a50 _start + 344 (crt.c:272) 24 DumpRenderTree 0x000028f4 start + 60
Attachments
Eliminate the pending stuff from the tokenizer (8.21 KB, patch)
2005-09-22 13:22 PDT, Dave Hyatt 		mjs: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
mitz
Comment 1 2005-09-21 22:48:58 PDT
It is enough to run WebKitTools/Scripts/run-webkit-tests dom/html/level2 in order to see the crash.
mitz
Comment 2 2005-09-22 00:09:24 PDT
Note that you need a Development build in order to see this.
Maciej Stachowiak
Comment 3 2005-09-22 01:32:21 PDT
I can reproduce this crash pretty consistently if I run under MallocDebug, on HTML. I even caught it in the debugger, but it was not obvious what caused the failure - could have been a random memory trasher. I also found that the problem does not happen on a tree from 2005-09-20 9:00 AM. Now trying to narrow down to the change when it started.
Maciej Stachowiak
Comment 4 2005-09-22 03:00:12 PDT
It's the tokenizer part of hyatt's recent change. Rolling just that one part in starts causing crashes in the layout tests.
Dave Hyatt
Comment 5 2005-09-22 13:22:05 PDT
Created attachment 4012 [details] Eliminate the pending stuff from the tokenizer addPending did not check the destination buffer, so it was unsafe to just call it. I decided to just bite the bullet and eliminate the pending concept all together, since it is completely unnecessary to defer the processing of whitespace.
Dave Hyatt
Comment 6 2005-09-22 13:22:36 PDT
Comment on attachment 4012 [details] Eliminate the pending stuff from the tokenizer Ready for a review. The layout tests no longer crash.
Darin Adler
Comment 7 2005-09-24 22:26:08 PDT
*** Bug 5062 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.