Bug 53837

Summary: Crash in WebCore::TextEncoding::decode below XSSFilter::init
Product: WebKit Reporter: Stephanie Lewis <slewis>
Component: DOMAssignee: Adam Barth <abarth>
Status: RESOLVED FIXED    
Severity: Normal CC: abarth, commit-queue, dbates
Priority: P1 Keywords: InRadar, Regression
Version: 528+ (Nightly build)   
Hardware: PC   
OS: OS X 10.6   
URL: http://www.amazon.com/gp/product/044101996X/ref=s9_simh_gw_p14_d0_i2?pf_rd_m=ATVPDKIKX0DER&pf_rd_s=center-2&pf_rd_r=0DNBJWF3X5Z25VS7NDG4&pf_rd_t=101&pf_rd_p=470938631&pf_rd_i=507846
Attachments:
Description Flags
Patch none

Stephanie Lewis
Reported 2011-02-04 19:57:29 PST
Crashing on most pages on Amazon.com. If the above doesn't work click a few more product pages. Testing on 10.6.6 with WebKit 2 from r77713 Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000010 Crashed Thread: 0 Dispatch queue: com.apple.main-thread Thread 0 Crashed: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x0000000102085317 WebCore::TextEncoding::decode(char const*, unsigned long, bool, bool&) const + 39 (TextEncoding.cpp:68) 1 com.apple.WebCore 0x000000010178d6a5 WebCore::TextEncoding::decode(char const*, unsigned long) const + 57 (TextEncoding.h:70) 2 com.apple.WebCore 0x0000000102159ff2 WebCore::(anonymous namespace)::decodeURL(WTF::String const&, WebCore::TextEncoding const&) + 146 (XSSFilter.cpp:119) 3 com.apple.WebCore 0x000000010215a17a WebCore::XSSFilter::init() + 312 (XSSFilter.cpp:165) 4 com.apple.WebCore 0x000000010215a4ac WebCore::XSSFilter::filterToken(WebCore::HTMLToken&) + 40 (XSSFilter.cpp:191) 5 com.apple.WebCore 0x0000000101877706 WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) + 702 (HTMLDocumentParser.cpp:239) 6 com.apple.WebCore 0x0000000101877a4d WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode) + 161 (HTMLDocumentParser.cpp:172) 7 com.apple.WebCore 0x0000000101877f16 WebCore::HTMLDocumentParser::append(WebCore::SegmentedString const&) + 176 (HTMLDocumentParser.cpp:327) 8 com.apple.WebCore 0x000000010164be9e WebCore::DocumentWriter::replaceDocument(WTF::String const&) + 292 (DocumentWriter.cpp:81) 9 com.apple.WebCore 0x0000000101f09b72 WebCore::ScriptController::executeIfJavaScriptURL(WebCore::KURL const&, WebCore::ShouldReplaceDocumentIfJavaScriptURL) + 566 (ScriptControllerBase.cpp:117) 10 com.apple.WebCore 0x0000000101fa10a2 WebCore::SubframeLoader::requestFrame(WebCore::HTMLFrameOwnerElement*, WTF::String const&, WTF::AtomicString const&, bool, bool) + 342 (SubframeLoader.cpp:89) 11 com.apple.WebCore 0x000000010189d847 WebCore::HTMLFrameElementBase::openURL(bool, bool) + 237 (HTMLFrameElementBase.cpp:106) 12 com.apple.WebCore 0x000000010189d9b0 WebCore::HTMLFrameElementBase::setNameAndOpenURL() + 114 (HTMLFrameElementBase.cpp:157) 13 com.apple.WebCore 0x000000010189da6a WebCore::HTMLFrameElementBase::insertedIntoDocument() + 184 (HTMLFrameElementBase.cpp:191) 14 com.apple.WebCore 0x00000001018a0fec WebCore::HTMLIFrameElement::insertedIntoDocument() + 74 (HTMLIFrameElement.cpp:150) 15 com.apple.WebCore 0x00000001014d02f5 WebCore::ContainerNode::parserAddChild(WTF::PassRefPtr<WebCore::Node>) + 305 (ContainerNode.cpp:647) 16 com.apple.WebCore 0x0000000101870e52 WTF::PassRefPtr<WebCore::Element> WebCore::HTMLConstructionSite::attach<WebCore::Element>(WebCore::ContainerNode*, WTF::PassRefPtr<WebCore::Element>) + 272 (HTMLConstructionSite.cpp:98) 17 com.apple.WebCore 0x000000010186f384 WebCore::HTMLConstructionSite::attachToCurrent(WTF::PassRefPtr<WebCore::Element>) + 66 (HTMLConstructionSite.cpp:237) 18 com.apple.WebCore 0x000000010186f6a6 WebCore::HTMLConstructionSite::insertHTMLElement(WebCore::AtomicHTMLToken&) + 50 (HTMLConstructionSite.cpp:267) 19 com.apple.WebCore 0x00000001018e5e4e WebCore::HTMLTreeBuilder::processGenericRawTextStartTag(WebCore::AtomicHTMLToken&) + 106 (HTMLTreeBuilder.cpp:2777) 20 com.apple.WebCore 0x00000001018eab2d WebCore::HTMLTreeBuilder::processStartTagForInBody(WebCore::AtomicHTMLToken&) + 5221 (HTMLTreeBuilder.cpp:947) 21 com.apple.WebCore 0x00000001018ebd84 WebCore::HTMLTreeBuilder::processStartTag(WebCore::AtomicHTMLToken&) + 1876 (HTMLTreeBuilder.cpp:1221) 22 com.apple.WebCore 0x00000001018ede5e WebCore::HTMLTreeBuilder::processToken(WebCore::AtomicHTMLToken&) + 188 (HTMLTreeBuilder.cpp:473) 23 com.apple.WebCore 0x00000001018f2a24 WebCore::HTMLTreeBuilder::constructTreeFromAtomicToken(WebCore::AtomicHTMLToken&) + 30 (HTMLTreeBuilder.cpp:458) 24 com.apple.WebCore 0x00000001018f2e16 WebCore::HTMLTreeBuilder::constructTreeFromToken(WebCore::HTMLToken&) + 42 (HTMLTreeBuilder.cpp:448) 25 com.apple.WebCore 0x000000010187772c WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) + 740 (HTMLDocumentParser.cpp:240) 26 com.apple.WebCore 0x0000000101877a4d WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode) + 161 (HTMLDocumentParser.cpp:172) 27 com.apple.WebCore 0x0000000101877b0f WebCore::HTMLDocumentParser::resumeParsingAfterScriptExecution() + 191 (HTMLDocumentParser.cpp:442) 28 com.apple.WebCore 0x0000000101877cb3 WebCore::HTMLDocumentParser::executeScriptsWaitingForStylesheets() + 409 (HTMLDocumentParser.cpp:512) 29 com.apple.WebCore 0x000000010160f484 WebCore::Document::removePendingSheet() + 178 (Document.cpp:2855) 30 com.apple.WebCore 0x00000001018ac5fa WebCore::HTMLLinkElement::removePendingSheet() + 92 (HTMLLinkElement.cpp:478) 31 com.apple.WebCore 0x00000001018ac621 WebCore::HTMLLinkElement::sheetLoaded() + 37 (HTMLLinkElement.cpp:405) 32 com.apple.WebCore 0x00000001015bb95a WebCore::CSSStyleSheet::checkLoaded() + 138 (CSSStyleSheet.cpp:230) 33 com.apple.WebCore 0x00000001018ae182 WebCore::HTMLLinkElement::setCSSStyleSheet(WTF::String const&, WebCore::KURL const&, WTF::String const&, WebCore::CachedCSSStyleSheet const*) + 1422 (HTMLLinkElement.cpp:372) 34 com.apple.WebCore 0x000000010146d199 WebCore::CachedCSSStyleSheet::checkNotify() + 169 (CachedCSSStyleSheet.cpp:116) 35 com.apple.WebCore 0x000000010146d42c WebCore::CachedCSSStyleSheet::data(WTF::PassRefPtr<WebCore::SharedBuffer>, bool) + 354 (CachedCSSStyleSheet.cpp:106) 36 com.apple.WebCore 0x00000001014869b3 WebCore::CachedResourceRequest::didFinishLoading(WebCore::SubresourceLoader*) + 423 (CachedResourceRequest.cpp:160) 37 com.apple.WebCore 0x0000000101fa1b11 WebCore::SubresourceLoader::didFinishLoading(double) + 169 (SubresourceLoader.cpp:183) 38 com.apple.WebCore 0x0000000101ede3dc WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle*, double) + 48 (ResourceLoader.cpp:435) 39 com.apple.WebCore 0x0000000101ed98d1 -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] + 274 (ResourceHandleMac.mm:920) 40 com.apple.Foundation 0x00007fff8436a728 _NSURLConnectionDidFinishLoading + 113 41 com.apple.CFNetwork 0x00007fff81f672a0 URLConnectionClient::_clientDidFinishLoading(URLConnectionClient::ClientConnectionEventQueue*) + 174 42 com.apple.CFNetwork 0x00007fff81fcc9c6 URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<XClientEvent, XClientEventParams>*, long) + 254 43 com.apple.CFNetwork 0x00007fff81fccc32 URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<XClientEvent, XClientEventParams>*, long) + 874 44 com.apple.CFNetwork 0x00007fff81fccc32 URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<XClientEvent, XClientEventParams>*, long) + 874 45 com.apple.CFNetwork 0x00007fff81fccc32 URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<XClientEvent, XClientEventParams>*, long) + 874 46 com.apple.CFNetwork 0x00007fff81f5396d URLConnectionClient::processEvents() + 121 47 com.apple.CFNetwork 0x00007fff81f53748 MultiplexerSource::perform() + 160 48 com.apple.CoreFoundation 0x00007fff80cc5401 __CFRunLoopDoSources0 + 1361 49 com.apple.CoreFoundation 0x00007fff80cc35f9 __CFRunLoopRun + 873 50 com.apple.CoreFoundation 0x00007fff80cc2dbf CFRunLoopRunSpecific + 575 51 com.apple.HIToolbox 0x00007fff8637993a RunCurrentEventLoopInMode + 333 52 com.apple.HIToolbox 0x00007fff8637973f ReceiveNextEventCommon + 310 53 com.apple.HIToolbox 0x00007fff863795f8 BlockUntilNextEventMatchingListInMode + 59 54 com.apple.AppKit 0x00007fff80205e64 _DPSNextEvent + 718 55 com.apple.AppKit 0x00007fff802057a9 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 155 56 com.apple.AppKit 0x00007fff801cb48b -[NSApplication run] + 395 57 com.apple.WebKit2 0x0000000100243a54 RunLoop::run() + 54 (RunLoopMac.mm:56) 58 com.apple.WebKit2 0x00000001002c861c WebKit::WebProcessMain(WebKit::CommandLine const&) + 448 (WebProcessMainMac.mm:108) 59 com.apple.WebKit2 0x000000010027450f WebKitMain(WebKit::CommandLine const&) + 159 (WebKitMain.cpp:48) 60 com.apple.WebKit2 0x00000001002745ce WebKitMain + 155 (WebKitMain.cpp:72) 61 com.apple.WebProcess 0x0000000100000e33 main + 233 62 com.apple.WebProcess 0x0000000100000d14 start + 52
Attachments
Patch (4.03 KB, patch)
2011-02-04 20:52 PST, Adam Barth 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Mark Rowe (bdash)
Comment 1 2011-02-04 20:10:01 PST
This crash occurs reproducibly for me when loading <http://www.answers.com/topic/lorn>.
Mark Rowe (bdash)
Comment 2 2011-02-04 20:11:54 PST
<rdar://problem/8963096>
Adam Barth
Comment 3 2011-02-04 20:19:07 PST
Looking.
Adam Barth
Comment 4 2011-02-04 20:52:16 PST
Created attachment 81347 [details] Patch
Maciej Stachowiak
Comment 5 2011-02-04 20:55:24 PST
Comment on attachment 81347 [details] Patch r=me
Adam Barth
Comment 6 2011-02-04 20:58:40 PST
Thanks.
WebKit Commit Bot
Comment 7 2011-02-04 21:17:44 PST
Comment on attachment 81347 [details] Patch Clearing flags on attachment: 81347 Committed r77730: <http://trac.webkit.org/changeset/77730>
WebKit Commit Bot
Comment 8 2011-02-04 21:17:49 PST
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.