Bug 9016

Summary: crash loading live.com in TreeShared::ref because accessing RenderTextField::text() can destroy the RenderTextField
Product: WebKit Reporter: Geoffrey Garen <ggaren>
Component: FormsAssignee: Adele Peterson <adele>
Status: RESOLVED FIXED    
Severity: Normal CC: adele, chezsmithy
Priority: P1    
Version: 420+   
Hardware: Mac   
OS: OS X 10.4   
URL: http://www.live.com
Bug Depends on:    
Bug Blocks: 7788    
Attachments:
Description Flags
patch mjs: review+

Geoffrey Garen
Reported 2006-05-20 14:00:55 PDT
You can see the evolution of this crash most clearly if you set a breakpoint on ~RenderTextField. You'll notice that RenderTextField::text() ends up calling RenderTextField:~RenderTextField, so the RenderTextField destroys itself. The issue here is that the RenderTextField accesses innerText() on its associated HTMLElement. That access can force a recalcStyle, which can destroy the renderer. (gdb) c Continuing. Program received signal: "EXC_BAD_ACCESS". (gdb) frame #0 0x01b81cc0 in WebCore::TreeShared<WebCore::Node>::ref (this=0x55555555) 51 void ref() { ++m_refCount; } (gdb) bt #0 0x01b81cc0 in WebCore::TreeShared<WebCore::Node>::ref (this=0x55555555) #1 0x01b8fab8 in WTF::RefPtr<WebCore::Document>::RefPtr (this=0x132452d4, ptr=0x55555555) #2 0x01793478 in WebCore::Range::Range (this=0x132452d0, ownerDocument=0x55555555) #3 0x01796758 in WebCore::rangeOfContents (node=0x184ab050) #4 0x01775d3c in WebCore::HTMLElement::innerText (this=0x184ab050) #5 0x0199d988 in WebCore::RenderTextField::text (this=0x184aaf9c) #6 0x0199e2dc in WebCore::RenderTextField::updateFromElement (this=0x184aaf9c) #7 0x0185b6dc in WebCore::HTMLGenericFormElement::attach (this=0x184aad50) #8 0x01859e6c in WebCore::HTMLInputElement::attach (this=0x184aad50) #9 0x018af478 in WebCore::ContainerNode::appendChild (this=0x184aa590, newChild=@0xbfff6c94, ec=@0xbfff6cc0) #10 0x01a7f94c in KJS::DOMNodeProtoFunc::callAsFunction (this=0x17ed6618, exec=0xbfff7020, thisObj=0x17c869a0, args=@0xbfff6d98) #11 0x0103efd0 in KJS::JSObject::call (this=0x17ed6618, exec=0xbfff7020, thisObj=0x17c869a0, args=@0xbfff6d98) #12 0x01034294 in KJS::FunctionCallDotNode::evaluate (this=0x17ffadd0, exec=0xbfff7020) #13 0x01030c54 in KJS::ExprStatementNode::execute (this=0x17ffad00, exec=0xbfff7020) #14 0x01030adc in KJS::IfNode::execute (this=0x17ffac30, exec=0xbfff7020) #15 0x0102d380 in KJS::SourceElementsNode::execute (this=0x17ffcde0, exec=0xbfff7020) #16 0x0102af08 in KJS::BlockNode::execute (this=0x17ff1920, exec=0xbfff7020) #17 0x01019730 in KJS::DeclaredFunctionImp::execute (this=0x18024508, exec=0xbfff7020) #18 0x01018d58 in KJS::FunctionImp::callAsFunction (this=0x18024508, exec=0xbfff7470, thisObj=0x18028e50, args=@0xbfff7158) #19 0x0103efd0 in KJS::JSObject::call (this=0x18024508, exec=0xbfff7470, thisObj=0x18028e50, args=@0xbfff7158) #20 0x01034294 in KJS::FunctionCallDotNode::evaluate (this=0x18423930, exec=0xbfff7470) #21 0x01037c5c in KJS::AssignResolveNode::evaluate (this=0x18423b10, exec=0xbfff7470) #22 0x01030c54 in KJS::ExprStatementNode::execute (this=0x18423b30, exec=0xbfff7470) #23 0x0102d380 in KJS::SourceElementsNode::execute (this=0x184231e0, exec=0xbfff7470) #24 0x0102af08 in KJS::BlockNode::execute (this=0x18425d30, exec=0xbfff7470) #25 0x01019730 in KJS::DeclaredFunctionImp::execute (this=0x17e559a0, exec=0xbfff7470) #26 0x01018d58 in KJS::FunctionImp::callAsFunction (this=0x17e559a0, exec=0xbfff77d0, thisObj=0x17e4f9d0, args=@0xbfff75a8) #27 0x0103efd0 in KJS::JSObject::call (this=0x17e559a0, exec=0xbfff77d0, thisObj=0x17e4f9d0, args=@0xbfff75a8) #28 0x01034294 in KJS::FunctionCallDotNode::evaluate (this=0x17f52690, exec=0xbfff77d0) #29 0x01030c54 in KJS::ExprStatementNode::execute (this=0x17f526b0, exec=0xbfff77d0) #30 0x0102d380 in KJS::SourceElementsNode::execute (this=0x17f558f0, exec=0xbfff77d0) #31 0x0102af08 in KJS::BlockNode::execute (this=0x17f52750, exec=0xbfff77d0) #32 0x01019730 in KJS::DeclaredFunctionImp::execute (this=0x17e2eef8, exec=0xbfff77d0) #33 0x01018d58 in KJS::FunctionImp::callAsFunction (this=0x17e2eef8, exec=0xbfff7c20, thisObj=0x17e2d1a8, args=@0xbfff7908) #34 0x0103efd0 in KJS::JSObject::call (this=0x17e2eef8, exec=0xbfff7c20, thisObj=0x17e2d1a8, args=@0xbfff7908) #35 0x01034294 in KJS::FunctionCallDotNode::evaluate (this=0x18284760, exec=0xbfff7c20) #36 0x01037c5c in KJS::AssignResolveNode::evaluate (this=0x18284780, exec=0xbfff7c20) #37 0x01030c54 in KJS::ExprStatementNode::execute (this=0x182847a0, exec=0xbfff7c20) #38 0x0102d380 in KJS::SourceElementsNode::execute (this=0x18283a40, exec=0xbfff7c20) #39 0x0102af08 in KJS::BlockNode::execute (this=0x18285980, exec=0xbfff7c20) #40 0x01019730 in KJS::DeclaredFunctionImp::execute (this=0x1806fb20, exec=0xbfff7c20) #41 0x01018d58 in KJS::FunctionImp::callAsFunction (this=0x1806fb20, exec=0xbfff80b0, thisObj=0x180390b8, args=@0xbfff7d58) #42 0x0103efd0 in KJS::JSObject::call (this=0x1806fb20, exec=0xbfff80b0, thisObj=0x180390b8, args=@0xbfff7d58) #43 0x01034294 in KJS::FunctionCallDotNode::evaluate (this=0x18270370, exec=0xbfff80b0) #44 0x01030c54 in KJS::ExprStatementNode::execute (this=0x18270390, exec=0xbfff80b0) #45 0x0102d230 in KJS::SourceElementsNode::execute (this=0x182703b0, exec=0xbfff80b0) #46 0x0102af08 in KJS::BlockNode::execute (this=0x18270460, exec=0xbfff80b0) #47 0x01030adc in KJS::IfNode::execute (this=0x18270490, exec=0xbfff80b0) #48 0x0102d380 in KJS::SourceElementsNode::execute (this=0x182702d0, exec=0xbfff80b0) #49 0x0102af08 in KJS::BlockNode::execute (this=0x182706a0, exec=0xbfff80b0) #50 0x01019730 in KJS::DeclaredFunctionImp::execute (this=0x1803a708, exec=0xbfff80b0) #51 0x01018d58 in KJS::FunctionImp::callAsFunction (this=0x1803a708, exec=0xbfff8630, thisObj=0x136e5450, args=@0xbfff81f4) #52 0x0103efd0 in KJS::JSObject::call (this=0x1803a708, exec=0xbfff8630, thisObj=0x136e5450, args=@0xbfff81f4) #53 0x01034afc in KJS::FunctionCallResolveNode::evaluate (this=0x17d9fe40, exec=0xbfff8630) #54 0x01030c54 in KJS::ExprStatementNode::execute (this=0x17dd7fb0, exec=0xbfff8630) #55 0x0102d230 in KJS::SourceElementsNode::execute (this=0x17dd7fd0, exec=0xbfff8630) #56 0x0102af08 in KJS::BlockNode::execute (this=0x17dd7ff0, exec=0xbfff8630) #57 0x0102c1d4 in KJS::TryNode::execute (this=0x17dd8030, exec=0xbfff8630) #58 0x01030adc in KJS::IfNode::execute (this=0x17dd8050, exec=0xbfff8630) #59 0x0102d230 in KJS::SourceElementsNode::execute (this=0x17dd8070, exec=0xbfff8630) #60 0x0102af08 in KJS::BlockNode::execute (this=0x17dd8090, exec=0xbfff8630) #61 0x01019730 in KJS::DeclaredFunctionImp::execute (this=0x180749e0, exec=0xbfff8630) #62 0x01018d58 in KJS::FunctionImp::callAsFunction (this=0x180749e0, exec=0xbfff8dc0, thisObj=0x136e5450, args=@0xbfff890c) #63 0x0103efd0 in KJS::JSObject::call (this=0x180749e0, exec=0xbfff8dc0, thisObj=0x136e5450, args=@0xbfff890c) #64 0x0100dcbc in KJS::ArrayProtoFunc::callAsFunction (this=0x17e60920, exec=0xbfff8dc0, thisObj=0x18075818, args=@0xbfff8b38) #65 0x0103efd0 in KJS::JSObject::call (this=0x17e60920, exec=0xbfff8dc0, thisObj=0x18075818, args=@0xbfff8b38) #66 0x01034294 in KJS::FunctionCallDotNode::evaluate (this=0x17f12940, exec=0xbfff8dc0) #67 0x01030c54 in KJS::ExprStatementNode::execute (this=0x17f12960, exec=0xbfff8dc0) #68 0x01030b60 in KJS::IfNode::execute (this=0x17f12980, exec=0xbfff8dc0) #69 0x0102d380 in KJS::SourceElementsNode::execute (this=0x17f12350, exec=0xbfff8dc0) #70 0x0102af08 in KJS::BlockNode::execute (this=0x17f129c0, exec=0xbfff8dc0) #71 0x01019730 in KJS::DeclaredFunctionImp::execute (this=0x17cb5a60, exec=0xbfff8dc0) #72 0x01018d58 in KJS::FunctionImp::callAsFunction (this=0x17cb5a60, exec=0xbfff9120, thisObj=0x17cb6898, args=@0xbfff8ef8) #73 0x0103efd0 in KJS::JSObject::call (this=0x17cb5a60, exec=0xbfff9120, thisObj=0x17cb6898, args=@0xbfff8ef8) #74 0x01034294 in KJS::FunctionCallDotNode::evaluate (this=0x17dd7250, exec=0xbfff9120) #75 0x01030c54 in KJS::ExprStatementNode::execute (this=0x17dd7270, exec=0xbfff9120) #76 0x0102d380 in KJS::SourceElementsNode::execute (this=0x17ddd750, exec=0xbfff9120) #77 0x0102af08 in KJS::BlockNode::execute (this=0x17dd7310, exec=0xbfff9120) #78 0x01019730 in KJS::DeclaredFunctionImp::execute (this=0x17e2be30, exec=0xbfff9120) #79 0x01018d58 in KJS::FunctionImp::callAsFunction (this=0x17e2be30, exec=0xbfff96e0, thisObj=0x18075e70, args=@0xbfff9258) #80 0x0103efd0 in KJS::JSObject::call (this=0x17e2be30, exec=0xbfff96e0, thisObj=0x18075e70, args=@0xbfff9258) #81 0x01034294 in KJS::FunctionCallDotNode::evaluate (this=0x17f4e4e0, exec=0xbfff96e0) #82 0x01030c54 in KJS::ExprStatementNode::execute (this=0x17f4e500, exec=0xbfff96e0) #83 0x0102d380 in KJS::SourceElementsNode::execute (this=0x17f4e400, exec=0xbfff96e0) #84 0x0102af08 in KJS::BlockNode::execute (this=0x17f4e690, exec=0xbfff96e0) #85 0x01030adc in KJS::IfNode::execute (this=0x17f4e6b0, exec=0xbfff96e0) #86 0x0102d230 in KJS::SourceElementsNode::execute (this=0x17f4e6d0, exec=0xbfff96e0) #87 0x0102af08 in KJS::BlockNode::execute (this=0x17f4e6f0, exec=0xbfff96e0) #88 0x01030adc in KJS::IfNode::execute (this=0x17f4e7c0, exec=0xbfff96e0) #89 0x0102d380 in KJS::SourceElementsNode::execute (this=0x17f4de60, exec=0xbfff96e0) #90 0x0102af08 in KJS::BlockNode::execute (this=0x17f4e860, exec=0xbfff96e0) #91 0x01019730 in KJS::DeclaredFunctionImp::execute (this=0x17e2e590, exec=0xbfff96e0) #92 0x01018d58 in KJS::FunctionImp::callAsFunction (this=0x17e2e590, exec=0xbfff9aa0, thisObj=0x1803a200, args=@0xbfff9818) #93 0x0103efd0 in KJS::JSObject::call (this=0x17e2e590, exec=0xbfff9aa0, thisObj=0x1803a200, args=@0xbfff9818) #94 0x01034294 in KJS::FunctionCallDotNode::evaluate (this=0x18273950, exec=0xbfff9aa0) #95 0x01030c54 in KJS::ExprStatementNode::execute (this=0x18273970, exec=0xbfff9aa0) #96 0x01030adc in KJS::IfNode::execute (this=0x18273aa0, exec=0xbfff9aa0) #97 0x0102d380 in KJS::SourceElementsNode::execute (this=0x18273300, exec=0xbfff9aa0) #98 0x0102af08 in KJS::BlockNode::execute (this=0x18273ae0, exec=0xbfff9aa0) #99 0x01019730 in KJS::DeclaredFunctionImp::execute (this=0x1803a120, exec=0xbfff9aa0) #100 0x01018d58 in KJS::FunctionImp::callAsFunction (this=0x1803a120, exec=0xbfff9e20, thisObj=0x136e5450, args=@0xbfff9be4) #101 0x0103efd0 in KJS::JSObject::call (this=0x1803a120, exec=0xbfff9e20, thisObj=0x136e5450, args=@0xbfff9be4) #102 0x01034afc in KJS::FunctionCallResolveNode::evaluate (this=0x18272d60, exec=0xbfff9e20) #103 0x01030c54 in KJS::ExprStatementNode::execute (this=0x18272d70, exec=0xbfff9e20) #104 0x0102d230 in KJS::SourceElementsNode::execute (this=0x18272d90, exec=0xbfff9e20) #105 0x0102af08 in KJS::BlockNode::execute (this=0x18272db0, exec=0xbfff9e20) #106 0x01019730 in KJS::DeclaredFunctionImp::execute (this=0x180361b0, exec=0xbfff9e20) #107 0x01018d58 in KJS::FunctionImp::callAsFunction (this=0x180361b0, exec=0xbfffa1e0, thisObj=0x1803a200, args=@0xbfff9f58) #108 0x0103efd0 in KJS::JSObject::call (this=0x180361b0, exec=0xbfffa1e0, thisObj=0x1803a200, args=@0xbfff9f58) #109 0x01034294 in KJS::FunctionCallDotNode::evaluate (this=0x1826f450, exec=0xbfffa1e0) #110 0x01030c54 in KJS::ExprStatementNode::execute (this=0x1826f470, exec=0xbfffa1e0) #111 0x01030adc in KJS::IfNode::execute (this=0x1826f520, exec=0xbfffa1e0) #112 0x0102d380 in KJS::SourceElementsNode::execute (this=0x1826ef00, exec=0xbfffa1e0) #113 0x0102af08 in KJS::BlockNode::execute (this=0x1826f560, exec=0xbfffa1e0) #114 0x01019730 in KJS::DeclaredFunctionImp::execute (this=0x1806efc0, exec=0xbfffa1e0) #115 0x01018d58 in KJS::FunctionImp::callAsFunction (this=0x1806efc0, exec=0xbfffa540, thisObj=0x180390b8, args=@0xbfffa318) #116 0x0103efd0 in KJS::JSObject::call (this=0x1806efc0, exec=0xbfffa540, thisObj=0x180390b8, args=@0xbfffa318) #117 0x01034294 in KJS::FunctionCallDotNode::evaluate (this=0x182830b0, exec=0xbfffa540) #118 0x01030c54 in KJS::ExprStatementNode::execute (this=0x182830d0, exec=0xbfffa540) #119 0x0102d380 in KJS::SourceElementsNode::execute (this=0x182803e0, exec=0xbfffa540) #120 0x0102af08 in KJS::BlockNode::execute (this=0x18283110, exec=0xbfffa540) #121 0x01019730 in KJS::DeclaredFunctionImp::execute (this=0x1806fa40, exec=0xbfffa540) #122 0x01018d58 in KJS::FunctionImp::callAsFunction (this=0x1806fa40, exec=0xbfffa8a0, thisObj=0x180390b8, args=@0xbfffa678) #123 0x0103efd0 in KJS::JSObject::call (this=0x1806fa40, exec=0xbfffa8a0, thisObj=0x180390b8, args=@0xbfffa678) #124 0x01034294 in KJS::FunctionCallDotNode::evaluate (this=0x17f52690, exec=0xbfffa8a0) #125 0x01030c54 in KJS::ExprStatementNode::execute (this=0x17f526b0, exec=0xbfffa8a0) #126 0x0102d380 in KJS::SourceElementsNode::execute (this=0x17f558f0, exec=0xbfffa8a0) #127 0x0102af08 in KJS::BlockNode::execute (this=0x17f52750, exec=0xbfffa8a0) #128 0x01019730 in KJS::DeclaredFunctionImp::execute (this=0x17e2eef8, exec=0xbfffa8a0) #129 0x01018d58 in KJS::FunctionImp::callAsFunction (this=0x17e2eef8, exec=0xbfffacf0, thisObj=0x17e2d1a8, args=@0xbfffa9d8) #130 0x0103efd0 in KJS::JSObject::call (this=0x17e2eef8, exec=0xbfffacf0, thisObj=0x17e2d1a8, args=@0xbfffa9d8) #131 0x01034294 in KJS::FunctionCallDotNode::evaluate (this=0x17fc4630, exec=0xbfffacf0) #132 0x01037c5c in KJS::AssignResolveNode::evaluate (this=0x17fddaf0, exec=0xbfffacf0) #133 0x01030c54 in KJS::ExprStatementNode::execute (this=0x17fb87f0, exec=0xbfffacf0) #134 0x0102d380 in KJS::SourceElementsNode::execute (this=0x17fd87f0, exec=0xbfffacf0) #135 0x0102af08 in KJS::BlockNode::execute (this=0x17fbc710, exec=0xbfffacf0) #136 0x01019730 in KJS::DeclaredFunctionImp::execute (this=0x180348f8, exec=0xbfffacf0) #137 0x01018d58 in KJS::FunctionImp::callAsFunction (this=0x180348f8, exec=0xbfffb1a0, thisObj=0x136e5450, args=@0xbfffae34) #138 0x0103efd0 in KJS::JSObject::call (this=0x180348f8, exec=0xbfffb1a0, thisObj=0x136e5450, args=@0xbfffae34) #139 0x01034afc in KJS::FunctionCallResolveNode::evaluate (this=0x17def560, exec=0xbfffb1a0) #140 0x01030c54 in KJS::ExprStatementNode::execute (this=0x17fe7280, exec=0xbfffb1a0) #141 0x0102d380 in KJS::SourceElementsNode::execute (this=0x17fe7260, exec=0xbfffb1a0) #142 0x0102af08 in KJS::BlockNode::execute (this=0x17fe72c0, exec=0xbfffb1a0) #143 0x01030adc in KJS::IfNode::execute (this=0x17fe72e0, exec=0xbfffb1a0) #144 0x0102d230 in KJS::SourceElementsNode::execute (this=0x17fe7300, exec=0xbfffb1a0) #145 0x0102af08 in KJS::BlockNode::execute (this=0x17fe7320, exec=0xbfffb1a0) #146 0x01019730 in KJS::DeclaredFunctionImp::execute (this=0x18034f88, exec=0xbfffb1a0) #147 0x01018d58 in KJS::FunctionImp::callAsFunction (this=0x18034f88, exec=0xbfffb580, thisObj=0x136e5450, args=@0xbfffb2e4) #148 0x0103efd0 in KJS::JSObject::call (this=0x18034f88, exec=0xbfffb580, thisObj=0x136e5450, args=@0xbfffb2e4) #149 0x01034afc in KJS::FunctionCallResolveNode::evaluate (this=0x182e8110, exec=0xbfffb580) #150 0x01030c54 in KJS::ExprStatementNode::execute (this=0x182e8120, exec=0xbfffb580) #151 0x01030adc in KJS::IfNode::execute (this=0x182e8140, exec=0xbfffb580) #152 0x0102d380 in KJS::SourceElementsNode::execute (this=0x182e7d80, exec=0xbfffb580) #153 0x0102af08 in KJS::BlockNode::execute (this=0x182e81b0, exec=0xbfffb580) #154 0x01019730 in KJS::DeclaredFunctionImp::execute (this=0x1801bd30, exec=0xbfffb580) #155 0x01018d58 in KJS::FunctionImp::callAsFunction (this=0x1801bd30, exec=0xbfffba90, thisObj=0x136e5450, args=@0xbfffb6c4) #156 0x0103efd0 in KJS::JSObject::call (this=0x1801bd30, exec=0xbfffba90, thisObj=0x136e5450, args=@0xbfffb6c4) #157 0x01034afc in KJS::FunctionCallResolveNode::evaluate (this=0x18286a00, exec=0xbfffba90) #158 0x01030c54 in KJS::ExprStatementNode::execute (this=0x182061a0, exec=0xbfffba90) #159 0x01030adc in KJS::IfNode::execute (this=0x182869b0, exec=0xbfffba90) #160 0x0102d380 in KJS::SourceElementsNode::execute (this=0x182632d0, exec=0xbfffba90) #161 0x0102af08 in KJS::BlockNode::execute (this=0x182acab0, exec=0xbfffba90) #162 0x01030adc in KJS::IfNode::execute (this=0x17fa3b30, exec=0xbfffba90) #163 0x0102d380 in KJS::SourceElementsNode::execute (this=0x1829d070, exec=0xbfffba90) #164 0x0102af08 in KJS::BlockNode::execute (this=0x182cb740, exec=0xbfffba90) #165 0x01019730 in KJS::DeclaredFunctionImp::execute (this=0x1802bf88, exec=0xbfffba90) #166 0x01018d58 in KJS::FunctionImp::callAsFunction (this=0x1802bf88, exec=0xbfffbdf0, thisObj=0x18018990, args=@0xbfffbbc8) #167 0x0103efd0 in KJS::JSObject::call (this=0x1802bf88, exec=0xbfffbdf0, thisObj=0x18018990, args=@0xbfffbbc8) #168 0x01034294 in KJS::FunctionCallDotNode::evaluate (this=0x182e8fb0, exec=0xbfffbdf0) #169 0x01030c54 in KJS::ExprStatementNode::execute (this=0x182e8fd0, exec=0xbfffbdf0) #170 0x0102d380 in KJS::SourceElementsNode::execute (this=0x182e81f0, exec=0xbfffbdf0) #171 0x0102af08 in KJS::BlockNode::execute (this=0x182e9070, exec=0xbfffbdf0) #172 0x01019730 in KJS::DeclaredFunctionImp::execute (this=0x1802ebc0, exec=0xbfffbdf0) #173 0x01018d58 in KJS::FunctionImp::callAsFunction (this=0x1802ebc0, exec=0xbfffc150, thisObj=0x1802d8b8, args=@0xbfffbf28) #174 0x0103efd0 in KJS::JSObject::call (this=0x1802ebc0, exec=0xbfffc150, thisObj=0x1802d8b8, args=@0xbfffbf28) #175 0x01034294 in KJS::FunctionCallDotNode::evaluate (this=0x182e72c0, exec=0xbfffc150) #176 0x0102e614 in KJS::ReturnNode::execute (this=0x182e72e0, exec=0xbfffc150) #177 0x0102d230 in KJS::SourceElementsNode::execute (this=0x182e7300, exec=0xbfffc150) #178 0x0102af08 in KJS::BlockNode::execute (this=0x182e7320, exec=0xbfffc150) #179 0x01019730 in KJS::DeclaredFunctionImp::execute (this=0x1802ea70, exec=0xbfffc150) #180 0x01018d58 in KJS::FunctionImp::callAsFunction (this=0x1802ea70, exec=0xbfffc4b0, thisObj=0x1802d8b8, args=@0xbfffc288) #181 0x0103efd0 in KJS::JSObject::call (this=0x1802ea70, exec=0xbfffc4b0, thisObj=0x1802d8b8, args=@0xbfffc288) #182 0x01034294 in KJS::FunctionCallDotNode::evaluate (this=0x182db700, exec=0xbfffc4b0) #183 0x01030c54 in KJS::ExprStatementNode::execute (this=0x182db720, exec=0xbfffc4b0) #184 0x0102d230 in KJS::SourceElementsNode::execute (this=0x182db740, exec=0xbfffc4b0) #185 0x0102af08 in KJS::BlockNode::execute (this=0x182db760, exec=0xbfffc4b0) #186 0x01019730 in KJS::DeclaredFunctionImp::execute (this=0x1802e0d0, exec=0xbfffc4b0) #187 0x01018d58 in KJS::FunctionImp::callAsFunction (this=0x1802e0d0, exec=0xbfffc810, thisObj=0x1802df48, args=@0xbfffc5e8) #188 0x0103efd0 in KJS::JSObject::call (this=0x1802e0d0, exec=0xbfffc810, thisObj=0x1802df48, args=@0xbfffc5e8) #189 0x01034294 in KJS::FunctionCallDotNode::evaluate (this=0x17fdcce0, exec=0xbfffc810) #190 0x01030c54 in KJS::ExprStatementNode::execute (this=0x17fdb5f0, exec=0xbfffc810) #191 0x0102d380 in KJS::SourceElementsNode::execute (this=0x17fcea70, exec=0xbfffc810) #192 0x0102af08 in KJS::BlockNode::execute (this=0x17fd30d0, exec=0xbfffc810) #193 0x01019730 in KJS::DeclaredFunctionImp::execute (this=0x18037ad8, exec=0xbfffc810) #194 0x01018d58 in KJS::FunctionImp::callAsFunction (this=0x18037ad8, exec=0xbfffcb70, thisObj=0x18034888, args=@0xbfffc948) #195 0x0103efd0 in KJS::JSObject::call (this=0x18037ad8, exec=0xbfffcb70, thisObj=0x18034888, args=@0xbfffc948) #196 0x01034294 in KJS::FunctionCallDotNode::evaluate (this=0x17f576f0, exec=0xbfffcb70) #197 0x01030c54 in KJS::ExprStatementNode::execute (this=0x17f57710, exec=0xbfffcb70) #198 0x0102d380 in KJS::SourceElementsNode::execute (this=0x17f56fe0, exec=0xbfffcb70) #199 0x0102af08 in KJS::BlockNode::execute (this=0x17f577b0, exec=0xbfffcb70) #200 0x01019730 in KJS::DeclaredFunctionImp::execute (this=0x17e2d4b8, exec=0xbfffcb70) #201 0x01018d58 in KJS::FunctionImp::callAsFunction (this=0x17e2d4b8, exec=0xbfffd330, thisObj=0x136e5450, args=@0xbfffccb4) #202 0x0103efd0 in KJS::JSObject::call (this=0x17e2d4b8, exec=0xbfffd330, thisObj=0x136e5450, args=@0xbfffccb4) #203 0x01034afc in KJS::FunctionCallResolveNode::evaluate (this=0x17f5a0e0, exec=0xbfffd330) #204 0x0102abc0 in KJS::AssignExprNode::evaluate (this=0x17f5a0f0, exec=0xbfffd330) #205 0x010310dc in KJS::VarDeclNode::evaluate (this=0x17f5a100, exec=0xbfffd330) #206 0x01030f68 in KJS::VarDeclListNode::evaluate (this=0x17f5a120, exec=0xbfffd330) #207 0x01030e20 in KJS::VarStatementNode::execute (this=0x17f5a130, exec=0xbfffd330) #208 0x0102d230 in KJS::SourceElementsNode::execute (this=0x17f5a150, exec=0xbfffd330) #209 0x0102af08 in KJS::BlockNode::execute (this=0x17f5a340, exec=0xbfffd330) #210 0x0102faa0 in KJS::ForNode::execute (this=0x17f5a360, exec=0xbfffd330) #211 0x0102d380 in KJS::SourceElementsNode::execute (this=0x17f59990, exec=0xbfffd330) #212 0x0102af08 in KJS::BlockNode::execute (this=0x17f5a490, exec=0xbfffd330) #213 0x01030adc in KJS::IfNode::execute (this=0x17f5a750, exec=0xbfffd330) #214 0x0102d380 in KJS::SourceElementsNode::execute (this=0x17f580d0, exec=0xbfffd330) #215 0x0102af08 in KJS::BlockNode::execute (this=0x17f5a790, exec=0xbfffd330) #216 0x01019730 in KJS::DeclaredFunctionImp::execute (this=0x17e2f320, exec=0xbfffd330) #217 0x01018d58 in KJS::FunctionImp::callAsFunction (this=0x17e2f320, exec=0xbfffd6b0, thisObj=0x136e5450, args=@0xbfffd474) #218 0x0103efd0 in KJS::JSObject::call (this=0x17e2f320, exec=0xbfffd6b0, thisObj=0x136e5450, args=@0xbfffd474) #219 0x01034afc in KJS::FunctionCallResolveNode::evaluate (this=0x17dee4b0, exec=0xbfffd6b0) #220 0x01030c54 in KJS::ExprStatementNode::execute (this=0x17dee4c0, exec=0xbfffd6b0) #221 0x0102d230 in KJS::SourceElementsNode::execute (this=0x17dee4e0, exec=0xbfffd6b0) #222 0x0102af08 in KJS::BlockNode::execute (this=0x17dee500, exec=0xbfffd6b0) #223 0x01019730 in KJS::DeclaredFunctionImp::execute (this=0x1801df18, exec=0xbfffd6b0) #224 0x01018d58 in KJS::FunctionImp::callAsFunction (this=0x1801df18, exec=0xbfffda90, thisObj=0x136e5450, args=@0xbfffd7f4) #225 0x0103efd0 in KJS::JSObject::call (this=0x1801df18, exec=0xbfffda90, thisObj=0x136e5450, args=@0xbfffd7f4) #226 0x01034afc in KJS::FunctionCallResolveNode::evaluate (this=0x17df0d40, exec=0xbfffda90) #227 0x01030c54 in KJS::ExprStatementNode::execute (this=0x17df0d50, exec=0xbfffda90) #228 0x01030adc in KJS::IfNode::execute (this=0x17df0d70, exec=0xbfffda90) #229 0x0102d380 in KJS::SourceElementsNode::execute (this=0x17df0c50, exec=0xbfffda90) #230 0x0102af08 in KJS::BlockNode::execute (this=0x17df0db0, exec=0xbfffda90) #231 0x01019730 in KJS::DeclaredFunctionImp::execute (this=0x18024070, exec=0xbfffda90) #232 0x01018d58 in KJS::FunctionImp::callAsFunction (this=0x18024070, exec=0xbfffdfa0, thisObj=0x136e5450, args=@0xbfffdbd4) #233 0x0103efd0 in KJS::JSObject::call (this=0x18024070, exec=0xbfffdfa0, thisObj=0x136e5450, args=@0xbfffdbd4) #234 0x01034afc in KJS::FunctionCallResolveNode::evaluate (this=0x17f11c00, exec=0xbfffdfa0) #235 0x01030c54 in KJS::ExprStatementNode::execute (this=0x17f11c10, exec=0xbfffdfa0) #236 0x01030adc in KJS::IfNode::execute (this=0x17f11c30, exec=0xbfffdfa0) #237 0x0102d380 in KJS::SourceElementsNode::execute (this=0x17f11a40, exec=0xbfffdfa0) #238 0x0102af08 in KJS::BlockNode::execute (this=0x17f11e90, exec=0xbfffdfa0) #239 0x01030adc in KJS::IfNode::execute (this=0x17f11f10, exec=0xbfffdfa0) #240 0x0102d230 in KJS::SourceElementsNode::execute (this=0x17f11f30, exec=0xbfffdfa0) #241 0x0102af08 in KJS::BlockNode::execute (this=0x17f11f50, exec=0xbfffdfa0) #242 0x01019730 in KJS::DeclaredFunctionImp::execute (this=0x17e2ec90, exec=0xbfffdfa0) #243 0x01018d58 in KJS::FunctionImp::callAsFunction (this=0x17e2ec90, exec=0x136e5ce4, thisObj=0x180176f8, args=@0xbfffe144) #244 0x0103efd0 in KJS::JSObject::call (this=0x17e2ec90, exec=0x136e5ce4, thisObj=0x180176f8, args=@0xbfffe144) #245 0x01a8292c in KJS::JSAbstractEventListener::handleEvent (this=0x17f6b170, ele=0x18484ba0, isWindowEvent=false) #246 0x01a43f54 in WebCore::EventTargetNode::handleLocalEvents (this=0x17ded650, evt=0x18484ba0, useCapture=false) #247 0x01a443a8 in WebCore::EventTargetNode::dispatchGenericEvent (this=0x17ded650, e=@0xbfffe2e8, tempEvent=true) #248 0x01a44d60 in WebCore::EventTargetNode::dispatchEvent (this=0x17ded650, e=@0xbfffe348, ec=@0xbfffe34c, tempEvent=true) #249 0x01a44e50 in WebCore::EventTargetNode::dispatchHTMLEvent (this=0x17ded650, eventType=@0x1d10f38, canBubbleArg=false, cancelableArg=false) #250 0x01ad17fc in WebCore::HTMLScriptElement::notifyFinished (this=0x17ded650, o=0x17f70a80) #251 0x018c70c0 in WebCore::CachedScript::checkNotify (this=0x17f70a80) #252 0x018c720c in WebCore::CachedScript::data (this=0x17f70a80, data=@0x17f4c554, eof=true) #253 0x018c9cd8 in WebCore::Loader::receivedAllData (this=0x13255860, job=0x17f60320, allData=0x17f2cc30) #254 0x017a4344 in -[KWQResourceLoader finishJobAndHandle:] (self=0x17f56b00, _cmd=0x1b3a8e4, data=0x17f2cc30) #255 0x017a45f4 in -[KWQResourceLoader finishWithData:] (self=0x17f56b00, _cmd=0x1b3a914, data=0x17f2cc30) #256 0x0033e448 in -[WebSubresourceLoader didFinishLoading] (self=0x17f6c880, _cmd=0x90a95ac4) #257 0x00342a54 in -[WebLoader connectionDidFinishLoading:] (self=0x17f6c880, _cmd=0x90a91a94, con=0x17f5cf10) #258 0x929a984c in -[NSURLConnection(NSURLConnectionInternal) _sendDidFinishLoadingCallback] () #259 0x929a7ab8 in -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] () #260 0x929a7810 in _sendCallbacks () #261 0x907e44cc in __CFRunLoopDoSources0 () #262 0x907e39fc in __CFRunLoopRun () #263 0x907e347c in CFRunLoopRunSpecific () #264 0x9321e980 in RunCurrentEventLoopInMode () #265 0x9321e014 in ReceiveNextEventCommon () #266 0x9321de80 in BlockUntilNextEventMatchingListInMode () #267 0x93720e84 in _DPSNextEvent () #268 0x93720b48 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] () #269 0x00006df4 in ?? () #270 0x9371d08c in -[NSApplication run] () #271 0x9380dbfc in NSApplicationMain () #272 0x0005cb98 in ?? () #273 0x0005ca40 in ?? () Current language: auto; currently c++ (gdb)
Attachments
patch (1.41 KB, patch)
2006-05-21 16:33 PDT, Adele Peterson 		mjs: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Geoffrey Garen
Comment 1 2006-05-20 14:02:07 PDT
Turning MallocScribble on makes this 100% reproducible.
Adele Peterson
Comment 2 2006-05-20 16:25:41 PDT
Shoot. I just changed RenderTextField::text to use innerText instead of textContent so it would take whitespace into account for textareas. We can change it back for now until we come up with a better solution to the whitespace problem.
Adele Peterson
Comment 3 2006-05-21 16:33:15 PDT
Created attachment 8453 [details] patch
Maciej Stachowiak
Comment 4 2006-05-21 16:36:31 PDT
Comment on attachment 8453 [details] patch r=me
Geoffrey Garen
Comment 5 2006-05-22 09:58:44 PDT
I think another solution might be to have the text() method update layout on the element itself instead of the whole document, which would prevent the element from being removed from the document. I don't understand the comment explaining why text() needs to update layout on the document, though, so I'm not sure that's a viable approach.
Shawn Smith
Comment 6 2006-05-22 20:35:09 PDT
*** Bug 9034 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.