Bug 11010 - REGRESSION: Repro crash in <script> onload event dispatch
Summary: REGRESSION: Repro crash in <script> onload event dispatch
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: 420+
Hardware: Macintosh OS X 10.4
Importance: P1 Normal
Assignee: Nobody
URL: http://apartmentcities.com/Apartments...
Keywords: HasReduction, InRadar, Regression
Duplicates: 11837
Depends on:
Blocks:
 
Reported: 2006-09-24 13:29 PDT by mitz
Modified: 2006-12-20 03:03 PST

See Also:


Attachments
Reduction (will crash) (306 bytes, text/html), 2006-09-25 09:18 PDT, mitz

Description mitz 2006-09-24 13:29:10 PDT
This is what I get going to the above URL with TOT:

EXC_BAD_ACCESS (0x0001)
KERN_PROTECTION_FAILURE (0x0002) at 0x003a0033

Thread 0 Crashed:
0    WebCore::TreeShared<WebCore::Node>::ref() + 32 (Shared.h:51)
1    WebCore::EventTargetNode::dispatchGenericEvent(WTF::PassRefPtr<WebCore::Event>, int&, bool) + 304 (EventTargetNode.cpp:179)
2    WebCore::EventTargetNode::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, int&, bool) + 348 (EventTargetNode.cpp:292)
3    WebCore::EventTargetNode::dispatchHTMLEvent(WebCore::AtomicString const&, bool, bool) + 172 (EventTargetNode.cpp:481)
4    WebCore::HTMLScriptElement::notifyFinished(WebCore::CachedResource*) + 244 (HTMLScriptElement.cpp:155)
5    WebCore::CachedScript::checkNotify() + 112 (CachedScript.cpp:108)
6    WebCore::CachedScript::data(WTF::Vector<char, (unsigned long)0>&, bool) + 184 (CachedScript.cpp:100)
7    WebCore::Loader::receivedAllData(WebCore::ResourceLoader*, NSData*) + 464 (loader.cpp:138)
8    -[WebCoreResourceLoaderImp finishJobAndHandle:] + 180 (WebCoreResourceLoaderImp.mm:98)
9    -[WebCoreResourceLoaderImp finishWithData:] + 196 (WebCoreResourceLoaderImp.mm:130)
...
Comment 1 mitz 2006-09-24 23:33:49 PDT
The problem appears to be a script that deletes its own <script> element. Looks like the fix is for
HTMLScriptElement::notifyFinished() to protect itself with a ref()/deref() (it will also be cleaner to change the cs->deref(this) to m_cachedScript->deref(this) only if m_cachedScript is still non-0). Other callers to HTMLScriptElement::evaluateScript() appear to be safe, since it's the last thing they call.
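The lifetime hazard described in comment 1 (a load handler that removes its own <script> element while notifyFinished() is still running) and the proposed fix (hold a ref()/deref() across the dispatch, and only touch m_cachedScript if it is still set) can be shown with a small stand-alone model. The following is an added example, not WebKit code: Node, RefGuard, CachedScript and ScriptElement are simplified stand-ins for TreeShared<Node>, RefPtr<Node>, CachedScript and HTMLScriptElement, the live-object registry is constructed purely so the buggy path can report the destroyed object instead of reading freed memory, and the function and field names other than m_cachedScript are assumptions.

```cpp
#include <cstdio>
#include <set>
#include <vector>

// Registry of live Node addresses, constructed for this example so the demo can
// report "object destroyed during the callback" without reading freed memory.
static std::set<const void*> g_liveNodes;

// Minimal intrusive ref-counted tree node, modelled on WebCore's TreeShared<Node>:
// the parent holds one reference to each child.
class Node {
public:
    Node() { g_liveNodes.insert(this); }
    virtual ~Node() {
        for (Node* c : m_children) { c->m_parent = nullptr; c->deref(); }
        g_liveNodes.erase(this);
    }
    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) delete this; }
    void appendChild(Node* child) { child->ref(); child->m_parent = this; m_children.push_back(child); }
    void removeChild(Node* child) {
        for (auto it = m_children.begin(); it != m_children.end(); ++it)
            if (*it == child) { m_children.erase(it); break; }
        child->m_parent = nullptr;
        child->deref();               // destroys child if nobody else holds a reference
    }
    Node* parentNode() const { return m_parent; }
private:
    int m_refCount = 0;
    Node* m_parent = nullptr;
    std::vector<Node*> m_children;
};

// Scope guard that keeps a node alive, the role RefPtr<Node> plays in WebCore.
class RefGuard {
public:
    explicit RefGuard(Node* n) : m_node(n) { m_node->ref(); }
    ~RefGuard() { m_node->deref(); }
private:
    Node* m_node;
};

// Stand-in for the loaded resource: counts the elements attached to it.
struct CachedScript { int clients = 0; void deref(Node*) { --clients; } };

// Stand-in for HTMLScriptElement. The onload handler is page script and may do
// anything, including removing this very element from the document.
class ScriptElement : public Node {
public:
    void (*onload)(ScriptElement&) = nullptr;
    CachedScript* m_cachedScript = nullptr;
    void dispatchLoad() { auto handler = onload; if (handler) handler(*this); }
};

struct Outcome { bool survived; bool elementFreed; int clientsLeft; };

// Buggy shape: nothing keeps `element` alive across the event dispatch.
bool notifyFinishedUnprotected(ScriptElement* element) {
    const Node* self = element;
    CachedScript* cs = element->m_cachedScript;
    element->dispatchLoad();                          // handler may free `element`
    if (!g_liveNodes.count(self)) return false;       // a real build would now touch freed memory
    cs->deref(element);
    element->m_cachedScript = nullptr;
    return true;
}

// Fixed shape from comment 1: hold a reference across the dispatch, and only
// touch m_cachedScript if it is still set afterwards.
bool notifyFinishedProtected(ScriptElement* element) {
    RefGuard protect(element);                        // element outlives this function body
    element->dispatchLoad();
    if (element->m_cachedScript) {
        element->m_cachedScript->deref(element);
        element->m_cachedScript = nullptr;
    }
    return true;
}

// Handler standing in for the reduction's page script: remove the <script> itself.
static void removeSelf(ScriptElement& e) { e.parentNode()->removeChild(&e); }

// Builds a one-element document and fires the load notification either way.
Outcome runScenario(bool protect) {
    Node* document = new Node; document->ref();
    ScriptElement* script = new ScriptElement;
    CachedScript cached; cached.clients = 1;
    script->m_cachedScript = &cached;
    document->appendChild(script);
    script->onload = removeSelf;
    const Node* addr = script;
    bool survived = protect ? notifyFinishedProtected(script) : notifyFinishedUnprotected(script);
    Outcome out{survived, g_liveNodes.count(addr) == 0, cached.clients};
    document->deref();
    return out;
}

int main() {
    Outcome a = runScenario(false), b = runScenario(true);
    std::printf("unprotected: survived=%d freed=%d clients=%d\n", a.survived, a.elementFreed, a.clientsLeft);
    std::printf("protected:   survived=%d freed=%d clients=%d\n", b.survived, b.elementFreed, b.clientsLeft);
    return 0;
}
```

In the unprotected run the element's only reference is the one its parent holds, so removeChild() inside the handler frees it and the code after dispatch is left holding a dangling pointer (here reported as survived=0, with the CachedScript client never released). In the protected run the guard's extra reference keeps the element alive until notifyFinished returns, the resource is released cleanly, and the element is freed only when the guard goes out of scope. The same rule applies to any callback that can run arbitrary script: take a reference before dispatch and re-check any member state afterwards.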
Comment 2 mitz 2006-09-25 09:18:00 PDT
Created attachment 10758 [details]
Reduction (will crash)

Crashes run-webkit-tests immediately; in Safari you need to reload to get the crash (might be a good junk/bad junk thing).
Comment 3 Stephanie Lewis 2006-11-06 21:53:37 PST
radar 4701860
Comment 4 mitz 2006-12-15 02:01:40 PST
*** Bug 11837 has been marked as a duplicate of this bug. ***
Comment 5 mitz 2006-12-19 22:36:48 PST
Fixed (completely independently of this Bugzilla bug) by Anders in r18335.
Comment 6 David Kilzer (:ddkilzer) 2006-12-20 03:03:56 PST
(In reply to comment #3)
> radar 4701860

Per r18335, also:

<rdar://problem/4726407> [9A255] Crash in WebCore::EventTargetNode::dispatchEvent

http://trac.webkit.org/projects/webkit/changeset/18335