WebKit Bugzilla
Bug 128051: Crash in WebCore::ScriptController::shouldBypassMainWorldContentSecurityPolicy()
Status: CLOSED FIXED
https://bugs.webkit.org/show_bug.cgi?id=128051
Dimitris Apostolou, reported 2014-02-01 14:15:06 PST

Created attachment 222891: Crash log

r163227
Reproducibility: always

Steps:
1. https://www.google.com/maps/preview/
2. Type something in search box.
3. Click on any of the suggested results.

What happened:
3. Crash.

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore              0x0000000111a5f8a9 WebCore::ScriptController::shouldBypassMainWorldContentSecurityPolicy() + 41
1   com.apple.WebCore              0x000000011101ac8f WebCore::CachedResourceLoader::canRequest(WebCore::CachedResource::Type, WebCore::URL const&, WebCore::ResourceLoaderOptions const&, bool) + 95
2   com.apple.WebCore              0x000000011101b0c8 WebCore::CachedResourceLoader::requestResource(WebCore::CachedResource::Type, WebCore::CachedResourceRequest&) + 360
3   com.apple.WebCore              0x000000011101abf8 WebCore::CachedResourceLoader::requestImage(WebCore::CachedResourceRequest&) + 328
4   com.apple.WebCore              0x00000001110c426c WebCore::CSSImageValue::cachedImage(WebCore::CachedResourceLoader*, WebCore::ResourceLoaderOptions const&) + 540
5   com.apple.WebCore              0x0000000111b0154b WebCore::StyleResolver::loadPendingImage(WebCore::StylePendingImage*, WebCore::ResourceLoaderOptions const&) + 91
6   com.apple.WebCore              0x0000000111b01a56 WebCore::StyleResolver::loadPendingImages() + 870
7   com.apple.WebCore              0x0000000111af6f5f WebCore::StyleResolver::applyMatchedProperties(WebCore::StyleResolver::MatchResult const&, WebCore::Element const*, WebCore::StyleResolver::ShouldUseMatchedPropertiesCache) + 1951
8   com.apple.WebCore              0x0000000111af4cfb WebCore::StyleResolver::styleForElement(WebCore::Element*, WebCore::RenderStyle*, WebCore::StyleSharingBehavior, WebCore::RuleMatchingBehavior, WebCore::RenderRegion*) + 1083
9   com.apple.WebCore              0x000000011124afdb WebCore::Element::styleForRenderer() + 107
10  com.apple.WebCore              0x0000000111041c5f WebCore::Style::attachRenderTree(WebCore::Element&, WTF::PassRefPtr<WebCore::RenderStyle>) + 495
11  com.apple.WebCore              0x0000000111042251 WebCore::Style::attachChildren(WebCore::ContainerNode&) + 321
12  com.apple.WebCore              0x0000000111042052 WebCore::Style::attachRenderTree(WebCore::Element&, WTF::PassRefPtr<WebCore::RenderStyle>) + 1506
13  com.apple.WebCore              0x0000000111040e4b WebCore::Style::resolveTree(WebCore::Element&, WebCore::Style::Change) + 523
14  com.apple.WebCore              0x00000001110413c9 WebCore::Style::resolveTree(WebCore::Element&, WebCore::Style::Change) + 1929
15  com.apple.WebCore              0x00000001110413c9 WebCore::Style::resolveTree(WebCore::Element&, WebCore::Style::Change) + 1929
16  com.apple.WebCore              0x00000001110413c9 WebCore::Style::resolveTree(WebCore::Element&, WebCore::Style::Change) + 1929
17  com.apple.WebCore              0x00000001110413c9 WebCore::Style::resolveTree(WebCore::Element&, WebCore::Style::Change) + 1929
18  com.apple.WebCore              0x00000001110413c9 WebCore::Style::resolveTree(WebCore::Element&, WebCore::Style::Change) + 1929
19  com.apple.WebCore              0x00000001110413c9 WebCore::Style::resolveTree(WebCore::Element&, WebCore::Style::Change) + 1929
20  com.apple.WebCore              0x00000001110413c9 WebCore::Style::resolveTree(WebCore::Element&, WebCore::Style::Change) + 1929
21  com.apple.WebCore              0x00000001110413c9 WebCore::Style::resolveTree(WebCore::Element&, WebCore::Style::Change) + 1929
22  com.apple.WebCore              0x00000001110413c9 WebCore::Style::resolveTree(WebCore::Element&, WebCore::Style::Change) + 1929
23  com.apple.WebCore              0x00000001110413c9 WebCore::Style::resolveTree(WebCore::Element&, WebCore::Style::Change) + 1929
24  com.apple.WebCore              0x00000001110413c9 WebCore::Style::resolveTree(WebCore::Element&, WebCore::Style::Change) + 1929
25  com.apple.WebCore              0x00000001110413c9 WebCore::Style::resolveTree(WebCore::Element&, WebCore::Style::Change) + 1929
26  com.apple.WebCore              0x00000001110413c9 WebCore::Style::resolveTree(WebCore::Element&, WebCore::Style::Change) + 1929
27  com.apple.WebCore              0x00000001110413c9 WebCore::Style::resolveTree(WebCore::Element&, WebCore::Style::Change) + 1929
28  com.apple.WebCore              0x00000001110413c9 WebCore::Style::resolveTree(WebCore::Element&, WebCore::Style::Change) + 1929
29  com.apple.WebCore              0x0000000111040c26 WebCore::Style::resolveTree(WebCore::Document&, WebCore::Style::Change) + 278
30  com.apple.WebCore              0x000000011118e60b WebCore::Document::recalcStyle(WebCore::Style::Change) + 235
31  com.apple.WebCore              0x000000011118b773 WebCore::Document::updateStyleIfNeeded() + 147
32  com.apple.WebCore              0x000000011118c23e WebCore::Document::updateLayout() + 126
33  com.apple.WebCore              0x000000011118ec76 WebCore::Document::updateLayoutIgnorePendingStylesheets() + 262
34  com.apple.WebCore              0x0000000111247e66 WebCore::Element::offsetHeight() + 22
35  com.apple.WebCore              0x00000001115aa0ee WebCore::jsElementOffsetHeight(JSC::ExecState*, long long, long long, JSC::PropertyName) + 110
36  ???                            0x000022fe6fb0e27a 0 + 38476190900858
37  com.apple.JavaScriptCore       0x0000000110c75006 llint_op_call + 132
38  ???                            0x000000011de536c0 0 + 4796528320
39  com.apple.JavaScriptCore       0x0000000110c708dc callToJavaScript + 321
40  ???                            0x0000000119cef000 0 + 4727959552
41  com.apple.JavaScriptCore       0x0000000110b868b3 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 35
42  com.apple.JavaScriptCore       0x0000000110b629f7 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 439
43  com.apple.JavaScriptCore       0x0000000110a035be JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 62
44  com.apple.JavaScriptCore       0x0000000110bdb5d1 JSC::boundFunctionCall(JSC::ExecState*) + 577
45  com.apple.JavaScriptCore       0x0000000110c70a84 callToNativeFunction + 327
46  ???                            000000000000000000 0 + 0
47  com.apple.JavaScriptCore       0x0000000110b62a34 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 500
48  com.apple.JavaScriptCore       0x0000000110a035be JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 62
49  com.apple.WebCore              0x0000000111a58f92 WebCore::ScheduledAction::executeFunctionInContext(JSC::JSGlobalObject*, JSC::JSValue, WebCore::ScriptExecutionContext*) + 466
50  com.apple.WebCore              0x0000000111a58c42 WebCore::ScheduledAction::execute(WebCore::Document*) + 146
51  com.apple.WebCore              0x0000000111207e10 WebCore::DOMTimer::fired() + 304
52  com.apple.WebCore              0x0000000111bf51bf WebCore::ThreadTimers::sharedTimerFiredInternal() + 175
53  com.apple.WebCore              0x0000000111aa961a WebCore::timerFired(__CFRunLoopTimer*, void*) + 58
54  com.apple.CoreFoundation       0x00007fff8fa69564 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
55  com.apple.CoreFoundation       0x00007fff8fa6909f __CFRunLoopDoTimer + 1151
56  com.apple.CoreFoundation       0x00007fff8fada5aa __CFRunLoopDoTimers + 298
57  com.apple.CoreFoundation       0x00007fff8fa248e5 __CFRunLoopRun + 1525
58  com.apple.CoreFoundation       0x00007fff8fa240b5 CFRunLoopRunSpecific + 309
59  com.apple.HIToolbox            0x00007fff91ef1a0d RunCurrentEventLoopInMode + 226
60  com.apple.HIToolbox            0x00007fff91ef17b7 ReceiveNextEventCommon + 479
61  com.apple.HIToolbox            0x00007fff91ef15bc _BlockUntilNextEventMatchingListInModeWithFilter + 65
62  com.apple.AppKit               0x00007fff8ce7a3de _DPSNextEvent + 1434
63  com.apple.AppKit               0x00007fff8ce79a2b -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 122
64  com.apple.AppKit               0x00007fff8ce6db2c -[NSApplication run] + 553
65  com.apple.AppKit               0x00007fff8ce58913 NSApplicationMain + 940
66  com.apple.XPCService           0x00007fff95a26c0f _xpc_main + 385
67  libxpc.dylib                   0x00007fff8b8f7bde xpc_main + 399
68  com.apple.WebKit.WebContent.Development 0x000000010d3b26a0 main + 16
69  libdyld.dylib                  0x00007fff91cd95fd start + 1

Expected result:
3. WebKit does not crash.
Attachments
Crash log (62.62 KB, application/octet-stream), 2014-02-01 14:15 PST, Dimitris Apostolou, no flags
Dimitris Apostolou, Comment 1, 2014-02-02 14:23:23 PST
Same crash by visiting https://www.facebook.com/earndit?filter=2
Dimitris Apostolou, Comment 2, 2014-02-05 23:58:01 PST
Fixed with r163498