Bug 128051 - Crash in WebCore::ScriptController::shouldBypassMainWorldContentSecurityPolicy()
Summary: Crash in WebCore::ScriptController::shouldBypassMainWorldContentSecurityPolicy()
Status: CLOSED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore JavaScript
Version: 528+ (Nightly build)
Hardware: Mac (Intel) OS X 10.9
Importance: P2 Normal
Assignee: Nobody
URL: https://www.google.com/maps/preview/
Keywords:
Depends on:
Blocks:
Reported: 2014-02-01 14:15 PST by Dimitris Apostolou
Modified: 2014-02-05 23:58 PST

See Also:


Attachments
Crash log (62.62 KB, application/octet-stream), 2014-02-01 14:15 PST, Dimitris Apostolou

Description Dimitris Apostolou 2014-02-01 14:15:06 PST
Created attachment 222891
Crash log

r163227

Reproducibility: always

Steps:
1. https://www.google.com/maps/preview/
2. Type something in search box.
3. Click on any of the suggested results.

What happened:
3. Crash.

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x0000000111a5f8a9 WebCore::ScriptController::shouldBypassMainWorldContentSecurityPolicy() + 41
1   com.apple.WebCore             	0x000000011101ac8f WebCore::CachedResourceLoader::canRequest(WebCore::CachedResource::Type, WebCore::URL const&, WebCore::ResourceLoaderOptions const&, bool) + 95
2   com.apple.WebCore             	0x000000011101b0c8 WebCore::CachedResourceLoader::requestResource(WebCore::CachedResource::Type, WebCore::CachedResourceRequest&) + 360
3   com.apple.WebCore             	0x000000011101abf8 WebCore::CachedResourceLoader::requestImage(WebCore::CachedResourceRequest&) + 328
4   com.apple.WebCore             	0x00000001110c426c WebCore::CSSImageValue::cachedImage(WebCore::CachedResourceLoader*, WebCore::ResourceLoaderOptions const&) + 540
5   com.apple.WebCore             	0x0000000111b0154b WebCore::StyleResolver::loadPendingImage(WebCore::StylePendingImage*, WebCore::ResourceLoaderOptions const&) + 91
6   com.apple.WebCore             	0x0000000111b01a56 WebCore::StyleResolver::loadPendingImages() + 870
7   com.apple.WebCore             	0x0000000111af6f5f WebCore::StyleResolver::applyMatchedProperties(WebCore::StyleResolver::MatchResult const&, WebCore::Element const*, WebCore::StyleResolver::ShouldUseMatchedPropertiesCache) + 1951
8   com.apple.WebCore             	0x0000000111af4cfb WebCore::StyleResolver::styleForElement(WebCore::Element*, WebCore::RenderStyle*, WebCore::StyleSharingBehavior, WebCore::RuleMatchingBehavior, WebCore::RenderRegion*) + 1083
9   com.apple.WebCore             	0x000000011124afdb WebCore::Element::styleForRenderer() + 107
10  com.apple.WebCore             	0x0000000111041c5f WebCore::Style::attachRenderTree(WebCore::Element&, WTF::PassRefPtr<WebCore::RenderStyle>) + 495
11  com.apple.WebCore             	0x0000000111042251 WebCore::Style::attachChildren(WebCore::ContainerNode&) + 321
12  com.apple.WebCore             	0x0000000111042052 WebCore::Style::attachRenderTree(WebCore::Element&, WTF::PassRefPtr<WebCore::RenderStyle>) + 1506
13  com.apple.WebCore             	0x0000000111040e4b WebCore::Style::resolveTree(WebCore::Element&, WebCore::Style::Change) + 523
14  com.apple.WebCore             	0x00000001110413c9 WebCore::Style::resolveTree(WebCore::Element&, WebCore::Style::Change) + 1929
15  com.apple.WebCore             	0x00000001110413c9 WebCore::Style::resolveTree(WebCore::Element&, WebCore::Style::Change) + 1929
16  com.apple.WebCore             	0x00000001110413c9 WebCore::Style::resolveTree(WebCore::Element&, WebCore::Style::Change) + 1929
17  com.apple.WebCore             	0x00000001110413c9 WebCore::Style::resolveTree(WebCore::Element&, WebCore::Style::Change) + 1929
18  com.apple.WebCore             	0x00000001110413c9 WebCore::Style::resolveTree(WebCore::Element&, WebCore::Style::Change) + 1929
19  com.apple.WebCore             	0x00000001110413c9 WebCore::Style::resolveTree(WebCore::Element&, WebCore::Style::Change) + 1929
20  com.apple.WebCore             	0x00000001110413c9 WebCore::Style::resolveTree(WebCore::Element&, WebCore::Style::Change) + 1929
21  com.apple.WebCore             	0x00000001110413c9 WebCore::Style::resolveTree(WebCore::Element&, WebCore::Style::Change) + 1929
22  com.apple.WebCore             	0x00000001110413c9 WebCore::Style::resolveTree(WebCore::Element&, WebCore::Style::Change) + 1929
23  com.apple.WebCore             	0x00000001110413c9 WebCore::Style::resolveTree(WebCore::Element&, WebCore::Style::Change) + 1929
24  com.apple.WebCore             	0x00000001110413c9 WebCore::Style::resolveTree(WebCore::Element&, WebCore::Style::Change) + 1929
25  com.apple.WebCore             	0x00000001110413c9 WebCore::Style::resolveTree(WebCore::Element&, WebCore::Style::Change) + 1929
26  com.apple.WebCore             	0x00000001110413c9 WebCore::Style::resolveTree(WebCore::Element&, WebCore::Style::Change) + 1929
27  com.apple.WebCore             	0x00000001110413c9 WebCore::Style::resolveTree(WebCore::Element&, WebCore::Style::Change) + 1929
28  com.apple.WebCore             	0x00000001110413c9 WebCore::Style::resolveTree(WebCore::Element&, WebCore::Style::Change) + 1929
29  com.apple.WebCore             	0x0000000111040c26 WebCore::Style::resolveTree(WebCore::Document&, WebCore::Style::Change) + 278
30  com.apple.WebCore             	0x000000011118e60b WebCore::Document::recalcStyle(WebCore::Style::Change) + 235
31  com.apple.WebCore             	0x000000011118b773 WebCore::Document::updateStyleIfNeeded() + 147
32  com.apple.WebCore             	0x000000011118c23e WebCore::Document::updateLayout() + 126
33  com.apple.WebCore             	0x000000011118ec76 WebCore::Document::updateLayoutIgnorePendingStylesheets() + 262
34  com.apple.WebCore             	0x0000000111247e66 WebCore::Element::offsetHeight() + 22
35  com.apple.WebCore             	0x00000001115aa0ee WebCore::jsElementOffsetHeight(JSC::ExecState*, long long, long long, JSC::PropertyName) + 110
36  ???                           	0x000022fe6fb0e27a 0 + 38476190900858
37  com.apple.JavaScriptCore      	0x0000000110c75006 llint_op_call + 132
38  ???                           	0x000000011de536c0 0 + 4796528320
39  com.apple.JavaScriptCore      	0x0000000110c708dc callToJavaScript + 321
40  ???                           	0x0000000119cef000 0 + 4727959552
41  com.apple.JavaScriptCore      	0x0000000110b868b3 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 35
42  com.apple.JavaScriptCore      	0x0000000110b629f7 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 439
43  com.apple.JavaScriptCore      	0x0000000110a035be JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 62
44  com.apple.JavaScriptCore      	0x0000000110bdb5d1 JSC::boundFunctionCall(JSC::ExecState*) + 577
45  com.apple.JavaScriptCore      	0x0000000110c70a84 callToNativeFunction + 327
46  ???                           	000000000000000000 0 + 0
47  com.apple.JavaScriptCore      	0x0000000110b62a34 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 500
48  com.apple.JavaScriptCore      	0x0000000110a035be JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 62
49  com.apple.WebCore             	0x0000000111a58f92 WebCore::ScheduledAction::executeFunctionInContext(JSC::JSGlobalObject*, JSC::JSValue, WebCore::ScriptExecutionContext*) + 466
50  com.apple.WebCore             	0x0000000111a58c42 WebCore::ScheduledAction::execute(WebCore::Document*) + 146
51  com.apple.WebCore             	0x0000000111207e10 WebCore::DOMTimer::fired() + 304
52  com.apple.WebCore             	0x0000000111bf51bf WebCore::ThreadTimers::sharedTimerFiredInternal() + 175
53  com.apple.WebCore             	0x0000000111aa961a WebCore::timerFired(__CFRunLoopTimer*, void*) + 58
54  com.apple.CoreFoundation      	0x00007fff8fa69564 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
55  com.apple.CoreFoundation      	0x00007fff8fa6909f __CFRunLoopDoTimer + 1151
56  com.apple.CoreFoundation      	0x00007fff8fada5aa __CFRunLoopDoTimers + 298
57  com.apple.CoreFoundation      	0x00007fff8fa248e5 __CFRunLoopRun + 1525
58  com.apple.CoreFoundation      	0x00007fff8fa240b5 CFRunLoopRunSpecific + 309
59  com.apple.HIToolbox           	0x00007fff91ef1a0d RunCurrentEventLoopInMode + 226
60  com.apple.HIToolbox           	0x00007fff91ef17b7 ReceiveNextEventCommon + 479
61  com.apple.HIToolbox           	0x00007fff91ef15bc _BlockUntilNextEventMatchingListInModeWithFilter + 65
62  com.apple.AppKit              	0x00007fff8ce7a3de _DPSNextEvent + 1434
63  com.apple.AppKit              	0x00007fff8ce79a2b -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 122
64  com.apple.AppKit              	0x00007fff8ce6db2c -[NSApplication run] + 553
65  com.apple.AppKit              	0x00007fff8ce58913 NSApplicationMain + 940
66  com.apple.XPCService          	0x00007fff95a26c0f _xpc_main + 385
67  libxpc.dylib                  	0x00007fff8b8f7bde xpc_main + 399
68  com.apple.WebKit.WebContent.Development	0x000000010d3b26a0 main + 16
69  libdyld.dylib                 	0x00007fff91cd95fd start + 1

Expected result:
3. WebKit does not crash.
Comment 1 Dimitris Apostolou 2014-02-02 14:23:23 PST
Same crash by visiting https://www.facebook.com/earndit?filter=2
Comment 2 Dimitris Apostolou 2014-02-05 23:58:01 PST
Fixed with r163498