Bug 17862 - REGRESSION (r31038): Reproducible crash under DocLoader::checkForReload() at marware.com
Summary: REGRESSION (r31038): Reproducible crash under DocLoader::checkForReload() at ...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Page Loading (show other bugs)
Version: 528+ (Nightly build)
Hardware: Mac OS X 10.5
Importance: P1 Major
Assignee: Nobody
URL: http://www.marware.com/PRODUCTS/Apple...
Keywords:
Duplicates: 17860 17875 17899
Depends on:
Blocks:
 
Reported: 2008-03-15 01:24 PDT by mitz
Modified: 2008-03-17 15:11 PDT (History)

See Also:


Attachments
patch (5.18 KB, patch)
2008-03-15 23:44 PDT, Antti Koivisto
darin: review+

Description mitz 2008-03-15 01:24:50 PDT
Opening the URL in r31072, shortly after the page appears WebKit crashes with this backtrace:

#0  0x01c0a15d in WebCore::StringImpl::length (this=0x4) at text/StringImpl.h:84
#1  0x01c0e0e3 in WebCore::StringHash::equal (a=0x4, b=0x1a2c6d10) at StringHash.h:44
#2  0x01c0f3a2 in WTF::IdentityHashTranslator<WebCore::StringImpl*, WebCore::StringImpl*, WebCore::StringHash>::equal (a=@0x19e8c9a8, b=@0xbfffcbd8) at HashTable.h:269
#3  0x01c0f48d in WTF::HashTable<WebCore::StringImpl*, WebCore::StringImpl*, WTF::IdentityExtractor<WebCore::StringImpl*>, WebCore::StringHash, WTF::HashTraits<WebCore::StringImpl*>, WTF::HashTraits<WebCore::StringImpl*> >::lookup<WebCore::StringImpl*, WTF::IdentityHashTranslator<WebCore::StringImpl*, WebCore::StringImpl*, WebCore::StringHash> > (this=0x3b9e2f4, key=@0xbfffcbd8) at HashTable.h:463
#4  0x01ca092e in WTF::HashTable<WebCore::StringImpl*, WebCore::StringImpl*, WTF::IdentityExtractor<WebCore::StringImpl*>, WebCore::StringHash, WTF::HashTraits<WebCore::StringImpl*>, WTF::HashTraits<WebCore::StringImpl*> >::contains<WebCore::StringImpl*, WTF::IdentityHashTranslator<WebCore::StringImpl*, WebCore::StringImpl*, WebCore::StringHash> > (this=0x3b9e2f4, key=@0xbfffcbd8) at HashTable.h:764
#5  0x01ca0956 in WTF::HashTable<WebCore::StringImpl*, WebCore::StringImpl*, WTF::IdentityExtractor<WebCore::StringImpl*>, WebCore::StringHash, WTF::HashTraits<WebCore::StringImpl*>, WTF::HashTraits<WebCore::StringImpl*> >::contains (this=0x3b9e2f4, key=@0xbfffcbd8) at HashTable.h:316
#6  0x01ca0974 in WTF::HashSet<WebCore::String, WebCore::StringHash, WTF::HashTraits<WebCore::String> >::contains (this=0x3b9e2f4, value=@0xbfffcbd8) at HashSet.h:258
#7  0x01d28c32 in WebCore::DocLoader::checkForReload (this=0x3b9e2f0, fullURL=@0xbfffcbd8) at WebCore/loader/DocLoader.cpp:76
#8  0x01d28ff8 in WebCore::DocLoader::requestResource (this=0x3b9e2f0, type=WebCore::CachedResource::ImageResource, url=@0xbfffcd04, charset=0x0, skipCanLoadCheck=false, sendResourceLoadCallbacks=true) at WebCore/loader/DocLoader.cpp:165
#9  0x01d29247 in WebCore::DocLoader::requestImage (this=0x3b9e2f0, url=@0xbfffcd04) at WebCore/loader/DocLoader.cpp:96
#10 0x01df7634 in WebCore::HTMLImageLoader::updateFromElement (this=0x1a2c6c88) at WebCore/html/HTMLImageLoader.cpp:104
#11 0x01df6825 in WebCore::HTMLImageElement::parseMappedAttribute (this=0x1a2c6c40, attr=0x1a2c6bb0) at WebCore/html/HTMLImageElement.cpp:93
#12 0x02174ea2 in WebCore::StyledElement::attributeChanged (this=0x1a2c6c40, attr=0x1a2c6bb0, preserveDecls=false) at WebCore/dom/StyledElement.cpp:173
#13 0x01d63680 in WebCore::Element::setAttributeMap (this=0x1a2c6c40, list=0x1a2c6800) at WebCore/dom/Element.cpp:534
#14 0x01e1e7a7 in WebCore::HTMLParser::parseToken (this=0x19e515b0, t=0xbfffd0f4) at WebCore/html/HTMLParser.cpp:237
#15 0x01e34f10 in WebCore::HTMLTokenizer::processToken (this=0xbfffd0e0) at WebCore/html/HTMLTokenizer.cpp:1896
#16 0x01e381da in WebCore::HTMLTokenizer::parseTag (this=0xbfffd0e0, src=@0xbfffda30, state={static EntityShift = 4, m_bits = 8388608}) at WebCore/html/HTMLTokenizer.cpp:1477
#17 0x01e38dad in WebCore::HTMLTokenizer::write (this=0xbfffd0e0, str=@0xbfffda70, appendData=true) at WebCore/html/HTMLTokenizer.cpp:1726
#18 0x01e39a76 in WebCore::parseHTMLDocumentFragment (source=@0xbfffdb84, fragment=0x197fbc00) at WebCore/html/HTMLTokenizer.cpp:2027
#19 0x01de2b6c in WebCore::HTMLElement::createContextualFragment (this=0x19e37480, html=@0xbfffdb84) at WebCore/html/HTMLElement.cpp:244
#20 0x01de30cb in WebCore::HTMLElement::setInnerHTML (this=0x19e37480, html=@0xbfffdb84, ec=@0xbfffdb6c) at WebCore/html/HTMLElement.cpp:336
#21 0x01ec3902 in WebCore::JSHTMLElement::putValueProperty (this=0x1a6620c0, exec=0xbfffde00, token=5, value=0x1a662040) at WebKitBuild/Debug/DerivedSources/WebCore/JSHTMLElement.cpp:244
#22 0x01ec43d6 in KJS::lookupPut<WebCore::JSHTMLElement> (exec=0xbfffde00, propertyName=@0x197fbe8c, value=0x1a662040, table=0x25d09bc, thisObj=0x1a6620c0) at lookup.h:245
#23 0x01ec440f in KJS::lookupPut<WebCore::JSHTMLElement, WebCore::JSElement> (exec=0xbfffde00, propertyName=@0x197fbe8c, value=0x1a662040, table=0x25d09bc, thisObj=0x1a6620c0) at lookup.h:260
#24 0x01ec3af3 in WebCore::JSHTMLElement::put (this=0x1a6620c0, exec=0xbfffde00, propertyName=@0x197fbe8c, value=0x1a662040) at WebKitBuild/Debug/DerivedSources/WebCore/JSHTMLElement.cpp:210
#25 0x01eeba44 in KJS::lookupPut<WebCore::JSHTMLTableCellElement, WebCore::JSHTMLElement> (exec=0xbfffde00, propertyName=@0x197fbe8c, value=0x1a662040, table=0x25d897c, thisObj=0x1a6620c0) at lookup.h:261
#26 0x01eeb057 in WebCore::JSHTMLTableCellElement::put (this=0x1a6620c0, exec=0xbfffde00, propertyName=@0x197fbe8c, value=0x1a662040) at WebKitBuild/Debug/DerivedSources/WebCore/JSHTMLTableCellElement.cpp:223
#27 0x005e015d in KJS::AssignDotNode::evaluate (this=0x197fbe80, exec=0xbfffde00) at nodes.cpp:3431
#28 0x005df825 in KJS::ExprStatementNode::execute (this=0x197fbea0, exec=0xbfffde00) at nodes.cpp:3750
#29 0x005c07ed in statementListExecute (statements=@0x17d3c080, exec=0xbfffde00) at nodes.cpp:3703
#30 0x005c087a in KJS::BlockNode::execute (this=0x17d3c070, exec=0xbfffde00) at nodes.cpp:3728
#31 0x005ce5e0 in KJS::FunctionBodyNode::execute (this=0x17d3c070, exec=0xbfffde00) at nodes.cpp:4647
#32 0x005cedb8 in KJS::FunctionImp::callAsFunction (this=0x19bd5500, exec=0xbfffe070, thisObj=0x19bd0000, args=@0xbfffdec8) at function.cpp:76
#33 0x005d8ade in KJS::JSObject::call (this=0x19bd5500, exec=0xbfffe070, thisObj=0x19bd0000, args=@0xbfffdec8) at object.cpp:96
#34 0x0062f0ec in KJS::ExpressionNode::resolveAndCall<(KJS::ExpressionNode::CallerType)1> (this=0x1a297f60, exec=0xbfffe070, ident=@0x1a297f68, args=0x1a299750) at nodes.cpp:997
#35 0x0062f1be in KJS::FunctionCallResolveNode::inlineEvaluate (this=0x1a297f60, exec=0xbfffe070) at nodes.cpp:1061
#36 0x005fcd68 in KJS::FunctionCallResolveNode::evaluate (this=0x1a297f60, exec=0xbfffe070) at nodes.cpp:1066
#37 0x005df825 in KJS::ExprStatementNode::execute (this=0x1a29d100, exec=0xbfffe070) at nodes.cpp:3750
#38 0x005c07ed in statementListExecute (statements=@0x1a2bdf20, exec=0xbfffe070) at nodes.cpp:3703
#39 0x005c087a in KJS::BlockNode::execute (this=0x1a2bdf10, exec=0xbfffe070) at nodes.cpp:3728
#40 0x005ce5e0 in KJS::FunctionBodyNode::execute (this=0x1a2bdf10, exec=0xbfffe070) at nodes.cpp:4647
#41 0x005cedb8 in KJS::FunctionImp::callAsFunction (this=0x1a661c40, exec=0x417b51c, thisObj=0x19bd0000, args=@0xbfffe14c) at function.cpp:76
#42 0x005d8ade in KJS::JSObject::call (this=0x1a661c40, exec=0x417b51c, thisObj=0x19bd0000, args=@0xbfffe14c) at object.cpp:96
#43 0x021d973a in WebCore::JSAbstractEventListener::handleEvent (this=0x17dee920, ele=0x1a2b29b0, isWindowEvent=true) at WebCore/bindings/js/kjs_events.cpp:105
#44 0x01d2e573 in WebCore::Document::handleWindowEvent (this=0x40c9800, evt=0x1a2b29b0, useCapture=false) at WebCore/dom/Document.cpp:2519
#45 0x01d76944 in WebCore::EventTargetNode::dispatchWindowEvent (this=0x40c9800, eventType=@0x2623634, canBubbleArg=false, cancelableArg=false) at WebCore/dom/EventTargetNode.cpp:140
#46 0x01d32940 in WebCore::Document::implicitClose (this=0x40c9800) at WebCore/dom/Document.cpp:1519
#47 0x01da5fea in WebCore::FrameLoader::checkCallImplicitClose (this=0x40c4400) at WebCore/loader/FrameLoader.cpp:1319
#48 0x01db1938 in WebCore::FrameLoader::checkCompleted (this=0x40c4400) at WebCore/loader/FrameLoader.cpp:1272
#49 0x01db1a83 in WebCore::FrameLoader::loadDone (this=0x40c4400) at WebCore/loader/FrameLoader.cpp:1239
#50 0x01d28900 in WebCore::DocLoader::setLoadInProgress (this=0x3b9e2f0, load=false) at WebCore/loader/DocLoader.cpp:211
#51 0x021dd7ff in WebCore::Loader::Host::didFinishLoading (this=0x1978ca60, loader=0x4429c00) at WebCore/loader/loader.cpp:273
#52 0x02178295 in WebCore::SubresourceLoader::didFinishLoading (this=0x4429c00) at WebCore/loader/SubresourceLoader.cpp:193
#53 0x02079a80 in WebCore::ResourceLoader::didFinishLoading (this=0x4429c00) at WebCore/loader/ResourceLoader.cpp:372
#54 0x0207722b in -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] (self=0x1a298c40, _cmd=0x901495c4, con=0x1a298d10) at WebCore/platform/network/mac/ResourceHandleMac.mm:521
Comment 1 Antti Koivisto 2008-03-15 23:44:05 PDT
Created attachment 19790 [details]
patch

This was a memory smasher introduced by the preloading patch. If a script resource was marked uncacheable, early deletion of the Request object would cause deletion of the CachedResource too if it was referred to more than once in a single document.
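The ownership problem described in the comment above, as an added C++ model that is not WebKit's own loader.cpp code: a pending Request holds the only reference to an uncacheable CachedResource, so deleting the Request early frees an object the document still refers to through a second <script> with the same URL. The class names echo the comment; the reference-counting scheme, the Cache, the per-document table and the sample URL are assumptions constructed for the illustration, and a liveness registry stands in for dereferencing freed memory.

```cpp
#include <map>
#include <set>
#include <string>
#include <utility>

// Registry of live resources so lifetime can be checked without touching freed memory.
static std::set<const void*> g_live;

struct CachedResource {
    std::string url;
    bool cacheable;
    int refCount = 0;
    CachedResource(std::string u, bool c) : url(std::move(u)), cacheable(c) { g_live.insert(this); }
    ~CachedResource() { g_live.erase(this); }
    void ref() { ++refCount; }
    void deref() { if (--refCount == 0) delete this; }  // last reference frees the object
};

// The cache keeps a reference of its own only for cacheable resources (assumed model).
struct Cache {
    std::map<std::string, CachedResource*> entries;
    ~Cache() { for (auto& e : entries) e.second->deref(); }
    CachedResource* get(const std::string& url, bool cacheable) {
        auto it = entries.find(url);
        if (it != entries.end()) return it->second;
        auto* r = new CachedResource(url, cacheable);
        if (cacheable) { r->ref(); entries[url] = r; }
        return r;
    }
};

// A pending (preload) load holds one reference for as long as the Request exists.
struct Request {
    CachedResource* resource;
    explicit Request(CachedResource* r) : resource(r) { r->ref(); }
    ~Request() { resource->deref(); }
};

// Models a document that references the same script URL twice and returns whether the
// resource is still alive once the Request is deleted early. With clientsHoldRef == false
// the document relies on the Request's reference alone (the buggy pattern); with it true
// each user of the resource keeps its own reference (the hardened pattern).
bool resourceAliveAfterEarlyRequestDeletion(bool cacheable, bool clientsHoldRef) {
    Cache cache;
    std::map<std::string, CachedResource*> docResources;        // per-document lookup table
    const std::string url = "http://example.invalid/s.js";       // constructed sample URL
    CachedResource* first = cache.get(url, cacheable);
    docResources[url] = first;
    auto* request = new Request(first);                          // preload for the first <script>
    if (clientsHoldRef) first->ref();
    CachedResource* second = docResources[url];                  // second <script>, same object
    if (clientsHoldRef) second->ref();
    delete request;                                              // finishes before the clients are done
    bool alive = g_live.count(second) != 0;                      // pointer compared, never dereferenced
    if (alive && clientsHoldRef) { first->deref(); second->deref(); }  // release the client references
    return alive;
}
```

Only the uncacheable resource without per-client references is freed, which matches the condition in the comment: cacheable resources survive because the cache itself holds a reference.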
Comment 2 Antti Koivisto 2008-03-16 00:03:09 PDT
*** Bug 17860 has been marked as a duplicate of this bug. ***
Comment 3 Matt Lilek 2008-03-16 09:45:15 PDT
*** Bug 17875 has been marked as a duplicate of this bug. ***
Comment 4 Antti Koivisto 2008-03-16 13:00:00 PDT
*** Bug 17878 has been marked as a duplicate of this bug. ***
Comment 5 Darin Adler 2008-03-16 13:36:47 PDT
Comment on attachment 19790 [details]
patch

r=me
Comment 6 Antti Koivisto 2008-03-16 14:00:05 PDT
Sending        LayoutTests/ChangeLog
Adding         LayoutTests/http/tests/misc/resources/uncacheable-script.cgi
Adding         LayoutTests/http/tests/misc/uncacheable-script-repeated-expected.txt
Adding         LayoutTests/http/tests/misc/uncacheable-script-repeated.html
Sending        WebCore/ChangeLog
Sending        WebCore/loader/loader.cpp
Transmitting file data ......
Committed revision 31084.

Comment 7 Mark Rowe (bdash) 2008-03-17 15:11:23 PDT
*** Bug 17899 has been marked as a duplicate of this bug. ***