WebKit Bugzilla
New
Browse
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED FIXED
21329
REGRESSION: crash in ScriptElement::notifyFinished
https://bugs.webkit.org/show_bug.cgi?id=21329
Summary
REGRESSION: crash in ScriptElement::notifyFinished
Darin Fisher (:fishd, Google)
Reported
2008-10-03 01:05:22 PDT
REGRESSION: crash in ScriptElement::notifyFinished I observed this crash on
http://www.kino.de/kinosuche.php4
(you might have to load that site a couple times to repro the crash) I found that some code changed recently that probably explains the crash. Compare: -void HTMLScriptElement::notifyFinished(CachedResource* o) -{ - CachedScript* cs = static_cast<CachedScript*>(o); - - ASSERT(cs == m_cachedScript); - - // Evaluating the script could lead to a garbage collection which - // can delete the script element so we need to protect it. - RefPtr<HTMLScriptElement> protect(this); - - if (cs->errorOccurred()) - dispatchHTMLEvent(errorEvent, true, false); - else { - evaluateScript(cs->url(), cs->script()); - dispatchHTMLEvent(loadEvent, false, false); - } - - // script evaluation may have dereffed it already - if (m_cachedScript) { - m_cachedScript->removeClient(this); - m_cachedScript = 0; - } -} To: void ScriptElementData::notifyFinished(CachedResource* o) { CachedScript* cs = static_cast<CachedScript*>(o); ASSERT(cs == m_cachedScript); if (cs->errorOccurred()) m_scriptElement->dispatchErrorEvent(); else { RefPtr<Element> protector(m_element); evaluateScript(cs->url(), cs->script()); m_scriptElement->dispatchLoadEvent(); } stopLoadRequest(); } The crash I get is inside stopLoadRequest() with |this| having been trashed. m_element owns |this|. Here's the interesting portion of the crash stack: chrome.dll!WTF::HashTable<WebCore::RenderObject *,std::pair<WebCore::RenderObject *,WebCore::RenderBlock::FloatingObject *>,WTF::PairFirstExtractor<std::pair<WebCore::RenderObject *,WebCore::RenderBlock::FloatingObject *> >,WTF::PtrHash<WebCore::RenderObject *>,WTF::PairHashTraits<WTF::HashTraits<WebCore::RenderObject *>,WTF::HashTraits<WebCore::RenderBlock::FloatingObject *>
>,WTF::HashTraits<WebCore::RenderObject *> >::find<WebCore::RenderObject *,WTF::IdentityHashTranslator<WebCore::RenderObject
*,std::pair<WebCore::RenderObject *,WebCore::RenderBlock::FloatingObject *>,WTF::PtrHash<WebCore::RenderObject *> > >(WebCore::RenderObject * const & key=0x0232775c) Line 751 C++ chrome.dll!WebCore::CachedResource::removeClient(WebCore::CachedResourceClient * c=0x0232775c) Line 131 + 0x12 bytes C++
> chrome.dll!WebCore::ScriptElementData::notifyFinished(WebCore::CachedResource * o=0x02330e58) Line 191 + 0xd bytes C++
chrome.dll!WebCore::CachedScript::checkNotify() Line 95 + 0xa bytes C++ chrome.dll!WebCore::CachedScript::data(WTF::PassRefPtr<WebCore::SharedBuffer> data={...}, bool allDataReceived=true) Line 85 + 0xe bytes C++ chrome.dll!WebCore::Loader::Host::didFinishLoading(WebCore::SubresourceLoader * loader=0x034297f8) Line 278 C++ chrome.dll!WebCore::SubresourceLoader::didFinishLoading() Line 195 C++ chrome.dll!WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle * __formal=0x01f31cf8) Line 399 C++ Originally identified here:
http://code.google.com/p/chromium/issues/detail?id=3056
In the old code, the protector was also ensuring that |this| remained valid until after stopLoadRequest() is called. I think this is an apparent goof in the recent code change.
Attachments
v1 patch
(1.43 KB, patch)
2008-10-03 17:14 PDT
,
Darin Fisher (:fishd, Google)
no flags
Details
Formatted Diff
Diff
v2 patch - same as before, but includes bug title in ChangeLog
(1.48 KB, patch)
2008-10-03 18:08 PDT
,
Darin Fisher (:fishd, Google)
eric
: review+
Details
Formatted Diff
Diff
Show Obsolete
(1)
View All
Add attachment
proposed patch, testcase, etc.
Alexey Proskuryakov
Comment 1
2008-10-03 01:11:31 PDT
(In reply to
comment #0
)
> I found that some code changed recently that probably explains the crash.
<
http://trac.webkit.org/changeset/35744
>.
Darin Fisher (:fishd, Google)
Comment 2
2008-10-03 01:16:13 PDT
This patch, which essentially just rolls back part of the original change, seems to resolve the bug. I'll work on a layout test, but it may be challenging since it is dependent on GC running at the right time. Index: ScriptElement.cpp =================================================================== --- ScriptElement.cpp (revision 2802) +++ ScriptElement.cpp (working copy) @@ -180,10 +180,13 @@ CachedScript* cs = static_cast<CachedScript*>(o); ASSERT(cs == m_cachedScript); + // Evaluating the script could lead to a garbage collection which can + // delete the script element so we need to protect it. + RefPtr<Element> protector(m_element); + if (cs->errorOccurred()) m_scriptElement->dispatchErrorEvent(); else { - RefPtr<Element> protector(m_element); evaluateScript(cs->url(), cs->script()); m_scriptElement->dispatchLoadEvent(); }
Eric Seidel (no email)
Comment 3
2008-10-03 11:30:28 PDT
(In reply to
comment #2
)
> This patch, which essentially just rolls back part of the original change, > seems to resolve the bug. I'll work on a layout test, but it may be > challenging since it is dependent on GC running at the right time. > > Index: ScriptElement.cpp > =================================================================== > --- ScriptElement.cpp (revision 2802) > +++ ScriptElement.cpp (working copy) > @@ -180,10 +180,13 @@ > CachedScript* cs = static_cast<CachedScript*>(o); > ASSERT(cs == m_cachedScript); > + // Evaluating the script could lead to a garbage collection which can > + // delete the script element so we need to protect it. > + RefPtr<Element> protector(m_element); > + > if (cs->errorOccurred()) > m_scriptElement->dispatchErrorEvent(); > else { > - RefPtr<Element> protector(m_element); > evaluateScript(cs->url(), cs->script()); > m_scriptElement->dispatchLoadEvent(); > } >
The change looks good. We just need a changelog, and ideally a layout test. gc() or GCController.collect() should be able to kick off GC when you need.
Darin Fisher (:fishd, Google)
Comment 4
2008-10-03 17:14:38 PDT
Created
attachment 24076
[details]
v1 patch Here's the patch sans layout test. Try as I might, I could not get my Mac build of WebKit to crash upon reaching ScriptElementData::stopLoadRequest despite having a junk |this| pointer.
Darin Fisher (:fishd, Google)
Comment 5
2008-10-03 18:08:53 PDT
Created
attachment 24077
[details]
v2 patch - same as before, but includes bug title in ChangeLog I tried using GuardMalloc to help create a test, but it seems like there is something else besides this issue that is causing DRT to crash under GuardMalloc. For example, fast/dom/script-element-gc.html crashes with or without my fix under GuardMalloc. I don't know how to get a call stack when GuardMalloc detects an error, so I don't know why DRT is crashing under GuardMalloc.
Eric Seidel (no email)
Comment 6
2008-10-04 02:59:40 PDT
Comment on
attachment 24077
[details]
v2 patch - same as before, but includes bug title in ChangeLog Looks great. Thanks for fixing this. It would be better w/ a layout test, but from discussions in the channel it sounds like you were having trouble getting one to work on your Mac. I think you have commit-bit these days, so you should be able to land this yourself.
Eric Seidel (no email)
Comment 7
2008-10-04 03:00:37 PDT
(In reply to
comment #5
)
> Created an attachment (id=24077) [edit] > v2 patch - same as before, but includes bug title in ChangeLog > > I tried using GuardMalloc to help create a test, but it seems like there is > something else besides this issue that is causing DRT to crash under > GuardMalloc. For example, fast/dom/script-element-gc.html crashes with or > without my fix under GuardMalloc. I don't know how to get a call stack when > GuardMalloc detects an error, so I don't know why DRT is crashing under > GuardMalloc. >
We need to file any --guard crashes for run-webkit-tests as bugs. Or rather, when you see any, don't hesitate to file them. We really should have a buildbot which runs run-webkit-tests --guard once a week or something.
Darin Fisher (:fishd, Google)
Comment 8
2008-10-04 23:51:05 PDT
I filed
bug 21380
about how "run-webkit-tests -g" just crashes for me on seemingly every test.
Nikolas Zimmermann
Comment 9
2008-10-06 06:08:01 PDT
Oops, good catch! My fault while refactoring the code... Sorry for any headaches.
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug