Safari 4.0 (530.17) crashes in WebCore::DOMTimer::fired(). The crash did not occur in Safari 3.2.2 (from http://support.apple.com/downloads/Safari_3_2_2_for_Windows).

To repeat the crash, follow these steps:

1. Load http://lite.maps.nsw.gov.au/
2. Click the zoom box tool on the circular navigator.
3. Click and drag the map to zoom into an area.

Safari will crash.

I checked out and debugged the latest WebKit code in Visual Studio, and found the crash was occurring in WebCore::DOMTimer::fired(). The error reported by Visual Studio when the crash occurs is "A buffer overrun has occurred in Safari.exe which has corrupted the program's internal state.".

Also, here is the Visual Studio call stack at the time of the crash:

WebKit.dll!__crt_debugger_hook() Unknown
WebKit.dll!__report_gsfailure() Line 298 + 0x7 bytes C
WebKit.dll!WebCore::Node::compareDocumentPosition(WebCore::Node * otherNode=0x00000000) Line 2073 + 0x15 bytes C++
WebKit.dll!WebCore::Document::addStyleSheetCandidateNode(WebCore::Node * node=0x7e9bb160, bool createdByParser=true) Line 2287 C++
WebKit.dll!WebCore::ProcessingInstruction::insertedIntoDocument() Line 254 C++
WebKit.dll!WebCore::dispatchChildInsertionEvents(WebCore::Node * child=0x7e9bb160, int & ec=0) Line 874 C++
WebKit.dll!WebCore::ContainerNode::appendChild(WTF::PassRefPtr<WebCore::Node> newChild={...}, int & ec=2124132704, bool shouldLazyAttach=true) Line 483 + 0x7 bytes C++
WebKit.dll!WebCore::JSNode::appendChild(JSC::ExecState * exec=0x0c568944, const JSC::ArgList & args={...}) Line 105 C++
WebKit.dll!WebCore::jsNodePrototypeFunctionAppendChild(JSC::ExecState * exec=0x00000000, JSC::JSObject * __formal=0x0f662e14, JSC::JSValue thisValue={...}, const JSC::ArgList & args={...}) Line 1295 + 0xd bytes C++
JavaScriptCore.dll!JSC::JITCode::execute(JSC::RegisterFile * registerFile=0x7fd81d88, JSC::ExecState * callFrame=0x0c568024, JSC::JSGlobalData * globalData=0x00000000, JSC::JSValue * exception=0x0012f980) Line 83 + 0x1d bytes C++
JavaScriptCore.dll!JSC::Interpreter::execute(JSC::ProgramNode * programNode=, JSC::ExecState * callFrame=, JSC::ScopeChainNode * scopeChain=, JSC::JSObject * thisObj=, JSC::JSValue * exception=) Line 644 + 0x26 bytes C++
JavaScriptCore.dll!JSC::evaluate(JSC::ExecState * exec=0x7fe62500, JSC::ScopeChain & scopeChain={...}, const JSC::SourceCode & source={...}, JSC::JSValue thisValue={...}) Line 69 C++
WebKit.dll!WebCore::ScriptController::evaluate(const WebCore::ScriptSourceCode & sourceCode=) Line 103 C++
WebKit.dll!WebCore::FrameLoader::executeScript(const WebCore::ScriptSourceCode & sourceCode={...}) Line 781 C++
WebKit.dll!WebCore::FrameLoader::executeScript(const WebCore::String & script={...}, bool forceUserGesture=false) Line 768 + 0x6f bytes C++
WebKit.dll!WebCore::ScheduledAction::execute(WebCore::Document * document=0x00000000) Line 128 + 0x12 bytes C++
WebKit.dll!WebCore::DOMTimer::fired() Line 125 + 0x18 bytes C++
<rdar://problem/7001880>
Does this reproduce in a nightly build of WebKit?
The problem still occurs in the latest WebKit nightly build (r44969 / 24th June 2009).
Thanks. This may be Windows-specific. In my quick test I couldn't reproduce this on Mac OS X.
Created attachment 31860: Possible fix (no change log, no layout test)

I think the problem is that stale nodes remain in the document's style sheet candidate set. This patch fixes the crash.
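The comment above attributes the crash to stale entries in the document's style sheet candidate set. As an added illustration (not WebKit's code and not the attached patch), the hypothetical C++ model below shows that pattern: a non-owning side set of candidate nodes, an unpatched removal path that leaves a stale pointer behind, a patched path that keeps the set in sync, and a consistency check a debug build could assert. All type and member names are assumptions chosen to mirror the call stack.

```cpp
#include <algorithm>
#include <cassert>
#include <set>
#include <vector>

// Hypothetical, simplified model (not WebKit's code) of the pattern behind the
// crash: a document keeps a non-owning side set of style-sheet candidate nodes
// that must be kept in sync with the tree. Names mirror the call stack above.
struct Node {
    bool isStyleSheetCandidate = false;  // e.g. an <?xml-stylesheet?> PI
};

struct Document {
    std::vector<Node*> children;               // the live tree (non-owning here)
    std::set<Node*> styleSheetCandidateNodes;  // side set of raw pointers
    bool eraseCandidateOnRemoval;              // true = patched behaviour
    explicit Document(bool patched) : eraseCandidateOnRemoval(patched) {}

    // insertedIntoDocument(): a candidate registers itself in the side set.
    void appendChild(Node* child) {
        children.push_back(child);
        if (child->isStyleSheetCandidate)
            styleSheetCandidateNodes.insert(child);
    }
    // Removal: the unpatched path forgets the side set, leaving a stale pointer
    // for the next style recalculation (or compareDocumentPosition) to follow.
    void removeChild(Node* child) {
        children.erase(std::remove(children.begin(), children.end(), child),
                       children.end());
        if (eraseCandidateOnRemoval)
            styleSheetCandidateNodes.erase(child);
    }
    // Invariant worth asserting in a debug build: every candidate is a live child.
    bool candidateSetIsConsistent() const {
        for (Node* n : styleSheetCandidateNodes)
            if (std::find(children.begin(), children.end(), n) == children.end())
                return false;
        return true;
    }
};

// Append a candidate node, remove it, and report whether the side set is sane.
bool candidateSetConsistentAfterRemoval(bool patched) {
    Document doc(patched);
    Node pi;
    pi.isStyleSheetCandidate = true;
    doc.appendChild(&pi);
    doc.removeChild(&pi);  // pi outlives the check, so no dangling deref here
    return doc.candidateSetIsConsistent();
}
```

With the unpatched path the set still names a node the document no longer contains; with the patched path the invariant holds.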
Created attachment 31862: Patch, including change log and regression test
Fixed in <http://trac.webkit.org/projects/webkit/changeset/45180>.
I've confirmed the crash no longer occurs in the latest WebKit nightly build. Thank you :)