VERIFIED FIXED 26671
Safari 4.0 crashes in WebCore::DOMTimer::fired()
https://bugs.webkit.org/show_bug.cgi?id=26671
David Carter
Reported 2009-06-24 00:02:20 PDT
Safari 4.0 (530.17) crashes in WebCore::DOMTimer::fired(). The crash did not occur in Safari 3.2.2 (from http://support.apple.com/downloads/Safari_3_2_2_for_Windows).

To repeat the crash, follow these steps:
1. Load http://lite.maps.nsw.gov.au/
2. Click the zoom box tool on the circular navigator.
3. Click and drag the map to zoom into an area.
Safari will crash.

I checked out and debugged the latest WebKit code in Visual Studio, and found the crash was occurring in WebCore::DOMTimer::fired(). The error reported by Visual Studio when the crash occurs is "A buffer overrun has occurred in Safari.exe which has corrupted the program's internal state.".

Also, here is the Visual Studio call stack at the time of the crash:
WebKit.dll!__crt_debugger_hook() Unknown
WebKit.dll!__report_gsfailure() Line 298 + 0x7 bytes C
WebKit.dll!WebCore::Node::compareDocumentPosition(WebCore::Node * otherNode=0x00000000) Line 2073 + 0x15 bytes C++
WebKit.dll!WebCore::Document::addStyleSheetCandidateNode(WebCore::Node * node=0x7e9bb160, bool createdByParser=true) Line 2287 C++
WebKit.dll!WebCore::ProcessingInstruction::insertedIntoDocument() Line 254 C++
WebKit.dll!WebCore::dispatchChildInsertionEvents(WebCore::Node * child=0x7e9bb160, int & ec=0) Line 874 C++
WebKit.dll!WebCore::ContainerNode::appendChild(WTF::PassRefPtr<WebCore::Node> newChild={...}, int & ec=2124132704, bool shouldLazyAttach=true) Line 483 + 0x7 bytes C++
WebKit.dll!WebCore::JSNode::appendChild(JSC::ExecState * exec=0x0c568944, const JSC::ArgList & args={...}) Line 105 C++
WebKit.dll!WebCore::jsNodePrototypeFunctionAppendChild(JSC::ExecState * exec=0x00000000, JSC::JSObject * __formal=0x0f662e14, JSC::JSValue thisValue={...}, const JSC::ArgList & args={...}) Line 1295 + 0xd bytes C++
JavaScriptCore.dll!JSC::JITCode::execute(JSC::RegisterFile * registerFile=0x7fd81d88, JSC::ExecState * callFrame=0x0c568024, JSC::JSGlobalData * globalData=0x00000000, JSC::JSValue * exception=0x0012f980) Line 83 + 0x1d bytes C++
JavaScriptCore.dll!JSC::Interpreter::execute(JSC::ProgramNode * programNode=, JSC::ExecState * callFrame=, JSC::ScopeChainNode * scopeChain=, JSC::JSObject * thisObj=, JSC::JSValue * exception=) Line 644 + 0x26 bytes C++
JavaScriptCore.dll!JSC::evaluate(JSC::ExecState * exec=0x7fe62500, JSC::ScopeChain & scopeChain={...}, const JSC::SourceCode & source={...}, JSC::JSValue thisValue={...}) Line 69 C++
WebKit.dll!WebCore::ScriptController::evaluate(const WebCore::ScriptSourceCode & sourceCode=) Line 103 C++
WebKit.dll!WebCore::FrameLoader::executeScript(const WebCore::ScriptSourceCode & sourceCode={...}) Line 781 C++
WebKit.dll!WebCore::FrameLoader::executeScript(const WebCore::String & script={...}, bool forceUserGesture=false) Line 768 + 0x6f bytes C++
WebKit.dll!WebCore::ScheduledAction::execute(WebCore::Document * document=0x00000000) Line 128 + 0x12 bytes C++
WebKit.dll!WebCore::DOMTimer::fired() Line 125 + 0x18 bytes C++
Attachments
Possible fix (no change log, no layout test) (1.90 KB, patch)
2009-06-25 08:55 PDT, mitz
no flags
Patch, including change log and regression test (5.53 KB, patch)
2009-06-25 10:08 PDT, mitz
darin: review+
Mark Rowe (bdash)
Comment 1 2009-06-24 00:47:35 PDT
Mark Rowe (bdash)
Comment 2 2009-06-24 10:03:47 PDT
Does this reproduce in a nightly build of WebKit?
David Carter
Comment 3 2009-06-24 19:29:23 PDT
The problem still occurs in the latest WebKit nightly build (r44969 / 24th June 2009).
Mark Rowe (bdash)
Comment 4 2009-06-24 19:36:41 PDT
Thanks. This may be Windows-specific. In my quick test I couldn't reproduce this on Mac OS X.
mitz
Comment 5 2009-06-25 08:55:48 PDT
Created attachment 31860: Possible fix (no change log, no layout test)
I think the problem is that stale nodes remain in the document’s style sheet candidate set. This patch fixes the crash.
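The bug class mitz describes (a node leaves the document but stays listed in the document's style sheet candidate set, so the next registration walks a stale entry) as a constructed C++ model. This is an added illustration, not WebKit's code or the attached patch: the Node and Document types, the unregisterOnRemove switch and the inDocument flag are hypothetical, and the flag stands in for a node that a real engine would already have freed, which keeps the toy memory-safe while still counting how often the stale entry would be touched.

```cpp
#include <cstddef>
#include <iostream>
#include <memory>
#include <set>
#include <string>
#include <vector>

// Hypothetical toy DOM node (not WebCore::Node). inDocument replaces the
// "was this node freed" question with a flag so the model has no UB.
struct Node {
    std::string name;
    bool inDocument = true;
};

// Hypothetical document keeping a side table of raw pointers to nodes that
// may carry style sheets, mirroring the candidate set named in the report.
class Document {
public:
    // unregisterOnRemove=false reproduces the stale-entry behaviour;
    // true is the hardened variant that keeps the side table consistent.
    explicit Document(bool unregisterOnRemove) : unregisterOnRemove_(unregisterOnRemove) {}

    Node* appendChild(const std::string& name, bool isStyleSheetCandidate) {
        nodes_.push_back(std::make_unique<Node>());
        Node* node = nodes_.back().get();
        node->name = name;
        if (isStyleSheetCandidate)
            addStyleSheetCandidateNode(node);
        return node;
    }

    void removeChild(Node* node) {
        node->inDocument = false;
        if (unregisterOnRemove_)
            candidates_.erase(node); // the bookkeeping step the buggy variant skips
    }

    // Entries in the side table that refer to nodes no longer in the document.
    // In a real engine these are dangling pointers waiting to be dereferenced.
    std::size_t staleCandidateCount() const {
        std::size_t stale = 0;
        for (const Node* candidate : candidates_)
            if (!candidate->inDocument)
                ++stale;
        return stale;
    }

    // How many times a registration compared against a detached node.
    std::size_t staleComparisons() const { return staleComparisons_; }

private:
    // Mirrors the step in the report's trace: registering a candidate
    // compares the new node's position against every existing entry.
    void addStyleSheetCandidateNode(Node* node) {
        for (const Node* existing : candidates_) {
            if (!existing->inDocument)
                ++staleComparisons_; // a real engine would dereference a freed node here
        }
        candidates_.insert(node);
    }

    bool unregisterOnRemove_;
    std::size_t staleComparisons_ = 0;
    std::vector<std::unique_ptr<Node>> nodes_; // owns nodes so detached ones stay readable
    std::set<Node*> candidates_;               // raw pointers: the side table at issue
};

// Insert two candidates, detach the first, then insert a third so the side
// table is walked again. Returns how many stale entries that walk touched.
std::size_t staleEntriesAfterRemoval(bool unregisterOnRemove) {
    Document doc(unregisterOnRemove);
    Node* first = doc.appendChild("stylesheet-pi-1", true);
    doc.appendChild("stylesheet-pi-2", true);
    doc.removeChild(first);
    doc.appendChild("stylesheet-pi-3", true);
    return doc.staleComparisons();
}

int main() {
    std::cout << "stale entries touched, no unregister: "
              << staleEntriesAfterRemoval(false) << '\n'   // 1
              << "stale entries touched, unregister on remove: "
              << staleEntriesAfterRemoval(true) << '\n';   // 0
    return 0;
}
```

The hardened variant makes removal the inverse of registration, so the side table can never outlive the nodes it points at; that is the general fix for any cache or index that holds non-owning pointers into a tree whose nodes can be detached and freed. The report's trace, with compareDocumentPosition entered from addStyleSheetCandidateNode and reported as a buffer overrun, is consistent with such a walk reaching an entry whose node was gone.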
mitz
Comment 6 2009-06-25 10:08:16 PDT
Created attachment 31862: Patch, including change log and regression test
mitz
Comment 7 2009-06-25 12:45:53 PDT
David Carter
Comment 8 2009-06-28 19:01:56 PDT
I've confirmed the crash no longer occurs in the latest WebKit nightly build. Thank you :)