Bug 26826 - Hang when clicking on link from kuwo.cn
Summary: Hang when clicking on link from kuwo.cn
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore JavaScript
Version: 528+ (Nightly build)
Hardware: PC Windows XP
Importance: P2 Major
Assignee: Nobody
URL: http://yinyue.kuwo.cn/yy/geshou-dengl...
Keywords: InRadar, NeedsReduction
Depends on:
Blocks:
 
Reported: 2009-06-29 21:48 PDT by opensource
Modified: 2009-06-29 23:32 PDT
Description opensource 2009-06-29 21:48:55 PDT
Please open http://yinyue.kuwo.cn/yy/geshou-denglijun/%E9%82%93%E4%B8%BD%E5%90%9B_mv_1.htm and click the link [烧肉粽]. Safari will not respond.
In Chrome I found it may be a stack overflow.

The backtrace in Chrome is:

!v8::internal::Runtime_StackGuard(v8::internal::Arguments args={...})  Line 4751	C++
 	055b018b()	
 	!v8::internal::Invoke(bool construct=false, v8::internal::Handle<v8::internal::JSFunction> func={...}, v8::internal::Handle<v8::internal::Object> receiver={...}, int argc=1, v8::internal::Object * * * args=0x01aaf2a8, bool * has_pending_exception=0x01aaf237)  Line 93 + 0x34 bytes	C++
 	!v8::internal::Execution::Call(v8::internal::Handle<v8::internal::JSFunction> func={...}, v8::internal::Handle<v8::internal::Object> receiver={...}, int argc=1, v8::internal::Object * * * args=0x01aaf2a8, bool * pending_exception=0x01aaf237)  Line 119 + 0x1f bytes	C++
 	!v8::Function::Call(v8::Handle<v8::Object> recv={...}, int argc=1, v8::Handle<v8::Value> * argv=0x01aaf2a8)  Line 2232 + 0x1d bytes	C++
 	!WebCore::V8Proxy::CallFunction(v8::Handle<v8::Function> function={...}, v8::Handle<v8::Object> receiver={...}, int argc=1, v8::Handle<v8::Value> * args=0x01aaf2a8)  Line 1147 + 0x1f bytes	C++
 	!WebCore::V8EventListener::callListenerFunction(v8::Handle<v8::Value> jsEvent={...}, WebCore::Event * event=0x0aa23ce8, bool isWindowEvent=true)  Line 86 + 0x26 bytes	C++
 	!WebCore::V8AbstractEventListener::invokeEventHandler(v8::Handle<v8::Context> context={...}, WebCore::Event * event=0x0aa23ce8, v8::Handle<v8::Value> jsEvent={...}, bool isWindowEvent=true)  Line 84 + 0x1f bytes	C++
 	!WebCore::V8AbstractEventListener::handleEvent(WebCore::Event * event=0x0aa23ce8, bool isWindowEvent=true)  Line 136	C++
 	!WebCore::Document::handleWindowEvent(WebCore::Event * event=0x0aa23ce8, bool useCapture=false)  Line 2778 + 0x20 bytes	C++
 	!WebCore::Node::dispatchWindowEvent(WTF::PassRefPtr<WebCore::Event> e={...})  Line 2522	C++
 	!WebCore::Node::dispatchWindowEvent(const WebCore::AtomicString & eventType={...}, bool canBubbleArg=false, bool cancelableArg=false)  Line 2530	C++
 	!WebCore::EventHandler::sendResizeEvent()  Line 2364	C++
 	!WebCore::FrameView::performPostLayoutTasks()  Line 1115	C++
 	!WebCore::FrameView::layout(bool allowSubtree=true)  Line 626	C++
 	!WebCore::RenderWidget::updateWidgetPosition()  Line 262	C++
 	!WebCore::RenderView::updateWidgetPositions()  Line 530 + 0xf bytes	C++
 	!WebCore::FrameView::performPostLayoutTasks()  Line 1099	C++
 	!WebCore::FrameView::layout(bool allowSubtree=true)  Line 626	C++
 	!WebCore::Document::updateLayout()  Line 1238	C++
 	!WebCore::Document::updateLayoutIgnorePendingStylesheets()  Line 1270	C++
 	!WebCore::HTMLBodyElement::scrollHeight()  Line 286	C++
 	!WebCore::ElementInternal::scrollHeightAttrGetter(v8::Local<v8::String> name={...}, const v8::AccessorInfo & info={...})  Line 182 + 0x12 bytes	C++
 	!v8::internal::LoadCallbackProperty(v8::internal::Arguments args={...})  Line 687 + 0x1e bytes	C++
 	055b018b()	
 	!v8::internal::Invoke(bool construct=false, v8::internal::Handle<v8::internal::JSFunction> func={...}, v8::internal::Handle<v8::internal::Object> receiver={...}, int argc=1, v8::internal::Object * * * args=0x01aaf9e8, bool * has_pending_exception=0x01aaf977)  Line 93 + 0x34 bytes	C++
 	!v8::internal::Execution::Call(v8::internal::Handle<v8::internal::JSFunction> func={...}, v8::internal::Handle<v8::internal::Object> receiver={...}, int argc=1, v8::internal::Object * * * args=0x01aaf9e8, bool * pending_exception=0x01aaf977)  Line 119 + 0x1f bytes	C++
 	!v8::Function::Call(v8::Handle<v8::Object> recv={...}, int argc=1, v8::Handle<v8::Value> * argv=0x01aaf9e8)  Line 2232 + 0x1d bytes	C++
 	!WebCore::V8Proxy::CallFunction(v8::Handle<v8::Function> function={...}, v8::Handle<v8::Object> receiver={...}, int argc=1, v8::Handle<v8::Value> * args=0x01aaf9e8)  Line 1147 + 0x1f bytes	C++
 	!WebCore::V8EventListener::callListenerFunction(v8::Handle<v8::Value> jsEvent={...}, WebCore::Event * event=0x0aa23788, bool isWindowEvent=true)  Line 86 + 0x26 bytes	C++
 	!WebCore::V8AbstractEventListener::invokeEventHandler(v8::Handle<v8::Context> context={...}, WebCore::Event * event=0x0aa23788, v8::Handle<v8::Value> jsEvent={...}, bool isWindowEvent=true)  Line 84 + 0x1f bytes	C++
 	!WebCore::V8AbstractEventListener::handleEvent(WebCore::Event * event=0x0aa23788, bool isWindowEvent=true)  Line 136	C++
 	!WebCore::Document::handleWindowEvent(WebCore::Event * event=0x0aa23788, bool useCapture=false)  Line 2778 + 0x20 bytes	C++
 	!WebCore::Node::dispatchWindowEvent(WTF::PassRefPtr<WebCore::Event> e={...})  Line 2522	C++
 	!WebCore::Node::dispatchWindowEvent(const WebCore::AtomicString & eventType={...}, bool canBubbleArg=false, bool cancelableArg=false)  Line 2530	C++
 	!WebCore::EventHandler::sendResizeEvent()  Line 2364	C++
 	!WebCore::FrameView::performPostLayoutTasks()  Line 1115	C++
 	!WebCore::FrameView::layout(bool allowSubtree=true)  Line 626	C++
 	!WebCore::RenderWidget::updateWidgetPosition()  Line 262	C++
 	!WebCore::RenderView::updateWidgetPositions()  Line 530 + 0xf bytes	C++
 	!WebCore::FrameView::performPostLayoutTasks()  Line 1099	C++
 	!WebCore::FrameView::layout(bool allowSubtree=true)  Line 626	C++
 	!WebCore::Document::updateLayout()  Line 1238	C++
 	!WebCore::Document::updateLayoutIgnorePendingStylesheets()  Line 1270	C++
 	!WebCore::HTMLBodyElement::scrollHeight()  Line 286	C++
 	!WebCore::ElementInternal::scrollHeightAttrGetter(v8::Local<v8::String> name={...}, const v8::AccessorInfo & info={...})  Line 182 + 0x12 bytes	C++
 	!v8::internal::LoadCallbackProperty(v8::internal::Arguments args={...})  Line 687 + 0x1e bytes	C++
 	055b018b()	
 	!v8::internal::Invoke(bool construct=false, v8::internal::Handle<v8::internal::JSFunction> func={...}, v8::internal::Handle<v8::internal::Object> receiver={...}, int argc=1, v8::internal::Object * * * args=0x01ab0128, bool * has_pending_exception=0x01ab00b7)  Line 93 + 0x34 bytes	C++
 	!v8::internal::Execution::Call(v8::internal::Handle<v8::internal::JSFunction> func={...}, v8::internal::Handle<v8::internal::Object> receiver={...}, int argc=1, v8::internal::Object * * * args=0x01ab0128, bool * pending_exception=0x01ab00b7)  Line 119 + 0x1f bytes	C++
 	!v8::Function::Call(v8::Handle<v8::Object> recv={...}, int argc=1, v8::Handle<v8::Value> * argv=0x01ab0128)  Line 2232 + 0x1d bytes	C++
 	!WebCore::V8Proxy::CallFunction(v8::Handle<v8::Function> function={...}, v8::Handle<v8::Object> receiver={...}, int argc=1, v8::Handle<v8::Value> * args=0x01ab0128)  Line 1147 + 0x1f bytes	C++
 	!WebCore::V8EventListener::callListenerFunction(v8::Handle<v8::Value> jsEvent={...}, WebCore::Event * event=0x0aa23e78, bool isWindowEvent=true)  Line 86 + 0x26 bytes	C++
 	!WebCore::V8AbstractEventListener::invokeEventHandler(v8::Handle<v8::Context> context={...}, WebCore::Event * event=0x0aa23e78, v8::Handle<v8::Value> jsEvent={...}, bool isWindowEvent=true)  Line 84 + 0x1f bytes	C++
 	!WebCore::V8AbstractEventListener::handleEvent(WebCore::Event * event=0x0aa23e78, bool isWindowEvent=true)  Line 136	C++
 	!WebCore::Document::handleWindowEvent(WebCore::Event * event=0x0aa23e78, bool useCapture=false)  Line 2778 + 0x20 bytes	C++
 	!WebCore::Node::dispatchWindowEvent(WTF::PassRefPtr<WebCore::Event> e={...})  Line 2522	C++
 	!WebCore::Node::dispatchWindowEvent(const WebCore::AtomicString & eventType={...}, bool canBubbleArg=false, bool cancelableArg=false)  Line 2530	C++
 	!WebCore::EventHandler::sendResizeEvent()  Line 2364	C++
 	!WebCore::FrameView::performPostLayoutTasks()  Line 1115	C++
 	!WebCore::FrameView::layout(bool allowSubtree=true)  Line 626	C++
 	!WebCore::RenderWidget::updateWidgetPosition()  Line 262	C++
 	!WebCore::RenderView::updateWidgetPositions()  Line 530 + 0xf bytes	C++
 	!WebCore::FrameView::performPostLayoutTasks()  Line 1099	C++
 	!WebCore::FrameView::layout(bool allowSubtree=true)  Line 626	C++
 	!WebCore::Document::updateLayout()  Line 1238	C++
 	!WebCore::Document::updateLayoutIgnorePendingStylesheets()  Line 1270	C++
 	!WebCore::HTMLBodyElement::scrollHeight()  Line 286	C++
 	!WebCore::ElementInternal::scrollHeightAttrGetter(v8::Local<v8::String> name={...}, const v8::AccessorInfo & info={...})  Line 182 + 0x12 bytes	C++
 	!v8::internal::LoadCallbackProperty(v8::internal::Arguments args={...})  Line 687 + 0x1e bytes	C++
 	055b018b()	
 	!v8::internal::Invoke(bool construct=false, v8::internal::Handle<v8::internal::JSFunction> func={...}, v8::internal::Handle<v8::internal::Object> receiver={...}, int argc=1, v8::internal::Object * * * args=0x01ab0868, bool * has_pending_exception=0x01ab07f7)  Line 93 + 0x34 bytes	C++
 	!v8::internal::Execution::Call(v8::internal::Handle<v8::internal::JSFunction> func={...}, v8::internal::Handle<v8::internal::Object> receiver={...}, int argc=1, v8::internal::Object * * * args=0x01ab0868, bool * pending_exception=0x01ab07f7)  Line 119 + 0x1f bytes	C++
 	!v8::Function::Call(v8::Handle<v8::Object> recv={...}, int argc=1, v8::Handle<v8::Value> * argv=0x01ab0868)  Line 2232 + 0x1d bytes	C++
 	!WebCore::V8Proxy::CallFunction(v8::Handle<v8::Function> function={...}, v8::Handle<v8::Object> receiver={...}, int argc=1, v8::Handle<v8::Value> * args=0x01ab0868)  Line 1147 + 0x1f bytes	C++
 	!WebCore::V8EventListener::callListenerFunction(v8::Handle<v8::Value> jsEvent={...}, WebCore::Event * event=0x0aa23890, bool isWindowEvent=true)  Line 86 + 0x26 bytes	C++
 	!WebCore::V8AbstractEventListener::invokeEventHandler(v8::Handle<v8::Context> context={...}, WebCore::Event * event=0x0aa23890, v8::Handle<v8::Value> jsEvent={...}, bool isWindowEvent=true)  Line 84 + 0x1f bytes	C++
 	!WebCore::V8AbstractEventListener::handleEvent(WebCore::Event * event=0x0aa23890, bool isWindowEvent=true)  Line 136	C++
 	!WebCore::Document::handleWindowEvent(WebCore::Event * event=0x0aa23890, bool useCapture=false)  Line 2778 + 0x20 bytes	C++
 	!WebCore::Node::dispatchWindowEvent(WTF::PassRefPtr<WebCore::Event> e={...})  Line 2522	C++
 	!WebCore::Node::dispatchWindowEvent(const WebCore::AtomicString & eventType={...}, bool canBubbleArg=false, bool cancelableArg=false)  Line 2530	C++
 	!WebCore::EventHandler::sendResizeEvent()  Line 2364	C++
 	!WebCore::FrameView::performPostLayoutTasks()  Line 1115	C++
 	!WebCore::FrameView::layout(bool allowSubtree=true)  Line 626	C++
 	!WebCore::RenderWidget::updateWidgetPosition()  Line 262	C++
 	!WebCore::RenderView::updateWidgetPositions()  Line 530 + 0xf bytes	C++
 	!WebCore::FrameView::performPostLayoutTasks()  Line 1099	C++
 	!WebCore::FrameView::layout(bool allowSubtree=true)  Line 626	C++
 	!WebCore::Document::updateLayout()  Line 1238	C++
 	!WebCore::Document::updateLayoutIgnorePendingStylesheets()  Line 1270	C++
 	!WebCore::HTMLBodyElement::scrollHeight()  Line 286	C++
 	!WebCore::ElementInternal::scrollHeightAttrGetter(v8::Local<v8::String> name={...}, const v8::AccessorInfo & info={...})  Line 182 + 0x12 bytes	C++
 	!v8::internal::LoadCallbackProperty(v8::internal::Arguments args={...})  Line 687 + 0x1e bytes	C++
 	055b018b()	
 	!v8::internal::Invoke(bool construct=false, v8::internal::Handle<v8::internal::JSFunction> func={...}, v8::internal::Handle<v8::internal::Object> receiver={...}, int argc=1, v8::internal::Object * * * args=0x01ab0fa8, bool * has_pending_exception=0x01ab0f37)  Line 93 + 0x34 bytes	C++
 	!v8::internal::Execution::Call(v8::internal::Handle<v8::internal::JSFunction> func={...}, v8::internal::Handle<v8::internal::Object> receiver={...}, int argc=1, v8::internal::Object * * * args=0x01ab0fa8, bool * pending_exception=0x01ab0f37)  Line 119 + 0x1f bytes	C++
 	!v8::Function::Call(v8::Handle<v8::Object> recv={...}, int argc=1, v8::Handle<v8::Value> * argv=0x01ab0fa8)  Line 2232 + 0x1d bytes	C++
 	!WebCore::V8Proxy::CallFunction(v8::Handle<v8::Function> function={...}, v8::Handle<v8::Object> receiver={...}, int argc=1, v8::Handle<v8::Value> * args=0x01ab0fa8)  Line 1147 + 0x1f bytes	C++
 	!WebCore::V8EventListener::callListenerFunction(v8::Handle<v8::Value> jsEvent={...}, WebCore::Event * event=0x0aa21c80, bool isWindowEvent=true)  Line 86 + 0x26 bytes	C++
 	!WebCore::V8AbstractEventListener::invokeEventHandler(v8::Handle<v8::Context> context={...}, WebCore::Event * event=0x0aa21c80, v8::Handle<v8::Value> jsEvent={...}, bool isWindowEvent=true)  Line 84 + 0x1f bytes	C++
 	!WebCore::V8AbstractEventListener::handleEvent(WebCore::Event * event=0x0aa21c80, bool isWindowEvent=true)  Line 136	C++
 	!WebCore::Document::handleWindowEvent(WebCore::Event * event=0x0aa21c80, bool useCapture=false)  Line 2778 + 0x20 bytes	C++
 	!WebCore::Node::dispatchWindowEvent(WTF::PassRefPtr<WebCore::Event> e={...})  Line 2522	C++
 	!WebCore::Node::dispatchWindowEvent(const WebCore::AtomicString & eventType={...}, bool canBubbleArg=false, bool cancelableArg=false)  Line 2530	C++
 	!WebCore::EventHandler::sendResizeEvent()  Line 2364	C++
 	!WebCore::FrameView::performPostLayoutTasks()  Line 1115	C++
 	!WebCore::FrameView::layout(bool allowSubtree=true)  Line 626	C++
 	!WebCore::RenderWidget::updateWidgetPosition()  Line 262	C++
 	!WebCore::RenderView::updateWidgetPositions()  Line 530 + 0xf bytes	C++
 	!WebCore::FrameView::performPostLayoutTasks()  Line 1099	C++
 	!WebCore::FrameView::layout(bool allowSubtree=true)  Line 626	C++
 	!WebCore::Document::updateLayout()  Line 1238	C++
 	!WebCore::Document::updateLayoutIgnorePendingStylesheets()  Line 1270	C++
 	!WebCore::HTMLBodyElement::scrollHeight()  Line 286	C++
 	!WebCore::ElementInternal::scrollHeightAttrGetter(v8::Local<v8::String> name={...}, const v8::AccessorInfo & info={...})  Line 182 + 0x12 bytes	C++
 	!v8::internal::LoadCallbackProperty(v8::internal::Arguments args={...})  Line 687 + 0x1e bytes	C++
 	055b018b()	
......
Comment 1 Mark Rowe (bdash) 2009-06-29 22:17:03 PDT
The backtrace from the hang in Safari suggests that the web page has an event listener for the "resize" event which executes some JavaScript code that causes the "resize" event to be dispatched.  This leads to very heavy recursion by way of event dispatch.  Safari remained unresponsive for at least a few minutes in my test.  It reproduces with the latest WebKit nightly build on Mac OS X.

Note: it looks like some of the Chinese characters in the Bugzilla comment have been mangled.  I clicked on the link below the top left of the twelve videos and was able to reproduce the hang.  It is titled 烧肉粽.
Comment 2 Mark Rowe (bdash) 2009-06-29 22:17:37 PDT
<rdar://problem/7019014>
Comment 3 mitz 2009-06-29 23:32:04 PDT
The page appears to defeat the guards against infinite recursion into FrameView::layout(). The current guards prevent unlimited recursion after a post-layout task (such as widget update or resize event dispatch) has caused layout to be needed again; however, they do not prevent recursion from within a post-layout task, which seems to happen in this case: the resize event handler forces layout by getting scrollHeight.
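The following is an added toy model of the reentrancy problem mitz describes, not WebKit code and not the fix that eventually landed. The `View` struct, its `inPostLayoutTasks`/`postLayoutTaskPending` flags, the `runEventLoop` stand-in for a post-layout timer, and the constructed `scrollHeight` value are all assumptions made for illustration. Run with `hardened=false` the model recurses layout -> post-layout task -> resize handler -> scrollHeight -> layout until it hits the stand-in stack limit, matching the backtrace above; with `hardened=true` a nested post-layout task is deferred to the next event-loop turn instead of dispatched synchronously, so nesting stays at depth 2 and the embedder regains control between layouts even though the page's handler keeps dirtying layout.

```cpp
#include <algorithm>
#include <cstdio>
#include <functional>

// Toy model of a FrameView-like object (hypothetical; not WebKit's class).
struct View {
    bool hardened = false;              // enable the extra post-layout guard
    bool needsLayout = true;
    bool inPostLayoutTasks = false;     // are we inside performPostLayoutTasks?
    bool postLayoutTaskPending = false; // hypothetical deferred-task flag
    int depth = 0;                      // current layout() nesting
    int maxDepth = 0;                   // deepest nesting observed
    int layouts = 0;                    // total layouts performed
    int depthLimit = 20;                // stand-in for the native stack limit
    bool overflowed = false;            // "stack overflow" reached
    std::function<void(View&)> resizeHandler; // the page's JS resize listener
};

void layout(View& v);

// Post-layout work: widget updates and dispatch of the "resize" event.
void performPostLayoutTasks(View& v) {
    if (v.hardened && v.inPostLayoutTasks) {
        // Already inside a post-layout task higher up the stack: record that
        // more work is needed and let a timer (runEventLoop below) do it later.
        v.postLayoutTaskPending = true;
        return;
    }
    v.inPostLayoutTasks = true;
    if (v.resizeHandler) v.resizeHandler(v);   // dispatch "resize" to the page
    v.inPostLayoutTasks = false;
}

void layout(View& v) {
    if (v.overflowed) return;
    if (++v.depth > v.depthLimit) { v.overflowed = true; --v.depth; return; }
    v.maxDepth = std::max(v.maxDepth, v.depth);
    ++v.layouts;
    v.needsLayout = false;
    performPostLayoutTasks(v);
    // Existing guard as comment 3 describes it: if a post-layout task dirtied
    // layout again, do not re-enter layout() here; it is picked up later.
    --v.depth;
}

// Reading scrollHeight forces a synchronous layout if one is pending
// (updateLayoutIgnorePendingStylesheets in the backtrace).
int scrollHeight(View& v) {
    if (v.needsLayout) layout(v);
    return 1000 + v.layouts;   // constructed value, not a real metric
}

// A pathological page listener: mutate layout state, then read scrollHeight.
void pathologicalResizeHandler(View& v) {
    v.needsLayout = true;    // e.g. the handler changes an element's style
    (void)scrollHeight(v);   // ...and then forces layout from inside "resize"
}

// Drain deferred work one item per turn, as a post-layout timer would, so the
// event loop regains control between layouts instead of nesting on the stack.
void runEventLoop(View& v, int turns) {
    for (int i = 0; i < turns; ++i) {
        if (v.postLayoutTaskPending) {
            v.postLayoutTaskPending = false;
            if (v.needsLayout) layout(v); else performPostLayoutTasks(v);
        } else if (v.needsLayout) {
            layout(v);
        } else {
            break;   // nothing left to do
        }
    }
}

struct Result { int maxDepth; bool overflowed; int layouts; };

// Run the model and report how deep the recursion got.
Result simulate(bool hardened, int depthLimit, int turns) {
    View v;
    v.hardened = hardened;
    v.depthLimit = depthLimit;
    v.resizeHandler = pathologicalResizeHandler;
    runEventLoop(v, turns);
    return { v.maxDepth, v.overflowed, v.layouts };
}

int main() {
    Result a = simulate(false, 20, 5);
    Result b = simulate(true, 20, 5);
    std::printf("unguarded: maxDepth=%d overflowed=%d layouts=%d\n", a.maxDepth, a.overflowed, a.layouts);
    std::printf("guarded:   maxDepth=%d overflowed=%d layouts=%d\n", b.maxDepth, b.overflowed, b.layouts);
    return 0;
}
```

The guarded run still performs a layout per turn, because the modelled page never stops dirtying layout; the point of the mitigation is that the work is bounded per turn and stays off the native stack, which is what separates a busy tab from a hung one.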