Bug 35044 - Crash in XML tokenizer reloading zoom-coords-viewattr-01-b.svg
Summary: Crash in XML tokenizer reloading zoom-coords-viewattr-01-b.svg
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: XML
Version: 528+ (Nightly build)
Hardware: Mac OS X 10.5
Importance: P1 Normal
Assignee: Alexey Proskuryakov
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2010-02-17 10:36 PST by Simon Fraser (smfr)
Modified: 2010-03-03 14:05 PST (History)

See Also:


Attachments
proposed fix (1.34 KB, patch)
2010-03-03 13:44 PST, Alexey Proskuryakov
adele: review+

Description Simon Fraser (smfr) 2010-02-17 10:36:35 PST
While debugging some SVG entity issues, I've twice hit a crash in XMLTokenizer because m_currentNode is null here:

#0  0x03e31619 in WebCore::Node::isTextNode (this=0x0) at Node.h:166
#1  0x047dfa10 in WebCore::XMLTokenizer::characters (this=0x1f6d4320, s=0x2540a880 "\n    ", len=5) at /Volumes/InternalData/Development/WebKit/OpenSource/WebCore/dom/XMLTokenizerLibxml2.cpp:903
#2  0x047e2ed5 in WebCore::PendingCallbacks::PendingCharactersCallback::call (this=0x2540ad10, tokenizer=0x1f6d4320) at /Volumes/InternalData/Development/WebKit/OpenSource/WebCore/dom/XMLTokenizerLibxml2.cpp:246
#3  0x047e0d57 in WebCore::PendingCallbacks::callAndRemoveFirstCallback (this=0x1f6b33d0, tokenizer=0x1f6d4320) at /Volumes/InternalData/Development/WebKit/OpenSource/WebCore/dom/XMLTokenizerLibxml2.cpp:188
#4  0x047dc303 in WebCore::XMLTokenizer::resumeParsing (this=0x1f6d4320) at /Volumes/InternalData/Development/WebKit/OpenSource/WebCore/dom/XMLTokenizerLibxml2.cpp:1375
#5  0x047dbcfd in WebCore::XMLTokenizer::notifyFinished (this=0x1f6d4320, unusedResource=0x81ff800) at /Volumes/InternalData/Development/WebKit/OpenSource/WebCore/dom/XMLTokenizer.cpp:334
#6  0x03d4217c in WebCore::CachedScript::checkNotify (this=0x81ff800) at /Volumes/InternalData/Development/WebKit/OpenSource/WebCore/loader/CachedScript.cpp:105
#7  0x03d42242 in WebCore::CachedScript::data (this=0x81ff800, data=@0xbfffe3d0, allDataReceived=true) at /Volumes/InternalData/Development/WebKit/OpenSource/WebCore/loader/CachedScript.cpp:95
#8  0x0440a46e in WebCore::Loader::Host::didFinishLoading (this=0xc94220, loader=0x8437200) at /Volumes/InternalData/Development/WebKit/OpenSource/WebCore/loader/loader.cpp:397
#9  0x0467c002 in WebCore::SubresourceLoader::didFinishLoading (this=0x8437200) at /Volumes/InternalData/Development/WebKit/OpenSource/WebCore/loader/SubresourceLoader.cpp:184
#10 0x045daf5a in WebCore::ResourceLoader::didFinishLoading (this=0x8437200) at /Volumes/InternalData/Development/WebKit/OpenSource/WebCore/loader/ResourceLoader.cpp:403
#11 0x045d7497 in -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] (self=0x2055a3c0, _cmd=0x9344e564, connection=0x20559180) at /Volumes/InternalData/Development/WebKit/OpenSource/WebCore/platform/network/mac/ResourceHandleMac.mm:789
#12 0x906e9497 in -[NSURLConnection(NSURLConnectionReallyInternal) sendDidFinishLoading] ()
#13 0x906e9403 in _NSURLConnectionDidFinishLoading ()
#14 0x91979ba4 in URLConnectionClient::_clientDidFinishLoading ()
#15 0x9197a8fa in URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload ()
#16 0x9197abaa in URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload ()
#17 0x91979370 in URLConnectionClient::processEvents ()
#18 0x91926d03 in MultiplexerSource::perform ()
#19 0x9183640f in CFRunLoopRunSpecific ()
#20 0x91836aa8 in CFRunLoopRunInMode ()
#21 0x93d542ac in RunCurrentEventLoopInMode ()
#22 0x93d53ffe in ReceiveNextEventCommon ()
#23 0x93d53f39 in BlockUntilNextEventMatchingListInMode ()
#24 0x959236d5 in _DPSNextEvent ()
#25 0x95922f88 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#26 0x0000c045 in ?? ()
#27 0x9591bf9f in -[NSApplication run] ()
#28 0x958e91d8 in NSApplicationMain ()
Comment 1 Simon Fraser (smfr) 2010-02-17 11:43:27 PST
I can get this crash by reloading LayoutTests/svg/zoom/page/zoom-coords-viewattr-01-b.svg a few times on Leopard.

clearCurrentNodeStack() has been called already.
Comment 2 Simon Fraser (smfr) 2010-02-17 11:54:12 PST
It seems like the XMLTokenizer is getting resurrected after an end() by CachedScript::checkNotify() calling notifyFinished() on the clients.
Comment 3 Alexey Proskuryakov 2010-02-17 13:27:20 PST
What is surprising is that the tokenizer also thinks that it has been paused (otherwise, an assertion in resumeParsing would have failed).
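The lifecycle described in comments 2 and 3, reduced to a small model as an added illustration (this is not WebKit code and not the committed fix): parsing pauses for a script, character data queues up, end() drops the node stack, and a late notifyFinished() replays the queue against a null current node. The names Tokenizer, Node, pauseForScript, queueCharacters and the guard in notifyFinishedGuarded are assumptions made for the example.

```cpp
#include <deque>
#include <memory>
#include <string>
// Simplified, added model of the XMLTokenizer lifecycle in this bug; not WebKit code.
struct Node { std::string text; };
class Tokenizer {
public:
    // Parsing pauses while a <script> loads; character data queues meanwhile.
    void pauseForScript() { m_paused = true; }
    void queueCharacters(std::string s) { m_pending.push_back(std::move(s)); }
    // end() drops the node stack (clearCurrentNodeStack() in the report).
    void end() { m_currentNode.reset(); m_finished = true; }
    // Original shape: a late notifyFinished() resumes unconditionally.
    bool notifyFinishedUnguarded() { return resumeParsing(); }
    // Assumed guard (not the committed fix): a notification arriving after
    // end(), or while not paused, has nothing to resume.
    bool notifyFinishedGuarded() {
        if (m_finished || !m_paused) return true;
        return resumeParsing();
    }
private:
    // Returns false at the point where the real code dereferences a null node.
    bool characters(const std::string& s) {
        if (!m_currentNode) return false;
        m_currentNode->text += s;
        return true;
    }
    bool resumeParsing() {
        m_paused = false;
        while (!m_pending.empty()) {
            std::string s = std::move(m_pending.front());
            m_pending.pop_front();
            if (!characters(s)) return false;
        }
        return true;
    }
    std::shared_ptr<Node> m_currentNode = std::make_shared<Node>();
    std::deque<std::string> m_pending;
    bool m_paused = false;
    bool m_finished = false;
};
// Replays the report: pause, queue the "\n    " whitespace, end() on reload, late notify.
bool lateNotifySurvives(bool guarded) {
    Tokenizer t;
    t.pauseForScript();
    t.queueCharacters("\n    ");
    t.end();
    return guarded ? t.notifyFinishedGuarded() : t.notifyFinishedUnguarded();
}
```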
Comment 4 Alexey Proskuryakov 2010-02-23 00:39:34 PST
<rdar://problem/7679143>
Comment 5 Alexey Proskuryakov 2010-03-03 12:32:17 PST
Sorry, now I'm getting the crash in 4.0.4, too.
Comment 6 Alexey Proskuryakov 2010-03-03 13:44:56 PST
Created attachment 49940 [details]
proposed fix
Comment 7 Alexey Proskuryakov 2010-03-03 14:05:44 PST
Committed in <http://trac.webkit.org/changeset/55475>.