While debugging some SVG entity issues, I've twice hit a crash in XMLTokenizer because m_currentNode is null here: #0 0x03e31619 in WebCore::Node::isTextNode (this=0x0) at Node.h:166 #1 0x047dfa10 in WebCore::XMLTokenizer::characters (this=0x1f6d4320, s=0x2540a880 "\n ", len=5) at /Volumes/InternalData/Development/WebKit/OpenSource/WebCore/dom/XMLTokenizerLibxml2.cpp:903 #2 0x047e2ed5 in WebCore::PendingCallbacks::PendingCharactersCallback::call (this=0x2540ad10, tokenizer=0x1f6d4320) at /Volumes/InternalData/Development/WebKit/OpenSource/WebCore/dom/XMLTokenizerLibxml2.cpp:246 #3 0x047e0d57 in WebCore::PendingCallbacks::callAndRemoveFirstCallback (this=0x1f6b33d0, tokenizer=0x1f6d4320) at /Volumes/InternalData/Development/WebKit/OpenSource/WebCore/dom/XMLTokenizerLibxml2.cpp:188 #4 0x047dc303 in WebCore::XMLTokenizer::resumeParsing (this=0x1f6d4320) at /Volumes/InternalData/Development/WebKit/OpenSource/WebCore/dom/XMLTokenizerLibxml2.cpp:1375 #5 0x047dbcfd in WebCore::XMLTokenizer::notifyFinished (this=0x1f6d4320, unusedResource=0x81ff800) at /Volumes/InternalData/Development/WebKit/OpenSource/WebCore/dom/XMLTokenizer.cpp:334 #6 0x03d4217c in WebCore::CachedScript::checkNotify (this=0x81ff800) at /Volumes/InternalData/Development/WebKit/OpenSource/WebCore/loader/CachedScript.cpp:105 #7 0x03d42242 in WebCore::CachedScript::data (this=0x81ff800, data=@0xbfffe3d0, allDataReceived=true) at /Volumes/InternalData/Development/WebKit/OpenSource/WebCore/loader/CachedScript.cpp:95 #8 0x0440a46e in WebCore::Loader::Host::didFinishLoading (this=0xc94220, loader=0x8437200) at /Volumes/InternalData/Development/WebKit/OpenSource/WebCore/loader/loader.cpp:397 #9 0x0467c002 in WebCore::SubresourceLoader::didFinishLoading (this=0x8437200) at /Volumes/InternalData/Development/WebKit/OpenSource/WebCore/loader/SubresourceLoader.cpp:184 #10 0x045daf5a in WebCore::ResourceLoader::didFinishLoading (this=0x8437200) at /Volumes/InternalData/Development/WebKit/OpenSource/WebCore/loader/ResourceLoader.cpp:403 #11 0x045d7497 in -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] (self=0x2055a3c0, _cmd=0x9344e564, connection=0x20559180) at /Volumes/InternalData/Development/WebKit/OpenSource/WebCore/platform/network/mac/ResourceHandleMac.mm:789 #12 0x906e9497 in -[NSURLConnection(NSURLConnectionReallyInternal) sendDidFinishLoading] () #13 0x906e9403 in _NSURLConnectionDidFinishLoading () #14 0x91979ba4 in URLConnectionClient::_clientDidFinishLoading () #15 0x9197a8fa in URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload () #16 0x9197abaa in URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload () #17 0x91979370 in URLConnectionClient::processEvents () #18 0x91926d03 in MultiplexerSource::perform () #19 0x9183640f in CFRunLoopRunSpecific () #20 0x91836aa8 in CFRunLoopRunInMode () #21 0x93d542ac in RunCurrentEventLoopInMode () #22 0x93d53ffe in ReceiveNextEventCommon () #23 0x93d53f39 in BlockUntilNextEventMatchingListInMode () #24 0x959236d5 in _DPSNextEvent () #25 0x95922f88 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] () #26 0x0000c045 in ?? () #27 0x9591bf9f in -[NSApplication run] () #28 0x958e91d8 in NSApplicationMain ()
I can get this crash by reloading LayoutTests/svg/zoom/page/zoom-coords-viewattr-01-b.svg a few times on Leopard. clearCurrentNodeStack() has been called already.
It seems like the XMLTokenizer is getting resurrected after an end() by CachedScript::checkNotify() calling notifyFinished() on the clients.
Surprising is that the tokenizer also thinks that it has been paused (otherwise, an assertion in resumeParsing would have failed).
<rdar://problem/7679143>
Sorry, now I'm getting the crash in 4.0.4, too.
Created attachment 49940 [details] proposed fix
Committed in <http://trac.webkit.org/changeset/55475>.