53837 – Crash in WebCore::TextEncoding::decode below XSSFilter::init

Bug 53837 - Crash in WebCore::TextEncoding::decode below XSSFilter::init

Summary: Crash in WebCore::TextEncoding::decode below XSSFilter::init

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	DOM (show other bugs)
Version:	528+ (Nightly build)
Hardware:	PC OS X 10.6

Importance:	P1 Normal
Assignee:	Adam Barth

URL:	http://www.amazon.com/gp/product/0441...
Keywords:	InRadar, Regression

Depends on:
Blocks:

Reported:	2011-02-04 19:57 PST by Stephanie Lewis
Modified:	2011-02-04 21:38 PST (History)
CC List:	3 users (show)

See Also:

Attachments
Patch (4.03 KB, patch) 2011-02-04 20:52 PST, Adam Barth	no flags	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Stephanie Lewis 2011-02-04 19:57:29 PST

Crashing on most pages on Amazon.com.  If the above doesn't work click a few more product pages.

Testing on 10.6.6 with WebKit 2 from r77713

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000010
Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x0000000102085317 WebCore::TextEncoding::decode(char const*, unsigned long, bool, bool&) const + 39 (TextEncoding.cpp:68)
1   com.apple.WebCore             	0x000000010178d6a5 WebCore::TextEncoding::decode(char const*, unsigned long) const + 57 (TextEncoding.h:70)
2   com.apple.WebCore             	0x0000000102159ff2 WebCore::(anonymous namespace)::decodeURL(WTF::String const&, WebCore::TextEncoding const&) + 146 (XSSFilter.cpp:119)
3   com.apple.WebCore             	0x000000010215a17a WebCore::XSSFilter::init() + 312 (XSSFilter.cpp:165)
4   com.apple.WebCore             	0x000000010215a4ac WebCore::XSSFilter::filterToken(WebCore::HTMLToken&) + 40 (XSSFilter.cpp:191)
5   com.apple.WebCore             	0x0000000101877706 WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) + 702 (HTMLDocumentParser.cpp:239)
6   com.apple.WebCore             	0x0000000101877a4d WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode) + 161 (HTMLDocumentParser.cpp:172)
7   com.apple.WebCore             	0x0000000101877f16 WebCore::HTMLDocumentParser::append(WebCore::SegmentedString const&) + 176 (HTMLDocumentParser.cpp:327)
8   com.apple.WebCore             	0x000000010164be9e WebCore::DocumentWriter::replaceDocument(WTF::String const&) + 292 (DocumentWriter.cpp:81)
9   com.apple.WebCore             	0x0000000101f09b72 WebCore::ScriptController::executeIfJavaScriptURL(WebCore::KURL const&, WebCore::ShouldReplaceDocumentIfJavaScriptURL) + 566 (ScriptControllerBase.cpp:117)
10  com.apple.WebCore             	0x0000000101fa10a2 WebCore::SubframeLoader::requestFrame(WebCore::HTMLFrameOwnerElement*, WTF::String const&, WTF::AtomicString const&, bool, bool) + 342 (SubframeLoader.cpp:89)
11  com.apple.WebCore             	0x000000010189d847 WebCore::HTMLFrameElementBase::openURL(bool, bool) + 237 (HTMLFrameElementBase.cpp:106)
12  com.apple.WebCore             	0x000000010189d9b0 WebCore::HTMLFrameElementBase::setNameAndOpenURL() + 114 (HTMLFrameElementBase.cpp:157)
13  com.apple.WebCore             	0x000000010189da6a WebCore::HTMLFrameElementBase::insertedIntoDocument() + 184 (HTMLFrameElementBase.cpp:191)
14  com.apple.WebCore             	0x00000001018a0fec WebCore::HTMLIFrameElement::insertedIntoDocument() + 74 (HTMLIFrameElement.cpp:150)
15  com.apple.WebCore             	0x00000001014d02f5 WebCore::ContainerNode::parserAddChild(WTF::PassRefPtr<WebCore::Node>) + 305 (ContainerNode.cpp:647)
16  com.apple.WebCore             	0x0000000101870e52 WTF::PassRefPtr<WebCore::Element> WebCore::HTMLConstructionSite::attach<WebCore::Element>(WebCore::ContainerNode*, WTF::PassRefPtr<WebCore::Element>) + 272 (HTMLConstructionSite.cpp:98)
17  com.apple.WebCore             	0x000000010186f384 WebCore::HTMLConstructionSite::attachToCurrent(WTF::PassRefPtr<WebCore::Element>) + 66 (HTMLConstructionSite.cpp:237)
18  com.apple.WebCore             	0x000000010186f6a6 WebCore::HTMLConstructionSite::insertHTMLElement(WebCore::AtomicHTMLToken&) + 50 (HTMLConstructionSite.cpp:267)
19  com.apple.WebCore             	0x00000001018e5e4e WebCore::HTMLTreeBuilder::processGenericRawTextStartTag(WebCore::AtomicHTMLToken&) + 106 (HTMLTreeBuilder.cpp:2777)
20  com.apple.WebCore             	0x00000001018eab2d WebCore::HTMLTreeBuilder::processStartTagForInBody(WebCore::AtomicHTMLToken&) + 5221 (HTMLTreeBuilder.cpp:947)
21  com.apple.WebCore             	0x00000001018ebd84 WebCore::HTMLTreeBuilder::processStartTag(WebCore::AtomicHTMLToken&) + 1876 (HTMLTreeBuilder.cpp:1221)
22  com.apple.WebCore             	0x00000001018ede5e WebCore::HTMLTreeBuilder::processToken(WebCore::AtomicHTMLToken&) + 188 (HTMLTreeBuilder.cpp:473)
23  com.apple.WebCore             	0x00000001018f2a24 WebCore::HTMLTreeBuilder::constructTreeFromAtomicToken(WebCore::AtomicHTMLToken&) + 30 (HTMLTreeBuilder.cpp:458)
24  com.apple.WebCore             	0x00000001018f2e16 WebCore::HTMLTreeBuilder::constructTreeFromToken(WebCore::HTMLToken&) + 42 (HTMLTreeBuilder.cpp:448)
25  com.apple.WebCore             	0x000000010187772c WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) + 740 (HTMLDocumentParser.cpp:240)
26  com.apple.WebCore             	0x0000000101877a4d WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode) + 161 (HTMLDocumentParser.cpp:172)
27  com.apple.WebCore             	0x0000000101877b0f WebCore::HTMLDocumentParser::resumeParsingAfterScriptExecution() + 191 (HTMLDocumentParser.cpp:442)
28  com.apple.WebCore             	0x0000000101877cb3 WebCore::HTMLDocumentParser::executeScriptsWaitingForStylesheets() + 409 (HTMLDocumentParser.cpp:512)
29  com.apple.WebCore             	0x000000010160f484 WebCore::Document::removePendingSheet() + 178 (Document.cpp:2855)
30  com.apple.WebCore             	0x00000001018ac5fa WebCore::HTMLLinkElement::removePendingSheet() + 92 (HTMLLinkElement.cpp:478)
31  com.apple.WebCore             	0x00000001018ac621 WebCore::HTMLLinkElement::sheetLoaded() + 37 (HTMLLinkElement.cpp:405)
32  com.apple.WebCore             	0x00000001015bb95a WebCore::CSSStyleSheet::checkLoaded() + 138 (CSSStyleSheet.cpp:230)
33  com.apple.WebCore             	0x00000001018ae182 WebCore::HTMLLinkElement::setCSSStyleSheet(WTF::String const&, WebCore::KURL const&, WTF::String const&, WebCore::CachedCSSStyleSheet const*) + 1422 (HTMLLinkElement.cpp:372)
34  com.apple.WebCore             	0x000000010146d199 WebCore::CachedCSSStyleSheet::checkNotify() + 169 (CachedCSSStyleSheet.cpp:116)
35  com.apple.WebCore             	0x000000010146d42c WebCore::CachedCSSStyleSheet::data(WTF::PassRefPtr<WebCore::SharedBuffer>, bool) + 354 (CachedCSSStyleSheet.cpp:106)
36  com.apple.WebCore             	0x00000001014869b3 WebCore::CachedResourceRequest::didFinishLoading(WebCore::SubresourceLoader*) + 423 (CachedResourceRequest.cpp:160)
37  com.apple.WebCore             	0x0000000101fa1b11 WebCore::SubresourceLoader::didFinishLoading(double) + 169 (SubresourceLoader.cpp:183)
38  com.apple.WebCore             	0x0000000101ede3dc WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle*, double) + 48 (ResourceLoader.cpp:435)
39  com.apple.WebCore             	0x0000000101ed98d1 -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] + 274 (ResourceHandleMac.mm:920)
40  com.apple.Foundation          	0x00007fff8436a728 _NSURLConnectionDidFinishLoading + 113
41  com.apple.CFNetwork           	0x00007fff81f672a0 URLConnectionClient::_clientDidFinishLoading(URLConnectionClient::ClientConnectionEventQueue*) + 174
42  com.apple.CFNetwork           	0x00007fff81fcc9c6 URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<XClientEvent, XClientEventParams>*, long) + 254
43  com.apple.CFNetwork           	0x00007fff81fccc32 URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<XClientEvent, XClientEventParams>*, long) + 874
44  com.apple.CFNetwork           	0x00007fff81fccc32 URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<XClientEvent, XClientEventParams>*, long) + 874
45  com.apple.CFNetwork           	0x00007fff81fccc32 URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<XClientEvent, XClientEventParams>*, long) + 874
46  com.apple.CFNetwork           	0x00007fff81f5396d URLConnectionClient::processEvents() + 121
47  com.apple.CFNetwork           	0x00007fff81f53748 MultiplexerSource::perform() + 160
48  com.apple.CoreFoundation      	0x00007fff80cc5401 __CFRunLoopDoSources0 + 1361
49  com.apple.CoreFoundation      	0x00007fff80cc35f9 __CFRunLoopRun + 873
50  com.apple.CoreFoundation      	0x00007fff80cc2dbf CFRunLoopRunSpecific + 575
51  com.apple.HIToolbox           	0x00007fff8637993a RunCurrentEventLoopInMode + 333
52  com.apple.HIToolbox           	0x00007fff8637973f ReceiveNextEventCommon + 310
53  com.apple.HIToolbox           	0x00007fff863795f8 BlockUntilNextEventMatchingListInMode + 59
54  com.apple.AppKit              	0x00007fff80205e64 _DPSNextEvent + 718
55  com.apple.AppKit              	0x00007fff802057a9 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 155
56  com.apple.AppKit              	0x00007fff801cb48b -[NSApplication run] + 395
57  com.apple.WebKit2             	0x0000000100243a54 RunLoop::run() + 54 (RunLoopMac.mm:56)
58  com.apple.WebKit2             	0x00000001002c861c WebKit::WebProcessMain(WebKit::CommandLine const&) + 448 (WebProcessMainMac.mm:108)
59  com.apple.WebKit2             	0x000000010027450f WebKitMain(WebKit::CommandLine const&) + 159 (WebKitMain.cpp:48)
60  com.apple.WebKit2             	0x00000001002745ce WebKitMain + 155 (WebKitMain.cpp:72)
61  com.apple.WebProcess          	0x0000000100000e33 main + 233
62  com.apple.WebProcess          	0x0000000100000d14 start + 52

Comment 1 Mark Rowe (bdash) 2011-02-04 20:10:01 PST

This crash occurs reproducibly for me when loading <http://www.answers.com/topic/lorn>.

Comment 2 Mark Rowe (bdash) 2011-02-04 20:11:54 PST

<rdar://problem/8963096>

Comment 3 Adam Barth 2011-02-04 20:19:07 PST

Looking.

Comment 4 Adam Barth 2011-02-04 20:52:16 PST

Created attachment 81347 [details]
Patch

Comment 5 Maciej Stachowiak 2011-02-04 20:55:24 PST

Comment on attachment 81347 [details]
Patch

r=me

Comment 6 Adam Barth 2011-02-04 20:58:40 PST

Thanks.

Comment 7 WebKit Commit Bot 2011-02-04 21:17:44 PST

Comment on attachment 81347 [details]
Patch

Clearing flags on attachment: 81347

Committed r77730: <http://trac.webkit.org/changeset/77730>

Comment 8 WebKit Commit Bot 2011-02-04 21:17:49 PST

All reviewed patches have been landed.  Closing bug.