RESOLVED FIXED 7048
Reproducible crash when onscroll handler deletes the layer or its object
https://bugs.webkit.org/show_bug.cgi?id=7048
Rosyna
Reported 2006-02-03 04:11:08 PST
Visit the page above and it'll crash. The line in the log seems to be off from the line in the source.

Date/Time: 2006-02-03 05:04:48.121 -0700
OS Version: 10.4.4 (Build 8G32)
Report Version: 3

Command: Safari
Path: /Applications/Safari.app/Contents/MacOS/Safari
Parent: tcsh [425]

Version: 2.0.3 (417.8)
Build Version: 1
Project Name: WebBrowser
Source Version: 4170800

PID: 21114
Thread: 0

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000000

Thread 0 Crashed:
0 <<00000000>> 0x00000000 0 + 0
1 com.apple.WebCore 0x01a75a98 WebCore::RenderLayer::scrollToOffset(int, int, bool, bool) + 316 (render_layer.cpp:573)
2 com.apple.WebCore 0x01836098 KJS::DOMNode::putValueProperty(KJS::ExecState*, int, KJS::JSValue*, int) + 1800 (render_layer.h:244)
3 com.apple.WebCore 0x01857774 KJS::HTMLElement::put(KJS::ExecState*, KJS::Identifier const&, KJS::JSValue*, int) + 488 (lookup.h:238)
4 com.apple.JavaScriptCore 0x01029200 KJS::AssignDotNode::evaluate(KJS::ExecState*) + 1260 (nodes.cpp:1372)
5 com.apple.JavaScriptCore 0x0102ddfc KJS::ExprStatementNode::execute(KJS::ExecState*) + 104 (nodes.cpp:1629)
6 com.apple.JavaScriptCore 0x01030f64 KJS::SourceElementsNode::execute(KJS::ExecState*) + 480 (completion.h:53)
7 com.apple.JavaScriptCore 0x0102dd38 KJS::BlockNode::execute(KJS::ExecState*) + 156 (nodes.cpp:1605)
8 com.apple.JavaScriptCore 0x0101f464 KJS::InterpreterImp::evaluate(KJS::UChar const*, int, KJS::JSValue*, KJS::UString const&, int) + 820 (completion.h:48)
9 com.apple.JavaScriptCore 0x01022630 KJS::Interpreter::evaluate(KJS::UString const&, int, KJS::UChar const*, int, KJS::JSValue*) + 68 (interpreter.cpp:121)
10 com.apple.WebCore 0x01860cfc WebCore::KJSProxyImpl::evaluate(WebCore::DOMString const&, int, WebCore::DOMString const&, WebCore::NodeImpl*) + 272 (RefPtr.h:41)
11 com.apple.WebCore 0x01993390 WebCore::Frame::executeScript(QString const&, int, WebCore::NodeImpl*, QString const&) + 100 (RefPtr.h:41)
12 com.apple.WebCore 0x0189b960 WebCore::HTMLTokenizer::scriptExecution(QString const&, WebCore::HTMLTokenizer::State, QString, int) + 324 (htmltokenizer.cpp:490)
13 com.apple.WebCore 0x0189c360 WebCore::HTMLTokenizer::scriptHandler(WebCore::HTMLTokenizer::State) + 1384 (htmltokenizer.cpp:420)
14 com.apple.WebCore 0x0189c69c WebCore::HTMLTokenizer::parseSpecial(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 564 (htmltokenizer.cpp:286)
15 com.apple.WebCore 0x0189e474 WebCore::HTMLTokenizer::parseTag(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 6432 (htmltokenizer.cpp:1257)
16 com.apple.WebCore 0x0189eb0c WebCore::HTMLTokenizer::write(WebCore::SegmentedString const&, bool) + 908 (htmltokenizer.cpp:1460)
17 com.apple.WebCore 0x0189bd10 WebCore::HTMLTokenizer::notifyFinished(WebCore::CachedObject*) + 644 (KWQValueList.h:88)
18 com.apple.WebCore 0x019d9c04 WebCore::CachedScript::checkNotify() + 80 (CachedScript.cpp:111)
19 com.apple.WebCore 0x019d9d30 WebCore::CachedScript::data(QBuffer&, bool) + 232 (CachedScript.cpp:103)
20 com.apple.WebCore 0x019dc2f8 WebCore::Loader::slotFinished(KIO::Job*, NSData*) + 432 (loader.cpp:151)
21 com.apple.WebCore 0x018bbe2c KWQSignal::callWithData(KIO::Job*, NSData*) const + 140 (KWQValueListImpl.h:150)
22 com.apple.WebCore 0x018be5c4 -[KWQResourceLoader finishJobAndHandle:] + 80 (KWQResourceLoader.mm:95)
23 com.apple.WebKit 0x00323bc4 -[WebSubresourceLoader didFinishLoading] + 80 (WebSubresourceLoader.m:218)
24 com.apple.WebKit 0x0032b290 -[WebLoader connectionDidFinishLoading:] + 44 (WebLoader.m:663)
25 com.apple.Foundation 0x92918cdc -[NSURLConnection(NSURLConnectionInternal) _sendDidFinishLoadingCallback] + 188
26 com.apple.Foundation 0x92916f48 -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] + 556
27 com.apple.Foundation 0x92916ca0 _sendCallbacks + 156
28 com.apple.CoreFoundation 0x9075da68 __CFRunLoopDoSources0 + 384
29 com.apple.CoreFoundation 0x9075cf98 __CFRunLoopRun + 452
30 com.apple.CoreFoundation 0x9075ca18 CFRunLoopRunSpecific + 268
31 com.apple.HIToolbox 0x9318e1e0 RunCurrentEventLoopInMode + 264
32 com.apple.HIToolbox 0x9318d874 ReceiveNextEventCommon + 380
33 com.apple.HIToolbox 0x9318d6e0 BlockUntilNextEventMatchingListInMode + 96
34 com.apple.AppKit 0x9368c104 _DPSNextEvent + 384
35 com.apple.AppKit 0x9368bdc8 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 116
36 com.apple.Safari 0x000072d4 0x1000 + 25300
37 com.apple.AppKit 0x9368830c -[NSApplication run] + 472
38 com.apple.AppKit 0x93778e68 NSApplicationMain + 452
39 com.apple.Safari 0x0005cfdc 0x1000 + 376796
40 com.apple.Safari 0x0005ce80 0x1000 + 376448
Attachments
Testcase (scroll to crash) (121 bytes, text/html)
2006-02-03 07:28 PST, mitz
no flags
first cut at a patch: needs test cases (2.42 KB, patch)
2006-02-04 09:26 PST, Darin Adler
no flags
patch to fix the problem, including change log and test (5.45 KB, patch)
2006-02-05 00:05 PST, Darin Adler
mjs: review+
mitz
Comment 1 2006-02-03 05:15:14 PST
Confirmed in WebKit-417.9 and in TOT. Reproducible crashes are P1.
mitz
Comment 2 2006-02-03 07:28:23 PST
Created attachment 6219 [details]
Testcase (scroll to crash)

The problem is that RenderLayer::scrollToOffset calls the onscroll handler, which may delete the renderer (and the layer!).
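The hazard mitz describes is the classic "callback destroys the object that invoked it" pattern: once script runs inside scrollToOffset, the member function may be executing on freed memory when control returns. The following is an added illustration, not code from WebKit or from Darin's patch, using a constructed Layer/Document model (hypothetical names) to show the defensive shape: hold a strong reference for the duration of the callback so the object cannot be freed underneath the running method, and re-check a detached flag before touching owner state afterwards. Whether WebKit's actual fix took exactly this form is not stated on this page.

```cpp
#include <functional>
#include <memory>
#include <vector>

// Result of one scroll: whether post-callback work ran, and whether the
// protector was the only reference left after the handler returned (that is,
// without it the layer would already have been destroyed mid-call).
struct ScrollResult {
    bool completed;
    bool onlyProtectorKeptAlive;
};

// Constructed stand-in for a render layer (hypothetical; not WebCore's class).
struct Layer : std::enable_shared_from_this<Layer> {
    int scrollX = 0;
    int scrollY = 0;
    bool detached = false;                 // set by the owner when it tears the layer down
    std::function<void(Layer&)> onscroll;  // stands in for the DOM onscroll handler

    ScrollResult scrollToOffset(int x, int y) {
        // Hardened form: keep ourselves alive for the whole call so the handler
        // cannot free the object whose member function is currently executing.
        std::shared_ptr<Layer> protector = shared_from_this();
        scrollX = x;
        scrollY = y;
        if (onscroll)
            onscroll(*this);               // may run arbitrary script, including removal
        bool onlyProtector = protector.use_count() == 1;
        if (detached)
            return {false, onlyProtector}; // owner is gone: skip work that needs it
        // Post-scroll work that dereferences owner/renderer state would go here.
        return {true, onlyProtector};
    }
};

// Constructed stand-in for the owning document/render tree (hypothetical).
struct Document {
    std::vector<std::shared_ptr<Layer>> layers;

    std::shared_ptr<Layer> addLayer() {
        auto l = std::make_shared<Layer>();
        layers.push_back(l);
        return l;
    }

    // Drops the document's reference, as deleting the DOM node would.
    void removeLayer(Layer& target) {
        target.detached = true;
        for (auto it = layers.begin(); it != layers.end(); ++it) {
            if (it->get() == &target) {
                layers.erase(it);
                break;
            }
        }
    }
};

// Scenario from this bug: the onscroll handler removes the very layer being scrolled.
ScrollResult handlerRemovesLayer() {
    Document doc;
    std::shared_ptr<Layer> l = doc.addLayer();
    Layer* raw = l.get();
    l.reset();                             // the document now holds the only reference
    raw->onscroll = [&doc](Layer& self) { doc.removeLayer(self); };
    return raw->scrollToOffset(0, 100);    // safe: protector outlives the handler
}

// Benign scenario: the handler only reads state and nothing is destroyed.
ScrollResult handlerReadsOnly() {
    Document doc;
    std::shared_ptr<Layer> l = doc.addLayer();
    int seen = 0;
    l->onscroll = [&seen](Layer& self) { seen = self.scrollY; };
    ScrollResult r = l->scrollToOffset(0, 42);
    r.completed = r.completed && seen == 42;
    return r;
}

int main() {
    ScrollResult a = handlerRemovesLayer();
    ScrollResult b = handlerReadsOnly();
    // Expect: a = {false, true}, b = {true, false}.
    return (!a.completed && a.onlyProtectorKeptAlive && b.completed && !b.onlyProtectorKeptAlive) ? 0 : 1;
}
```

In the removal scenario the protector's use count drops to one during the handler, which is exactly the state in which an unprotected `this` would already be dangling; the detached check then prevents the rest of the method from touching the renderer the handler tore down.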
Darin Adler
Comment 3 2006-02-03 21:12:07 PST
I've got a fix in the works.
Darin Adler
Comment 4 2006-02-04 09:26:47 PST
Created attachment 6247 [details]
first cut at a patch: needs test cases

Here's a patch that fixes the problem. Unfortunately, while fixing this one I noticed many other similar problems that are not as easy to fix. Also, I did not come up with an automated layout test for this, but I think it's possible to make one and we should do that before reviewing and landing the fix.
Darin Adler
Comment 5 2006-02-05 00:05:58 PST
Created attachment 6260 [details]
patch to fix the problem, including change log and test
mitz
Comment 6 2006-04-13 01:13:27 PDT
(In reply to comment #4)
> Unfortunately while fixing this one I
> noticed many other similar problems that are not as easy to fix.

Opened bug 8360 to track the remaining problems.