Bug 81374 - remove-body-during-body-replacement2.html is triggering crashes on all platforms
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=81374
Levi Weintraub
Reported 2012-03-16 11:05:51 PDT
The backtraces all seem pretty different to keep things interesting. I tried a run with cluster-fuzz but it announced it unreproducible.
Attachments
needs changelog (788 bytes, patch)
2012-03-16 13:26 PDT, Adam Barth
no flags
Patch (1.64 KB, patch)
2012-03-16 13:54 PDT, Adam Barth
no flags
Abhishek Arya
Comment 1 2012-03-16 11:32:48 PDT
Tried with libgmalloc (Mac) with --repeat-each 100; the testcase does not crash. Sometimes it is the case that the previous test that ran before it is causing the crash. Also tried with ClusterFuzz on Linux with DRT; it didn't reproduce. Here is the crash stack from the URL above:

base::debug::StackTrace::StackTrace() [0x82ad2ac]
base::(anonymous namespace)::StackDumpSignalHandler() [0x8293e1d]
0xb7799400
WebCore::Frame::addDestructionObserver() [0x8adc56c]
WebCore::FrameDestructionObserver::observeFrame() [0x8ade946]
WebCore::DOMWindow::DOMWindow() [0x8ac02f5]
WebCore::Frame::domWindow() [0x8addc72]
WebCore::DOMWindowProperty::~DOMWindowProperty() [0x8ac5fc9]
WebCore::DOMWindowNotifications::~DOMWindowNotifications() [0x960d994]
WebCore::DOMWindow::~DOMWindow() [0x8ac3913]
WebCore::V8DOMWindow::derefObject() [0x8e44465]
WebCore::DOMData::derefObject() [0x8b52cb2]
WebCore::DOMData::handleWeakObject<>() [0x8b52f99]
WebCore::DOMDataStore::weakDOMObjectCallback() [0x8b53020]
v8::internal::GlobalHandles::PostGarbageCollectionProcessing() [0x842815b]
Levi Weintraub
Comment 2 2012-03-16 12:14:03 PDT
Here are a few of the tests leading up to one of the crashes. I should note that fast/dom/prototype-inheritance-2.html crashes on my machine (Mac 10.6 Debug) every other run when run independently. It doesn't have a problem on cluster-fuzz though... even with location.reload()

fast/dom/null-document-location-assign-crash.html passed
fast/dom/null-document-location-href-put-crash.html passed
fast/dom/null-document-location-put-crash.html passed
fast/dom/null-document-location-replace-crash.html passed
fast/dom/null-document-window-open-crash.html passed
fast/dom/null-page-show-modal-dialog-crash.html passed
fast/dom/objc-big-method-name.html passed
fast/dom/object-plugin-hides-properties.html passed
fast/dom/offset-parent-positioned-and-inline.html passed
fast/dom/offset-position-writing-modes.html passed
fast/dom/onerror-img.html passed
fast/dom/onload-open.html passed
fast/dom/option-properties.html passed
fast/dom/option-text-mutation-crash.html passed
fast/dom/outerText-no-element.html passed
fast/dom/outerText.html passed
fast/dom/ping-attribute-dom-binding.html passed
fast/dom/plugin-attributes-enumeration.html passed
fast/dom/prefixed-image-tag.xhtml passed
fast/dom/processing-instruction-appendChild-exceptions.xhtml passed
fast/dom/prototype-chain.html passed
fast/dom/prototype-inheritance-2.html failed: Text diff mismatch
fast/dom/prototype-inheritance.html passed
fast/dom/prototype-property.html passed
fast/dom/prototypes.html passed
fast/dom/register-protocol-handler.html passed
fast/dom/remove-body-during-body-replacement2.html crashed
Adam Barth
Comment 3 2012-03-16 13:07:12 PDT
+haraken, who worked on DOMWindowNotifications recently.
Adam Barth
Comment 4 2012-03-16 13:11:35 PDT
I see the problem. My fault.
Levi Weintraub
Comment 5 2012-03-16 13:14:29 PDT
(In reply to comment #4)
> I see the problem. My fault.

That first sentence is music to my ears :)
Abhishek Arya
Comment 6 2012-03-16 13:15:43 PDT
(In reply to comment #5)
> (In reply to comment #4)
> > I see the problem. My fault.
>
> That first sentence is music to my ears :)

(In reply to comment #4)
> I see the problem. My fault.

Does the bug need security flags? Is it a use-after-free?
Adam Barth
Comment 7 2012-03-16 13:16:24 PDT
> Does the bug need security flags ? is it a use after free ?

I'm not sure yet.
Adam Barth
Comment 8 2012-03-16 13:26:57 PDT
Created attachment 132358 [details]
needs changelog
Adam Barth
Comment 9 2012-03-16 13:27:39 PDT
Yes. It's a use-after-free, but the bug was introduced only 8 hours ago.
Adam Barth
Comment 10 2012-03-16 13:54:26 PDT
WebKit Review Bot
Comment 11 2012-03-16 16:41:38 PDT
Comment on attachment 132370 [details]
Patch

Clearing flags on attachment: 132370

Committed r111086: <http://trac.webkit.org/changeset/111086>
WebKit Review Bot
Comment 12 2012-03-16 16:41:43 PDT
All reviewed patches have been landed. Closing bug.
Kentaro Hara
Comment 13 2012-03-18 16:40:20 PDT
Reverted r111086 for reason: Chromium crash

Committed r111140: <http://trac.webkit.org/changeset/111140>
Adam Barth
Comment 14 2012-03-19 00:34:04 PDT
> Chromium crash

What crashes?
Adam Barth
Comment 15 2012-03-19 00:34:38 PDT
BTW, this patch is "correct" in the sense that we need to call the base class here. There might be other things we need to change if this causes other crashes.
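The failure mode that the trace in comment 1 and the remark in comment 15 describe, as an added illustration that is not WebKit's code and not the patch from this bug (the patch itself is not shown on this page): a reduced C++ model in which a property keeps a raw back-pointer to its frame, the base class's disconnectFrame() is what clears that pointer when the frame goes away, and a subclass override that skips the base-class call leaves the pointer dangling until the property's destructor reaches through it after the frame is gone. All names here (Frame, FrameProperty, BuggyNotifications, FixedNotifications, Window, runScenario) are hypothetical stand-ins, and the live-frame registry replaces the real dereference so the model counts the stale access instead of crashing.

```cpp
// Added example, not WebKit's code: a model of the disconnect protocol
// inferred from the stack trace and from "we need to call the base class".
#include <memory>
#include <set>
#include <vector>

// Registry of frames that are still alive, so a stale pointer can be
// detected instead of dereferenced (stands in for what ASan/libgmalloc
// would report as a use-after-free in the real code).
static std::set<const void*> g_liveFrames;
static int g_staleFrameAccesses = 0;

struct Frame {
    Frame() { g_liveFrames.insert(this); }
    ~Frame() { g_liveFrames.erase(this); }
};

// Hypothetical base class: every property holds a raw back-pointer to its
// frame, and disconnectFrame() is the one place that clears it.
struct FrameProperty {
    explicit FrameProperty(Frame* frame) : m_frame(frame) {}
    virtual ~FrameProperty() {
        // Mirrors the destructor reaching through the frame (the
        // Frame::domWindow() call in the trace). If disconnectFrame() never
        // cleared m_frame, this touches a frame that no longer exists.
        if (m_frame && !g_liveFrames.count(m_frame))
            ++g_staleFrameAccesses;
    }
    virtual void disconnectFrame() { m_frame = nullptr; }
    Frame* m_frame;
};

// Buggy subclass: does its own teardown in the override and forgets to call
// the base class, so m_frame is left dangling.
struct BuggyNotifications : FrameProperty {
    using FrameProperty::FrameProperty;
    bool m_centerCleared = false;
    void disconnectFrame() override { m_centerCleared = true; }
};

// Fixed subclass: same teardown, then the base-class call that nulls m_frame.
struct FixedNotifications : FrameProperty {
    using FrameProperty::FrameProperty;
    bool m_centerCleared = false;
    void disconnectFrame() override {
        m_centerCleared = true;
        FrameProperty::disconnectFrame();
    }
};

// The window owns its properties and is told when its frame is going away
// so that it can disconnect them before the frame's memory is reused.
struct Window {
    std::vector<std::unique_ptr<FrameProperty>> properties;
    void frameDestroyed() {
        for (auto& p : properties)
            p->disconnectFrame();
    }
};

// Scenario from the bug: the frame dies first, and the window (with its
// properties) is only freed later, as by the GC weak callback in the trace.
// Returns how many stale frame accesses the window's destruction produced.
template <typename Property>
int runScenario() {
    g_staleFrameAccesses = 0;
    auto window = std::make_unique<Window>();
    {
        Frame frame;
        window->properties.push_back(std::make_unique<Property>(&frame));
        window->frameDestroyed();  // the frame is about to go away
    }                              // frame freed here
    window.reset();                // ~FrameProperty runs now, after the frame
    return g_staleFrameAccesses;   // 1 for the buggy subclass, 0 for the fixed one
}
```

The point of the model is that the order of destruction is the real issue: the property's destructor runs long after the frame is gone, so anything that skips the base-class disconnect turns a harmless back-pointer into a dangling one, which is why ASan or libgmalloc with --repeat-each is the right tool for confirming the fix rather than a single run that may happen to reuse the memory benignly.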
Kentaro Hara
Comment 16 2012-03-19 00:36:35 PDT
(In reply to comment #15)
> BTW, this patch is "correct" in the sense that we need to call the base class here. There might be other things we need to change if this causes other crashes.

Adam: This one https://mail.google.com/mail/u/0/?ui=2&shva=1#inbox/1362401bf41e9c9e

I could not fix the crash in hours, and since it is marked as a release-block bug, I rolled out suspicious patches.
Levi Weintraub
Comment 17 2012-03-19 00:37:56 PDT
(In reply to comment #16)
> (In reply to comment #15)
> > BTW, this patch is "correct" in the sense that we need to call the base class here. There might be other things we need to change if this causes other crashes.
>
> Adam: This one https://mail.google.com/mail/u/0/?ui=2&shva=1#inbox/1362401bf41e9c9e
>
> I could not fix the crash in hours, and since it is marked as a release-block bug, I rolled out suspicious patches.

Can you provide a link that isn't to an email in your gmail ;)
Kentaro Hara
Comment 18 2012-03-19 00:39:48 PDT
(In reply to comment #17)
> Can you provide a link that isn't to an email in your gmail ;)

Oops, this one :) http://code.google.com/p/chromium/issues/detail?id=118796
Adam Barth
Comment 19 2012-03-19 21:25:00 PDT
This should be fixed now since we rolled out the cause of the problem. Please re-open if that's not correct.
Radar WebKit Bug Importer
Comment 20 2012-03-21 10:34:40 PDT