Bug 81488 - Empty beforeload event listener makes web process crash when visiting this web page
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Mac (Intel) OS X 10.7
Importance: P2 Normal
Assignee: Nobody
URL: http://www.zennioptical.com/
Keywords:
Depends on:
Blocks:
Reported: 2012-03-18 21:12 PDT by Marc Hoyois
Modified: 2012-07-23 10:39 PDT

See Also:


Attachments
Minimal extension that causes the crash (5.00 KB, application/octet-stream), 2012-03-18 21:12 PDT, Marc Hoyois
Crash log (54.06 KB, text/plain), 2012-03-19 11:08 PDT, Marc Hoyois

Description Marc Hoyois 2012-03-18 21:12:08 PDT
Created attachment 132538
Minimal extension that causes the crash

Overview:

The presence of any beforeload event listener makes Safari's web process crash when visiting http://www.zennioptical.com/.

Steps to reproduce:
!! WEB PROCESS WILL CRASH AND ALL TABS WILL RELOAD WHEN YOU DO THIS !!

1. Install the attached minimal extension, which has the following injected script:

// Empty listener; its presence alone is enough to trigger the crash.
function handleBeforeLoadEvent(event) {}
document.addEventListener("beforeload", handleBeforeLoadEvent, true);

(This will also work with any of the standard extensions that use beforeload, obviously.)

2. Visit http://www.zennioptical.com/.
3. Wait a few seconds and observe the crash!

Build date & platform: tested with Safari 5.2 and nightly build 7535.18.5, 536+. Happens in Safari 5.1.4 as well.
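For readers unfamiliar with what the "standard extensions that use beforeload" mentioned above actually do with this event, here is an added example of a content-blocking beforeload handler in the style of a Safari extension injected script. It is not code from the bug report or the attachment. It assumes WebKit's BeforeLoadEvent exposes the resource URL as event.url and that preventDefault() cancels the load; the blocklist hostnames are constructed sample values. The decision logic is kept in a pure function so it can be exercised outside a browser.

```javascript
// Added example, not part of bug 81488: a beforeload listener that blocks
// subresource loads from a constructed blocklist of third-party hosts.
// Assumptions: BeforeLoadEvent carries the resource URL in event.url and
// preventDefault() cancels the load (the Safari-extension-era WebKit API).

// Constructed sample blocklist; hostnames are placeholders, not real sites.
const BLOCKED_HOSTS = new Set(["ads.example", "tracker.example"]);

// Decide whether a resource URL should be blocked when loaded by a page at
// pageOrigin. Pure function so it can be tested without a DOM. Relative URLs
// resolve against pageOrigin; anything that fails to parse is allowed through
// so a malformed URL cannot break the page.
function shouldBlock(url, pageOrigin) {
  let parsed;
  try {
    parsed = new URL(url, pageOrigin);
  } catch (e) {
    return false;
  }
  // Same-origin resources are never blocked; only third-party hosts are checked.
  if (parsed.origin === pageOrigin) return false;
  return BLOCKED_HOSTS.has(parsed.hostname);
}

// The actual listener: consult shouldBlock() and cancel the load if needed.
function handleBeforeLoadEvent(event) {
  if (typeof event.url !== "string") return;
  if (shouldBlock(event.url, window.location.origin)) {
    event.preventDefault();
  }
}

// Register only when a DOM exists, so the file also runs under Node for tests.
if (typeof document !== "undefined") {
  document.addEventListener("beforeload", handleBeforeLoadEvent, true);
}
```

Capturing-phase registration (the third argument, true) matches the bug report's snippet: beforeload fires on the element that is about to load the resource, so a listener on document must capture to see it before the element's own handlers.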
Comment 1 Alexey Proskuryakov 2012-03-19 10:52:52 PDT
Could you please attach a crash log?
Comment 2 Marc Hoyois 2012-03-19 11:08:44 PDT
Created attachment 132611
Crash log
Comment 3 Alexey Proskuryakov 2012-03-19 11:15:28 PDT
0   com.apple.JavaScriptCore      	0x00007fff924620e8 JSC::Weak<JSC::JSCell>::Weak(JSC::JSGlobalData&, JSC::JSCell*, JSC::WeakHandleOwner*, void*) + 56
1   com.apple.JavaScriptCore      	0x00007fff92462001 JSC::Heap::addFinalizer(JSC::JSCell*, void (*)(JSC::JSCell*)) + 33
2   com.apple.JavaScriptCore      	0x00007fff923f07b4 JSC::evaluate(JSC::ExecState*, JSC::ScopeChainNode*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) + 148
Comment 4 Marc Hoyois 2012-07-23 10:39:26 PDT
It doesn't crash anymore, so I assume the bug was fixed.