WebKit Bugzilla
Bug 85095 - Crash in WebCore::TextTrackList::remove
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=85095
Dimitris Apostolou
Reported 2012-04-27 13:29:32 PDT

Created attachment 139259 [details]
Crash log.

5.2 (8536.6.1)
Reproducibility: always
Steps: Go to http://windows.microsoft.com/en-US/skydrive/home
What happened: Crash.

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore          0x00007fff8cf141ef WebCore::TextTrackList::remove(WebCore::TextTrack*) + 47
1   com.apple.WebCore          0x00007fff8cb3e3c9 WebCore::HTMLMediaElement::willRemoveTrack(WebCore::HTMLTrackElement*) + 73
2   com.apple.WebCore          0x00007fff8cb53ec6 WebCore::HTMLTrackElement::willRemove() + 70
3   com.apple.WebCore          0x00007fff8c412425 WebCore::ContainerNode::willRemove() + 277
4   com.apple.WebCore          0x00007fff8c4125a3 WebCore::Element::willRemove() + 163
5   com.apple.WebCore          0x00007fff8c3aea08 WebCore::ContainerNode::removeChildren() + 344
6   com.apple.WebCore          0x00007fff8c45917f WebCore::ContainerNode::appendChild(WTF::PassRefPtr<WebCore::Node>, int&, bool) + 143
7   com.apple.WebCore          0x00007fff8cd731a6 WebCore::replaceChildrenWithFragment(WebCore::ContainerNode*, WTF::PassRefPtr<WebCore::DocumentFragment>, int&) + 310
8   com.apple.WebCore          0x00007fff8c457ef4 WebCore::HTMLElement::setInnerHTML(WTF::String const&, int&) + 68
9   com.apple.WebCore          0x00007fff8c457e69 WebCore::setJSHTMLElementInnerHTML(JSC::ExecState*, JSC::JSObject*, JSC::JSValue) + 57
10  com.apple.WebCore          0x00007fff8cc682be bool JSC::lookupPut<WebCore::JSHTMLElement>(JSC::ExecState*, JSC::Identifier const&, JSC::JSValue, JSC::HashTable const*, WebCore::JSHTMLElement*, bool) + 254
11  com.apple.WebCore          0x00007fff8cc67a9e WebCore::JSHTMLElement::put(JSC::JSCell*, JSC::ExecState*, JSC::Identifier const&, JSC::JSValue, JSC::PutPropertySlot&) + 62
12  com.apple.JavaScriptCore   0x00007fff899bb938 llint_slow_path_put_by_id + 328
13  com.apple.JavaScriptCore   0x00007fff899c21a9 llint_op_put_by_id + 138
14  com.apple.JavaScriptCore   0x00007fff897c000a JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*) + 3098
15  com.apple.JavaScriptCore   0x00007fff89877204 JSC::evaluate(JSC::ExecState*, JSC::ScopeChainNode*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) + 340
16  com.apple.WebCore          0x00007fff8c3f8fe6 WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld*) + 422
17  com.apple.WebCore          0x00007fff8c3f8c39 WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&) + 41
18  com.apple.WebCore          0x00007fff8c41cdfb WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) + 155
19  com.apple.WebCore          0x00007fff8ce4b686 WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport) + 1078
20  com.apple.WebCore          0x00007fff8cb48d66 WebCore::HTMLScriptRunner::runScript(WebCore::Element*, WTF::TextPosition const&) + 294
21  com.apple.WebCore          0x00007fff8cb48bf0 WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element>, WTF::TextPosition const&) + 48
22  com.apple.WebCore          0x00007fff8c41c364 WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() + 84
23  com.apple.WebCore          0x00007fff8c3b18e8 WebCore::HTMLDocumentParser::canTakeNextToken(WebCore::HTMLDocumentParser::SynchronousMode, WebCore::PumpSession&) + 88
24  com.apple.WebCore          0x00007fff8c3b170c WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) + 268
25  com.apple.WebCore          0x00007fff8c55785b WebCore::HTMLDocumentParser::resumeParsingAfterYield() + 27
26  com.apple.WebCore          0x00007fff8c390834 WebCore::ThreadTimers::sharedTimerFiredInternal() + 148
27  com.apple.WebCore          0x00007fff8ce6da93 WebCore::timerFired(__CFRunLoopTimer*, void*) + 51
28  com.apple.CoreFoundation   0x00007fff885a8a24 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
29  com.apple.CoreFoundation   0x00007fff885a853d __CFRunLoopDoTimer + 557
30  com.apple.CoreFoundation   0x00007fff8858dd39 __CFRunLoopRun + 1513
31  com.apple.CoreFoundation   0x00007fff8858d352 CFRunLoopRunSpecific + 290
32  com.apple.HIToolbox        0x00007fff8a788d14 RunCurrentEventLoopInMode + 209
33  com.apple.HIToolbox        0x00007fff8a79055e ReceiveNextEventCommon + 356
34  com.apple.HIToolbox        0x00007fff8a7903ef BlockUntilNextEventMatchingListInMode + 62
35  com.apple.AppKit           0x00007fff8676c39b _DPSNextEvent + 685
36  com.apple.AppKit           0x00007fff8676bc59 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
37  com.apple.AppKit           0x00007fff86768283 -[NSApplication run] + 517
38  com.apple.WebCore          0x00007fff8ce42eaf WebCore::RunLoop::run() + 63
39  com.apple.WebKit2          0x00007fff8bfca38f WebKit::WebProcessMain(WebKit::CommandLine const&) + 2597
40  com.apple.WebKit2          0x00007fff8bf94e05 WebKitMain + 285
41  com.apple.WebProcess       0x000000010a677e7b 0x10a677000 + 3707
42  libdyld.dylib              0x00007fff903287e1 start + 1

Expected result: WebKit does not crash.
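The trace above names a concrete DOM path: an innerHTML assignment (frame 8) replaces the host's children (frames 7 to 5), removing an HTMLTrackElement (frame 2) whose parent media element then calls willRemoveTrack (frame 1) and TextTrackList::remove (frame 0). The reduced test case below is an added example, not the reporter's steps, the attached patch, or a WebKit layout test. It assumes, from the trace alone and not from anything stated on the page, that a <track> child of a media element being removed by an innerHTML assignment is enough to reach that path; the element id `host`, the markup, the track `src` value and the function names are made up for illustration.

```javascript
// Reduced test case inferred from the crash trace (added example; not from bug 85095 or its patch).
// Assumption (not stated on the page): removing a <track> that sits inside a media element via
// an innerHTML assignment is what drives HTMLTrackElement::willRemove -> TextTrackList::remove.

// Constructed markup: a host container whose subtree has a <video> with one <track>.
// The track src is arbitrary; the element only has to exist in the tree when it is removed.
function reductionMarkup() {
  return '<div id="host">' +
         '<video><track kind="subtitles" src="placeholder.vtt" srclang="en"></video>' +
         '</div>';
}

// Performs the operation that matches frames 8..0: assigning innerHTML on the host replaces
// its children, which detaches the <track> and notifies its parent media element.
// `doc` is any object with getElementById(); the returned counts let a caller confirm the
// track really was present before and gone after, rather than only "no crash".
function triggerTrackRemoval(doc) {
  const host = doc.getElementById('host');
  if (!host) throw new Error('reduction markup not installed');
  const tracksBefore = host.querySelectorAll('track').length;
  host.innerHTML = '';   // frame 8: HTMLElement::setInnerHTML -> removeChildren -> HTMLTrackElement::willRemove
  const tracksAfter = host.querySelectorAll('track').length;
  return { tracksBefore: tracksBefore, tracksAfter: tracksAfter };
}

// Browser entry point: install the markup, run the removal, and report whether the process
// survived with the expected before/after counts. Skipped when there is no DOM (e.g. Node).
if (typeof document !== 'undefined') {
  document.body.innerHTML = reductionMarkup();
  const r = triggerTrackRemoval(document);
  document.body.textContent = (r.tracksBefore === 1 && r.tracksAfter === 0)
    ? 'PASS: track removed via innerHTML without a crash'
    : 'FAIL: unexpected track counts ' + JSON.stringify(r);
}
```

Load this as a page in the build under test; on an affected build the trace above predicts the web process dies at the innerHTML assignment, on a fixed build the page shows the PASS line. Keeping the before/after counts in the return value makes the same reduction usable as a regression test rather than only a crash trigger.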
Attachments
Crash log. (56.82 KB, text/plain), 2012-04-27 13:29 PDT, Dimitris Apostolou, no flags
Proposed patch (3.48 KB, patch), 2012-05-02 13:50 PDT, Eric Carlson, mjs: review+
Alexey Proskuryakov
Comment 1, 2012-04-27 16:06:59 PDT

<rdar://problem/11267597>
Eric Carlson
Comment 2, 2012-05-02 13:50:08 PDT

Created attachment 139876 [details]
Proposed patch
Maciej Stachowiak
Comment 3, 2012-05-02 14:48:56 PDT

Comment on attachment 139876 [details]
Proposed patch

r=me
Eric Carlson
Comment 4, 2012-05-02 15:01:09 PDT

http://trac.webkit.org/changeset/115896