patch for oft-seen crash in HTMLTokenizer::notifyFinished
John Sullivan
sullivan at apple.com
Wed Dec 17 03:30:12 CET 2003
>> Doesn't look reproducible to me. I'm more worried about how you were
>> able to trigger it.
>>
>> As far as I can interpret the patch, it seems that notifyFinished() is
>> recursing into itself during script execution, or that in your
>> codebase there is another place that dequeues external scripts. The
>> second case would be wrong, the first one very weird. It looks to me
>> like scripts would be executed out of order then, which is a bug.
>
> It could be that there is some fundamental ordering issue remaining.
> The almost-reproducible case was elusive in that trying to debug it
> with breakpoints or to a lesser extent printfs would prevent the bug
> from occurring, so there does seem to be a timing-related component.
> No other code was calling dequeue() when the bug was occurring, but
> it's possible that the cachedScript linked list was being
> deconstructed in some more manual fashion.

I debugged this a little more. It is the case that notifyFinished() is
recursing into itself during script execution. What's happening is that
the top-level notifyFinished() is calling executeScript(), which is
calling document.write() to write out a script tag. The script tag
being written out has notifyFinished() called on it synchronously,
apparently because that script is already cached. This is the nested
notifyFinished() that dequeues cachedScript a 2nd time. I've pasted the
backtrace from the nested dequeue call below. Note that
notifyFinished() is at stack frame 0 as well as stack frame 34; when it
gets back to frame 34 "finished" is still false but cachedScript is now
empty, which causes the nil dereference in the line "while (!finished
&& cachedScript.head()->isLoaded())". The fix I made to move the line
that sets "finished" to after the scriptExecution() call still seems
like a correct one to me. Do you agree?
John

#0 HTMLTokenizer::notifyFinished(khtml::CachedObject*)
(this=0x294c800) at khtml/html/htmltokenizer.cpp:1812
#1 0x0917b9f8 in khtml::CachedScript::ref(khtml::CachedObjectClient*)
(this=0x76ae960, c=0x294c850) at khtml/misc/loader.cpp:298
#2 0x09171aac in HTMLTokenizer::scriptHandler() (this=0x294c800) at
khtml/html/htmltokenizer.cpp:506
#3 0x091712e8 in HTMLTokenizer::parseSpecial(khtml::DOMStringIt&)
(this=0x294c800, src=@0x294ce3c) at khtml/html/htmltokenizer.cpp:417
#4 0x09174e98 in HTMLTokenizer::parseTag(khtml::DOMStringIt&)
(this=0x294c800, src=@0x294ce3c) at khtml/html/htmltokenizer.cpp:1295
#5 0x09175a0c in HTMLTokenizer::write(QString const&, bool)
(this=0x294c800, str=@0xbfffcf50, appendData=false) at
khtml/html/htmltokenizer.cpp:1544
#6 0x091d1534 in DOM::DocumentImpl::write(QString const&)
(this=0x295a200, text=@0xbfffcf50) at khtml/xml/dom_docimpl.cpp:1309
#7 0x091d1448 in DOM::DocumentImpl::write(DOM::DOMString const&)
(this=0x295a200, text=@0xbfffd040) at khtml/xml/dom_docimpl.cpp:1300
#8 0x090c1bb0 in DOM::HTMLDocument::write(DOM::DOMString const&)
(this=0xbfffd050, text=@0xbfffd040) at khtml/dom/html_document.cpp:225
#9 0x090fd3c0 in KJS::HTMLDocFunction::tryCall(KJS::ExecState*,
KJS::Object&, KJS::List const&) (this=0x736dc40, exec=0xbfffd8b0,
thisObj=@0xbfffd340, args=@0xbfffd310) at khtml/ecma/kjs_html.cpp:108
#10 0x090dbc40 in KJS::DOMFunction::call(KJS::ExecState*, KJS::Object&,
KJS::List const&) (this=0x736dc40, exec=0xbfffd8b0,
thisObj=@0xbfffd340, args=@0xbfffd310) at
khtml/ecma/kjs_binding.cpp:110
#11 0x0803acdc in KJS::Object::call(KJS::ExecState*, KJS::Object&,
KJS::List const&) (this=0xbfffd320, exec=0xbfffd8b0,
thisObj=@0xbfffd340, args=@0xbfffd310) at kjs/object.cpp:68
#12 0x08027a70 in KJS::FunctionCallNode::evaluate(KJS::ExecState*)
(this=0x7c2b970, exec=0xbfffd8b0) at kjs/nodes.cpp:723
#13 0x0802f3b0 in KJS::ExprStatementNode::execute(KJS::ExecState*)
(this=0x7c2b990, exec=0xbfffd8b0) at kjs/nodes.cpp:1762
#14 0x0803871c in KJS::SourceElementsNode::execute(KJS::ExecState*)
(this=0x7c2b9c0, exec=0xbfffd8b0) at kjs/nodes.cpp:2833
#15 0x0802f0c8 in KJS::BlockNode::execute(KJS::ExecState*)
(this=0x7c2b9f0, exec=0xbfffd8b0) at kjs/nodes.cpp:1724
#16 0x08032cd4 in KJS::ForInNode::execute(KJS::ExecState*)
(this=0x7c2ba20, exec=0xbfffd8b0) at kjs/nodes.cpp:2090
#17 0x0803871c in KJS::SourceElementsNode::execute(KJS::ExecState*)
(this=0x7c2ba90, exec=0xbfffd8b0) at kjs/nodes.cpp:2833
#18 0x0802f0c8 in KJS::BlockNode::execute(KJS::ExecState*)
(this=0x7c2bac0, exec=0xbfffd8b0) at kjs/nodes.cpp:1724
#19 0x08012964 in KJS::DeclaredFunctionImp::execute(KJS::ExecState*)
(this=0x7550360, exec=0xbfffd8b0) at kjs/function.cpp:299
#20 0x08011820 in KJS::FunctionImp::call(KJS::ExecState*, KJS::Object&,
KJS::List const&) (this=0x7550360, exec=0xbfffde40,
thisObj=@0xbfffda00, args=@0xbfffd9d0) at kjs/function.cpp:106
#21 0x0803acdc in KJS::Object::call(KJS::ExecState*, KJS::Object&,
KJS::List const&) (this=0xbfffd9e0, exec=0xbfffde40,
thisObj=@0xbfffda00, args=@0xbfffd9d0) at kjs/object.cpp:68
#22 0x08027a70 in KJS::FunctionCallNode::evaluate(KJS::ExecState*)
(this=0x7c31b40, exec=0xbfffde40) at kjs/nodes.cpp:723
#23 0x0802f3b0 in KJS::ExprStatementNode::execute(KJS::ExecState*)
(this=0x7c31b60, exec=0xbfffde40) at kjs/nodes.cpp:1762
#24 0x0803871c in KJS::SourceElementsNode::execute(KJS::ExecState*)
(this=0x7c31b90, exec=0xbfffde40) at kjs/nodes.cpp:2833
#25 0x0802f0c8 in KJS::BlockNode::execute(KJS::ExecState*)
(this=0x7c31bc0, exec=0xbfffde40) at kjs/nodes.cpp:1724
#26 0x0802f9b4 in KJS::IfNode::execute(KJS::ExecState*)
(this=0x7c31bf0, exec=0xbfffde40) at kjs/nodes.cpp:1803
#27 0x0803888c in KJS::SourceElementsNode::execute(KJS::ExecState*)
(this=0x7675380, exec=0xbfffde40) at kjs/nodes.cpp:2839
#28 0x0802f0c8 in KJS::BlockNode::execute(KJS::ExecState*)
(this=0x7c33240, exec=0xbfffde40) at kjs/nodes.cpp:1724
#29 0x0801c4d0 in KJS::InterpreterImp::evaluate(KJS::UString const&,
KJS::Value const&) (this=0x749b1f0, code=@0xbfffdfc0,
thisV=@0xbfffdfb0) at kjs/internal.cpp:822
#30 0x0801e070 in KJS::Interpreter::evaluate(KJS::UString const&,
KJS::Value const&, KJS::UString const&) (this=0x76c4120,
code=@0xbfffdfc0, thisV=@0xbfffdfb0, filename=@0xbfffdfe0) at
kjs/interpreter.cpp:120
#31 0x091233c4 in KJSProxyImpl::evaluate(QString, int, QString const&,
DOM::Node const&) (this=0x76bfa40, filename={dataHandle = 0x7f5b30,
internalData = {refCount = 0, _length = 0, _unicode = 0x0, _ascii =
0xbfffe10c "", _maxUnicode = 10, _isUnicodeValid = 0, _isHeapAllocated
= 0, _maxAscii = 19, _isAsciiValid = 1, _internalBuffer =
"\000\377\341\220\277\377\341@\240\237\260\264\t\004c\000\000\000\000"}}
, baseLine=0, str=@0xbfffe2f0, n=@0xbfffe1d0) at
khtml/ecma/kjs_proxy.cpp:118
#32 0x09077564 in KHTMLPart::executeScript(QString, int, DOM::Node
const&, QString const&) (this=0x74a2ba0, filename={dataHandle =
0x7f5b30, internalData = {refCount = 0, _length = 0, _unicode = 0x0,
_ascii = 0xbfffe21c "", _maxUnicode = 10, _isUnicodeValid = 0,
_isHeapAllocated = 0, _maxAscii = 19, _isAsciiValid = 1,
_internalBuffer =
"\000\224\316\f\000\000\000\f\002\200\000\000\277\377\343
\277\377\342\300"}}, baseLine=0, n=@0xbfffe1d0, script=@0xbfffe2f0) at
khtml/khtml_part.cpp:5342
#33 0x09171fb8 in HTMLTokenizer::scriptExecution(QString const&,
QString, int) (this=0x294c800, str=@0xbfffe2f0, scriptURL={dataHandle =
0x7f5b30, internalData = {refCount = 0, _length = 0, _unicode = 0x0,
_ascii = 0xbfffe33c "", _maxUnicode = 10, _isUnicodeValid = 0,
_isHeapAllocated = 0, _maxAscii = 19, _isAsciiValid = 1,
_internalBuffer =
"\000g\226t\277\377\343\220\240\237\260\264\t\n\377\274\t\027\354d"}},
baseLine=0) at khtml/html/htmltokenizer.cpp:566
#34 0x09176b94 in HTMLTokenizer::notifyFinished(khtml::CachedObject*)
(this=0x294c800) at khtml/html/htmltokenizer.cpp:1825
#35 0x0917bcc0 in khtml::CachedScript::checkNotify() (this=0x7679670)
at khtml/misc/loader.cpp:326
#36 0x0917bbf4 in khtml::CachedScript::data(QBuffer&, bool)
(this=0x7679670, buffer=@0x7492814, eof=true) at
khtml/misc/loader.cpp:317
#37 0x0917ee9c in khtml::Loader::slotFinished(KIO::Job*)
(this=0x1367d10, job=0x7674350) at khtml/misc/loader.cpp:1265
<...>
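
The re-entrant dequeue John describes, as an added C++ model that is not KHTML's code (the struct and member names are assumptions for the illustration, and the two-script scenario is constructed): with "finished" computed before scriptExecution(), the outer frame re-tests a queue the nested call has already emptied; computed after it, the outer frame exits cleanly.

```cpp
// Added model of the re-entrant notifyFinished() from the post; not KHTML code.
// Executing a script may document.write() an already-cached script, which
// re-enters the same drain loop synchronously before the outer frame resumes.
#include <deque>
#include <string>
#include <vector>

struct Script { std::string name; bool loaded; std::string writesScript; };
struct Tokenizer {
    std::deque<Script> cachedScript;      // pending external scripts, document order
    std::vector<std::string> executed;    // names in the order they actually ran
    bool fixed = false;                   // false: original ordering, true: patched
    bool staleFinishedHit = false;        // outer frame re-tested an empty queue

    // Models document.write("<script src=...>") for a cached script: the tag is
    // enqueued and ref() then calls notifyFinished() synchronously (frames #0-#2).
    void documentWriteCachedScript(const std::string& name) {
        cachedScript.push_back({name, true, ""});
        notifyFinished();
    }

    void scriptExecution(const Script& s) {
        executed.push_back(s.name);
        if (!s.writesScript.empty()) documentWriteCachedScript(s.writesScript);
    }

    void notifyFinished() {
        bool finished = false;
        // Original condition: while (!finished && cachedScript.head()->isLoaded()).
        // head() is nil once a nested call drained the queue; that is the crash site.
        while (!finished) {
            if (cachedScript.empty()) { staleFinishedHit = true; return; }
            if (!cachedScript.front().loaded) return;
            Script cs = cachedScript.front();
            cachedScript.pop_front();
            if (!fixed) finished = cachedScript.empty();  // before execution: goes stale
            scriptExecution(cs);                          // may re-enter notifyFinished()
            if (fixed) finished = cachedScript.empty();   // after execution: the patch
        }
    }
};

// Constructed scenario: A and B are queued and loaded; A's body writes cached C.
Tokenizer runScenario(bool fixed) {
    Tokenizer t; t.fixed = fixed;
    t.cachedScript.push_back({"A", true, "C"});
    t.cachedScript.push_back({"B", true, ""});
    t.notifyFinished();
    return t;
}
```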