Status: Untriaged Owner: ---- Labels: Type-Bug Pri-2 OS-Linux Area-Misc Size-Medium valgrind
New issue 9552 by [email protected]: Invalid read in WebCore::ScheduledAction::execute() in LayoutTests/fast/dom/javascript-url-crash-function.html http://code.google.com/p/chromium/issues/detail?id=9552 Valgrinding LayoutTests/fast/dom/javascript-url-crash-function.html showed a use-after-free (an invalid read inside a freed HTMLDocument block, see the "free'd" stack below) in both release and debug builds: 18:13:46 valgrind_analyze.py [ERROR] InvalidRead Invalid read of size 4 WebCore::ScheduledAction::execute(WebCore::ScriptExecutionContext*) (third_party/WebKit/WebCore/bindings/v8/ScheduledAction.cpp:108) WebCore::DOMTimer::fired() (third_party/WebKit/WebCore/page/DOMTimer.cpp:125) WebCore::ThreadTimers::fireTimers(double, WTF::Vector<WebCore::TimerBase*, 0u> const&) (third_party/WebKit/WebCore/platform/ThreadTimers.cpp:111) WebCore::ThreadTimers::sharedTimerFiredInternal() (third_party/WebKit/WebCore/platform/ThreadTimers.cpp:141) WebCore::ThreadTimers::sharedTimerFired() (third_party/WebKit/WebCore/platform/ThreadTimers.cpp:122) webkit_glue::WebKitClientImpl::DoTimeout() (webkit/glue/webkitclient_impl.h:40) void DispatchToMethod<webkit_glue::WebKitClientImpl, void (webkit_glue::WebKitClientImpl::*)()>(webkit_glue::WebKitClientImpl*, void (webkit_glue::WebKitClientImpl::*)(), Tuple0 const&) (base/tuple.h:383) base::BaseTimer<webkit_glue::WebKitClientImpl, false>::TimerTask::Run() (base/timer.h:160) MessageLoop::RunTask(Task*) (base/message_loop.cc:308) MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) (base/message_loop.cc:316) MessageLoop::DoWork() (base/message_loop.cc:416) base::MessagePumpForUI::HandleDispatch() (base/message_pump_glib.cc:190) (anonymous namespace)::WorkSourceDispatch(_GSource*, int (*)(void*), void*) (base/message_pump_glib.cc:75) g_main_context_dispatch (/usr/lib32/libglib-2.0.so.0.1600.3.bak) 0x112A5E5D (/usr/lib32/libglib-2.0.so.0.1600.3.bak) g_main_context_iteration (/usr/lib32/libglib-2.0.so.0.1600.3.bak) base::MessagePumpForUI::Run(base::MessagePump::Delegate*) (base/message_pump_glib.cc:149) 
MessageLoop::RunInternal() (base/message_loop.cc:197) MessageLoop::RunHandler() (base/message_loop.cc:180) MessageLoop::Run() (base/message_loop.cc:154) TestShell::WaitTestFinished() (webkit/tools/test_shell/test_shell_gtk.cc:428) TestShell::RunFileTest(TestShell::TestParams const&) (webkit/tools/test_shell/test_shell_gtk.cc:543) main (webkit/tools/test_shell/test_shell_main.cc:276) Address 0x1239af80 is 48 bytes inside a block of size 3,088 free'd operator delete(void*) (valgrind/trunk/coregrind/m_replacemalloc/vg_replace_malloc.c:362) WebCore::HTMLDocument::~HTMLDocument() (third_party/WebKit/WebCore/html/HTMLDocument.cpp:91) WebCore::Document::selfOnlyDeref() (third_party/WebKit/WebCore/dom/Document.h:208) WebCore::DocPtr<WebCore::Document>::~DocPtr() (third_party/WebKit/WebCore/dom/DocPtr.h:32) WebCore::Document::removedLastRef() (third_party/WebKit/WebCore/dom/Document.cpp:427) WebCore::TreeShared<WebCore::Node>::deref() (third_party/WebKit/WebCore/platform/TreeShared.h:69) WTF::RefPtr<WebCore::Document>::operator=(WTF::PassRefPtr<WebCore::Document> const&) (third_party/WebKit/JavaScriptCore/wtf/RefPtr.h:131) WebCore::Frame::setDocument(WTF::PassRefPtr<WebCore::Document>) (third_party/WebKit/WebCore/page/Frame.cpp:264) WebCore::FrameLoader::clear(bool, bool) (third_party/WebKit/WebCore/loader/FrameLoader.cpp:853) WebCore::FrameLoader::begin(WebCore::KURL const&, bool, WebCore::SecurityOrigin*) (third_party/WebKit/WebCore/loader/FrameLoader.cpp:933) WebCore::FrameLoader::executeIfJavaScriptURL(WebCore::KURL const&, bool, bool) (third_party/WebKit/WebCore/loader/FrameLoader.cpp:776) WebCore::FrameLoader::requestFrame(WebCore::HTMLFrameOwnerElement*, WebCore::String const&, WebCore::AtomicString const&) (third_party/WebKit/WebCore/loader/FrameLoader.cpp:470) WebCore::HTMLFrameElementBase::openURL() (third_party/WebKit/WebCore/html/HTMLFrameElementBase.cpp:104) WebCore::HTMLFrameElementBase::setLocation(WebCore::String const&) 
(third_party/WebKit/WebCore/html/HTMLFrameElementBase.cpp:213) WebCore::HTMLFrameElementBase::parseMappedAttribute(WebCore::MappedAttribute*) (third_party/WebKit/WebCore/html/HTMLFrameElementBase.cpp:112) WebCore::HTMLIFrameElement::parseMappedAttribute(WebCore::MappedAttribute*) (third_party/WebKit/WebCore/html/HTMLIFrameElement.cpp:86) WebCore::StyledElement::attributeChanged(WebCore::Attribute*, bool) (third_party/WebKit/WebCore/dom/StyledElement.cpp:189) WebCore::Element::setAttribute(WebCore::QualifiedName const&, WebCore::AtomicString const&, int&) (third_party/WebKit/WebCore/dom/Element.cpp:545) WebCore::Element::setAttribute(WebCore::QualifiedName const&, WebCore::AtomicString const&) (third_party/WebKit/WebCore/dom/Element.cpp:129) WebCore::HTMLFrameElementBase::setSrc(WebCore::String const&) (third_party/WebKit/WebCore/html/HTMLFrameElementBase.cpp:305) WebCore::V8Custom::v8HTMLIFrameElementSrcAccessorSetter(v8::Local<v8::String>, v8::Local<v8::Value>, v8::AccessorInfo const&) (webkit/port/bindings/v8/v8_custom.cpp:834) v8::internal::JSObject::SetPropertyWithCallback(v8::internal::Object*, v8::internal::String*, v8::internal::Object*, v8::internal::JSObject*) (v8/src/objects.cc:1496) v8::internal::JSObject::SetProperty(v8::internal::LookupResult*, v8::internal::String*, v8::internal::Object*, PropertyAttributes) (v8/src/objects.cc:1762) v8::internal::JSObject::SetProperty(v8::internal::String*, v8::internal::Object*, PropertyAttributes) (v8/src/objects.cc:1450) v8::internal::StoreIC::Store(v8::internal::InlineCacheState, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::String>, v8::internal::Handle<v8::internal::Object>) (v8/src/ic.cc:850) v8::internal::StoreIC_Miss(v8::internal::Arguments) (v8/src/ic.cc:1136) -- You received this message because you are listed in the owner or CC fields of this issue, or because you starred this issue. 
