Updates:
        Cc: [email protected] [email protected]

Comment #17 on issue 27068 by [email protected]: Crash - WebCore::QualifiedName::matches(WebCore::QualifiedName const &)
http://code.google.com/p/chromium/issues/detail?id=27068

Another update (mostly for myself to keep sanity). I wasn't able to find a repro or a cause. Found that:

* The code paths where I thought I could sneak in NULL Attribute::m_impl (like default constructor or HashSet failure) are checked and cause access violation much earlier in the game. I am pretty sure this confirms that the cause of the crash is not due to mishandling of m_impl.
* So far, the only way that I was able to repro the crash was by breaking, zeroing out the m_impl, and resuming. Is this a memory corruption case? I dunno.

Spent some of the time looking at distinct clients and similarities. Here's what I was able to discover:

* The crash is concentrated. Only 669 clients report it (around 0.3%), but most have multiple crash reports.
* Some of the reports for the crash also have a very interesting stack trace that contains a document.evaluate(...) call (http://crash/search?query=+product:%22Chrome%22+version:%224.0.249.0%22+crashed_thread_function_name:%22WebCore::V8Custom::v8DocumentEvaluateCallback(v8::Arguments+const+%26)%22). Given that Youtube doesn't use XPath queries in their JS or AS, it's safe to assume that's an extension at work.
* Another "extensioney" stack trace -- insertion of a stylesheet: http://crash/search?query=+product:%22Chrome%22+version:%224.0.249.4%22+crashed_thread_function_name:%22WebCore::HTMLStyleElement::insertedIntoDocument()%22


And the final plea for help:

+abarth

Is there _any_ chance isolated worlds could cause something like this? I can't see how, but I am totally grasping for straws :)

-- 
Automated mail from issue updates at http://crbug.com/