| Field | Value |
|---|---|
| Summary | Betsson.com crashes browser |
| Product | WebKit |
| Component | New Bugs |
| Status | RESOLVED FIXED |
| Severity | Major |
| Priority | P1 |
| Version | 420+ |
| Hardware | Mac |
| OS | OS X 10.4 |
| Reporter | Yael <yael> |
| Assignee | Nobody <webkit-unassigned> |
| CC | mitz, yael |
| Keywords | InRadar |
Description
Yael
2007-01-31 17:36:02 PST
Callstack in Safari:

```
#0  0x02cfaa8b in WebCore::Node::document at Node.h:268
#1  0x02a3a76e in WebCore::RenderLayer::createScrollbar at RenderLayer.cpp:985
#2  0x02a3a950 in WebCore::RenderLayer::setHasHorizontalScrollbar at RenderLayer.cpp:1011
#3  0x02a18892 in WebCore::RenderBlock::layoutBlock at RenderBlock.cpp:486
#4  0x02a0d066 in WebCore::RenderBlock::layout at RenderBlock.cpp:421
#5  0x02d78edf in WebCore::RenderObject::layoutIfNeeded at bidi.h:509
#6  0x02a1807e in WebCore::RenderBlock::layoutBlockChildren at RenderBlock.cpp:1103
#7  0x02a18947 in WebCore::RenderBlock::layoutBlock at RenderBlock.cpp:495
#8  0x02a0d066 in WebCore::RenderBlock::layout at RenderBlock.cpp:421
#9  0x02d78edf in WebCore::RenderObject::layoutIfNeeded at bidi.h:509
#10 0x02a1807e in WebCore::RenderBlock::layoutBlockChildren at RenderBlock.cpp:1103
#11 0x02a18947 in WebCore::RenderBlock::layoutBlock at RenderBlock.cpp:495
#12 0x02a0d066 in WebCore::RenderBlock::layout at RenderBlock.cpp:421
#13 0x02d78edf in WebCore::RenderObject::layoutIfNeeded at bidi.h:509
#14 0x02a061da in WebCore::RenderBlock::layoutInlineChildren at bidi.cpp:1532
#15 0x02a18908 in WebCore::RenderBlock::layoutBlock at RenderBlock.cpp:493
#16 0x02a0d066 in WebCore::RenderBlock::layout at RenderBlock.cpp:421
#17 0x02d78edf in WebCore::RenderObject::layoutIfNeeded at bidi.h:509
#18 0x02a16f94 in WebCore::RenderBlock::insertFloatingObject at RenderBlock.cpp:1854
#19 0x02a17b7d in WebCore::RenderBlock::handleFloatingChild at RenderBlock.cpp:666
#20 0x02a17c0a in WebCore::RenderBlock::handleSpecialChild at RenderBlock.cpp:638
#21 0x02a17eac in WebCore::RenderBlock::layoutBlockChildren at RenderBlock.cpp:1070
#22 0x02a18947 in WebCore::RenderBlock::layoutBlock at RenderBlock.cpp:495
#23 0x02a0d066 in WebCore::RenderBlock::layout at RenderBlock.cpp:421
#24 0x02d78edf in WebCore::RenderObject::layoutIfNeeded at bidi.h:509
#25 0x02a1807e in WebCore::RenderBlock::layoutBlockChildren at RenderBlock.cpp:1103
#26 0x02a18947 in WebCore::RenderBlock::layoutBlock at RenderBlock.cpp:495
#27 0x02a0d066 in WebCore::RenderBlock::layout at RenderBlock.cpp:421
#28 0x02d78edf in WebCore::RenderObject::layoutIfNeeded at bidi.h:509
#29 0x02a1807e in WebCore::RenderBlock::layoutBlockChildren at RenderBlock.cpp:1103
#30 0x02a18947 in WebCore::RenderBlock::layoutBlock at RenderBlock.cpp:495
#31 0x02a0d066 in WebCore::RenderBlock::layout at RenderBlock.cpp:421
#32 0x02d78edf in WebCore::RenderObject::layoutIfNeeded at bidi.h:509
#33 0x02a1807e in WebCore::RenderBlock::layoutBlockChildren at RenderBlock.cpp:1103
#34 0x02a18947 in WebCore::RenderBlock::layoutBlock at RenderBlock.cpp:495
#35 0x02a0d066 in WebCore::RenderBlock::layout at RenderBlock.cpp:421
#36 0x02a23943 in WebCore::RenderView::layout at RenderView.cpp:119
#37 0x029a8393 in WebCore::FrameView::layout at FrameView.cpp:509
#38 0x029a86af in WebCore::FrameView::layoutTimerFired at FrameView.cpp:1311
#39 0x02d523c5 in WebCore::Timer<WebCore::FrameView>::fired at Timer.h:96
#40 0x02ac0ab2 in WebCore::TimerBase::fireTimers at Timer.cpp:336
#41 0x02ac0b4f in WebCore::TimerBase::sharedTimerFired at Timer.cpp:353
#42 0x02ac0206 in WebCore::timerFired at SharedTimerMac.cpp:46
#43 0x9082b822 in CFRunLoopRunSpecific
#44 0x9082ab0e in CFRunLoopRunInMode
#45 0x92ddabef in RunCurrentEventLoopInMode
#46 0x92dda2fd in ReceiveNextEventCommon
#47 0x92dda154 in BlockUntilNextEventMatchingListInMode
#48 0x9327f465 in _DPSNextEvent
#49 0x9327f056 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:]
#50 0x00006cea in ??
#51 0x93278ddb in -[NSApplication run]
#52 0x9326cd2f in NSApplicationMain
```

This bug was reported originally against S60 Browser, but can be reproduced also on latest Safari code. The problem is that we make extensive use of m_object->document(), or m_object->element()->getDocument(). We don't check the return value and use the document. When dealing with anonymous boxes, like in this case, the return value of document is NULL, thus there is a crash.

Confirmed. Reproducible crashers are P1.

Created attachment 12976 [details]
Change ->element()->document() to ->document() to work with anonymous objects

Includes layout test and change log

Comment on attachment 12976 [details]
Change ->element()->document() to ->document() to work with anonymous objects

r=me

Committed revision 19435.
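As an added illustration of the pointer mistake and the fix discussed in this report (a constructed toy model, not WebKit's code; the class names mirror the report, the tree shape and the detail that an anonymous box stores the Document as its node are assumptions): the `->element()->document()` path dereferences a null Node for anonymous boxes, while `->document()` on the render object resolves for every box.

```cpp
// Constructed toy model of the accessors named in this bug report; not WebKit's
// code. The class names mirror the report; the layout shape is an assumption.
#include <vector>

struct Document;

struct Node {
    explicit Node(Document* d) : m_document(d) {}
    // Frame #0 of the reported crash is this accessor invoked on a null Node.
    Document* document() const { return m_document; }
    Document* m_document;
};

// A Document is a Node whose document is itself, so document() on it is safe.
struct Document : Node {
    Document() : Node(nullptr) { m_document = this; }
};

struct RenderObject {
    RenderObject(Node* node, bool anonymous) : m_node(node), m_anonymous(anonymous) {}
    // Anonymous boxes (generated by layout, e.g. to wrap inline runs inside a
    // block) have no DOM element behind them: element() is null for them.
    Node* element() const { return m_anonymous ? nullptr : m_node; }
    // Every box still knows its document, because an anonymous box stores the
    // Document itself as its node (assumed here). This is the accessor the fix uses.
    Document* document() const { return m_node->document(); }
    Node* m_node;
    bool m_anonymous;
};

// Pre-fix access path, ->element()->document(). The shipped code had no null
// check; the guard here only makes the failure observable instead of crashing.
Document* documentViaElement(const RenderObject& r) {
    Node* e = r.element();
    return e ? e->document() : nullptr;
}

// Post-fix access path (r19435): ask the render object directly.
Document* documentDirect(const RenderObject& r) { return r.document(); }

// A div whose mixed inline/block content made layout insert one anonymous block.
std::vector<RenderObject> buildTree(Document& doc, Node& divElement) {
    return { RenderObject(&divElement, false), RenderObject(&doc, true) };
}

// Count boxes for which the old element()->document() path would have crashed.
int countBoxesCrashingOldPath(const std::vector<RenderObject>& tree) {
    int n = 0;
    for (const RenderObject& r : tree)
        if (!r.element()) ++n;
    return n;
}
```

Any code path that reaches a render object during layout (scrollbar creation in frame #1 here) has to tolerate anonymous boxes, so the safe accessor is the one that never goes through the element.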