RESOLVED FIXED 12045
Crash under gmalloc at WTF::RefPtr<WebCore::HTMLSliderThumbElement>::operator->
https://bugs.webkit.org/show_bug.cgi?id=12045
Summary Crash under gmalloc at WTF::RefPtr<WebCore::HTMLSliderThumbElement>::operator->
Mark Rowe (bdash)
Reported 2006-12-31 00:25:28 PST
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x49b45000
0x015c9cdd in WTF::RefPtr<WebCore::HTMLSliderThumbElement>::operator-> (this=0x49b45000) at RefPtr.h:50
50          T *operator->() const { return m_ptr; }
(gdb) bt
#0  0x015c9cdd in WTF::RefPtr<WebCore::HTMLSliderThumbElement>::operator-> (this=0x49b45000) at RefPtr.h:50
#1  0x013a428a in WebCore::RenderSlider::inDragMode (this=0x49b44f60) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderSlider.cpp:385
#2  0x0119a0c2 in WebCore::RenderThemeMac::paintSliderThumb (this=0x1640fe0, o=0x4a32bf60, paintInfo=@0xbfffcb80, r=@0xbfffca40) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderThemeMac.mm:1028
#3  0x0119c61b in WebCore::RenderTheme::paint (this=0x1640fe0, o=0x4a32bf60, paintInfo=@0xbfffcb80, r=@0xbfffca40) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderTheme.cpp:125
#4  0x0115f141 in WebCore::RenderBox::paintBoxDecorations (this=0x4a32bf60, paintInfo=@0xbfffcb80, tx=8, ty=154) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderBox.cpp:365
#5  0x011591df in WebCore::RenderBlock::paintObject (this=0x4a32bf60, paintInfo=@0xbfffcb80, tx=8, ty=154) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderBlock.cpp:1351
#6  0x01151e89 in WebCore::RenderBlock::paint (this=0x4a32bf60, paintInfo=@0xbfffcb80, tx=8, ty=154) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderBlock.cpp:1285
#7  0x011521bf in WebCore::RenderBlock::paintChildren (this=0x49b44f60, paintInfo=@0xbfffccb0, tx=8, ty=8) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderBlock.cpp:1315
#8  0x01159280 in WebCore::RenderBlock::paintObject (this=0x49b44f60, paintInfo=@0xbfffccb0, tx=8, ty=8) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderBlock.cpp:1369
#9  0x01151e89 in WebCore::RenderBlock::paint (this=0x49b44f60, paintInfo=@0xbfffccb0, tx=8, ty=8) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderBlock.cpp:1285
#10 0x011521bf in WebCore::RenderBlock::paintChildren (this=0xf1c82f60, paintInfo=@0xbfffce04, tx=0, ty=0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderBlock.cpp:1315
#11 0x01159280 in WebCore::RenderBlock::paintObject (this=0xf1c82f60, paintInfo=@0xbfffce04, tx=0, ty=0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderBlock.cpp:1369
#12 0x01151e89 in WebCore::RenderBlock::paint (this=0xf1c82f60, paintInfo=@0xbfffce04, tx=0, ty=0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderBlock.cpp:1285
#13 0x011809b6 in WebCore::RenderLayer::paintLayer (this=0xf1c86f68, rootLayer=0xf0fe3f68, p=0xbfffd034, paintDirtyRect=@0xbfffd03c, haveTransparency=false, paintRestriction=WebCore::PaintRestrictionNone, paintingRoot=0x0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderLayer.cpp:1433
#14 0x01180bfc in WebCore::RenderLayer::paintLayer (this=0xf0fe3f68, rootLayer=0xf0fe3f68, p=0xbfffd034, paintDirtyRect=@0xbfffd03c, haveTransparency=false, paintRestriction=WebCore::PaintRestrictionNone, paintingRoot=0x0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderLayer.cpp:1463
#15 0x01180cc4 in WebCore::RenderLayer::paint (this=0xf0fe3f68, p=0xbfffd034, damageRect=@0xbfffd03c, paintRestriction=WebCore::PaintRestrictionNone, paintingRoot=0x0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderLayer.cpp:1330
#16 0x010dfc7b in WebCore::Frame::paint (this=0xbf365fd0, p=0xbfffd034, rect=@0xbfffd03c) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/page/Frame.cpp:1041
#17 0x01100429 in -[WebCoreFrameBridge drawRect:] (self=0xbf337fe4, _cmd=0x90aa2b6c, rect={origin = {x = 0, y = 0}, size = {width = 1400, height = 761}}) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/page/mac/WebCoreFrameBridge.mm:480
#18 0x00341fbf in -[WebHTMLView drawSingleRect:] (self=0xc89d2fa0, _cmd=0x3c3308, rect={origin = {x = 0, y = 0}, size = {width = 1400, height = 761}}) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebKit/WebView/WebHTMLView.m:2678
#19 0x00342395 in -[WebHTMLView drawRect:] (self=0xc89d2fa0, _cmd=0x90aa2b6c, rect={origin = {x = 0, y = 0}, size = {width = 1400, height = 761}}) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebKit/WebView/WebHTMLView.m:2729
#20 0x932ee3b1 in -[NSView _drawRect:clip:] ()
#21 0x932ed40b in -[NSView _recursiveDisplayAllDirtyWithLockFocus:visRect:] ()
#22 0x0033bd2f in -[WebHTMLView(WebPrivate) _recursiveDisplayAllDirtyWithLockFocus:visRect:] (self=0xc89d2fa0, _cmd=0x90a83574, needsLockFocus=1 '\001', visRect={origin = {x = 0, y = 0}, size = {width = 1400, height = 761}}) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebKit/WebView/WebHTMLView.m:893
#23 0x932ff36f in _recursiveDisplayInRect2 ()
#24 0x9083af26 in CFArrayApplyFunction ()
#25 0x932ed613 in -[NSView _recursiveDisplayAllDirtyWithLockFocus:visRect:] ()
#26 0x932ff36f in _recursiveDisplayInRect2 ()
#27 0x9083af26 in CFArrayApplyFunction ()
#28 0x932ed613 in -[NSView _recursiveDisplayAllDirtyWithLockFocus:visRect:] ()
#29 0x932ec473 in -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] ()
#30 0x932ed041 in -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] ()
#31 0x932ed041 in -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] ()
#32 0x932ed041 in -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] ()
#33 0x932ed041 in -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] ()
#34 0x932ed041 in -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] ()
#35 0x932ebb78 in -[NSThemeFrame _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] ()
#36 0x932eb362 in -[NSView _displayRectIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:] ()
#37 0x932eac8e in -[NSView displayIfNeeded] ()
#38 0x932eaa32 in -[NSWindow displayIfNeeded] ()
#39 0x0001c394 in ?? ()
#40 0x9333ad6c in _handleWindowNeedsDisplay ()
#41 0x9082a155 in __CFRunLoopDoObservers ()
#42 0x908291f7 in CFRunLoopRunSpecific ()
#43 0x90828eb5 in CFRunLoopRunInMode ()
#44 0x92dcdb90 in RunCurrentEventLoopInMode ()
#45 0x92dcd297 in ReceiveNextEventCommon ()
#46 0x92dcd0ee in BlockUntilNextEventMatchingListInMode ()
#47 0x9326f465 in _DPSNextEvent ()
#48 0x9326f056 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#49 0x00006f96 in ?? ()
#50 0x93268ddb in -[NSApplication run] ()
#51 0x9325cd2f in NSApplicationMain ()
#52 0x0005f7de in ?? ()
#53 0x0005f6f9 in ?? ()
Attachments
Crashing test case (40.50 KB, text/html)
2006-12-31 00:26 PST, Mark Rowe (bdash)
no flags
Test case demonstrating bug without guard malloc (35.56 KB, text/html)
2007-06-26 20:01 PDT, Mark Rowe (bdash)
no flags
pseudo-patch to demonstrate assertion (1.53 KB, patch)
2007-06-26 22:41 PDT, Sam Weinig
no flags
patch (37.38 KB, patch)
2007-06-26 23:28 PDT, Sam Weinig
mitz: review-
updated patch (38.12 KB, patch)
2007-06-27 00:31 PDT, Sam Weinig
aroben: review-
updated patch (38.12 KB, patch)
2007-06-27 00:32 PDT, Sam Weinig
no flags
alternate patch (37.53 KB, patch)
2007-06-27 09:36 PDT, Sam Weinig
aroben: review+
Mark Rowe (bdash)
Comment 1 2006-12-31 00:26:26 PST
Created attachment 12129 [details] Crashing test case
Mark Rowe (bdash)
Comment 2 2007-01-01 15:58:05 PST
*** Bug 12051 has been marked as a duplicate of this bug. ***
Mark Rowe (bdash)
Comment 3 2007-01-01 15:58:36 PST
<html>
<head>
<title>Test HTML Page</title>
<meta http-equiv="refresh" content="1">
<style type="text/css">
    body { font: -webkit-small-control; }
    font { -webkit-appearance: sliderthumb-horizontal; }
</style>
</head>
<body>
<font>font</font>
</body>
</html>
Mark Rowe (bdash)
Comment 4 2007-01-09 00:05:11 PST
*** Bug 12167 has been marked as a duplicate of this bug. ***
Mark Rowe (bdash)
Comment 5 2007-06-22 01:17:09 PDT
This is in radar: <rdar://problem/5286670>.
Mark Rowe (bdash)
Comment 6 2007-06-26 20:01:31 PDT
Created attachment 15262 [details] Test case demonstrating bug without guard malloc

To reproduce this crash, load the attachment and hold down the space bar to scroll the page. You will crash within several seconds of doing this.
Sam Weinig
Comment 7 2007-06-26 22:41:08 PDT
Created attachment 15264 [details] pseudo-patch to demonstrate assertion

After a little analysis of the situation, it seems this crash is happening due to a bad cast that sometimes works. The issue is that the sliderthumb's RenderObject expects its parent renderer to be a RenderSlider and makes the cast without checking. Adding a simple assert (see attached pseudo-patch) will crash with even the simplest use of -webkit-appearance: sliderthumb-horizontal or -webkit-appearance: sliderthumb-vertical without a Slider parent.
Sam Weinig
Comment 8 2007-06-26 23:28:19 PDT
Created attachment 15265 [details] patch

This patch makes it so that we only paint the thumbslider if the parent renderer is a RenderSlider.
mitz
Comment 9 2007-06-27 00:12:34 PDT
Comment on attachment 15265 [details] patch

Need to patch RenderThemeSafari too. Not sure that just not painting is the best thing to do, but it's probably okay.
Sam Weinig
Comment 10 2007-06-27 00:31:55 PDT
Created attachment 15266 [details] updated patch
Sam Weinig
Comment 11 2007-06-27 00:32:07 PDT
Created attachment 15267 [details] updated patch
Sam Weinig
Comment 12 2007-06-27 09:36:24 PDT
Created attachment 15272 [details] alternate patch

This is an alternate patch to the above one. It moves the check into RenderTheme.cpp so that each RenderTheme* doesn't have to do it.
Adam Roben (:aroben)
Comment 13 2007-06-27 20:03:26 PDT
Comment on attachment 15272 [details] alternate patch

This one looks good to me, though I'd like to see an ASSERT(o->parent()->isSlider()) in each implementation of paintSliderThumb(). r=me
Sam Weinig
Comment 14 2007-06-27 20:20:48 PDT
Landed in r23840.
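The bad cast described in comments 7, 12 and 13, modelled as an added example. This is not WebKit's code: the class and method names follow WebCore (RenderObject, RenderBlock, RenderSlider, isSlider(), inDragMode(), paintSliderThumb()), but the member layout, the Appearance enum, the integer return codes and the two scenario helpers are assumptions made for the illustration. It puts the unchecked cast from before the fix next to the shared check that the alternate patch moved into the RenderTheme paint path, with the ASSERT Adam asked for inside the theme-specific painter.

```cpp
// Added example, not WebKit code: a minimal model of the bad cast behind bug
// 12045 and of the fix that landed in r23840 (the isSlider() check in the
// shared RenderTheme::paint path, plus an ASSERT in paintSliderThumb).
// Names mirror WebCore's; the bodies and the Appearance enum are assumptions.
#include <cassert>
#include <cstdio>

enum class Appearance { None, SliderHorizontal, SliderThumbHorizontal };

struct RenderObject {
    RenderObject* m_parent = nullptr;
    Appearance m_appearance = Appearance::None;
    virtual ~RenderObject() = default;
    // WebCore's renderers answer type queries like this instead of using RTTI.
    virtual bool isSlider() const { return false; }
    RenderObject* parent() const { return m_parent; }
    Appearance appearance() const { return m_appearance; }
};

// An ordinary block renderer, such as the one created for the <font> element
// in the test case. It has no m_thumb member.
struct RenderBlock : RenderObject {};

struct HTMLSliderThumbElement { bool dragging = false; };

// Only RenderSlider carries the thumb pointer that inDragMode() dereferences.
struct RenderSlider : RenderObject {
    HTMLSliderThumbElement* m_thumb = nullptr;
    bool isSlider() const override { return true; }
    bool inDragMode() const { return m_thumb && m_thumb->dragging; }
};

// BEFORE the fix: the theme trusted the element's -webkit-appearance and cast
// the parent unconditionally. When the parent is a RenderBlock this is type
// confusion: inDragMode() reads m_thumb from past the end of the smaller
// object (a guard-malloc crash, or whatever follows the object in memory).
// Never called in this file; kept only to show the pattern.
bool paintSliderThumbUnchecked(RenderObject* o) {
    RenderSlider* slider = static_cast<RenderSlider*>(o->parent());
    return slider->inDragMode();
}

// AFTER the fix: the theme-specific painter may assume a RenderSlider parent,
// and documents that with an assert, because the shared dispatcher checks it.
bool paintSliderThumb(RenderObject* o) {
    assert(o->parent() && o->parent()->isSlider());
    RenderSlider* slider = static_cast<RenderSlider*>(o->parent());
    return slider->inDragMode();   // true selects the "pressed" thumb artwork
}

// Shared dispatcher standing in for RenderTheme::paint. The check lives here
// so every RenderTheme* (Mac, Safari, ...) gets it without repeating it.
// Returns -1 if painting was skipped, 0 if painted unpressed, 1 if pressed.
int paintThemed(RenderObject* o) {
    if (o->appearance() != Appearance::SliderThumbHorizontal)
        return -1;
    if (!o->parent() || !o->parent()->isSlider())   // the guard from the fix
        return -1;
    return paintSliderThumb(o) ? 1 : 0;
}

// The test case's situation: a thumb-styled renderer whose parent is a plain
// block. With the guard in place the thumb is simply not painted.
int paintThumbUnderBlock() {
    RenderBlock block;
    RenderObject thumb;
    thumb.m_parent = &block;
    thumb.m_appearance = Appearance::SliderThumbHorizontal;
    return paintThemed(&thumb);
}

// The legitimate situation: the thumb renderer of a real slider.
int paintThumbUnderSlider(bool dragging) {
    HTMLSliderThumbElement element;
    element.dragging = dragging;
    RenderSlider slider;
    slider.m_appearance = Appearance::SliderHorizontal;
    slider.m_thumb = &element;
    RenderObject thumb;
    thumb.m_parent = &slider;
    thumb.m_appearance = Appearance::SliderThumbHorizontal;
    return paintThemed(&thumb);
}

int main() {
    std::printf("thumb under <font>: %d\n", paintThumbUnderBlock());               // -1
    std::printf("thumb under slider, idle: %d\n", paintThumbUnderSlider(false));   // 0
    std::printf("thumb under slider, dragging: %d\n", paintThumbUnderSlider(true)); // 1
    return 0;
}
```

Build with `c++ -std=c++11 -g -fsanitize=address example.cpp` and run it; the guarded path never touches memory outside the parent object. If you swap `paintSliderThumb` for `paintSliderThumbUnchecked` in `paintThemed` and drop the `isSlider()` test, the `<font>` scenario reads `m_thumb` beyond the end of a `RenderBlock`, which AddressSanitizer reports as an out-of-bounds read; that is the same class of defect guard malloc turned into the EXC_BAD_ACCESS in the original report, where the stray `m_thumb` landed on a protected page.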