WebKit Bugzilla
Bug 17286: REGRESSION: Crash in RenderStyle on news.com.au
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=17286
Reported by Tim Pham, 2008-02-10 09:23:32 PST

Loads upper half of the page and then crashes. Relaunched program with message saying plug-in caused the problem and to disable it.
Attachments

attachment 19061: Test case (333 bytes, text/html), 2008-02-11 01:16 PST, Chasen Le Hara, no flags
attachment 19075: Simple null check. All other selectors were null-checking properly. (672 bytes, patch), 2008-02-11 12:25 PST, Dave Hyatt, aroben: review+
Comment 1 (Matt Lilek, 2008-02-10 09:30:50 PST)

r30117:

Thread 0 Crashed:
0  com.apple.WebCore        0x01b9e66b WebCore::RenderStyle::setEmptyState(bool) + 15 (RenderStyle.h:2128)
1  com.apple.WebCore        0x01b89f12 WebCore::CSSStyleSelector::checkOneSelector(WebCore::CSSSelector*, WebCore::Element*, bool, bool) + 2318 (CSSStyleSelector.cpp:1664)
2  com.apple.WebCore        0x01b8c07f WebCore::CSSStyleSelector::checkSelector(WebCore::CSSSelector*, WebCore::Element*, bool, bool) + 151 (CSSStyleSelector.cpp:1411)
3  com.apple.WebCore        0x01b8c518 WebCore::CSSStyleSelector::checkSelector(WebCore::CSSSelector*, WebCore::Element*, bool, bool) + 1328 (CSSStyleSelector.cpp:1484)
4  com.apple.WebCore        0x01b8c572 WebCore::CSSStyleSelector::checkSelector(WebCore::CSSSelector*) + 66 (CSSStyleSelector.cpp:1386)
5  com.apple.WebCore        0x01b8c67a WebCore::CSSStyleSelector::matchRulesForList(WebCore::CSSRuleDataList*, int&, int&) + 190 (CSSStyleSelector.cpp:431)
6  com.apple.WebCore        0x01b8c830 WebCore::CSSStyleSelector::matchRules(WebCore::CSSRuleSet*, int&, int&) + 142 (CSSStyleSelector.cpp:393)
7  com.apple.WebCore        0x01b9abfc WebCore::CSSStyleSelector::pseudoStyleForElement(WebCore::RenderStyle::PseudoId, WebCore::Element*, WebCore::RenderStyle*) + 236 (CSSStyleSelector.cpp:1104)
8  com.apple.WebCore        0x01f4312c WebCore::RenderObject::getPseudoStyle(WebCore::RenderStyle::PseudoId, WebCore::RenderStyle*) const + 378 (RenderObject.cpp:2818)
9  com.apple.WebCore        0x01f07417 WebCore::RenderContainer::updateBeforeAfterContentForContainer(WebCore::RenderStyle::PseudoId, WebCore::RenderContainer*) + 121 (RenderContainer.cpp:253)
10 com.apple.WebCore        0x01f07b8c WebCore::RenderContainer::updateBeforeAfterContent(WebCore::RenderStyle::PseudoId) + 96 (RenderContainer.cpp:245)
11 com.apple.WebCore        0x01ee53a2 WebCore::RenderBlock::setStyle(WebCore::RenderStyle*) + 390 (RenderBlock.cpp:146)
12 com.apple.WebCore        0x01f456f3 WebCore::RenderObject::setAnimatableStyle(WebCore::RenderStyle*) + 179 (RenderObject.cpp:2163)
13 com.apple.WebCore        0x01ebb081 WebCore::Node::createRendererIfNeeded() + 529 (Node.cpp:1012)
14 com.apple.WebCore        0x01c9200f WebCore::Element::attach() + 17 (Element.cpp:684)
15 com.apple.WebCore        0x01d497a9 WebCore::HTMLParser::insertNode(WebCore::Node*, bool) + 745 (HTMLParser.cpp:327)
16 com.apple.WebCore        0x01d4a0c8 WebCore::HTMLParser::parseToken(WebCore::Token*) + 1416 (HTMLParser.cpp:252)
17 com.apple.WebCore        0x01d5f9ba WebCore::HTMLTokenizer::processToken() + 506 (HTMLTokenizer.cpp:1654)
18 com.apple.WebCore        0x01d62922 WebCore::HTMLTokenizer::parseTag(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 5846 (HTMLTokenizer.cpp:1227)
19 com.apple.WebCore        0x01d632ed WebCore::HTMLTokenizer::write(WebCore::SegmentedString const&, bool) + 1221 (HTMLTokenizer.cpp:1456)
20 com.apple.WebCore        0x01d5f74b WebCore::HTMLTokenizer::notifyFinished(WebCore::CachedResource*) + 909 (HTMLTokenizer.cpp:1763)
21 com.apple.WebCore        0x01bb6fc2 WebCore::CachedScript::checkNotify() + 68 (CachedScript.cpp:97)
22 com.apple.WebCore        0x01bb7123 WebCore::CachedScript::data(WTF::PassRefPtr<WebCore::SharedBuffer>, bool) + 279 (CachedScript.cpp:89)
23 com.apple.WebCore        0x02121744 WebCore::Loader::didFinishLoading(WebCore::SubresourceLoader*) + 308 (loader.cpp:116)
24 com.apple.WebCore        0x02099773 WebCore::SubresourceLoader::didFinishLoading() + 169 (SubresourceLoader.cpp:195)
25 com.apple.WebCore        0x01fa141c WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle*) + 24 (ResourceLoader.cpp:373)
26 com.apple.WebCore        0x01f9ede1 -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] + 101 (ResourceHandleMac.mm:469)
27 com.apple.Foundation     0x90b01357 -[NSURLConnection(NSURLConnectionReallyInternal) sendDidFinishLoading] + 87
28 com.apple.Foundation     0x90b012e4 _NSURLConnectionDidFinishLoading + 68
29 com.apple.CFNetwork      0x96559897 sendDidFinishLoadingCallback + 148
30 com.apple.CFNetwork      0x965569ca _CFURLConnectionSendCallbacks + 1908
31 com.apple.CFNetwork      0x965561db muxerSourcePerform + 283
32 com.apple.CoreFoundation 0x9042864e CFRunLoopRunSpecific + 3166
33 com.apple.CoreFoundation 0x90428d38 CFRunLoopRunInMode + 88
34 com.apple.HIToolbox      0x916158a4 RunCurrentEventLoopInMode + 283
35 com.apple.HIToolbox      0x916156bd ReceiveNextEventCommon + 374
36 com.apple.HIToolbox      0x91615531 BlockUntilNextEventMatchingListInMode + 106
37 com.apple.AppKit         0x9287ed5b _DPSNextEvent + 657
38 com.apple.AppKit         0x9287e6a0 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
39 com.apple.Safari         0x00009d4e 0x1000 + 36174
40 com.apple.AppKit         0x928776d1 -[NSApplication run] + 795
41 com.apple.AppKit         0x928449ba NSApplicationMain + 574
42 com.apple.Safari         0x00002876 0x1000 + 6262
Comment 2 (Dave Hyatt, 2008-02-10 10:42:00 PST)

Mixing generated content with some of these new CSS3 selectors is exposing the need for some m_style null checks. (The page uses :empty in conjunction with ::after.)
Comment 3 (Chasen Le Hara, 2008-02-11 01:16:58 PST)

Created attachment 19061 [details]
Test case

This test case consistently reproduces the crash in nightly r30123. :after {content: ""} with :empty {} creates the crash.
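A minimal page in the shape comments 2 and 3 describe, added here as an illustration. This is a reconstruction and not the contents of attachment 19061; the element type, the rule bodies and the "passes if it does not crash" wording are assumptions. It pairs an :empty rule with an :after rule carrying generated content on an element that has no children, which is the combination the comments name:

```html
<!DOCTYPE html>
<html>
<head>
<title>Reconstructed repro for bug 17286 (not the attached test case)</title>
<style>
/* :empty is a dynamic pseudo-class: matching it records a dependency on the
   element's style so that adding or removing children triggers a restyle. */
div:empty { color: red; }

/* :after with generated content forces a pseudo-element style resolution for
   the same element, which re-runs the selector match for the ::after style. */
div:after { content: ""; }
</style>
</head>
<body>
<p>This test passes if it does not crash.</p>
<!-- The target element has no children, so :empty matches it. -->
<div></div>
</body>
</html>
```

Load the file in a build at or before r30123 to observe the crash and in a build at or after r30153 to confirm the fix; as a regression test the only pass condition is that the page finishes loading.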
Comment 4 (Dave Hyatt, 2008-02-11 12:25:51 PST)

Created attachment 19075 [details]
Simple null check. All other selectors were null-checking properly.
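A toy model of the failure that comments 2 and 4 describe, added here as an illustration; it is not WebKit code and the patch itself is not on this page. The names setEmptyState, checkOneSelector and m_style come from the crash log and comment 2, but the class bodies, the string-based pseudo-class argument and the two resolve helpers are assumptions. The unchecked form dereferences m_style unconditionally, which is fatal when rules are matched for a pseudo-element style and no element style exists; the checked form records the :empty dependency only when there is a style to record it on:

```cpp
// Added illustration, not WebKit code: toy model of the m_style null
// dereference behind the crash. Names mirror the crash log; bodies are
// assumptions.
#include <cstdio>
#include <string>
#include <vector>

struct Element {
    std::vector<Element*> children;   // no children => the element matches :empty
};

// Stand-in for WebCore::RenderStyle, reduced to the bit :empty matching touches.
struct RenderStyle {
    bool emptyState = false;
    void setEmptyState(bool b) { emptyState = b; }
};

// Toy selector matcher. m_style is the style being built for the element.
// It can legitimately be null: when rules are matched to compute a
// pseudo-element style (::after), there is no element style to annotate.
class StyleSelector {
public:
    explicit StyleSelector(RenderStyle* style) : m_style(style) {}

    // Pre-fix shape: unconditional dereference. Calling this with a null
    // m_style is a null-pointer dereference, i.e. the crash in the report.
    bool checkOneSelectorUnchecked(const std::string& pseudoClass, const Element& e) {
        if (pseudoClass == "empty") {
            bool matched = e.children.empty();
            m_style->setEmptyState(matched);   // crashes when m_style == nullptr
            return matched;
        }
        return false;
    }

    // Fixed shape: the match result is computed the same way, but the
    // dynamic-state dependency is only recorded when a style exists.
    bool checkOneSelector(const std::string& pseudoClass, const Element& e) {
        if (pseudoClass == "empty") {
            bool matched = e.children.empty();
            if (m_style)
                m_style->setEmptyState(matched);
            return matched;
        }
        return false;
    }

private:
    RenderStyle* m_style;
};

// Models the pseudoStyleForElement path from the crash log: the match for the
// ::after style runs with no element style, so m_style is null here.
bool resolvePseudoStyleSafely(const Element& e) {
    StyleSelector pseudoPass(nullptr);
    return pseudoPass.checkOneSelector("empty", e);
}

// Models the ordinary element-style path: a style exists and the :empty
// dependency is recorded on it.
bool resolveElementStyle(const Element& e, RenderStyle& style) {
    StyleSelector elementPass(&style);
    bool matched = elementPass.checkOneSelector("empty", e);
    return matched && style.emptyState;
}

int main() {
    Element leaf;                      // constructed input: childless element
    Element parent;                    // constructed input: one child
    parent.children.push_back(&leaf);

    RenderStyle style;
    std::printf("leaf matches :empty (pseudo pass, null style): %d\n",
                resolvePseudoStyleSafely(leaf));
    std::printf("parent matches :empty (pseudo pass, null style): %d\n",
                resolvePseudoStyleSafely(parent));
    std::printf("leaf matches :empty (element pass, dependency recorded): %d\n",
                resolveElementStyle(leaf, style));
    return 0;
}
```

The point to take from the model is the asymmetry comment 4 names: every selector that writes a dependency into m_style has to tolerate a null style, because the same matching code is reused for pseudo-element resolution where no element style exists. A single selector that skips the check is enough to turn attacker-controlled CSS plus a childless element into a renderer crash.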
Comment 5 (Dave Hyatt, 2008-02-11 12:28:53 PST)

<rdar://problem/5735576>
Comment 6 (Adam Roben (:aroben), 2008-02-11 12:30:59 PST)

Comment on attachment 19075 [details]
Simple null check. All other selectors were null-checking properly.

r=me, assuming the test case becomes a regression test.
Comment 7 (Dave Hyatt, 2008-02-11 13:19:26 PST)

Fixed in r30153.