Bug 6835 - RESOLVED FIXED
REGRESSION: WebKit crashes when loading a script on Wikipedia
https://bugs.webkit.org/show_bug.cgi?id=6835
Daniele Metilli
Reported 2006-01-26 04:22:46 PST
WebKit version: latest nightly (SVN-r12391 Jan 26 12:10 GMT)

Follow these steps:
1 - Load the page
2 - Click on the "hide" (or "show") button in the table of contents on the left
3 - WebKit crashes
Attachments
check for nil list marker (3.39 KB, patch)
2006-01-26 06:37 PST, David Harrison
timothy: review+
test case (629 bytes, text/html)
2006-01-26 07:02 PST, David Harrison
no flags
Alexey Proskuryakov
Comment 1 2006-01-26 04:59:00 PST
Thread 0 Crashed:
0 com.apple.WebCore 0x01a382f0 WebCore::RenderListItem::resetMarkerValue() + 36 (render_list.cpp:238)
1 com.apple.WebCore 0x01a07f54 WebCore::updateListMarkerNumbers(WebCore::RenderObject*) + 48 (RenderContainer.cpp:84)
2 com.apple.WebCore 0x01a086ac WebCore::RenderContainer::removeChildNode(WebCore::RenderObject*) + 420 (RenderContainer.cpp:193)
3 com.apple.WebCore 0x01a08850 WebCore::RenderContainer::removeChild(WebCore::RenderObject*) + 64 (RenderContainer.cpp:218)
4 com.apple.WebCore 0x019e4f00 WebCore::RenderBlock::removeChild(WebCore::RenderObject*) + 640 (RenderBlock.cpp:318)
5 com.apple.WebCore 0x01a42d88 WebCore::RenderObject::remove() + 156 (render_object.cpp:2093)
6 com.apple.WebCore 0x01a42f74 WebCore::RenderObject::destroy() + 32 (render_object.cpp:2109)
7 com.apple.WebCore 0x019f81c8 WebCore::RenderBox::destroy() + 88 (render_box.cpp:152)
8 com.apple.WebCore 0x01a07eec WebCore::RenderContainer::destroy() + 44 (RenderContainer.cpp:61)
9 com.apple.WebCore 0x01a10b84 WebCore::RenderFlow::destroy() + 576 (render_flow.cpp:227)
10 com.apple.WebCore 0x01a37d0c WebCore::RenderListItem::destroy() + 108 (render_list.cpp:177)
11 com.apple.WebCore 0x01935388 WebCore::NodeImpl::detach() + 364 (NodeImpl.cpp:1201)
12 com.apple.WebCore 0x0193db40 WebCore::ContainerNodeImpl::detach() + 112 (ContainerNodeImpl.cpp:567)
13 com.apple.WebCore 0x0193db18 WebCore::ContainerNodeImpl::detach() + 72 (ContainerNodeImpl.cpp:564)
14 com.apple.WebCore 0x0193db18 WebCore::ContainerNodeImpl::detach() + 72 (ContainerNodeImpl.cpp:564)
15 com.apple.WebCore 0x0193db18 WebCore::ContainerNodeImpl::detach() + 72 (ContainerNodeImpl.cpp:564)
16 com.apple.WebCore 0x017bc344 WebCore::ElementImpl::recalcStyle(WebCore::NodeImpl::StyleChange) + 440 (dom_elementimpl.cpp:568)
17 com.apple.WebCore 0x017bc624 WebCore::ElementImpl::recalcStyle(WebCore::NodeImpl::StyleChange) + 1176 (dom_elementimpl.cpp:597)
18 com.apple.WebCore 0x017bc624 WebCore::ElementImpl::recalcStyle(WebCore::NodeImpl::StyleChange) + 1176 (dom_elementimpl.cpp:597)
19 com.apple.WebCore 0x017bc624 WebCore::ElementImpl::recalcStyle(WebCore::NodeImpl::StyleChange) + 1176 (dom_elementimpl.cpp:597)
20 com.apple.WebCore 0x017bc624 WebCore::ElementImpl::recalcStyle(WebCore::NodeImpl::StyleChange) + 1176 (dom_elementimpl.cpp:597)
21 com.apple.WebCore 0x017bc624 WebCore::ElementImpl::recalcStyle(WebCore::NodeImpl::StyleChange) + 1176 (dom_elementimpl.cpp:597)
22 com.apple.WebCore 0x017bc624 WebCore::ElementImpl::recalcStyle(WebCore::NodeImpl::StyleChange) + 1176 (dom_elementimpl.cpp:597)
23 com.apple.WebCore 0x017bc624 WebCore::ElementImpl::recalcStyle(WebCore::NodeImpl::StyleChange) + 1176 (dom_elementimpl.cpp:597)
24 com.apple.WebCore 0x017bc624 WebCore::ElementImpl::recalcStyle(WebCore::NodeImpl::StyleChange) + 1176 (dom_elementimpl.cpp:597)
25 com.apple.WebCore 0x017bc624 WebCore::ElementImpl::recalcStyle(WebCore::NodeImpl::StyleChange) + 1176 (dom_elementimpl.cpp:597)
26 com.apple.WebCore 0x017bc624 WebCore::ElementImpl::recalcStyle(WebCore::NodeImpl::StyleChange) + 1176 (dom_elementimpl.cpp:597)
27 com.apple.WebCore 0x0192da04 WebCore::DocumentImpl::recalcStyle(WebCore::NodeImpl::StyleChange) + 1316 (DocumentImpl.cpp:860)
28 com.apple.WebCore 0x019213c4 WebCore::DocumentImpl::updateRendering() + 88 (DocumentImpl.cpp:885)
29 com.apple.WebCore 0x0192415c WebCore::DocumentImpl::updateDocumentsRendering() + 132 (DocumentImpl.cpp:892)
30 com.apple.WebCore 0x01902490 Frame::executeScript(WebCore::NodeImpl*, QString const&, bool) + 456 (Frame.cpp:499)
31 com.apple.WebCore 0x0190260c Frame::executeScript(QString const&, bool) + 64 (Frame.cpp:481)
32 com.apple.WebCore 0x01903c38 Frame::urlSelected(QString const&, int, int, QString const&, WebCore::URLArgs) + 420 (Frame.cpp:1543)
33 com.apple.WebCore 0x01797e04 WebCore::HTMLAnchorElementImpl::defaultEventHandler(WebCore::EventImpl*) + 2044 (html_inlineimpl.cpp:205)
34 com.apple.WebCore 0x01938bdc WebCore::NodeImpl::dispatchGenericEvent(KXMLCore::PassRefPtr<WebCore::EventImpl>, int&) + 1392 (NodeImpl.cpp:595)
35 com.apple.WebCore 0x01938ecc WebCore::NodeImpl::dispatchEvent(KXMLCore::PassRefPtr<WebCore::EventImpl>, int&, bool) + 396 (NodeImpl.cpp:510)
36 com.apple.WebCore 0x01939740 WebCore::NodeImpl::dispatchMouseEvent(WebCore::AtomicString const&, int, int, int, int, int, int, bool, bool, bool, bool, bool) + 492 (NodeImpl.cpp:745)
37 com.apple.WebCore 0x0193d394 WebCore::NodeImpl::dispatchMouseEvent(QMouseEvent*, WebCore::AtomicString const&, int) + 780 (NodeImpl.cpp:708)
38 com.apple.WebCore 0x0191dfc4 FrameView::dispatchMouseEvent(WebCore::AtomicString const&, WebCore::NodeImpl*, bool, int, QMouseEvent*, bool, int) + 1096 (FrameView.cpp:1081)
39 com.apple.WebCore 0x0191f678 FrameView::viewportMouseReleaseEvent(QMouseEvent*) + 680 (FrameView.cpp:728)
40 com.apple.WebCore 0x01910598 MacFrame::mouseUp(NSEvent*) + 584 (MacFrame.mm:2139)
<...>
Alexey Proskuryakov
Comment 2 2006-01-26 05:01:37 PST
*** Bug 6829 has been marked as a duplicate of this bug. ***
Daniele Metilli
Comment 3 2006-01-26 05:41:22 PST
Another example of this bug:
1 - Go to http://www.macitynet.it/macity/
2 - Move the mouse over one of the menus, like "MacProf" or "ilMioMac"
3 - Without clicking, move the mouse away from the menu
4 - WebKit crashes
Daniele Metilli
Comment 4 2006-01-26 05:46:31 PST
Another crash report, hope it helps. This is for the alternate example described above.

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x0000009c

Thread 0 Crashed:
0 com.apple.WebCore 0x012691d8 WebCore::RenderListItem::resetMarkerValue() + 8
1 com.apple.WebCore 0x0124a67c WebCore::updateListMarkerNumbers(WebCore::RenderObject*) + 68
2 com.apple.WebCore 0x0124b2a4 WebCore::RenderContainer::removeChildNode(WebCore::RenderObject*) + 200
3 com.apple.WebCore 0x0123a2cc WebCore::RenderBlock::removeChild(WebCore::RenderObject*) + 624
4 com.apple.WebCore 0x012707b0 WebCore::RenderObject::remove() + 84
5 com.apple.WebCore 0x01270808 WebCore::RenderObject::destroy() + 24
6 com.apple.WebCore 0x01240344 WebCore::RenderBox::destroy() + 64
7 com.apple.WebCore 0x011b654c WebCore::NodeImpl::detach() + 160
8 com.apple.WebCore 0x011ba828 WebCore::ContainerNodeImpl::detach() + 56
9 com.apple.WebCore 0x010b3684 WebCore::ElementImpl::recalcStyle(WebCore::NodeImpl::StyleChange) + 200
10 com.apple.WebCore 0x010b3820 WebCore::ElementImpl::recalcStyle(WebCore::NodeImpl::StyleChange) + 612
11 com.apple.WebCore 0x010b3820 WebCore::ElementImpl::recalcStyle(WebCore::NodeImpl::StyleChange) + 612
12 com.apple.WebCore 0x010b3820 WebCore::ElementImpl::recalcStyle(WebCore::NodeImpl::StyleChange) + 612
13 com.apple.WebCore 0x010b3820 WebCore::ElementImpl::recalcStyle(WebCore::NodeImpl::StyleChange) + 612
14 com.apple.WebCore 0x010b3820 WebCore::ElementImpl::recalcStyle(WebCore::NodeImpl::StyleChange) + 612
15 com.apple.WebCore 0x010b3820 WebCore::ElementImpl::recalcStyle(WebCore::NodeImpl::StyleChange) + 612
16 com.apple.WebCore 0x010b3820 WebCore::ElementImpl::recalcStyle(WebCore::NodeImpl::StyleChange) + 612
17 com.apple.WebCore 0x010b3820 WebCore::ElementImpl::recalcStyle(WebCore::NodeImpl::StyleChange) + 612
18 com.apple.WebCore 0x011ac358 WebCore::DocumentImpl::recalcStyle(WebCore::NodeImpl::StyleChange) + 1632
19 com.apple.WebCore 0x011acd44 WebCore::DocumentImpl::prepareMouseEvent(bool, bool, int, int, WebCore::NodeImpl::MouseEvent*) + 500
20 com.apple.WebCore 0x011a5410 FrameView::viewportMouseMoveEvent(QMouseEvent*) + 220
21 com.apple.WebCore 0x011a0c40 MacFrame::mouseMoved(NSEvent*) + 344
22 com.apple.WebKit 0x00347f60 -[WebHTMLView(WebPrivate) _updateMouseoverWithEvent:] + 740
23 com.apple.Foundation 0x928e6018 _nsnote_callback + 180
24 com.apple.CoreFoundation 0x907844c4 __CFXNotificationPost + 368
25 com.apple.CoreFoundation 0x9077c5a0 _CFXNotificationPostNotification + 684
26 com.apple.Foundation 0x928d0420 -[NSNotificationCenter postNotificationName:object:userInfo:] + 92
27 com.apple.AppKit 0x9375a584 forwardMethod + 92
28 com.apple.AppKit 0x9375a584 forwardMethod + 92
29 com.apple.AppKit 0x9375a584 forwardMethod + 92
30 com.apple.AppKit 0x9375a584 forwardMethod + 92
31 com.apple.AppKit 0x9375a584 forwardMethod + 92
32 com.apple.AppKit 0x9375a584 forwardMethod + 92
33 com.apple.AppKit 0x9375a584 forwardMethod + 92
34 com.apple.AppKit 0x936e85c0 -[NSWindow sendEvent:] + 6424
35 com.apple.Safari 0x00022160 0x1000 + 135520
36 com.apple.AppKit 0x93690ef4 -[NSApplication sendEvent:] + 4172
37 com.apple.Safari 0x00021c64 0x1000 + 134244
38 com.apple.AppKit 0x93688330 -[NSApplication run] + 508
39 com.apple.AppKit 0x93778e68 NSApplicationMain + 452
40 com.apple.Safari 0x0005cfdc 0x1000 + 376796
41 com.apple.Safari 0x0005ce80 0x1000 + 376448
David Harrison
Comment 5 2006-01-26 06:37:12 PST
Created attachment 5988 [details] check for nil list marker

Add check for nil (i.e. non-existent) list marker in RenderListItem::resetMarkerValue().
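The nil-marker guard this comment describes, shown as an added C++ model that is not WebKit's source and not the content of attachment 5988. The function names follow the frames in the crash stacks above (removeChildNode -> updateListMarkerNumbers -> RenderListItem::resetMarkerValue); the bodies, the RenderBlock container, and the assumption that a list item with no marker is what a marker-less item looks like are mine, made for illustration only.

```cpp
// Added example, not WebKit code: a toy model of the render-tree path in bug 6835's
// crash stack. Names mirror the trace; bodies and data layout are assumptions.
#include <cstddef>
#include <memory>
#include <vector>

struct RenderListMarker {
    int value = 0;  // -1 models "recompute from the list on next layout" (assumption)
};

class RenderListItem {
public:
    // A null m_marker models a list item that never created a marker (assumed case,
    // e.g. list-style-type: none). This is the "nil list marker" the fix guards against.
    explicit RenderListItem(bool hasMarker)
        : m_marker(hasMarker ? std::make_unique<RenderListMarker>()
                             : std::unique_ptr<RenderListMarker>()) {}

    bool hasMarker() const { return m_marker != nullptr; }
    int markerValue() const { return m_marker ? m_marker->value : 0; }

    // Post-fix shape: the nil check turns the reset into a no-op for marker-less items.
    // Without the `if`, a null m_marker is a read a few bytes past address 0, which is
    // the EXC_BAD_ACCESS at 0x0000009c reported in Comment 4.
    void resetMarkerValue() {
        if (!m_marker)
            return;
        m_marker->value = -1;
    }

private:
    std::unique_ptr<RenderListMarker> m_marker;
};

class RenderBlock {
public:
    void appendChild(bool hasMarker) {
        m_children.push_back(std::make_unique<RenderListItem>(hasMarker));
    }
    size_t childCount() const { return m_children.size(); }
    const RenderListItem& child(size_t i) const { return *m_children[i]; }

    // How many following siblings the pre-fix (unchecked) walk would have dereferenced a
    // null marker on if `index` were removed, i.e. how many times the crash would fire.
    // Counts instead of dereferencing so the model itself never faults.
    int nullMarkerDerefsIfRemoved(size_t index) const {
        int n = 0;
        for (size_t i = index + 1; i < m_children.size(); ++i)
            if (!m_children[i]->hasMarker())
                ++n;
        return n;
    }

    // Models RenderContainer::removeChildNode(): unlink the child, then renumber the list
    // items that followed it. Returns how many markers were actually reset.
    int removeChild(size_t index) {
        m_children.erase(m_children.begin() + static_cast<std::ptrdiff_t>(index));
        return updateListMarkerNumbers(index);
    }

private:
    // Models updateListMarkerNumbers(): walk the siblings from the removal point onward.
    int updateListMarkerNumbers(size_t from) {
        int reset = 0;
        for (size_t i = from; i < m_children.size(); ++i) {
            m_children[i]->resetMarkerValue();
            if (m_children[i]->hasMarker())
                ++reset;
        }
        return reset;
    }

    std::vector<std::unique_ptr<RenderListItem>> m_children;
};

// Constructed scenario: three <li> renderers, the middle one without a marker, then the
// first is removed (what a display:none toggle on it does via detach()/destroy()).
// Returns true when the walk completes and the marker-less sibling was left alone.
bool runScenario() {
    RenderBlock list;
    list.appendChild(true);
    list.appendChild(false);  // the item with no marker
    list.appendChild(true);
    int wouldCrash = list.nullMarkerDerefsIfRemoved(0);  // 1 with the unchecked code
    int reset = list.removeChild(0);                     // 1: only the last item's marker
    return wouldCrash == 1 && reset == 1 && list.childCount() == 2
        && !list.child(0).hasMarker() && list.child(1).markerValue() == -1;
}

int main() { return runScenario() ? 0 : 1; }
```

The point of the model is the shape of the walk: the renumbering pass visits every sibling after the removed child regardless of whether that sibling ever allocated a marker, so the guard has to live in resetMarkerValue() itself, where the optional sub-object is used, rather than at the call site.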
David Harrison
Comment 6 2006-01-26 07:02:18 PST
Created attachment 5989 [details] test case
Eric Seidel (no email)
Comment 7 2006-01-31 21:20:46 PST
Removing Regression keyword from bugs already fixed.