12518 2007-01-31 17:36:02 -0800 Betsson.com crashes browser 2007-02-06 12:36:25 -0800 1 1 1 Unclassified WebKit New Bugs 420+ Mac OS X 10.4 RESOLVED FIXED InRadar P1 Major --- 1 yael webkit-unassigned mitz yael oldest_to_newest 29618 0 yael 2007-01-31 17:36:02 -0800 [S60] Bug ID MLIO-6XWP2K BrowserNG: Betsson.com crashes browser 1) Open Browser, browse to http://www.betsson.com 2) Select the web pages in Finnish and then open link Urheilupeli (or in english and then link Sportsbook) The same callstack was visible in ToT version of Safari on my MAC Book. 29621 1 yael 2007-01-31 18:24:52 -0800 Callstack in Safari: #0 0x02cfaa8b in WebCore::Node::document at Node.h:268 #1 0x02a3a76e in WebCore::RenderLayer::createScrollbar at RenderLayer.cpp:985 #2 0x02a3a950 in WebCore::RenderLayer::setHasHorizontalScrollbar at RenderLayer.cpp:1011 #3 0x02a18892 in WebCore::RenderBlock::layoutBlock at RenderBlock.cpp:486 #4 0x02a0d066 in WebCore::RenderBlock::layout at RenderBlock.cpp:421 #5 0x02d78edf in WebCore::RenderObject::layoutIfNeeded at bidi.h:509 #6 0x02a1807e in WebCore::RenderBlock::layoutBlockChildren at RenderBlock.cpp:1103 #7 0x02a18947 in WebCore::RenderBlock::layoutBlock at RenderBlock.cpp:495 #8 0x02a0d066 in WebCore::RenderBlock::layout at RenderBlock.cpp:421 #9 0x02d78edf in WebCore::RenderObject::layoutIfNeeded at bidi.h:509 #10 0x02a1807e in WebCore::RenderBlock::layoutBlockChildren at RenderBlock.cpp:1103 #11 0x02a18947 in WebCore::RenderBlock::layoutBlock at RenderBlock.cpp:495 #12 0x02a0d066 in WebCore::RenderBlock::layout at RenderBlock.cpp:421 #13 0x02d78edf in WebCore::RenderObject::layoutIfNeeded at bidi.h:509 #14 0x02a061da in WebCore::RenderBlock::layoutInlineChildren at bidi.cpp:1532 #15 0x02a18908 in WebCore::RenderBlock::layoutBlock at RenderBlock.cpp:493 #16 0x02a0d066 in WebCore::RenderBlock::layout at RenderBlock.cpp:421 #17 0x02d78edf in WebCore::RenderObject::layoutIfNeeded at bidi.h:509 #18 0x02a16f94 in WebCore::RenderBlock::insertFloatingObject at RenderBlock.cpp:1854 #19 0x02a17b7d in WebCore::RenderBlock::handleFloatingChild at RenderBlock.cpp:666 #20 0x02a17c0a in WebCore::RenderBlock::handleSpecialChild at RenderBlock.cpp:638 #21 0x02a17eac in WebCore::RenderBlock::layoutBlockChildren at RenderBlock.cpp:1070 #22 0x02a18947 in WebCore::RenderBlock::layoutBlock at RenderBlock.cpp:495 #23 0x02a0d066 in WebCore::RenderBlock::layout at RenderBlock.cpp:421 #24 0x02d78edf in WebCore::RenderObject::layoutIfNeeded at bidi.h:509 #25 0x02a1807e in WebCore::RenderBlock::layoutBlockChildren at RenderBlock.cpp:1103 #26 0x02a18947 in WebCore::RenderBlock::layoutBlock at RenderBlock.cpp:495 #27 0x02a0d066 in WebCore::RenderBlock::layout at RenderBlock.cpp:421 #28 0x02d78edf in WebCore::RenderObject::layoutIfNeeded at bidi.h:509 #29 0x02a1807e in WebCore::RenderBlock::layoutBlockChildren at RenderBlock.cpp:1103 #30 0x02a18947 in WebCore::RenderBlock::layoutBlock at RenderBlock.cpp:495 #31 0x02a0d066 in WebCore::RenderBlock::layout at RenderBlock.cpp:421 #32 0x02d78edf in WebCore::RenderObject::layoutIfNeeded at bidi.h:509 #33 0x02a1807e in WebCore::RenderBlock::layoutBlockChildren at RenderBlock.cpp:1103 #34 0x02a18947 in WebCore::RenderBlock::layoutBlock at RenderBlock.cpp:495 #35 0x02a0d066 in WebCore::RenderBlock::layout at RenderBlock.cpp:421 #36 0x02a23943 in WebCore::RenderView::layout at RenderView.cpp:119 #37 0x029a8393 in WebCore::FrameView::layout at FrameView.cpp:509 #38 0x029a86af in WebCore::FrameView::layoutTimerFired at FrameView.cpp:1311 #39 0x02d523c5 in WebCore::Timer<WebCore::FrameView>::fired at Timer.h:96 #40 0x02ac0ab2 in WebCore::TimerBase::fireTimers at Timer.cpp:336 #41 0x02ac0b4f in WebCore::TimerBase::sharedTimerFired at Timer.cpp:353 #42 0x02ac0206 in WebCore::timerFired at SharedTimerMac.cpp:46 #43 0x9082b822 in CFRunLoopRunSpecific #44 0x9082ab0e in CFRunLoopRunInMode #45 0x92ddabef in RunCurrentEventLoopInMode #46 0x92dda2fd in ReceiveNextEventCommon #47 0x92dda154 in BlockUntilNextEventMatchingListInMode #48 0x9327f465 in _DPSNextEvent #49 0x9327f056 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] #50 0x00006cea in ?? #51 0x93278ddb in -[NSApplication run] #52 0x9326cd2f in NSApplicationMain 29091 2 yael 2007-02-01 08:47:33 -0800 This bug was reported originally against S60 Browser, but can be reproduced also on latest Safari code. The problem is that we make extensive use on m_object->document(), or m_object->element()->getDocument() . We don't check the return value and use the document. When dealing with anonymous boxes, like in this case, the return value of document is NULL, thus there is a crash. 29130 3 mitz 2007-02-01 15:10:07 -0800 Confirmed. Reproducible crashers are P1. 27661 4 mjs 2007-02-04 11:48:32 -0800 <rdar://problem/4975123> 26649 5 12976 mitz 2007-02-06 10:07:06 -0800 Created attachment 12976 Change ->element()->document() to ->document() to work with anonymous objects Includes layout test and change log 26627 6 12976 darin 2007-02-06 10:21:50 -0800 Comment on attachment 12976 Change ->element()->document() to ->document() to work with anonymous objects r=me 26560 7 ap 2007-02-06 12:36:25 -0800 Committed revision 19435. 12976 2007-02-06 10:07:06 -0800 2007-02-06 10:21:50 -0800 Change ->element()->document() to ->document() to work with anonymous objects 12518_r1.patch text/plain 3863 mitz SW5kZXg6IExheW91dFRlc3RzL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBMYXlvdXRUZXN0cy9D aGFuZ2VMb2cJKHJldmlzaW9uIDE5NDMzKQorKysgTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCSh3b3Jr aW5nIGNvcHkpCkBAIC0xLDMgKzEsMTMgQEAKKzIwMDctMDItMDYgIE1pdHogUGV0dGVsICA8bWl0 ekB3ZWJraXQub3JnPgorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisg ICAgICAgIC0gdGVzdCBmb3IgaHR0cDovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9 MTI1MTgKKyAgICAgICAgICBCZXRzc29uLmNvbSBjcmFzaGVzIGJyb3dzZXIKKworICAgICAgICAq IGZhc3QvbGF5ZXJzL2dlbmVyYXRlZC1sYXllci1zY3JvbGxiYXItY3Jhc2gtZXhwZWN0ZWQudHh0 OiBBZGRlZC4KKyAgICAgICAgKiBmYXN0L2xheWVycy9nZW5lcmF0ZWQtbGF5ZXItc2Nyb2xsYmFy LWNyYXNoLmh0bWw6IEFkZGVkLgorCiAyMDA3LTAyLTA2ICBFcmljIFNlaWRlbCAgPGVyaWNAd2Vi a2l0Lm9yZz4KIAogICAgICAgICBSZXZpZXdlZCBieSBtaXR6LgpJbmRleDogTGF5b3V0VGVzdHMv ZmFzdC9sYXllcnMvZ2VuZXJhdGVkLWxheWVyLXNjcm9sbGJhci1jcmFzaC1leHBlY3RlZC50eHQK PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PQotLS0gTGF5b3V0VGVzdHMvZmFzdC9sYXllcnMvZ2VuZXJhdGVkLWxheWVyLXNj cm9sbGJhci1jcmFzaC1leHBlY3RlZC50eHQJKHJldmlzaW9uIDApCisrKyBMYXlvdXRUZXN0cy9m YXN0L2xheWVycy9nZW5lcmF0ZWQtbGF5ZXItc2Nyb2xsYmFyLWNyYXNoLWV4cGVjdGVkLnR4dAko cmV2aXNpb24gMCkKQEAgLTAsMCArMSw1IEBACitUZXN0IGZvciBodHRwOi8vYnVncy53ZWJraXQu b3JnL3Nob3dfYnVnLmNnaT9pZD0xMjUxOCBCZXRzc29uLmNvbSBjcmFzaGVzIGJyb3dzZXIuCisK K05vIGNyYXNoIG1lYW5zIFBBU1MuCisKKwpJbmRleDogTGF5b3V0VGVzdHMvZmFzdC9sYXllcnMv Z2VuZXJhdGVkLWxheWVyLXNjcm9sbGJhci1jcmFzaC5odG1sCj09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIExheW91 dFRlc3RzL2Zhc3QvbGF5ZXJzL2dlbmVyYXRlZC1sYXllci1zY3JvbGxiYXItY3Jhc2guaHRtbAko cmV2aXNpb24gMCkKKysrIExheW91dFRlc3RzL2Zhc3QvbGF5ZXJzL2dlbmVyYXRlZC1sYXllci1z Y3JvbGxiYXItY3Jhc2guaHRtbAkocmV2aXNpb24gMCkKQEAgLTAsMCArMSwyNiBAQAorPGh0bWw+ Cis8aGVhZD4KKyAgICA8dGl0bGU+PC90aXRsZT4KKyAgICA8c3R5bGUgdHlwZT0idGV4dC9jc3Mi PgorICAgICAgICBkaXY6YWZ0ZXIgeworICAgICAgICAgICAgY29udGVudDogIi4iOworICAgICAg ICAgICAgZGlzcGxheTogYmxvY2s7IAorICAgICAgICAgICAgb3ZlcmZsb3c6IHNjcm9sbDsKKyAg ICAgICAgfQorICAgIDwvc3R5bGU+CisgICAgPHNjcmlwdD4KKyAgICAgICAgaWYgKHdpbmRvdy5s YXlvdXRUZXN0Q29udHJvbGxlcikKKyAgICAgICAgICAgIGxheW91dFRlc3RDb250cm9sbGVyLmR1 bXBBc1RleHQoKTsKKyAgICA8L3NjcmlwdD4KKzwvaGVhZD4KKzxib2R5PgorICAgIDxwPgorICAg ICAgICBUZXN0IGZvciA8aT48YSBocmVmPSJodHRwOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVn LmNnaT9pZD0xMjUxOCI+aHR0cDovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTI1 MTg8L2E+CisgICAgICAgIEJldHNzb24uY29tIGNyYXNoZXMgYnJvd3NlcjwvaT4uCisgICAgPC9w PgorICAgIDxwPgorICAgICAgICBObyBjcmFzaCBtZWFucyBQQVNTLgorICAgIDwvcD4KKyAgICA8 ZGl2PjwvZGl2PgorPC9ib2R5PgorPC9odG1sPgpJbmRleDogV2ViQ29yZS9DaGFuZ2VMb2cKPT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PQotLS0gV2ViQ29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDE5NDMzKQorKysgV2ViQ29y ZS9DaGFuZ2VMb2cJKHdvcmtpbmcgY29weSkKQEAgLTEsMyArMSwxNyBAQAorMjAwNy0wMi0wNiAg TWl0eiBQZXR0ZWwgIDxtaXR6QHdlYmtpdC5vcmc+CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9C T0RZIChPT1BTISkuCisKKyAgICAgICAgLSBmaXggaHR0cDovL2J1Z3Mud2Via2l0Lm9yZy9zaG93 X2J1Zy5jZ2k/aWQ9MTI1MTgKKyAgICAgICAgICBCZXRzc29uLmNvbSBjcmFzaGVzIGJyb3dzZXIK KworICAgICAgICBUZXN0OiBmYXN0L2xheWVycy9nZW5lcmF0ZWQtbGF5ZXItc2Nyb2xsYmFyLWNy YXNoLmh0bWwKKworICAgICAgICAqIHJlbmRlcmluZy9SZW5kZXJMYXllci5jcHA6CisgICAgICAg IChXZWJDb3JlOjpSZW5kZXJMYXllcjo6Y3JlYXRlU2Nyb2xsYmFyKTogQ2hhbmdlZCBlbGVtZW50 KCktPmRvY3VtZW50KCkgdG8KKyAgICAgICAgZG9jdW1lbnQoKSB0byB3b3JrIHdpdGggYW5vbnlt b3VzIG9iamVjdHMuCisgICAgICAgIChXZWJDb3JlOjpSZW5kZXJMYXllcjo6dXBkYXRlT3ZlcmZs b3dTdGF0dXMpOiBEaXR0by4KKwogMjAwNy0wMi0wNiAgRXJpYyBTZWlkZWwgIDxlcmljQHdlYmtp dC5vcmc+CiAKICAgICAgICAgUmV2aWV3ZWQgYnkgbWl0ei4KSW5kZXg6IFdlYkNvcmUvcmVuZGVy aW5nL1JlbmRlckxheWVyLmNwcAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBXZWJDb3JlL3JlbmRlcmluZy9SZW5k ZXJMYXllci5jcHAJKHJldmlzaW9uIDE5NDI1KQorKysgV2ViQ29yZS9yZW5kZXJpbmcvUmVuZGVy TGF5ZXIuY3BwCSh3b3JraW5nIGNvcHkpCkBAIC05ODcsNyArOTg3LDcgQEAgUGFzc1JlZlB0cjxT Y3JvbGxiYXI+IFJlbmRlckxheWVyOjpjcmVhdAogewogICAgIGlmIChTY3JvbGxiYXI6Omhhc1Bs YXRmb3JtU2Nyb2xsYmFycygpKSB7CiAgICAgICAgIFJlZlB0cjxQbGF0Zm9ybVNjcm9sbGJhcj4g d2lkZ2V0ID0gbmV3IFBsYXRmb3JtU2Nyb2xsYmFyKHRoaXMsIG9yaWVudGF0aW9uLCBSZWd1bGFy U2Nyb2xsYmFyKTsKLSAgICAgICAgbV9vYmplY3QtPmVsZW1lbnQoKS0+ZG9jdW1lbnQoKS0+dmll dygpLT5hZGRDaGlsZCh3aWRnZXQuZ2V0KCkpOworICAgICAgICBtX29iamVjdC0+ZG9jdW1lbnQo KS0+dmlldygpLT5hZGRDaGlsZCh3aWRnZXQuZ2V0KCkpOwogICAgICAgICByZXR1cm4gd2lkZ2V0 LnJlbGVhc2UoKTsKICAgICB9CiAgICAgCkBAIC0xMTYxLDcgKzExNjEsNyBAQCB2b2lkIFJlbmRl ckxheWVyOjp1cGRhdGVPdmVyZmxvd1N0YXR1cyhiCiAgICAgICAgIG1faG9yaXpvbnRhbE92ZXJm bG93ID0gaG9yaXpvbnRhbE92ZXJmbG93OwogICAgICAgICBtX3ZlcnRpY2FsT3ZlcmZsb3cgPSB2 ZXJ0aWNhbE92ZXJmbG93OwogICAgICAgICAKLSAgICAgICAgaWYgKEZyYW1lVmlldyogZnJhbWVW aWV3ID0gbV9vYmplY3QtPmVsZW1lbnQoKS0+ZG9jdW1lbnQoKS0+dmlldygpKQorICAgICAgICBp ZiAoRnJhbWVWaWV3KiBmcmFtZVZpZXcgPSBtX29iamVjdC0+ZG9jdW1lbnQoKS0+dmlldygpKQog ICAgICAgICAgICAgZnJhbWVWaWV3LT5zY2hlZHVsZUV2ZW50KG5ldyBPdmVyZmxvd0V2ZW50KGhv cml6b250YWxPdmVyZmxvd0NoYW5nZWQsIGhvcml6b250YWxPdmVyZmxvdywgdmVydGljYWxPdmVy Zmxvd0NoYW5nZWQsIHZlcnRpY2FsT3ZlcmZsb3cpLAogICAgICAgICAgICAgRXZlbnRUYXJnZXRO b2RlQ2FzdChtX29iamVjdC0+ZWxlbWVudCgpKSwgdHJ1ZSk7CiAgICAgfQo=