Bug 12061

Summary: Crash in WebCore::Shared<WebCore::StringImpl>::deref
Product: WebKit
Reporter: Mark Rowe (bdash) <mrowe>
Component: New Bugs
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Major
Keywords: HasReduction
Priority: P2
Version: 420+
Hardware: Mac
OS: OS X 10.4
Attachments:
Patch (flags: eric: review+)

Mark Rowe (bdash)
Reported 2007-01-01 16:25:00 PST
<html>
<head>
<title>Test HTML Page</title>
<style type="text/css">
dfn { content: "text"; content: initial; }
</style>
</head>
<body>
<dfn>dfn</dfn>
</body>
</html>

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000004
0x01485ef7 in WebCore::Shared<WebCore::StringImpl>::deref (this=0x0) at Shared.h:47
47          ASSERT(!m_inDestructor);
(gdb) bt
#0  0x01485ef7 in WebCore::Shared<WebCore::StringImpl>::deref (this=0x0) at Shared.h:47
#1  0x01192e27 in WebCore::ContentData::clearContent (this=0x1700f410) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderStyle.cpp:1183
#2  0x01192e75 in WebCore::ContentData::~ContentData (this=0x1700f410) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderStyle.cpp:1169
#3  0x011953b5 in WebCore::RenderStyle::arenaDelete (this=0x170aeffc, arena=0x170ada50) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderStyle.cpp:589
#4  0x014ad21f in WebCore::RenderStyle::deref (this=0x170aeffc, arena=0x170ada50) at RenderStyle.h:980
#5  0x012422c2 in WebCore::Element::recalcStyle (this=0x170cbc30, change=WebCore::Node::Force) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/dom/Element.cpp:609
#6  0x01242367 in WebCore::Element::recalcStyle (this=0x170a2850, change=WebCore::Node::Force) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/dom/Element.cpp:621
#7  0x01242367 in WebCore::Element::recalcStyle (this=0x170b1490, change=WebCore::Node::Force) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/dom/Element.cpp:621
#8  0x010f35f4 in WebCore::Document::recalcStyle (this=0x20e1800, change=WebCore::Node::Force) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/dom/Document.cpp:978
#9  0x010f9226 in WebCore::Document::updateStyleSelector (this=0x20e1800) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/dom/Document.cpp:1854
#10 0x010f9712 in WebCore::Document::setUserStyleSheet (this=0x20e1800, sheet=@0x1703ce10) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/dom/Document.cpp:1495
#11 0x010de3e6 in WebCore::Frame::setUserStyleSheet (this=0x29651f0, styleSheet=@0x1703ce10) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/page/Frame.cpp:303
#12 0x014dc59f in WebCore::UserStyleSheetLoader::setCSSStyleSheet (this=0x1700f410, sheet=@0x1703ce10) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/page/Frame.cpp:140
#13 0x011092a2 in WebCore::CachedCSSStyleSheet::checkNotify (this=0x1703cd20) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/loader/CachedCSSStyleSheet.cpp:90
#14 0x01109403 in WebCore::CachedCSSStyleSheet::data (this=0x1703cd20, data=@0x1703eb90, allDataReceived=true) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/loader/CachedCSSStyleSheet.cpp:80
#15 0x0110cd58 in WebCore::Loader::receivedAllData (this=0x1640bb8, loader=0x170dcf30, allData=0x170a7a50) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/loader/loader.cpp:108
#16 0x0137c65c in WebCore::SubresourceLoader::didFinishLoading (this=0x170dcf30) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/loader/mac/SubresourceLoaderMac.mm:195
#17 0x0137859c in WebCore::ResourceLoader::didFinishLoading (this=0x170dcf30) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/loader/mac/ResourceLoaderMac.mm:446
#18 0x013878e3 in -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] (self=0x170b4720, _cmd=0x90a9d160, con=0x2926a50) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/platform/network/mac/ResourceHandleMac.mm:295
#19 0x9265be00 in -[NSURLConnection(NSURLConnectionInternal) _sendDidFinishLoadingCallback] ()
#20 0x92659ea5 in -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] ()
#21 0x92659b41 in _sendCallbacks ()
#22 0x90829379 in CFRunLoopRunSpecific ()
#23 0x90828eb5 in CFRunLoopRunInMode ()
#24 0x92dcdb90 in RunCurrentEventLoopInMode ()
#25 0x92dcd297 in ReceiveNextEventCommon ()
#26 0x92dcd0ee in BlockUntilNextEventMatchingListInMode ()
#27 0x9326f465 in _DPSNextEvent ()
#28 0x9326f056 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#29 0x00006f96 in ?? ()
#30 0x93268ddb in -[NSApplication run] ()
#31 0x9325cd2f in NSApplicationMain ()
#32 0x0005f7de in ?? ()
#33 0x0005f6f9 in ?? ()
(gdb)
Attachments
Patch (2.78 KB, patch)
2007-01-01 17:38 PST, Mark Rowe (bdash)
eric: review+
Mark Rowe (bdash)
Comment 1 2007-01-01 17:38:51 PST
Eric Seidel (no email)
Comment 2 2007-01-01 17:41:57 PST
Comment on attachment 12151 [details] Patch

Personally I prefer test cases to start with PASS: for easy reading. But the change and test look great. r=me
Mark Rowe (bdash)
Comment 3 2007-01-01 17:59:04 PST
Landed in r18510.