Bug 12518

Summary: Betsson.com crashes browser
Product: WebKit
Reporter: Yael <yael>
Component: New Bugs
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Major
CC: mitz, yael
Priority: P1
Keywords: InRadar
Version: 420+
Hardware: Mac
OS: OS X 10.4
Attachments:
Change ->element()->document() to ->document() to work with anonymous objects (Flags: darin: review+)

Yael
Reported 2007-01-31 17:36:02 PST
[S60] Bug ID MLIO-6XWP2K BrowserNG: Betsson.com crashes browser
1) Open Browser, browse to http://www.betsson.com
2) Select the web pages in Finnish and then open link Urheilupeli (or in English and then link Sportsbook)
The same callstack was visible in the ToT version of Safari on my MacBook.
Attachments
Change ->element()->document() to ->document() to work with anonymous objects (3.77 KB, patch), 2007-02-06 10:07 PST, mitz (Flags: darin: review+)
Yael
Comment 1 2007-01-31 18:24:52 PST
Callstack in Safari:
#0 0x02cfaa8b in WebCore::Node::document at Node.h:268
#1 0x02a3a76e in WebCore::RenderLayer::createScrollbar at RenderLayer.cpp:985
#2 0x02a3a950 in WebCore::RenderLayer::setHasHorizontalScrollbar at RenderLayer.cpp:1011
#3 0x02a18892 in WebCore::RenderBlock::layoutBlock at RenderBlock.cpp:486
#4 0x02a0d066 in WebCore::RenderBlock::layout at RenderBlock.cpp:421
#5 0x02d78edf in WebCore::RenderObject::layoutIfNeeded at bidi.h:509
#6 0x02a1807e in WebCore::RenderBlock::layoutBlockChildren at RenderBlock.cpp:1103
#7 0x02a18947 in WebCore::RenderBlock::layoutBlock at RenderBlock.cpp:495
#8 0x02a0d066 in WebCore::RenderBlock::layout at RenderBlock.cpp:421
#9 0x02d78edf in WebCore::RenderObject::layoutIfNeeded at bidi.h:509
#10 0x02a1807e in WebCore::RenderBlock::layoutBlockChildren at RenderBlock.cpp:1103
#11 0x02a18947 in WebCore::RenderBlock::layoutBlock at RenderBlock.cpp:495
#12 0x02a0d066 in WebCore::RenderBlock::layout at RenderBlock.cpp:421
#13 0x02d78edf in WebCore::RenderObject::layoutIfNeeded at bidi.h:509
#14 0x02a061da in WebCore::RenderBlock::layoutInlineChildren at bidi.cpp:1532
#15 0x02a18908 in WebCore::RenderBlock::layoutBlock at RenderBlock.cpp:493
#16 0x02a0d066 in WebCore::RenderBlock::layout at RenderBlock.cpp:421
#17 0x02d78edf in WebCore::RenderObject::layoutIfNeeded at bidi.h:509
#18 0x02a16f94 in WebCore::RenderBlock::insertFloatingObject at RenderBlock.cpp:1854
#19 0x02a17b7d in WebCore::RenderBlock::handleFloatingChild at RenderBlock.cpp:666
#20 0x02a17c0a in WebCore::RenderBlock::handleSpecialChild at RenderBlock.cpp:638
#21 0x02a17eac in WebCore::RenderBlock::layoutBlockChildren at RenderBlock.cpp:1070
#22 0x02a18947 in WebCore::RenderBlock::layoutBlock at RenderBlock.cpp:495
#23 0x02a0d066 in WebCore::RenderBlock::layout at RenderBlock.cpp:421
#24 0x02d78edf in WebCore::RenderObject::layoutIfNeeded at bidi.h:509
#25 0x02a1807e in WebCore::RenderBlock::layoutBlockChildren at RenderBlock.cpp:1103
#26 0x02a18947 in WebCore::RenderBlock::layoutBlock at RenderBlock.cpp:495
#27 0x02a0d066 in WebCore::RenderBlock::layout at RenderBlock.cpp:421
#28 0x02d78edf in WebCore::RenderObject::layoutIfNeeded at bidi.h:509
#29 0x02a1807e in WebCore::RenderBlock::layoutBlockChildren at RenderBlock.cpp:1103
#30 0x02a18947 in WebCore::RenderBlock::layoutBlock at RenderBlock.cpp:495
#31 0x02a0d066 in WebCore::RenderBlock::layout at RenderBlock.cpp:421
#32 0x02d78edf in WebCore::RenderObject::layoutIfNeeded at bidi.h:509
#33 0x02a1807e in WebCore::RenderBlock::layoutBlockChildren at RenderBlock.cpp:1103
#34 0x02a18947 in WebCore::RenderBlock::layoutBlock at RenderBlock.cpp:495
#35 0x02a0d066 in WebCore::RenderBlock::layout at RenderBlock.cpp:421
#36 0x02a23943 in WebCore::RenderView::layout at RenderView.cpp:119
#37 0x029a8393 in WebCore::FrameView::layout at FrameView.cpp:509
#38 0x029a86af in WebCore::FrameView::layoutTimerFired at FrameView.cpp:1311
#39 0x02d523c5 in WebCore::Timer<WebCore::FrameView>::fired at Timer.h:96
#40 0x02ac0ab2 in WebCore::TimerBase::fireTimers at Timer.cpp:336
#41 0x02ac0b4f in WebCore::TimerBase::sharedTimerFired at Timer.cpp:353
#42 0x02ac0206 in WebCore::timerFired at SharedTimerMac.cpp:46
#43 0x9082b822 in CFRunLoopRunSpecific
#44 0x9082ab0e in CFRunLoopRunInMode
#45 0x92ddabef in RunCurrentEventLoopInMode
#46 0x92dda2fd in ReceiveNextEventCommon
#47 0x92dda154 in BlockUntilNextEventMatchingListInMode
#48 0x9327f465 in _DPSNextEvent
#49 0x9327f056 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:]
#50 0x00006cea in ??
#51 0x93278ddb in -[NSApplication run]
#52 0x9326cd2f in NSApplicationMain
Yael
Comment 2 2007-02-01 08:47:33 PST
This bug was reported originally against the S60 Browser, but can be reproduced also on the latest Safari code. The problem is that we make extensive use of m_object->document(), or m_object->element()->getDocument(). We don't check the return value and use the document. When dealing with anonymous boxes, as in this case, the return value of document is NULL, and thus there is a crash.
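The null-element pattern described in Comment 2, as an added illustration written for this page (it is not WebKit code; the Document, Node and RenderObject classes below are a simplified model of WebCore's, and the sample tree is constructed for the example): anonymous render objects have no DOM node behind them, so reaching the document through element() dereferences a null pointer, while the renderer's own document() pointer is valid for every object in the tree, which is why the patch switches to it.

```cpp
#include <cstdio>
#include <initializer_list>
#include <string>

// Simplified model of the relationship between the DOM and the render tree.
// These are stand-ins for WebCore::Document, WebCore::Node and WebCore::RenderObject,
// not the real classes.
struct Document {
    std::string url;
};

struct Node {
    Document* m_document;
    Document* document() const { return m_document; }
};

class RenderObject {
public:
    RenderObject(Document* document, Node* node) : m_document(document), m_node(node) {}

    // Anonymous boxes (for example the block wrappers the layout engine inserts around
    // inline runs or floats) are created by the render tree itself and have no DOM node,
    // so element() is null for them.
    Node* element() const { return m_node; }

    // Every render object, anonymous or not, belongs to exactly one document, so this
    // accessor never returns null.
    Document* document() const { return m_document; }

    bool isAnonymous() const { return m_node == nullptr; }

private:
    Document* m_document;
    Node* m_node;
};

// The pre-fix pattern (renderer -> element -> document). The real code had no null
// check and dereferenced the null element inside Node::document(); here the check
// stands in for the crash so the caller can observe which objects trigger it.
Document* documentViaElement(const RenderObject& r) {
    Node* node = r.element();
    if (!node)
        return nullptr; // the original code would crash at this point
    return node->document();
}

// The post-fix pattern: ask the renderer directly.
Document* documentViaRenderer(const RenderObject& r) {
    return r.document();
}

// Count how many of the given render objects the old accessor would have crashed on,
// i.e. how many are anonymous.
int countOldPatternCrashes(std::initializer_list<const RenderObject*> objects) {
    int crashes = 0;
    for (const RenderObject* r : objects) {
        if (documentViaElement(*r) == nullptr)
            ++crashes;
    }
    return crashes;
}

// Constructed sample tree for this example: one block backed by a <div> node and one
// anonymous block in the same document.
static Document g_document{"http://example.test/"};
static Node g_divNode{&g_document};
static RenderObject g_divBlock(&g_document, &g_divNode);
static RenderObject g_anonymousBlock(&g_document, nullptr);

int main() {
    std::printf("div block: anonymous=%d via element=%p via renderer=%p\n",
                (int)g_divBlock.isAnonymous(),
                (void*)documentViaElement(g_divBlock),
                (void*)documentViaRenderer(g_divBlock));
    std::printf("anonymous block: anonymous=%d via element=%p via renderer=%p\n",
                (int)g_anonymousBlock.isAnonymous(),
                (void*)documentViaElement(g_anonymousBlock),
                (void*)documentViaRenderer(g_anonymousBlock));
    std::printf("objects the old pattern would crash on: %d\n",
                countOldPatternCrashes({&g_divBlock, &g_anonymousBlock}));
    return 0;
}
```

The point the example makes is the one behind the one-line fix: the element pointer is a nullable property of a renderer, the document pointer is not, so code that runs during layout (where anonymous boxes are common) should take the document from the renderer rather than from an element it may not have.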
mitz
Comment 3 2007-02-01 15:10:07 PST
Confirmed. Reproducible crashers are P1.
Maciej Stachowiak
Comment 4 2007-02-04 11:48:32 PST
mitz
Comment 5 2007-02-06 10:07:06 PST
Created attachment 12976: Change ->element()->document() to ->document() to work with anonymous objects. Includes layout test and change log.
Darin Adler
Comment 6 2007-02-06 10:21:50 PST
Comment on attachment 12976 (Change ->element()->document() to ->document() to work with anonymous objects): r=me
Alexey Proskuryakov
Comment 7 2007-02-06 12:36:25 PST
Committed revision 19435.