Bug 133500

Summary: Regression(r169547): Crash in WebCore::styleForFirstLetter() while loading http://thenextweb.com/apple/2014/02/21/apple-confirms-acquired-testflight-creator-burstly/
Product: WebKit Reporter: zalan <zalan>
Component: CSSAssignee: Benjamin Poulain <benjamin>
Status: RESOLVED FIXED    
Severity: Normal CC: allan.jensen, commit-queue, esprehn+autocc, georgij.michaliutin, glenn, gyuyoung.kim, macpherson, menard, ysuzuki
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
URL: http://thenextweb.com/apple/2014/02/21/apple-confirms-acquired-testflight-creator-burstly/
Attachments:
Description Flags
Patch none

zalan
Reported 2014-06-03 20:54:06 PDT
WebKit crashes while loading http://thenextweb.com/apple/2014/02/21/apple-confirms-acquired-testflight-creator-burstly/ Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000058 Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x00000001074e24b1 WebCore::styleForFirstLetter(WebCore::RenderObject*, WebCore::RenderObject*) + 113 1 com.apple.WebCore 0x00000001074e24f6 WebCore::RenderBlock::createFirstLetterRenderer(WebCore::RenderObject*, WebCore::RenderText*) + 38 2 com.apple.WebCore 0x0000000106a6ecb6 WebCore::RenderBlock::updateFirstLetter() + 150 3 com.apple.WebCore 0x0000000106a6e9c6 WebCore::RenderBlock::layout() + 38 4 com.apple.WebCore 0x00000001074eaa75 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 725 5 com.apple.WebCore 0x00000001074e9bda WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 442 6 com.apple.WebCore 0x00000001074e8fe8 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 728 7 com.apple.WebCore 0x0000000106a6e9d6 WebCore::RenderBlock::layout() + 54 8 com.apple.WebCore 0x00000001074eaa75 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 725 9 com.apple.WebCore 0x00000001074e9bda WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 442 10 com.apple.WebCore 0x00000001074e8fe8 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 728 11 com.apple.WebCore 0x0000000106a6e9d6 WebCore::RenderBlock::layout() + 54 12 com.apple.WebCore 0x00000001074eaa75 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 725 13 com.apple.WebCore 0x00000001074e9bda WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 442 14 com.apple.WebCore 0x00000001074e8fe8 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 728 15 com.apple.WebCore 0x0000000106a6e9d6 WebCore::RenderBlock::layout() + 54 16 com.apple.WebCore 0x00000001074eaa75 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 725 17 com.apple.WebCore 0x00000001074e9bda WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 442 18 com.apple.WebCore 0x00000001074e8fe8 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 728 19 com.apple.WebCore 0x0000000106a6e9d6 WebCore::RenderBlock::layout() + 54 20 com.apple.WebCore 0x00000001074eaa75 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 725 21 com.apple.WebCore 0x00000001074e9bda WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 442 22 com.apple.WebCore 0x00000001074e8fe8 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 728 23 com.apple.WebCore 0x0000000106a6e9d6 WebCore::RenderBlock::layout() + 54 24 com.apple.WebCore 0x00000001074eaa75 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 725 25 com.apple.WebCore 0x00000001074e9bda WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 442 26 com.apple.WebCore 0x00000001074e8fe8 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 728 27 com.apple.WebCore 0x0000000106a6e9d6 WebCore::RenderBlock::layout() + 54 28 com.apple.WebCore 0x00000001074eaa75 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 725 29 com.apple.WebCore 0x00000001074e9bda WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 442 30 com.apple.WebCore 0x00000001074e8fe8 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 728 31 com.apple.WebCore 0x0000000106a6e9d6 WebCore::RenderBlock::layout() + 54 32 com.apple.WebCore 0x00000001074eaa75 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 725 33 com.apple.WebCore 0x00000001074e9bda WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 442 34 com.apple.WebCore 0x00000001074e8fe8 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 728 35 com.apple.WebCore 0x0000000106a6e9d6 WebCore::RenderBlock::layout() + 54 36 com.apple.WebCore 0x00000001074eaa75 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 725 37 com.apple.WebCore 0x00000001074e9bda WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 442 38 com.apple.WebCore 0x00000001074e8fe8 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 728 39 com.apple.WebCore 0x0000000106a6e9d6 WebCore::RenderBlock::layout() + 54 40 com.apple.WebCore 0x00000001074eaa75 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 725 41 com.apple.WebCore 0x00000001074e9bda WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 442 42 com.apple.WebCore 0x00000001074e8fe8 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 728 43 com.apple.WebCore 0x0000000106a6e9d6 WebCore::RenderBlock::layout() + 54 44 com.apple.WebCore 0x00000001074eaa75 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 725 45 com.apple.WebCore 0x00000001074e9bda WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 442 46 com.apple.WebCore 0x00000001074e8fe8 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 728 47 com.apple.WebCore 0x0000000106a6e9d6 WebCore::RenderBlock::layout() + 54 48 com.apple.WebCore 0x00000001074eaa75 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 725 49 com.apple.WebCore 0x00000001074e9bda WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 442 50 com.apple.WebCore 0x00000001074e8fe8 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 728 51 com.apple.WebCore 0x0000000106a6e9d6 WebCore::RenderBlock::layout() + 54 52 com.apple.WebCore 0x0000000106a6e835 WebCore::RenderView::layout() + 725 53 com.apple.WebCore 0x0000000106a69e1c WebCore::FrameView::layout(bool) + 1996 54 com.apple.WebCore 0x0000000106b071ff WebCore::Document::updateLayout() + 175 55 com.apple.WebCore 0x0000000106e785d6 WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks) + 262 56 com.apple.WebCore 0x0000000106ba884d WebCore::Element::clientHeight() + 29 57 com.apple.WebCore 0x00000001071797c6 WebCore::jsElementClientHeight(JSC::ExecState*, JSC::JSObject*, long long, JSC::PropertyName) + 166 58 com.apple.JavaScriptCore 0x0000000108345f34 JSC::JSValue::get(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const + 532 59 com.apple.JavaScriptCore 0x00000001084c38f1 llint_slow_path_get_by_id + 273 60 com.apple.JavaScriptCore 0x00000001086a2fb1 llint_entry + 10037 61 com.apple.JavaScriptCore 0x00000001086a614c llint_entry + 22736 62 com.apple.JavaScriptCore 0x00000001086a614c llint_entry + 22736 63 com.apple.JavaScriptCore 0x00000001086a614c llint_entry + 22736 64 com.apple.JavaScriptCore 0x00000001086a614c llint_entry + 22736 65 com.apple.JavaScriptCore 0x00000001086a614c llint_entry + 22736 66 com.apple.JavaScriptCore 0x00000001086a064d callToJavaScript + 321 67 com.apple.JavaScriptCore 0x0000000108635563 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 35 68 com.apple.JavaScriptCore 0x000000010830942b JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) + 4747 69 com.apple.JavaScriptCore 0x0000000108307fc8 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) + 488 70 com.apple.WebCore 0x00000001075cfa00 WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&) + 304 71 com.apple.WebCore 0x0000000106aba3d9 WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&) + 41 72 com.apple.WebCore 0x0000000106aba26f WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) + 447 73 com.apple.WebCore 0x0000000106b0e2ea WebCore::HTMLScriptRunner::executePendingScriptAndDispatchEvent(WebCore::PendingScript&) + 234 74 com.apple.WebCore 0x0000000106b0e1db WebCore::HTMLScriptRunner::executeParsingBlockingScript() + 267 75 com.apple.WebCore 0x0000000106ad0a0f WebCore::HTMLScriptRunner::executeParsingBlockingScripts() + 95 76 com.apple.WebCore 0x0000000106ab8994 WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() + 84 77 com.apple.WebCore 0x0000000106a2a8f8 WebCore::HTMLDocumentParser::canTakeNextToken(WebCore::HTMLDocumentParser::SynchronousMode, WebCore::PumpSession&) + 88 78 com.apple.WebCore 0x0000000106a299c1 WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) + 465 79 com.apple.WebCore 0x0000000106b0ed79 WebCore::HTMLDocumentParser::resumeParsingAfterScriptExecution() + 121 80 com.apple.WebCore 0x0000000106b92572 WebCore::HTMLDocumentParser::notifyFinished(WebCore::CachedResource*) + 82 81 com.apple.WebCore 0x0000000106ad1bb6 WebCore::CachedResource::checkNotify() + 166 82 com.apple.WebCore 0x0000000106ad18fc WebCore::SubresourceLoader::didFinishLoading(double) + 92 83 com.apple.WebKit 0x000000010668235d WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection*, IPC::MessageDecoder&) + 549 84 com.apple.WebKit 0x00000001065986dc WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection*, IPC::MessageDecoder&) + 138 85 com.apple.WebKit 0x0000000106548aaa IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) + 94 86 com.apple.WebKit 0x000000010654ac24 IPC::Connection::dispatchOneMessage() + 106 87 com.apple.JavaScriptCore 0x000000010873c3a5 WTF::RunLoop::performWork() + 421 88 com.apple.JavaScriptCore 0x000000010873ca82 WTF::RunLoop::performWork(void*) + 34 89 com.apple.CoreFoundation 0x00007fff81de6731 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17 90 com.apple.CoreFoundation 0x00007fff81dd7ea2 __CFRunLoopDoSources0 + 242 91 com.apple.CoreFoundation 0x00007fff81dd762f __CFRunLoopRun + 831 92 com.apple.CoreFoundation 0x00007fff81dd70b5 CFRunLoopRunSpecific + 309 93 com.apple.HIToolbox 0x00007fff8cadea0d RunCurrentEventLoopInMode + 226 94 com.apple.HIToolbox 0x00007fff8cade7b7 ReceiveNextEventCommon + 479 95 com.apple.HIToolbox 0x00007fff8cade5bc _BlockUntilNextEventMatchingListInModeWithFilter + 65 96 com.apple.AppKit 0x00007fff81ffa3de _DPSNextEvent + 1434 97 com.apple.AppKit 0x00007fff81ff9a2b -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 122 98 com.apple.AppKit 0x00007fff81fedb2c -[NSApplication run] + 553 99 com.apple.AppKit 0x00007fff81fd8913 NSApplicationMain + 940 100 com.apple.XPCService 0x00007fff8e282c0f _xpc_main + 385 101 libxpc.dylib 0x00007fff85720bde xpc_main + 399 102 com.apple.WebKit.WebContent.Development 0x00000001021fe630 0x1021fd000 + 5680 103 libdyld.dylib 0x00007fff87d1d5fd start + 1
Attachments
Patch (7.50 KB, patch)
2014-06-04 14:37 PDT, Benjamin Poulain 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Benjamin Poulain
Comment 1 2014-06-03 21:46:43 PDT
Ok, I have an idea of what is going on. Some selector must have ::first-letter, but does not actually match. When matching the rightmost fragment, we set the FIRST_LETTER flag on the style. When generating the blocks for layout, RenderBlock find that one block has FIRST_LETTER, and try to get its style. Since the selector does not actually match, the style never resolve and the code continue with a null style.
Benjamin Poulain
Comment 2 2014-06-04 14:37:12 PDT
Created attachment 232501 [details] Patch
Benjamin Poulain
Comment 3 2014-06-04 14:37:49 PDT
<rdar://problem/17154371>
Benjamin Poulain
Comment 4 2014-06-04 15:09:11 PDT
Comment on attachment 232501 [details] Patch Clearing flags on attachment: 232501 Committed r169599: <http://trac.webkit.org/changeset/169599>
Benjamin Poulain
Comment 5 2014-06-04 15:09:17 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.