Bug 31642
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | Crash in RenderObject::destroy() | | |
| Product | WebKit | Reporter | James Robinson <jamesr> |
| Component | WebCore Misc. | Assignee | Nobody <webkit-unassigned> |
| Status | RESOLVED FIXED | | |
| Severity | Normal | CC | rolandsteiner |
| Priority | P2 | | |
| Version | 528+ (Nightly build) | | |
| Hardware | All | | |
| OS | All | | |
| URL | http://journal.mycom.co.jp/news/2009/11/18/015/index.html | | |
James Robinson
The URL above consistently crashes WebKit nightlies during page load (be sure to click through the ad if one shows). It looks like a virtual function is being called on a destroyed/corrupt object.
This looks like a regression from Safari 4.0.3's version of WebKit.
James Robinson
Here's what the top of the stack looks like (from a Chromium build):
```text
chrome.dll!WebCore::RenderObject::destroy() Line 1862 + 0xa bytes C++
chrome.dll!WebCore::RenderBoxModelObject::destroy() Line 76 C++
chrome.dll!WebCore::RenderBox::destroy() Line 96 C++
chrome.dll!WebCore::RenderBlock::destroy() Line 197 C++
chrome.dll!WebCore::RenderObjectChildList::destroyLeftoverChildren() Line 59 + 0x1d bytes C++
chrome.dll!WebCore::RenderInline::destroy() Line 62 C++
chrome.dll!WebCore::Node::detach() Line 1256 + 0x1d bytes C++
chrome.dll!WebCore::ContainerNode::detach() Line 591 C++
chrome.dll!WebCore::Element::detach() Line 759 C++
chrome.dll!WebCore::ContainerNode::removeChild(WebCore::Node * oldChild=0x0ade8b00, int & ec=0) Line 344 + 0x1d bytes C++
chrome.dll!WebCore::HTMLParser::handleResidualStyleCloseTagAcrossBlocks(WebCore::HTMLStackElem * elem=0x09e05ec0) Line 1225 + 0x2b bytes C++
chrome.dll!WebCore::HTMLParser::popBlock(const WebCore::AtomicString & tagName={...}, bool reportErrors=true) Line 1408 + 0xc bytes C++
chrome.dll!WebCore::HTMLParser::processCloseTag(WebCore::Token * t=0x0676b420) Line 994 C++
chrome.dll!WebCore::HTMLParser::parseToken(WebCore::Token * t=0x0676b420) Line 228 C++
chrome.dll!WebCore::HTMLTokenizer::processToken() Line 1934 + 0x20 bytes C++
chrome.dll!WebCore::HTMLTokenizer::parseTag(WebCore::SegmentedString & src={...}, WebCore::HTMLTokenizer::State state={...}) Line 1506 + 0xf bytes C++
chrome.dll!WebCore::HTMLTokenizer::write(const WebCore::SegmentedString & str={...}, bool appendData=false) Line 1757 + 0x1d bytes C++
chrome.dll!WebCore::HTMLTokenizer::notifyFinished(WebCore::CachedResource * __formal=0x06deec80) Line 2078 + 0x1c bytes C++
chrome.dll!WebCore::CachedScript::checkNotify() Line 105 + 0x13 bytes C++
chrome.dll!WebCore::CachedScript::data(WTF::PassRefPtr<WebCore::SharedBuffer> data={...}, bool allDataReceived=true) Line 96 C++
chrome.dll!WebCore::Loader::Host::didFinishLoading(WebCore::SubresourceLoader * loader=0x0536c400) Line 368 C++
chrome.dll!WebCore::SubresourceLoader::didFinishLoading() Line 184 + 0x21 bytes C++
```
I kind of suspect that ruby's to blame here - the element on which ContainerNode::removeChild() is called has a tag name "ruby" and its children appear to be somehow corrupt.
Roland Steiner
(In reply to comment #1)
Yes, this is in all likelihood the same issue reported in https://bugs.webkit.org/show_bug.cgi?id=31574.
Roland Steiner
(In reply to comment #2)
> Yes, this is in all likelihood the same issue reported in
> https://bugs.webkit.org/show_bug.cgi?id=31574.
Patch for 31574 has been landed in r51169.