Bug 33006

Summary: Crashing with CSS hover and -webkit-box-shadow on Safari, Latest WebKit
Product: WebKit
Reporter: Taiyo Fujii <taiyoster>
Component: CSS
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE
Severity: Critical
CC: phiw2, tony, webkit9
Priority: P1
Keywords: HasReduction, InRadar
Version: 528+ (Nightly build)
Hardware: Mac (Intel)
OS: OS X 10.6
URL: http://taiyolab.com/webkitreport/mouse_event_crash.html

Description Taiyo Fujii 2009-12-28 19:41:58 PST
An element styled with "-webkit-box-shadow" and the CSS pseudo-class "hover" causes Safari 4 and WebKit.app to crash.

Reproducing BUG
http://taiyolab.com/webkitreport/mouse_event_crash.html

1. Place your pointer on "Upper container"
2. Safari 4, WebKit.app crashes.

Related crashed thread on log

Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x00007fff8287dde6 WebCore::RenderLayer::updateHoverActiveState(WebCore::HitTestRequest const&, WebCore::HitTestResult&) + 582
1   com.apple.WebCore             	0x00007fff8287ca20 WebCore::RenderLayer::hitTest(WebCore::HitTestRequest const&, WebCore::HitTestResult&) + 224
2   com.apple.WebCore             	0x00007fff8287c89b WebCore::Document::prepareMouseEvent(WebCore::HitTestRequest const&, WebCore::IntPoint const&, WebCore::PlatformMouseEvent const&) + 91
3   com.apple.WebCore             	0x00007fff8287c6e0 WebCore::EventHandler::prepareMouseEvent(WebCore::HitTestRequest const&, WebCore::PlatformMouseEvent const&) + 80
4   com.apple.WebCore             	0x00007fff8287c2a5 WebCore::EventHandler::handleMouseMoveEvent(WebCore::PlatformMouseEvent const&, WebCore::HitTestResult*) + 389
5   com.apple.WebCore             	0x00007fff8287c06a WebCore::EventHandler::mouseMoved(WebCore::PlatformMouseEvent const&) + 74
6   com.apple.WebCore             	0x00007fff8287bcba WebCore::EventHandler::mouseMoved(NSEvent*) + 202
7   com.apple.WebKit              	0x00007fff8231511f -[WebHTMLView(WebPrivate) _updateMouseoverWithEvent:] + 927
8   com.apple.Foundation          	0x00007fff80c6c85a _nsnote_callback + 167
9   com.apple.CoreFoundation      	0x00007fff855a0e3a __CFXNotificationPost + 954
10  com.apple.CoreFoundation      	0x00007fff8558d3e8 _CFXNotificationPostNotification + 200
11  com.apple.Foundation          	0x00007fff80c637c4 -[NSNotificationCenter postNotificationName:object:userInfo:] + 101
12  com.apple.AppKit              	0x00007fff8808252a forwardMethod + 104
13  com.apple.AppKit              	0x00007fff8808252a forwardMethod + 104
14  com.apple.AppKit              	0x00007fff8808252a forwardMethod + 104
15  com.apple.AppKit              	0x00007fff8808252a forwardMethod + 104
16  com.apple.AppKit              	0x00007fff8808252a forwardMethod + 104
17  com.apple.AppKit              	0x00007fff8808252a forwardMethod + 104
18  com.apple.AppKit              	0x00007fff8808252a forwardMethod + 104
19  com.apple.AppKit              	0x00007fff8808252a forwardMethod + 104
20  com.apple.AppKit              	0x00007fff881503af -[NSWindow sendEvent:] + 8769
21  com.apple.Safari              	0x0000000100049117 0x100000000 + 299287
22  com.apple.AppKit              	0x00007fff88084c19 -[NSApplication sendEvent:] + 4198
23  com.apple.Safari              	0x0000000100031c10 0x100000000 + 203792
24  com.apple.AppKit              	0x00007fff8801b796 -[NSApplication run] + 474
25  com.apple.AppKit              	0x00007fff88014468 NSApplicationMain + 364
26  com.apple.Safari              	0x0000000100001a28 0x100000000 + 6696

Comment 1 Mark Rowe (bdash) 2009-12-28 22:02:12 PST
<rdar://problem/6979914>

Comment 2 Mike Moretti 2010-01-05 05:56:17 PST
Actually, this has nothing to do with -webkit-box-shadow, the bug occurs because of the .upper:hover + .lower style.  The problem is that when you hover over the upper div and then immediately move the mouse to the lower div, the upper div's style is not hover any more and so updateHoverActiveState gets confused and crashes.  I'm still looking into this crash further but wanted to at least mention the cause.  If anyone has any ideas how we can do an automated test case for this (for when it's fixed) please comment.  I don't know how we can mimic this particular mouse movement in code.

Comment 3 Taiyo Fujii 2010-01-05 18:09:52 PST
How about considering Quartz Event Services?
http://developer.apple.com/mac/library/documentation/Carbon/Reference/QuartzEventServicesRef/Reference/reference.html

CGEventCreateMouseEvent sends global events to the application.

I don't know about the WebKit test process (and I am not a developer), but Quartz Event Services helps your test.


(In reply to comment #2)
> Actually, this has nothing to do with -webkit-box-shadow, the bug occurs
> because of the .upper:hover + .lower style.  The problem is that when you
> hover over the upper div and then immediately move the mouse to the lower div,
> the upper div's style is not hover any more and so updateHoverActiveState gets
> confused and crashes.  I'm still looking into this crash further but wanted to
> at least mention the cause.  If anyone has any ideas how we can do an automated
> test case for this (for when it's fixed) please comment.  I don't know how we
> can mimic this particular mouse movement in code.

Comment 4 Tony Chang 2010-03-02 21:55:33 PST

*** This bug has been marked as a duplicate of bug 26515 ***