Bug 44449

Summary: treebuilder null ptr crash
Product: WebKit
Reporter: Abhishek Arya <inferno>
Component: WebCore Misc.
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: abarth, ap, eric, jamesr, mitz, simon.fraser
Priority: P1
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: All
OS: All

Description Abhishek Arya 2010-08-23 12:25:20 PDT
credit:kuzzcc

Treebuilder issue, null ptr crash, first goes through a couple of asserts

<nobr>
<audio>
<p>
<button autofocus="1"/>
<button autofocus="1"/>
<iframe>
</iframe>
</p>
</audio>
</nobr>

Stacktrace: hits this assert first
 ASSERT(!widgetHierarchyUpdateSuspendCount);

>	chrome.dll!WebCore::RenderWidget::setWidgetGeometry(const WebCore::IntRect & frame=((40,15),(300,150)))  Line 162 + 0x25 bytes	C++
 	chrome.dll!WebCore::RenderWidget::updateWidgetPosition()  Line 346 + 0x35 bytes	C++
 	chrome.dll!WebCore::RenderView::updateWidgetPositions()  Line 588 + 0x13 bytes	C++
 	chrome.dll!WebCore::FrameView::performPostLayoutTasks()  Line 1611	C++
 	chrome.dll!WebCore::FrameView::layout(bool allowSubtree=true)  Line 833	C++
 	chrome.dll!WebCore::Document::updateLayout()  Line 1524	C++
 	chrome.dll!WebCore::Document::updateLayoutIgnorePendingStylesheets()  Line 1556	C++
 	chrome.dll!WebCore::Element::focus(bool restorePreviousSelection=true)  Line 1301	C++
 	chrome.dll!WebCore::HTMLFormControlElement::attach()  Line 144 + 0x14 bytes	C++
 	chrome.dll!WebCore::Element::recalcStyle(WebCore::Node::StyleChange change=NoChange)  Line 906 + 0x12 bytes	C++
 	chrome.dll!WebCore::HTMLFormControlElement::recalcStyle(WebCore::Node::StyleChange change=NoChange)  Line 234	C++
 	chrome.dll!WebCore::Element::recalcStyle(WebCore::Node::StyleChange change=NoChange)  Line 969 + 0x16 bytes	C++
 	chrome.dll!WebCore::Element::recalcStyle(WebCore::Node::StyleChange change=NoChange)  Line 969 + 0x16 bytes	C++
 	chrome.dll!WebCore::Element::recalcStyle(WebCore::Node::StyleChange change=NoChange)  Line 969 + 0x16 bytes	C++
 	chrome.dll!WebCore::Document::recalcStyle(WebCore::Node::StyleChange change=NoChange)  Line 1448 + 0x16 bytes	C++
 	chrome.dll!WebCore::Document::updateStyleIfNeeded()  Line 1492 + 0x14 bytes	C++
 	chrome.dll!WebCore::Document::setFocusedNode(WTF::PassRefPtr<WebCore::Node> newFocusedNode={m_document=0x07e1b000 m_previous=0x0814cd00 m_next=0x07bff240 ...})  Line 3099 + 0x12 bytes	C++
 	chrome.dll!WebCore::FocusController::setFocusedNode(WebCore::Node * node=0x07bf5d20, WTF::PassRefPtr<WebCore::Frame> newFocusedFrame=NULL)  Line 629	C++
 	chrome.dll!WebCore::Element::focus(bool restorePreviousSelection=true)  Line 1316	C++
 	chrome.dll!WebCore::HTMLFormControlElement::attach()  Line 144 + 0x14 bytes	C++
 	chrome.dll!WebCore::ContainerNode::attach()  Line 690 + 0x12 bytes	C++
 	chrome.dll!WebCore::Element::attach()  Line 817	C++
 	chrome.dll!WebCore::Node::lazyAttach()  Line 783 + 0x12 bytes	C++
 	chrome.dll!WebCore::HTMLTreeBuilder::callTheAdoptionAgency(WebCore::AtomicHTMLToken & token={...})  Line 1844	C++
 	chrome.dll!WebCore::HTMLTreeBuilder::processEndTagForInBody(WebCore::AtomicHTMLToken & token={...})  Line 2164	C++
 	chrome.dll!WebCore::HTMLTreeBuilder::processEndTag(WebCore::AtomicHTMLToken & token={...})  Line 2298	C++
 	chrome.dll!WebCore::HTMLTreeBuilder::processToken(WebCore::AtomicHTMLToken & token={...})  Line 628	C++
 	chrome.dll!WebCore::HTMLTreeBuilder::constructTreeFromToken(WebCore::HTMLToken & rawToken={...})  Line 611	C++
 	chrome.dll!WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode mode=AllowYield)  Line 214	C++
 	chrome.dll!WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode mode=AllowYield)  Line 162	C++
 	chrome.dll!WebCore::HTMLDocumentParser::append(const WebCore::SegmentedString & source={...})  Line 321	C++
 	chrome.dll!WebCore::DecodedDataDocumentParser::appendBytes(WebCore::DocumentWriter * writer=0x07c9398c, const char * data=0x00000000, int length=0, bool shouldFlush=true)  Line 55 + 0x1f bytes	C++
 	chrome.dll!WebCore::DocumentWriter::addData(const char * str=0x00000000, int len=0, bool flush=true)  Line 200 + 0x20 bytes	C++
 	chrome.dll!WebCore::DocumentWriter::endIfNotLoadingMainResource()  Line 221	C++
 	chrome.dll!WebCore::DocumentWriter::end()  Line 207	C++
 	chrome.dll!WebCore::DocumentLoader::finishedLoading()  Line 271	C++
 	chrome.dll!WebCore::FrameLoader::finishedLoading()  Line 2160	C++
 	chrome.dll!WebCore::MainResourceLoader::didFinishLoading()  Line 442	C++
 	chrome.dll!WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle * __formal=0x07bfe740)  Line 443 + 0xf bytes	C++
 	chrome.dll!WebCore::ResourceHandleInternal::didFinishLoading(WebKit::WebURLLoader * __formal=0x04f4ae58)  Line 191 + 0x25 bytes	C++
 	chrome.dll!webkit_glue::WebURLLoaderImpl::Context::OnCompletedRequest(const URLRequestStatus & status={...}, const std::basic_string<char,std::char_traits<char>,std::allocator<char> > & security_info="")  [...]
 	chrome.dll!base::MessagePumpWin::RunWithDispatcher(base::MessagePump::Delegate * delegate=0x04f3fda8, base::MessagePumpWin::Dispatcher * dispatcher=0x00000000)  Line 51 + 0xf bytes	C++
 	chrome.dll!base::MessagePumpWin::Run(base::MessagePump::Delegate * delegate=0x04f3fda8)  Line 80 + 0x1c bytes	C++
 	chrome.dll!MessageLoop::RunInternal()  Line 256 + 0x2a bytes	C++
 	chrome.dll!MessageLoop::RunHandler()  Line 229	C++
 	chrome.dll!MessageLoop::Run()  Line 207	C++
 	chrome.dll!base::Thread::Run(MessageLoop * message_loop=0x04f3fda8)  Line 141	C++
 	chrome.dll!base::Thread::ThreadMain()  Line 164 + 0x16 bytes	C++
 	chrome.dll!`anonymous namespace'::ThreadFunc(void * closure=0x010f6a80)  Line 26 + 0xf bytes	C++
 	kernel32.dll!@BaseThreadInitThunk@12()  + 0xe bytes	
 	ntdll.dll!___RtlUserThreadStart@8()  + 0x23 bytes	
 	ntdll.dll!__RtlUserThreadStart@8()  + 0x1b bytes
Comment 1 Simon Fraser (smfr) 2010-08-24 13:11:39 PDT
Element::focus() should not be updating layout when called from recalcStyle().
Comment 2 Eric Seidel (no email) 2010-08-27 15:02:28 PDT
So maybe Element::focus() needs to check if we're still parsing?

http://trac.webkit.org/browser/trunk/WebCore/dom/Element.cpp#L1295

Although it seems we should be able to trigger this crash outside of parsing too.
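The re-entrancy hazard that comments 1 and 2 describe, as an added illustrative model (not WebKit code and not part of this bug's thread): an autofocus control focuses itself from inside attach(), which forces a synchronous layout while widget-hierarchy updates are suspended, so the suspend-count assertion fires. The guarded variant follows comment 2's suggestion and records the focus request while the document is still parsing, applying it only after the parser is done. Every type and function name below (Document, updateLayout, focusNaive, focusGuarded, attachAutofocusElement, simulate) is an assumption made for this example, and the suspend counter only models the ASSERT quoted in the report.

```cpp
// Hypothetical model of the focus-during-attach re-entrancy hazard (added
// example; names are assumptions, not WebKit's API).
#include <functional>
#include <string>
#include <vector>

struct Document {
    bool parsing = false;                      // true while the tree builder is running
    int widgetHierarchyUpdateSuspendCount = 0; // models the counter the report's ASSERT checks
    int layoutCount = 0;                       // layouts actually performed
    int assertionFailures = 0;                 // layouts run while updates were suspended
    std::vector<std::string> log;              // ordered events for inspection
    std::vector<std::function<void()>> deferredFocus; // guarded variant queues focus here
    std::string focusedElement;
};

// Models FrameView::layout() -> performPostLayoutTasks(): the real engine asserts
// ASSERT(!widgetHierarchyUpdateSuspendCount); here the violation is counted instead.
void updateLayout(Document& doc) {
    if (doc.widgetHierarchyUpdateSuspendCount)
        ++doc.assertionFailures;
    ++doc.layoutCount;
    doc.log.push_back("layout");
}

// Naive focus: always forces layout immediately (the behaviour comment 1 objects to).
void focusNaive(Document& doc, const std::string& id) {
    updateLayout(doc);
    doc.focusedElement = id;
    doc.log.push_back("focus " + id);
}

// Guarded focus: while the document is still parsing (comment 2's suggestion) or
// widget updates are suspended, record the request instead of re-entering layout
// from inside attach()/recalcStyle(); it is replayed once parsing has finished.
void focusGuarded(Document& doc, const std::string& id) {
    if (doc.parsing || doc.widgetHierarchyUpdateSuspendCount) {
        doc.log.push_back("defer focus " + id);
        doc.deferredFocus.push_back([&doc, id] { focusNaive(doc, id); });
        return;
    }
    focusNaive(doc, id);
}

// Models attach() of an autofocus form control: attaching happens inside
// recalcStyle(), during which widget-hierarchy updates are suspended.
void attachAutofocusElement(Document& doc, const std::string& id, bool guarded) {
    ++doc.widgetHierarchyUpdateSuspendCount; // models suspendWidgetHierarchyUpdates()
    doc.log.push_back("attach " + id);
    if (guarded)
        focusGuarded(doc, id);
    else
        focusNaive(doc, id);
    --doc.widgetHierarchyUpdateSuspendCount;
}

// Drives the reproducer's shape: two autofocus buttons attached while parsing.
// Returns the finished document so callers can inspect counters and the log.
Document simulate(bool guarded) {
    Document doc;
    doc.parsing = true;
    attachAutofocusElement(doc, "button1", guarded);
    attachAutofocusElement(doc, "button2", guarded);
    doc.parsing = false; // parser finished: focusing and laying out is now safe
    for (auto& apply : doc.deferredFocus)
        apply();
    doc.deferredFocus.clear();
    return doc;
}
```

Running simulate(false) records one suspended-layout violation per attached button, while simulate(true) performs the same two layouts with none, because both focus requests are replayed only after parsing ends.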
Comment 3 Alexey Proskuryakov 2011-01-20 17:03:23 PST
<rdar://problem/8896012>
Comment 4 Alexey Proskuryakov 2011-01-20 17:05:01 PST
Actually, does this still happen? I tried to reproduce with ToT, and couldn't.
Comment 5 Alexey Proskuryakov 2011-03-06 01:18:42 PST
Abhishek, can this bug be closed?
Comment 6 Abhishek Arya 2011-03-06 14:36:06 PST
Yes, it does not reproduce for me either. Closing.