| Summary: | chrome.dll!WebCore::Node::createRendererIfNeeded ReadAV@NULL (7079875ef32458c5c891a311715b683f) | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | WebKit | Reporter: | Berend-Jan Wever <skylined> | ||||||
| Component: | DOM | Assignee: | Julien Chaffraix <jchaffraix> | ||||||
| Status: | RESOLVED FIXED | ||||||||
| Severity: | Normal | CC: | ap, eric.carlson, eric, jchaffraix, webkit.review.bot, zimmermann | ||||||
| Priority: | P1 | ||||||||
| Version: | 528+ (Nightly build) | ||||||||
| Hardware: | PC | ||||||||
| OS: | Windows Vista | ||||||||
| URL: | http://code.google.com/p/chromium/issues/detail?id=62659 | ||||||||
| Attachments: |
|
||||||||
Guessing from the stack trace, HTMLMediaElement::attach is probably not handling a null pointer like it should. Node::createRendererIfNeeded asserts in a debug build because parentNode() return NULL. And HTMLMediaElement::attach isn't called: WebCore::Node::createRendererIfNeeded at Node.cpp:1327 WebCore::Element::attach at Element.cpp:882 WebCore::SVGStyledElement::attach at SVGStyledElement.cpp:266 WebCore::Element::recalcStyle at Element.cpp:973 WebCore::RenderSVGShadowTreeRootContainer::updateStyle at RenderSVGShadowTreeRootContainer.cpp:46 WebCore::SVGUseElement::recalcStyle at SVGUseElement.cpp:346 WebCore::Element::recalcStyle at Element.cpp:1036 WebCore::Element::recalcStyle at Element.cpp:1036 WebCore::Element::recalcStyle at Element.cpp:1036 WebCore::Document::recalcStyle at Document.cpp:1511 WebCore::Document::styleSelectorChanged at Document.cpp:2841 WebCore::Document::removePendingSheet at Document.cpp:2799 WebCore::StyleElement::sheetLoaded at StyleElement.cpp:168 WebCore::HTMLStyleElement::sheetLoaded at HTMLStyleElement.h:53 WebCore::CSSStyleSheet::checkLoaded at CSSStyleSheet.cpp:214 WebCore::StyleElement::createSheet at StyleElement.cpp:152 WebCore::StyleElement::process at StyleElement.cpp:121 WebCore::StyleElement::finishParsingChildren at StyleElement.cpp:90 WebCore::HTMLStyleElement::finishParsingChildren at HTMLStyleElement.cpp:61 WebCore::HTMLElementStack::popCommon at HTMLElementStack.cpp:538 WebCore::HTMLElementStack::pop at HTMLElementStack.cpp:209 WebCore::HTMLTreeBuilder::processEndOfFile at HTMLTreeBuilder.cpp:2627 WebCore::HTMLTreeBuilder::processToken at HTMLTreeBuilder.cpp:477 WebCore::HTMLTreeBuilder::constructTreeFromAtomicToken at HTMLTreeBuilder.cpp:446 WebCore::HTMLTreeBuilder::constructTreeFromToken at HTMLTreeBuilder.cpp:441 WebCore::HTMLDocumentParser::pumpTokenizer at HTMLDocumentParser.cpp:223 WebCore::HTMLDocumentParser::pumpTokenizerIfPossible at HTMLDocumentParser.cpp:169 WebCore::HTMLDocumentParser::prepareToStopParsing at HTMLDocumentParser.cpp:139 WebCore::HTMLDocumentParser::attemptToEnd at HTMLDocumentParser.cpp:344 WebCore::HTMLDocumentParser::finish at HTMLDocumentParser.cpp:372 WebCore::Document::finishParsing at Document.cpp:2191 WebCore::DocumentWriter::endIfNotLoadingMainResource at DocumentWriter.cpp:221 WebCore::DocumentWriter::end at DocumentWriter.cpp:206 WebCore::DocumentLoader::finishedLoading at DocumentLoader.cpp:276 WebCore::FrameLoader::finishedLoading at FrameLoader.cpp:2165 WebCore::MainResourceLoader::didFinishLoading at MainResourceLoader.cpp:456 WebCore::ResourceLoader::didFinishLoading at ResourceLoader.cpp:421 It would be very interesting if HTMLMediaElement::attach() were actually called, given that there are no media elements in the test case. SkyLined, can you double-check in Chrome? (In reply to comment #4) > It would be very interesting if HTMLMediaElement::attach() were actually called, given that there are no media elements in the test case. SkyLined, can you double-check in Chrome? I checked and I am now seeing the same stack trace as Eric and a different id with the same repro...? Maybe I screwed up somewhere... very odd. I'll let it run a zillion times overnight to see if it can happen again. id: chrome.dll!WebCore::Node::createRendererIfNeeded ReadAV@NULL (e3c5b4a57108b2b92aca035978f4519f) description: Attempt to read from unallocated NULL pointer+0x20 in chrome.dll!WebCore::Node::createRendererIfNeeded application: Chromium 9.0.579.0 stack: chrome.dll!WebCore::Node::createRendererIfNeeded chrome.dll!WebCore::Element::attach chrome.dll!WebCore::SVGStyledElement::attach chrome.dll!WebCore::Element::recalcStyle chrome.dll!WebCore::SVGUseElement::recalcStyle chrome.dll!WebCore::Element::recalcStyle chrome.dll!WebCore::Element::recalcStyle chrome.dll!WebCore::Element::recalcStyle chrome.dll!WebCore::Document::recalcStyle chrome.dll!WebCore::Document::styleSelectorChanged chrome.dll!WebCore::Document::removePendingSheet chrome.dll!WebCore::StyleElement::sheetLoaded chrome.dll!WebCore::SVGStyleElement::sheetLoaded chrome.dll!WebCore::CSSStyleSheet::checkLoaded chrome.dll!WebCore::StyleElement::createSheet chrome.dll!WebCore::StyleElement::process chrome.dll!WebCore::StyleElement::finishParsingChildren chrome.dll!WebCore::HTMLStyleElement::finishParsingChildren chrome.dll!WebCore::HTMLElementStack::popCommon chrome.dll!WebCore::HTMLTreeBuilder::processEndOfFile chrome.dll!WebCore::HTMLTreeBuilder::constructTreeFromAtomicToken chrome.dll!WebCore::HTMLTreeBuilder::constructTreeFromToken chrome.dll!WebCore::HTMLDocumentParser::pumpTokenizer chrome.dll!WebCore::HTMLDocumentParser::prepareToStopParsing chrome.dll!WebCore::DocumentWriter::endIfNotLoadingMainResource chrome.dll!WebCore::FrameLoader::finishedLoading chrome.dll!WebCore::MainResourceLoader::didFinishLoading chrome.dll!WebCore::ResourceLoader::didFinishLoading chrome.dll!WebCore::ResourceHandleInternal::didFinishLoading chrome.dll!webkit_glue::WebURLLoaderImpl::Context::OnCompletedRequest chrome.dll!ResourceDispatcher::OnRequestComplete chrome.dll!IPC::MessageWithTuple<...> chrome.dll!ResourceDispatcher::DispatchMessageW chrome.dll!ResourceDispatcher::OnMessageReceived chrome.dll!ChildThread::OnMessageReceived chrome.dll!RunnableMethod<...>::Run chrome.dll!MessageLoop::RunTask chrome.dll!MessageLoop::DoWork chrome.dll!base::MessagePumpDefault::Run chrome.dll!MessageLoop::RunInternal chrome.dll!MessageLoop::Run chrome.dll!RendererMain chrome.dll!ChromeMain (In reply to comment #5) Just noticed I updated my Chrome, so it may be there was a bad build or a bug that was fixed that changed this. Anyway, I will try to see if I can get the "HTMLMediaElement::attach" crash again. Please assume that that was a fluke unless I report back that it can really happen. (In reply to comment #6) > Anyway, I will try to see if I can get the "HTMLMediaElement::attach" crash again. I ran it 146 times overnight and got only crashes without "HTMLMediaElement::attach" on the stack. Another repro for the same issue:
<script>
document.write('<svg><use style="float:right;"><style>');
</script>
Created attachment 96972 [details]
Trivial fix: land the test case for the solved bug
Comment on attachment 96972 [details] Trivial fix: land the test case for the solved bug Clearing flags on attachment: 96972 Committed r88678: <http://trac.webkit.org/changeset/88678> All reviewed patches have been landed. Closing bug. |
Created attachment 73485 [details] Repro Repro.html: <svg><use><style>:first-letter{margin-right:auto}<i><style> id: chrome.dll!WebCore::Node::createRendererIfNeeded ReadAV@NULL (7079875ef32458c5c891a311715b683f) description: Attempt to read from unallocated NULL pointer+0x20 in chrome.dll!WebCore::Node::createRendererIfNeeded application: Chromium 9.0.571.0 stack: chrome.dll!WebCore::Node::createRendererIfNeeded chrome.dll!WebCore::Element::attach chrome.dll!WebCore::HTMLMediaElement::attach chrome.dll!WebCore::Element::recalcStyle chrome.dll!WebCore::SVGUseElement::recalcStyle chrome.dll!WebCore::Element::recalcStyle chrome.dll!WebCore::Element::recalcStyle chrome.dll!WebCore::Element::recalcStyle chrome.dll!WebCore::Document::recalcStyle chrome.dll!WebCore::Document::styleSelectorChanged chrome.dll!WebCore::Document::removePendingSheet chrome.dll!WebCore::StyleElement::sheetLoaded chrome.dll!WebCore::HTMLStyleElement::sheetLoaded chrome.dll!WebCore::CSSStyleSheet::checkLoaded chrome.dll!WebCore::StyleElement::createSheet chrome.dll!WebCore::StyleElement::process chrome.dll!WebCore::StyleElement::finishParsingChildren chrome.dll!WebCore::HTMLStyleElement::finishParsingChildren chrome.dll!WebCore::HTMLElementStack::popCommon chrome.dll!WebCore::HTMLTreeBuilder::processEndOfFile chrome.dll!WebCore::HTMLTreeBuilder::constructTreeFromAtomicToken chrome.dll!WebCore::HTMLTreeBuilder::constructTreeFromToken chrome.dll!WebCore::HTMLDocumentParser::pumpTokenizer chrome.dll!WebCore::HTMLDocumentParser::prepareToStopParsing chrome.dll!WebCore::DocumentWriter::endIfNotLoadingMainResource chrome.dll!WebCore::FrameLoader::finishedLoading chrome.dll!WebCore::MainResourceLoader::didFinishLoading chrome.dll!WebCore::ResourceLoader::didFinishLoading chrome.dll!WebCore::ResourceHandleInternal::didFinishLoading ...