Bug 49316

Summary: chrome.dll!WebCore::Node::createRendererIfNeeded ReadAV@NULL (7079875ef32458c5c891a311715b683f)
Product: WebKit
Reporter: Berend-Jan Wever <skylined>
Component: DOM
Assignee: Julien Chaffraix <jchaffraix>
Status: RESOLVED FIXED
Severity: Normal
CC: ap, eric.carlson, eric, jchaffraix, webkit.review.bot, zimmermann
Priority: P1    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: Windows Vista   
URL: http://code.google.com/p/chromium/issues/detail?id=62659
Attachments (description, flags):
Repro, none
Trivial fix: land the test case for the solved bug, none

Berend-Jan Wever
Reported 2010-11-10 04:10:36 PST
Created attachment 73485 [details] Repro

Repro.html:
<svg><use><style>:first-letter{margin-right:auto}<i><style>

id: chrome.dll!WebCore::Node::createRendererIfNeeded ReadAV@NULL (7079875ef32458c5c891a311715b683f)
description: Attempt to read from unallocated NULL pointer+0x20 in chrome.dll!WebCore::Node::createRendererIfNeeded
application: Chromium 9.0.571.0
stack:
chrome.dll!WebCore::Node::createRendererIfNeeded
chrome.dll!WebCore::Element::attach
chrome.dll!WebCore::HTMLMediaElement::attach
chrome.dll!WebCore::Element::recalcStyle
chrome.dll!WebCore::SVGUseElement::recalcStyle
chrome.dll!WebCore::Element::recalcStyle
chrome.dll!WebCore::Element::recalcStyle
chrome.dll!WebCore::Element::recalcStyle
chrome.dll!WebCore::Document::recalcStyle
chrome.dll!WebCore::Document::styleSelectorChanged
chrome.dll!WebCore::Document::removePendingSheet
chrome.dll!WebCore::StyleElement::sheetLoaded
chrome.dll!WebCore::HTMLStyleElement::sheetLoaded
chrome.dll!WebCore::CSSStyleSheet::checkLoaded
chrome.dll!WebCore::StyleElement::createSheet
chrome.dll!WebCore::StyleElement::process
chrome.dll!WebCore::StyleElement::finishParsingChildren
chrome.dll!WebCore::HTMLStyleElement::finishParsingChildren
chrome.dll!WebCore::HTMLElementStack::popCommon
chrome.dll!WebCore::HTMLTreeBuilder::processEndOfFile
chrome.dll!WebCore::HTMLTreeBuilder::constructTreeFromAtomicToken
chrome.dll!WebCore::HTMLTreeBuilder::constructTreeFromToken
chrome.dll!WebCore::HTMLDocumentParser::pumpTokenizer
chrome.dll!WebCore::HTMLDocumentParser::prepareToStopParsing
chrome.dll!WebCore::DocumentWriter::endIfNotLoadingMainResource
chrome.dll!WebCore::FrameLoader::finishedLoading
chrome.dll!WebCore::MainResourceLoader::didFinishLoading
chrome.dll!WebCore::ResourceLoader::didFinishLoading
chrome.dll!WebCore::ResourceHandleInternal::didFinishLoading
...
Attachments
Repro (59 bytes, text/html), 2010-11-10 04:10 PST, Berend-Jan Wever, no flags
Trivial fix: land the test case for the solved bug (3.04 KB, patch), 2011-06-13 10:47 PDT, Julien Chaffraix, no flags
Eric Seidel (no email)
Comment 1 2010-11-10 09:27:41 PST
Guessing from the stack trace, HTMLMediaElement::attach is probably not handling a null pointer like it should.
Eric Carlson
Comment 2 2010-11-10 11:25:03 PST
Node::createRendererIfNeeded asserts in a debug build because parentNode() returns NULL.
Eric Carlson
Comment 3 2010-11-10 11:33:05 PST
And HTMLMediaElement::attach isn't called:

WebCore::Node::createRendererIfNeeded at Node.cpp:1327
WebCore::Element::attach at Element.cpp:882
WebCore::SVGStyledElement::attach at SVGStyledElement.cpp:266
WebCore::Element::recalcStyle at Element.cpp:973
WebCore::RenderSVGShadowTreeRootContainer::updateStyle at RenderSVGShadowTreeRootContainer.cpp:46
WebCore::SVGUseElement::recalcStyle at SVGUseElement.cpp:346
WebCore::Element::recalcStyle at Element.cpp:1036
WebCore::Element::recalcStyle at Element.cpp:1036
WebCore::Element::recalcStyle at Element.cpp:1036
WebCore::Document::recalcStyle at Document.cpp:1511
WebCore::Document::styleSelectorChanged at Document.cpp:2841
WebCore::Document::removePendingSheet at Document.cpp:2799
WebCore::StyleElement::sheetLoaded at StyleElement.cpp:168
WebCore::HTMLStyleElement::sheetLoaded at HTMLStyleElement.h:53
WebCore::CSSStyleSheet::checkLoaded at CSSStyleSheet.cpp:214
WebCore::StyleElement::createSheet at StyleElement.cpp:152
WebCore::StyleElement::process at StyleElement.cpp:121
WebCore::StyleElement::finishParsingChildren at StyleElement.cpp:90
WebCore::HTMLStyleElement::finishParsingChildren at HTMLStyleElement.cpp:61
WebCore::HTMLElementStack::popCommon at HTMLElementStack.cpp:538
WebCore::HTMLElementStack::pop at HTMLElementStack.cpp:209
WebCore::HTMLTreeBuilder::processEndOfFile at HTMLTreeBuilder.cpp:2627
WebCore::HTMLTreeBuilder::processToken at HTMLTreeBuilder.cpp:477
WebCore::HTMLTreeBuilder::constructTreeFromAtomicToken at HTMLTreeBuilder.cpp:446
WebCore::HTMLTreeBuilder::constructTreeFromToken at HTMLTreeBuilder.cpp:441
WebCore::HTMLDocumentParser::pumpTokenizer at HTMLDocumentParser.cpp:223
WebCore::HTMLDocumentParser::pumpTokenizerIfPossible at HTMLDocumentParser.cpp:169
WebCore::HTMLDocumentParser::prepareToStopParsing at HTMLDocumentParser.cpp:139
WebCore::HTMLDocumentParser::attemptToEnd at HTMLDocumentParser.cpp:344
WebCore::HTMLDocumentParser::finish at HTMLDocumentParser.cpp:372
WebCore::Document::finishParsing at Document.cpp:2191
WebCore::DocumentWriter::endIfNotLoadingMainResource at DocumentWriter.cpp:221
WebCore::DocumentWriter::end at DocumentWriter.cpp:206
WebCore::DocumentLoader::finishedLoading at DocumentLoader.cpp:276
WebCore::FrameLoader::finishedLoading at FrameLoader.cpp:2165
WebCore::MainResourceLoader::didFinishLoading at MainResourceLoader.cpp:456
WebCore::ResourceLoader::didFinishLoading at ResourceLoader.cpp:421
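The failure mode diagnosed in comments 2 and 3 (a debug-only assertion on parentNode(), then a NULL+offset read in release builds) modelled as a small added example; this is not WebKit code, and Node, Renderer and the function names are hypothetical stand-ins for the WebCore classes in the stack trace. It shows the assert-only guard beside a release-safe early return for a node that has no parent when style recalc reaches it.

```cpp
#include <cassert>
// Hypothetical stand-ins for the WebCore classes in the stack trace.
struct Renderer { Renderer* parent = nullptr; };
struct Node {
    Node* parent = nullptr;
    Renderer* renderer = nullptr;
    Node* parentNode() const { return parent; }
};

// Debug-only guard: assert() compiles out under NDEBUG, so a release build
// reads parent->renderer through a null pointer (the kind of ReadAV@NULL+offset
// read the report describes).
Renderer* parentRendererUnchecked(Node* node) {
    Node* parent = node->parentNode();
    assert(parent);                  // fires only in debug builds
    return parent->renderer;         // null+offset read when parent is null
}

// Release-safe guard: a node with no parent simply has no parent renderer.
Renderer* parentRendererChecked(Node* node) {
    Node* parent = node->parentNode();
    return parent ? parent->renderer : nullptr;
}

// Attaches a renderer only when a parent renderer exists; true if created.
bool createRendererIfNeeded(Node* node, Renderer* storage) {
    Renderer* parentRenderer = parentRendererChecked(node);
    if (node->renderer || !parentRenderer)
        return false;                // already attached, or detached subtree
    storage->parent = parentRenderer;
    node->renderer = storage;
    return true;
}

// The report's case: parentNode() is null when style recalc reaches the node.
bool detachedNodeIsHandled() {
    Node detached; Renderer storage;
    return !createRendererIfNeeded(&detached, &storage) && !detached.renderer;
}

// Normal case: a child under a parent that already has a renderer.
bool attachedNodeGetsRenderer() {
    Renderer rootRenderer, childRenderer;
    Node root, child;
    root.renderer = &rootRenderer;
    child.parent = &root;
    return createRendererIfNeeded(&child, &childRenderer)
        && childRenderer.parent == &rootRenderer
        && parentRendererUnchecked(&child) == &rootRenderer;
}
```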
Alexey Proskuryakov
Comment 4 2010-11-10 14:28:14 PST
It would be very interesting if HTMLMediaElement::attach() were actually called, given that there are no media elements in the test case. SkyLined, can you double-check in Chrome?
Berend-Jan Wever
Comment 5 2010-11-10 14:50:14 PST
(In reply to comment #4)
> It would be very interesting if HTMLMediaElement::attach() were actually called, given that there are no media elements in the test case. SkyLined, can you double-check in Chrome?

I checked and I am now seeing the same stack trace as Eric and a different id with the same repro...? Maybe I screwed up somewhere... very odd. I'll let it run a zillion times overnight to see if it can happen again.

id: chrome.dll!WebCore::Node::createRendererIfNeeded ReadAV@NULL (e3c5b4a57108b2b92aca035978f4519f)
description: Attempt to read from unallocated NULL pointer+0x20 in chrome.dll!WebCore::Node::createRendererIfNeeded
application: Chromium 9.0.579.0
stack:
chrome.dll!WebCore::Node::createRendererIfNeeded
chrome.dll!WebCore::Element::attach
chrome.dll!WebCore::SVGStyledElement::attach
chrome.dll!WebCore::Element::recalcStyle
chrome.dll!WebCore::SVGUseElement::recalcStyle
chrome.dll!WebCore::Element::recalcStyle
chrome.dll!WebCore::Element::recalcStyle
chrome.dll!WebCore::Element::recalcStyle
chrome.dll!WebCore::Document::recalcStyle
chrome.dll!WebCore::Document::styleSelectorChanged
chrome.dll!WebCore::Document::removePendingSheet
chrome.dll!WebCore::StyleElement::sheetLoaded
chrome.dll!WebCore::SVGStyleElement::sheetLoaded
chrome.dll!WebCore::CSSStyleSheet::checkLoaded
chrome.dll!WebCore::StyleElement::createSheet
chrome.dll!WebCore::StyleElement::process
chrome.dll!WebCore::StyleElement::finishParsingChildren
chrome.dll!WebCore::HTMLStyleElement::finishParsingChildren
chrome.dll!WebCore::HTMLElementStack::popCommon
chrome.dll!WebCore::HTMLTreeBuilder::processEndOfFile
chrome.dll!WebCore::HTMLTreeBuilder::constructTreeFromAtomicToken
chrome.dll!WebCore::HTMLTreeBuilder::constructTreeFromToken
chrome.dll!WebCore::HTMLDocumentParser::pumpTokenizer
chrome.dll!WebCore::HTMLDocumentParser::prepareToStopParsing
chrome.dll!WebCore::DocumentWriter::endIfNotLoadingMainResource
chrome.dll!WebCore::FrameLoader::finishedLoading
chrome.dll!WebCore::MainResourceLoader::didFinishLoading
chrome.dll!WebCore::ResourceLoader::didFinishLoading
chrome.dll!WebCore::ResourceHandleInternal::didFinishLoading
chrome.dll!webkit_glue::WebURLLoaderImpl::Context::OnCompletedRequest
chrome.dll!ResourceDispatcher::OnRequestComplete
chrome.dll!IPC::MessageWithTuple<...>
chrome.dll!ResourceDispatcher::DispatchMessageW
chrome.dll!ResourceDispatcher::OnMessageReceived
chrome.dll!ChildThread::OnMessageReceived
chrome.dll!RunnableMethod<...>::Run
chrome.dll!MessageLoop::RunTask
chrome.dll!MessageLoop::DoWork
chrome.dll!base::MessagePumpDefault::Run
chrome.dll!MessageLoop::RunInternal
chrome.dll!MessageLoop::Run
chrome.dll!RendererMain
chrome.dll!ChromeMain
Berend-Jan Wever
Comment 6 2010-11-10 14:52:20 PST
(In reply to comment #5)

Just noticed I updated my Chrome, so it may be there was a bad build or a bug that was fixed that changed this. Anyway, I will try to see if I can get the "HTMLMediaElement::attach" crash again. Please assume that that was a fluke unless I report back that it can really happen.
Berend-Jan Wever
Comment 7 2010-11-11 00:12:00 PST
(In reply to comment #6)
> Anyway, I will try to see if I can get the "HTMLMediaElement::attach" crash again.

I ran it 146 times overnight and got only crashes without "HTMLMediaElement::attach" on the stack.
Berend-Jan Wever
Comment 8 2010-11-15 06:49:19 PST
Another repro for the same issue:

<script>
document.write('<svg><use style="float:right;"><style>');
</script>
Julien Chaffraix
Comment 9 2011-06-13 10:47:41 PDT
Created attachment 96972 [details] Trivial fix: land the test case for the solved bug
WebKit Review Bot
Comment 10 2011-06-13 13:16:32 PDT
Comment on attachment 96972 [details] Trivial fix: land the test case for the solved bug

Clearing flags on attachment: 96972

Committed r88678: <http://trac.webkit.org/changeset/88678>
WebKit Review Bot
Comment 11 2011-06-13 13:16:36 PDT
All reviewed patches have been landed. Closing bug.