Bug 12045 - Crash under gmalloc at WTF::RefPtr<WebCore::HTMLSliderThumbElement>::operator->
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: 420+
Hardware: Mac OS X 10.4
Importance: P2 Major
Assignee: Nobody
URL:
Keywords: HasReduction, InRadar
Duplicates: 12051 12167
Depends on:
Blocks:

Reported: 2006-12-31 00:25 PST by Mark Rowe (bdash)
Modified: 2007-06-27 20:20 PDT
CC List: 4 users

See Also:

Attachments
Crashing test case (40.50 KB, text/html) - 2006-12-31 00:26 PST, Mark Rowe (bdash) - no flags
Test case demonstrating bug without guard malloc (35.56 KB, text/html) - 2007-06-26 20:01 PDT, Mark Rowe (bdash) - no flags
pseudo-patch to demonstrate assertion (1.53 KB, patch) - 2007-06-26 22:41 PDT, Sam Weinig - no flags
patch (37.38 KB, patch) - 2007-06-26 23:28 PDT, Sam Weinig - mitz: review-
updated patch (38.12 KB, patch) - 2007-06-27 00:31 PDT, Sam Weinig - aroben: review-
updated patch (38.12 KB, patch) - 2007-06-27 00:32 PDT, Sam Weinig - no flags
alternate patch (37.53 KB, patch) - 2007-06-27 09:36 PDT, Sam Weinig - aroben: review+

Description Mark Rowe (bdash) 2006-12-31 00:25:28 PST
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x49b45000
0x015c9cdd in WTF::RefPtr<WebCore::HTMLSliderThumbElement>::operator-> (this=0x49b45000) at RefPtr.h:50
50              T *operator->() const { return m_ptr; }
(gdb) bt
#0  0x015c9cdd in WTF::RefPtr<WebCore::HTMLSliderThumbElement>::operator-> (this=0x49b45000) at RefPtr.h:50
#1  0x013a428a in WebCore::RenderSlider::inDragMode (this=0x49b44f60) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderSlider.cpp:385
#2  0x0119a0c2 in WebCore::RenderThemeMac::paintSliderThumb (this=0x1640fe0, o=0x4a32bf60, paintInfo=@0xbfffcb80, r=@0xbfffca40) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderThemeMac.mm:1028
#3  0x0119c61b in WebCore::RenderTheme::paint (this=0x1640fe0, o=0x4a32bf60, paintInfo=@0xbfffcb80, r=@0xbfffca40) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderTheme.cpp:125
#4  0x0115f141 in WebCore::RenderBox::paintBoxDecorations (this=0x4a32bf60, paintInfo=@0xbfffcb80, tx=8, ty=154) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderBox.cpp:365
#5  0x011591df in WebCore::RenderBlock::paintObject (this=0x4a32bf60, paintInfo=@0xbfffcb80, tx=8, ty=154) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderBlock.cpp:1351
#6  0x01151e89 in WebCore::RenderBlock::paint (this=0x4a32bf60, paintInfo=@0xbfffcb80, tx=8, ty=154) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderBlock.cpp:1285
#7  0x011521bf in WebCore::RenderBlock::paintChildren (this=0x49b44f60, paintInfo=@0xbfffccb0, tx=8, ty=8) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderBlock.cpp:1315
#8  0x01159280 in WebCore::RenderBlock::paintObject (this=0x49b44f60, paintInfo=@0xbfffccb0, tx=8, ty=8) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderBlock.cpp:1369
#9  0x01151e89 in WebCore::RenderBlock::paint (this=0x49b44f60, paintInfo=@0xbfffccb0, tx=8, ty=8) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderBlock.cpp:1285
#10 0x011521bf in WebCore::RenderBlock::paintChildren (this=0xf1c82f60, paintInfo=@0xbfffce04, tx=0, ty=0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderBlock.cpp:1315
#11 0x01159280 in WebCore::RenderBlock::paintObject (this=0xf1c82f60, paintInfo=@0xbfffce04, tx=0, ty=0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderBlock.cpp:1369
#12 0x01151e89 in WebCore::RenderBlock::paint (this=0xf1c82f60, paintInfo=@0xbfffce04, tx=0, ty=0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderBlock.cpp:1285
#13 0x011809b6 in WebCore::RenderLayer::paintLayer (this=0xf1c86f68, rootLayer=0xf0fe3f68, p=0xbfffd034, paintDirtyRect=@0xbfffd03c, haveTransparency=false, paintRestriction=WebCore::PaintRestrictionNone, paintingRoot=0x0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderLayer.cpp:1433
#14 0x01180bfc in WebCore::RenderLayer::paintLayer (this=0xf0fe3f68, rootLayer=0xf0fe3f68, p=0xbfffd034, paintDirtyRect=@0xbfffd03c, haveTransparency=false, paintRestriction=WebCore::PaintRestrictionNone, paintingRoot=0x0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderLayer.cpp:1463
#15 0x01180cc4 in WebCore::RenderLayer::paint (this=0xf0fe3f68, p=0xbfffd034, damageRect=@0xbfffd03c, paintRestriction=WebCore::PaintRestrictionNone, paintingRoot=0x0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderLayer.cpp:1330
#16 0x010dfc7b in WebCore::Frame::paint (this=0xbf365fd0, p=0xbfffd034, rect=@0xbfffd03c) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/page/Frame.cpp:1041
#17 0x01100429 in -[WebCoreFrameBridge drawRect:] (self=0xbf337fe4, _cmd=0x90aa2b6c, rect={origin = {x = 0, y = 0}, size = {width = 1400, height = 761}}) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/page/mac/WebCoreFrameBridge.mm:480
#18 0x00341fbf in -[WebHTMLView drawSingleRect:] (self=0xc89d2fa0, _cmd=0x3c3308, rect={origin = {x = 0, y = 0}, size = {width = 1400, height = 761}}) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebKit/WebView/WebHTMLView.m:2678
#19 0x00342395 in -[WebHTMLView drawRect:] (self=0xc89d2fa0, _cmd=0x90aa2b6c, rect={origin = {x = 0, y = 0}, size = {width = 1400, height = 761}}) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebKit/WebView/WebHTMLView.m:2729
#20 0x932ee3b1 in -[NSView _drawRect:clip:] ()
#21 0x932ed40b in -[NSView _recursiveDisplayAllDirtyWithLockFocus:visRect:] ()
#22 0x0033bd2f in -[WebHTMLView(WebPrivate) _recursiveDisplayAllDirtyWithLockFocus:visRect:] (self=0xc89d2fa0, _cmd=0x90a83574, needsLockFocus=1 '\001', visRect={origin = {x = 0, y = 0}, size = {width = 1400, height = 761}}) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebKit/WebView/WebHTMLView.m:893
#23 0x932ff36f in _recursiveDisplayInRect2 ()
#24 0x9083af26 in CFArrayApplyFunction ()
#25 0x932ed613 in -[NSView _recursiveDisplayAllDirtyWithLockFocus:visRect:] ()
#26 0x932ff36f in _recursiveDisplayInRect2 ()
#27 0x9083af26 in CFArrayApplyFunction ()
#28 0x932ed613 in -[NSView _recursiveDisplayAllDirtyWithLockFocus:visRect:] ()
#29 0x932ec473 in -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] ()
#30 0x932ed041 in -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] ()
#31 0x932ed041 in -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] ()
#32 0x932ed041 in -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] ()
#33 0x932ed041 in -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] ()
#34 0x932ed041 in -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] ()
#35 0x932ebb78 in -[NSThemeFrame _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] ()
#36 0x932eb362 in -[NSView _displayRectIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:] ()
#37 0x932eac8e in -[NSView displayIfNeeded] ()
#38 0x932eaa32 in -[NSWindow displayIfNeeded] ()
#39 0x0001c394 in ?? ()
#40 0x9333ad6c in _handleWindowNeedsDisplay ()
#41 0x9082a155 in __CFRunLoopDoObservers ()
#42 0x908291f7 in CFRunLoopRunSpecific ()
#43 0x90828eb5 in CFRunLoopRunInMode ()
#44 0x92dcdb90 in RunCurrentEventLoopInMode ()
#45 0x92dcd297 in ReceiveNextEventCommon ()
#46 0x92dcd0ee in BlockUntilNextEventMatchingListInMode ()
#47 0x9326f465 in _DPSNextEvent ()
#48 0x9326f056 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#49 0x00006f96 in ?? ()
#50 0x93268ddb in -[NSApplication run] ()
#51 0x9325cd2f in NSApplicationMain ()
#52 0x0005f7de in ?? ()
#53 0x0005f6f9 in ?? ()
Comment 1 Mark Rowe (bdash) 2006-12-31 00:26:26 PST
Created attachment 12129
Crashing test case
Comment 2 Mark Rowe (bdash) 2007-01-01 15:58:05 PST
*** Bug 12051 has been marked as a duplicate of this bug. ***
Comment 3 Mark Rowe (bdash) 2007-01-01 15:58:36 PST
<html>
<head>
    <title>Test HTML Page</title>
    <meta http-equiv="refresh" content="1">
    <style type="text/css">
    body { font: -webkit-small-control; }
    font { -webkit-appearance: sliderthumb-horizontal; }
    </style>
</head>
<body>
    <font>font</font>
</body>
</html>
Comment 4 Mark Rowe (bdash) 2007-01-09 00:05:11 PST
*** Bug 12167 has been marked as a duplicate of this bug. ***
Comment 5 Mark Rowe (bdash) 2007-06-22 01:17:09 PDT
This is in radar: <rdar://problem/5286670>.
Comment 6 Mark Rowe (bdash) 2007-06-26 20:01:31 PDT
Created attachment 15262
Test case demonstrating bug without guard malloc

To reproduce this crash, load the attachment and hold down the space bar to scroll the page.  You will crash within several seconds of doing this.
Comment 7 Sam Weinig 2007-06-26 22:41:08 PDT
Created attachment 15264
pseudo-patch to demonstrate assertion

After a little analysis of the situation, it seems this crash is happening due to a bad cast that sometimes works.  The issue is that the sliderthumb's RenderObject expects its parent renderer to be a RenderSlider and makes the cast without checking.  Adding a simple assert (see attached pseudo-patch) will crash with even the simplest use of -webkit-appearance: sliderthumb-horizontal or -webkit-appearance: sliderthumb-vertical without a Slider parent.
Comment 8 Sam Weinig 2007-06-26 23:28:19 PDT
Created attachment 15265
patch

This patch makes it so that we only paint the thumbslider if the parent renderer is a RenderSlider.
Comment 9 mitz 2007-06-27 00:12:34 PDT
Comment on attachment 15265
patch

Need to patch RenderThemeSafari too. Not sure that just not painting is the best thing to do, but it's probably okay.
Comment 10 Sam Weinig 2007-06-27 00:31:55 PDT
Created attachment 15266
updated patch
Comment 11 Sam Weinig 2007-06-27 00:32:07 PDT
Created attachment 15267
updated patch
Comment 12 Sam Weinig 2007-06-27 09:36:24 PDT
Created attachment 15272
alternate patch

This is an alternate patch to the above one.  It moves the check into RenderTheme.cpp so that each RenderTheme* doesn't have to do it.
Comment 13 Adam Roben (:aroben) 2007-06-27 20:03:26 PDT
Comment on attachment 15272
alternate patch

This one looks good to me, though I'd like to see an ASSERT(o->parent()->isSlider()) in each implementation of paintSliderThumb().

r=me
Comment 14 Sam Weinig 2007-06-27 20:20:48 PDT
Landed in r23840.
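The unchecked parent downcast that comments 7 through 13 describe, reduced to a stand-alone C++ model. This is an added illustration and not WebKit source: the RenderObject, RenderSlider and RenderBlock classes and the unsafeThumbInDragMode and paintSliderThumb functions below are simplified stand-ins for the WebCore classes in the backtrace, and the hardened path follows the approach the patches describe (test the parent with isSlider() before casting, skip painting otherwise, and put the check at the shared dispatch point) rather than reproducing the literal diff of r23840.

```cpp
// Added illustration, not WebKit source: a minimal model of the unchecked
// parent downcast behind bug 12045 and of the check the fix introduces.
// All class and function names here are simplified stand-ins.
#include <cstdio>

// Stand-in for WebCore::RenderObject: every renderer knows its parent and
// can answer a cheap type query instead of relying on a blind cast.
class RenderObject {
public:
    explicit RenderObject(RenderObject* parent) : m_parent(parent) {}
    virtual ~RenderObject() {}
    virtual bool isSlider() const { return false; }
    RenderObject* parent() const { return m_parent; }
private:
    RenderObject* m_parent;
};

// Stand-in for WebCore::RenderSlider: the only renderer that carries the
// drag state a slider thumb needs.
class RenderSlider : public RenderObject {
public:
    explicit RenderSlider(RenderObject* parent) : RenderObject(parent) {}
    bool isSlider() const override { return true; }
    bool inDragMode() const { return m_dragging; }
    void setDragging(bool dragging) { m_dragging = dragging; }
private:
    bool m_dragging = false;
};

// Stand-in for an ordinary block renderer, e.g. the parent of the <font>
// element in the reduction in comment 3 once that element is styled with
// -webkit-appearance: sliderthumb-horizontal.
class RenderBlock : public RenderObject {
public:
    explicit RenderBlock(RenderObject* parent) : RenderObject(parent) {}
};

// Before the fix: the thumb's parent is cast to RenderSlider unconditionally.
// Nothing stops CSS from attaching a slider-thumb appearance to any element,
// so parent() may be a RenderBlock (or null); the cast then reads memory of
// an object of the wrong type. That is undefined behaviour, and under guard
// malloc it is the fault in the backtrace above. Only call this with a thumb
// whose parent really is a slider.
bool unsafeThumbInDragMode(const RenderObject* thumb) {
    return static_cast<const RenderSlider*>(thumb->parent())->inDragMode();
}

enum class PaintResult { ThumbPainted, ThumbSkipped };

// After the fix: check the parent's dynamic type before the cast, at the
// single dispatch point the platform themes share, and skip painting the
// thumb when it has no slider parent. dragMode is only written on success.
PaintResult paintSliderThumb(const RenderObject* thumb, bool& dragMode) {
    const RenderObject* parent = thumb->parent();
    if (!parent || !parent->isSlider())
        return PaintResult::ThumbSkipped;
    // The cast is now justified by the check above; this is the spot where
    // the ASSERT(o->parent()->isSlider()) asked for in comment 13 would sit
    // inside each theme's paintSliderThumb().
    dragMode = static_cast<const RenderSlider*>(parent)->inDragMode();
    return PaintResult::ThumbPainted;
}

int main() {
    // A real range control: thumb whose parent is a slider.
    RenderSlider slider(nullptr);
    RenderObject thumb(&slider);
    slider.setDragging(true);
    bool drag = false;
    PaintResult r = paintSliderThumb(&thumb, drag);
    std::printf("slider parent: %s, dragging=%d\n",
                r == PaintResult::ThumbPainted ? "painted" : "skipped", drag);

    // The reduction: a sliderthumb-styled <font> whose parent is a block.
    RenderBlock body(nullptr);
    RenderObject fontThumb(&body);
    r = paintSliderThumb(&fontThumb, drag);
    std::printf("block parent: %s\n",
                r == PaintResult::ThumbPainted ? "painted" : "skipped");
    return 0;
}
```

Build with any C++11 compiler (for example `c++ -std=c++11 slider_thumb.cpp`). The point of placing the check in the shared dispatch function rather than in each platform theme is the one comment 12 makes: every RenderTheme implementation of paintSliderThumb() inherits the guarantee, and the per-theme ASSERT from comment 13 then documents an invariant instead of being the only line of defence.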