Bug 12518 - Betsson.com crashes browser
Summary: Betsson.com crashes browser
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: 420+
Hardware: Mac OS X 10.4
Importance: P1 Major
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
Reported: 2007-01-31 17:36 PST by Yael
Modified: 2007-02-06 12:36 PST
CC: 2 users

See Also:


Attachments
Change ->element()->document() to ->document() to work with anonymous objects (3.77 KB, patch)
2007-02-06 10:07 PST, mitz
darin: review+

Description Yael 2007-01-31 17:36:02 PST
[S60] Bug ID MLIO-6XWP2K BrowserNG: Betsson.com crashes browser
1) Open Browser, browse to http://www.betsson.com
2) Select the web pages in Finnish and then open link Urheilupeli (or in English and then link Sportsbook)

The same callstack was visible in ToT version of Safari on my MAC Book.
Comment 1 Yael 2007-01-31 18:24:52 PST
Callstack in Safari:
#0  0x02cfaa8b in WebCore::Node::document at Node.h:268
#1  0x02a3a76e in WebCore::RenderLayer::createScrollbar at RenderLayer.cpp:985
#2  0x02a3a950 in WebCore::RenderLayer::setHasHorizontalScrollbar at RenderLayer.cpp:1011
#3  0x02a18892 in WebCore::RenderBlock::layoutBlock at RenderBlock.cpp:486
#4  0x02a0d066 in WebCore::RenderBlock::layout at RenderBlock.cpp:421
#5  0x02d78edf in WebCore::RenderObject::layoutIfNeeded at bidi.h:509
#6  0x02a1807e in WebCore::RenderBlock::layoutBlockChildren at RenderBlock.cpp:1103
#7  0x02a18947 in WebCore::RenderBlock::layoutBlock at RenderBlock.cpp:495
#8  0x02a0d066 in WebCore::RenderBlock::layout at RenderBlock.cpp:421
#9  0x02d78edf in WebCore::RenderObject::layoutIfNeeded at bidi.h:509
#10 0x02a1807e in WebCore::RenderBlock::layoutBlockChildren at RenderBlock.cpp:1103
#11 0x02a18947 in WebCore::RenderBlock::layoutBlock at RenderBlock.cpp:495
#12 0x02a0d066 in WebCore::RenderBlock::layout at RenderBlock.cpp:421
#13 0x02d78edf in WebCore::RenderObject::layoutIfNeeded at bidi.h:509
#14 0x02a061da in WebCore::RenderBlock::layoutInlineChildren at bidi.cpp:1532
#15 0x02a18908 in WebCore::RenderBlock::layoutBlock at RenderBlock.cpp:493
#16 0x02a0d066 in WebCore::RenderBlock::layout at RenderBlock.cpp:421
#17 0x02d78edf in WebCore::RenderObject::layoutIfNeeded at bidi.h:509
#18 0x02a16f94 in WebCore::RenderBlock::insertFloatingObject at RenderBlock.cpp:1854
#19 0x02a17b7d in WebCore::RenderBlock::handleFloatingChild at RenderBlock.cpp:666
#20 0x02a17c0a in WebCore::RenderBlock::handleSpecialChild at RenderBlock.cpp:638
#21 0x02a17eac in WebCore::RenderBlock::layoutBlockChildren at RenderBlock.cpp:1070
#22 0x02a18947 in WebCore::RenderBlock::layoutBlock at RenderBlock.cpp:495
#23 0x02a0d066 in WebCore::RenderBlock::layout at RenderBlock.cpp:421
#24 0x02d78edf in WebCore::RenderObject::layoutIfNeeded at bidi.h:509
#25 0x02a1807e in WebCore::RenderBlock::layoutBlockChildren at RenderBlock.cpp:1103
#26 0x02a18947 in WebCore::RenderBlock::layoutBlock at RenderBlock.cpp:495
#27 0x02a0d066 in WebCore::RenderBlock::layout at RenderBlock.cpp:421
#28 0x02d78edf in WebCore::RenderObject::layoutIfNeeded at bidi.h:509
#29 0x02a1807e in WebCore::RenderBlock::layoutBlockChildren at RenderBlock.cpp:1103
#30 0x02a18947 in WebCore::RenderBlock::layoutBlock at RenderBlock.cpp:495
#31 0x02a0d066 in WebCore::RenderBlock::layout at RenderBlock.cpp:421
#32 0x02d78edf in WebCore::RenderObject::layoutIfNeeded at bidi.h:509
#33 0x02a1807e in WebCore::RenderBlock::layoutBlockChildren at RenderBlock.cpp:1103
#34 0x02a18947 in WebCore::RenderBlock::layoutBlock at RenderBlock.cpp:495
#35 0x02a0d066 in WebCore::RenderBlock::layout at RenderBlock.cpp:421
#36 0x02a23943 in WebCore::RenderView::layout at RenderView.cpp:119
#37 0x029a8393 in WebCore::FrameView::layout at FrameView.cpp:509
#38 0x029a86af in WebCore::FrameView::layoutTimerFired at FrameView.cpp:1311
#39 0x02d523c5 in WebCore::Timer<WebCore::FrameView>::fired at Timer.h:96
#40 0x02ac0ab2 in WebCore::TimerBase::fireTimers at Timer.cpp:336
#41 0x02ac0b4f in WebCore::TimerBase::sharedTimerFired at Timer.cpp:353
#42 0x02ac0206 in WebCore::timerFired at SharedTimerMac.cpp:46
#43 0x9082b822 in CFRunLoopRunSpecific
#44 0x9082ab0e in CFRunLoopRunInMode
#45 0x92ddabef in RunCurrentEventLoopInMode
#46 0x92dda2fd in ReceiveNextEventCommon
#47 0x92dda154 in BlockUntilNextEventMatchingListInMode
#48 0x9327f465 in _DPSNextEvent
#49 0x9327f056 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:]
#50 0x00006cea in ??
#51 0x93278ddb in -[NSApplication run]
#52 0x9326cd2f in NSApplicationMain

Comment 2 Yael 2007-02-01 08:47:33 PST
This bug was reported originally against S60 Browser, but can be reproduced also on latest Safari code.
The problem is that we make extensive use of m_object->document(), or m_object->element()->getDocument(). We don't check the return value and use the document. When dealing with anonymous boxes, like in this case, the return value of document is NULL, thus there is a crash.
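The failure mode Comment 2 describes, and the fix the attached patch takes (reach the document through the render object rather than through its element), shown on a small constructed model. This is an added example, not WebKit's code: the `Node`, `Document`, `Element` and `RenderObject` classes below are simplified stand-ins built for this illustration, and the only property they are assumed to share with the real render tree is that an anonymous render object has no element of its own while still knowing which document it belongs to.

```cpp
#include <cstdio>

// Constructed model of a DOM node. A Document node is its own document; every
// other node carries a pointer to the document that owns it.
struct Document;

class Node {
public:
    Node(Document* doc, bool isElement) : m_document(doc), m_isElement(isElement) {}
    Document* document() const { return m_document; }
    bool isElementNode() const { return m_isElement; }
protected:
    Document* m_document;
    bool m_isElement;
};

struct Document : Node {
    Document() : Node(nullptr, false) { m_document = this; }
};

struct Element : Node {
    explicit Element(Document* doc) : Node(doc, true) {}
};

// Constructed model of a render object. An anonymous box is created by layout
// (for example to wrap inline content) and corresponds to no DOM element, so
// its node pointer refers to the Document itself.
class RenderObject {
public:
    explicit RenderObject(Node* node) : m_node(node) {}
    bool isAnonymous() const { return !m_node->isElementNode(); }

    // Null for anonymous boxes: there is no element to return.
    Node* element() const { return m_node->isElementNode() ? m_node : nullptr; }

    // Valid for every render object, anonymous or not.
    Document* document() const { return m_node->document(); }

private:
    Node* m_node;
};

// The pattern the bug report describes: reaching the document through the
// element. For an anonymous box element() is null, so the original
// `obj.element()->document()` dereferences a null pointer. The result is
// returned as a pointer here so the null can be observed without crashing.
Document* documentViaElement(const RenderObject& obj) {
    Node* e = obj.element();
    return e ? e->document() : nullptr;
}

// The fix applied to the model: ask the render object directly.
Document* documentDirect(const RenderObject& obj) {
    return obj.document();
}

// Builds one document with one element, wraps it in either an element-backed
// or an anonymous render object, and reports whether each path yields the
// owning document.
struct Probe {
    bool viaElementOk;  // element()->document() path reached a document
    bool directOk;      // document() path returned the owning document
};

Probe probe(bool anonymous) {
    Document doc;
    Element div(&doc);
    RenderObject obj(anonymous ? static_cast<Node*>(&doc) : &div);
    return { documentViaElement(obj) != nullptr, documentDirect(obj) == &doc };
}

int main() {
    Probe normal = probe(false);
    Probe anon = probe(true);
    std::printf("element-backed box: via element %s, direct %s\n",
                normal.viaElementOk ? "ok" : "null", normal.directOk ? "ok" : "null");
    std::printf("anonymous box:      via element %s, direct %s\n",
                anon.viaElementOk ? "ok" : "null", anon.directOk ? "ok" : "null");
    return 0;
}
```

The element-backed box succeeds on both paths; the anonymous box yields a null on the `element()` path and the correct document on the direct path, which is exactly why every call site that dereferences `element()` unconditionally is a latent crash once layout hands it an anonymous object.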
Comment 3 mitz 2007-02-01 15:10:07 PST
Confirmed. Reproducible crashers are P1.
Comment 4 Maciej Stachowiak 2007-02-04 11:48:32 PST
<rdar://problem/4975123>
Comment 5 mitz 2007-02-06 10:07:06 PST
Created attachment 12976 [details]
Change ->element()->document() to ->document() to work with anonymous objects

Includes layout test and change log
Comment 6 Darin Adler 2007-02-06 10:21:50 PST
Comment on attachment 12976 [details]
Change ->element()->document() to ->document() to work with anonymous objects

r=me
Comment 7 Alexey Proskuryakov 2007-02-06 12:36:25 PST
Committed revision 19435.