WebKit Bugzilla
Bug 133500: Regression(r169547): Crash in WebCore::styleForFirstLetter() while loading http://thenextweb.com/apple/2014/02/21/apple-confirms-acquired-testflight-creator-burstly/
https://bugs.webkit.org/show_bug.cgi?id=133500
Status: RESOLVED FIXED
Reported by zalan, 2014-06-03 20:54:06 PDT
WebKit crashes while loading http://thenextweb.com/apple/2014/02/21/apple-confirms-acquired-testflight-creator-burstly/

Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000058

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.WebCore 0x00000001074e24b1 WebCore::styleForFirstLetter(WebCore::RenderObject*, WebCore::RenderObject*) + 113
1 com.apple.WebCore 0x00000001074e24f6 WebCore::RenderBlock::createFirstLetterRenderer(WebCore::RenderObject*, WebCore::RenderText*) + 38
2 com.apple.WebCore 0x0000000106a6ecb6 WebCore::RenderBlock::updateFirstLetter() + 150
3 com.apple.WebCore 0x0000000106a6e9c6 WebCore::RenderBlock::layout() + 38
4 com.apple.WebCore 0x00000001074eaa75 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 725
5 com.apple.WebCore 0x00000001074e9bda WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 442
6 com.apple.WebCore 0x00000001074e8fe8 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 728
7 com.apple.WebCore 0x0000000106a6e9d6 WebCore::RenderBlock::layout() + 54
8 com.apple.WebCore 0x00000001074eaa75 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 725
9 com.apple.WebCore 0x00000001074e9bda WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 442
10 com.apple.WebCore 0x00000001074e8fe8 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 728
11 com.apple.WebCore 0x0000000106a6e9d6 WebCore::RenderBlock::layout() + 54
12 com.apple.WebCore 0x00000001074eaa75 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 725
13 com.apple.WebCore 0x00000001074e9bda WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 442
14 com.apple.WebCore 0x00000001074e8fe8 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 728
15 com.apple.WebCore 0x0000000106a6e9d6 WebCore::RenderBlock::layout() + 54
16 com.apple.WebCore 0x00000001074eaa75 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 725
17 com.apple.WebCore 0x00000001074e9bda WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 442
18 com.apple.WebCore 0x00000001074e8fe8 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 728
19 com.apple.WebCore 0x0000000106a6e9d6 WebCore::RenderBlock::layout() + 54
20 com.apple.WebCore 0x00000001074eaa75 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 725
21 com.apple.WebCore 0x00000001074e9bda WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 442
22 com.apple.WebCore 0x00000001074e8fe8 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 728
23 com.apple.WebCore 0x0000000106a6e9d6 WebCore::RenderBlock::layout() + 54
24 com.apple.WebCore 0x00000001074eaa75 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 725
25 com.apple.WebCore 0x00000001074e9bda WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 442
26 com.apple.WebCore 0x00000001074e8fe8 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 728
27 com.apple.WebCore 0x0000000106a6e9d6 WebCore::RenderBlock::layout() + 54
28 com.apple.WebCore 0x00000001074eaa75 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 725
29 com.apple.WebCore 0x00000001074e9bda WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 442
30 com.apple.WebCore 0x00000001074e8fe8 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 728
31 com.apple.WebCore 0x0000000106a6e9d6 WebCore::RenderBlock::layout() + 54
32 com.apple.WebCore 0x00000001074eaa75 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 725
33 com.apple.WebCore 0x00000001074e9bda WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 442
34 com.apple.WebCore 0x00000001074e8fe8 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 728
35 com.apple.WebCore 0x0000000106a6e9d6 WebCore::RenderBlock::layout() + 54
36 com.apple.WebCore 0x00000001074eaa75 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 725
37 com.apple.WebCore 0x00000001074e9bda WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 442
38 com.apple.WebCore 0x00000001074e8fe8 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 728
39 com.apple.WebCore 0x0000000106a6e9d6 WebCore::RenderBlock::layout() + 54
40 com.apple.WebCore 0x00000001074eaa75 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 725
41 com.apple.WebCore 0x00000001074e9bda WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 442
42 com.apple.WebCore 0x00000001074e8fe8 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 728
43 com.apple.WebCore 0x0000000106a6e9d6 WebCore::RenderBlock::layout() + 54
44 com.apple.WebCore 0x00000001074eaa75 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 725
45 com.apple.WebCore 0x00000001074e9bda WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 442
46 com.apple.WebCore 0x00000001074e8fe8 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 728
47 com.apple.WebCore 0x0000000106a6e9d6 WebCore::RenderBlock::layout() + 54
48 com.apple.WebCore 0x00000001074eaa75 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 725
49 com.apple.WebCore 0x00000001074e9bda WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 442
50 com.apple.WebCore 0x00000001074e8fe8 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 728
51 com.apple.WebCore 0x0000000106a6e9d6 WebCore::RenderBlock::layout() + 54
52 com.apple.WebCore 0x0000000106a6e835 WebCore::RenderView::layout() + 725
53 com.apple.WebCore 0x0000000106a69e1c WebCore::FrameView::layout(bool) + 1996
54 com.apple.WebCore 0x0000000106b071ff WebCore::Document::updateLayout() + 175
55 com.apple.WebCore 0x0000000106e785d6 WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks) + 262
56 com.apple.WebCore 0x0000000106ba884d WebCore::Element::clientHeight() + 29
57 com.apple.WebCore 0x00000001071797c6 WebCore::jsElementClientHeight(JSC::ExecState*, JSC::JSObject*, long long, JSC::PropertyName) + 166
58 com.apple.JavaScriptCore 0x0000000108345f34 JSC::JSValue::get(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const + 532
59 com.apple.JavaScriptCore 0x00000001084c38f1 llint_slow_path_get_by_id + 273
60 com.apple.JavaScriptCore 0x00000001086a2fb1 llint_entry + 10037
61 com.apple.JavaScriptCore 0x00000001086a614c llint_entry + 22736
62 com.apple.JavaScriptCore 0x00000001086a614c llint_entry + 22736
63 com.apple.JavaScriptCore 0x00000001086a614c llint_entry + 22736
64 com.apple.JavaScriptCore 0x00000001086a614c llint_entry + 22736
65 com.apple.JavaScriptCore 0x00000001086a614c llint_entry + 22736
66 com.apple.JavaScriptCore 0x00000001086a064d callToJavaScript + 321
67 com.apple.JavaScriptCore 0x0000000108635563 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 35
68 com.apple.JavaScriptCore 0x000000010830942b JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) + 4747
69 com.apple.JavaScriptCore 0x0000000108307fc8 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) + 488
70 com.apple.WebCore 0x00000001075cfa00 WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&) + 304
71 com.apple.WebCore 0x0000000106aba3d9 WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&) + 41
72 com.apple.WebCore 0x0000000106aba26f WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) + 447
73 com.apple.WebCore 0x0000000106b0e2ea WebCore::HTMLScriptRunner::executePendingScriptAndDispatchEvent(WebCore::PendingScript&) + 234
74 com.apple.WebCore 0x0000000106b0e1db WebCore::HTMLScriptRunner::executeParsingBlockingScript() + 267
75 com.apple.WebCore 0x0000000106ad0a0f WebCore::HTMLScriptRunner::executeParsingBlockingScripts() + 95
76 com.apple.WebCore 0x0000000106ab8994 WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() + 84
77 com.apple.WebCore 0x0000000106a2a8f8 WebCore::HTMLDocumentParser::canTakeNextToken(WebCore::HTMLDocumentParser::SynchronousMode, WebCore::PumpSession&) + 88
78 com.apple.WebCore 0x0000000106a299c1 WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) + 465
79 com.apple.WebCore 0x0000000106b0ed79 WebCore::HTMLDocumentParser::resumeParsingAfterScriptExecution() + 121
80 com.apple.WebCore 0x0000000106b92572 WebCore::HTMLDocumentParser::notifyFinished(WebCore::CachedResource*) + 82
81 com.apple.WebCore 0x0000000106ad1bb6 WebCore::CachedResource::checkNotify() + 166
82 com.apple.WebCore 0x0000000106ad18fc WebCore::SubresourceLoader::didFinishLoading(double) + 92
83 com.apple.WebKit 0x000000010668235d WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection*, IPC::MessageDecoder&) + 549
84 com.apple.WebKit 0x00000001065986dc WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection*, IPC::MessageDecoder&) + 138
85 com.apple.WebKit 0x0000000106548aaa IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) + 94
86 com.apple.WebKit 0x000000010654ac24 IPC::Connection::dispatchOneMessage() + 106
87 com.apple.JavaScriptCore 0x000000010873c3a5 WTF::RunLoop::performWork() + 421
88 com.apple.JavaScriptCore 0x000000010873ca82 WTF::RunLoop::performWork(void*) + 34
89 com.apple.CoreFoundation 0x00007fff81de6731 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
90 com.apple.CoreFoundation 0x00007fff81dd7ea2 __CFRunLoopDoSources0 + 242
91 com.apple.CoreFoundation 0x00007fff81dd762f __CFRunLoopRun + 831
92 com.apple.CoreFoundation 0x00007fff81dd70b5 CFRunLoopRunSpecific + 309
93 com.apple.HIToolbox 0x00007fff8cadea0d RunCurrentEventLoopInMode + 226
94 com.apple.HIToolbox 0x00007fff8cade7b7 ReceiveNextEventCommon + 479
95 com.apple.HIToolbox 0x00007fff8cade5bc _BlockUntilNextEventMatchingListInModeWithFilter + 65
96 com.apple.AppKit 0x00007fff81ffa3de _DPSNextEvent + 1434
97 com.apple.AppKit 0x00007fff81ff9a2b -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 122
98 com.apple.AppKit 0x00007fff81fedb2c -[NSApplication run] + 553
99 com.apple.AppKit 0x00007fff81fd8913 NSApplicationMain + 940
100 com.apple.XPCService 0x00007fff8e282c0f _xpc_main + 385
101 libxpc.dylib 0x00007fff85720bde xpc_main + 399
102 com.apple.WebKit.WebContent.Development 0x00000001021fe630 0x1021fd000 + 5680
103 libdyld.dylib 0x00007fff87d1d5fd start + 1
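A small triage script for a crash report of this shape, added here as an example (it is not part of the bug, its patch, or WebKit). It parses the Exception Codes line and the numbered frames of the crashed thread, buckets the fault address (a KERN_INVALID_ADDRESS inside the zero page, such as 0x58 here, is a dereference through a null object pointer at that member offset, which on its own is a denial of service rather than a memory-corruption primitive), and collapses the recursive RenderBlock::layout cycle so the distinct path from the crash site to the script API that forced layout is readable at a glance. The embedded input is an abridged copy of the report above; the regular expressions, the one-page threshold and the "WebCore::js*" heuristic for spotting the DOM-binding entry frame are this example's own assumptions.

```python
"""Triage a Mac OS X crash report of the kind pasted in this bug.

Added example, not part of the original report or of WebKit.
"""
import re

# Abridged copy of the report above (constructed input for this example;
# frames 12-51 repeat the same four layout functions and are left out).
CRASH_REPORT = """\
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000058
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.WebCore 0x00000001074e24b1 WebCore::styleForFirstLetter(WebCore::RenderObject*, WebCore::RenderObject*) + 113
1 com.apple.WebCore 0x00000001074e24f6 WebCore::RenderBlock::createFirstLetterRenderer(WebCore::RenderObject*, WebCore::RenderText*) + 38
2 com.apple.WebCore 0x0000000106a6ecb6 WebCore::RenderBlock::updateFirstLetter() + 150
3 com.apple.WebCore 0x0000000106a6e9c6 WebCore::RenderBlock::layout() + 38
4 com.apple.WebCore 0x00000001074eaa75 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 725
5 com.apple.WebCore 0x00000001074e9bda WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 442
6 com.apple.WebCore 0x00000001074e8fe8 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 728
7 com.apple.WebCore 0x0000000106a6e9d6 WebCore::RenderBlock::layout() + 54
8 com.apple.WebCore 0x00000001074eaa75 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 725
9 com.apple.WebCore 0x00000001074e9bda WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 442
10 com.apple.WebCore 0x00000001074e8fe8 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 728
11 com.apple.WebCore 0x0000000106a6e9d6 WebCore::RenderBlock::layout() + 54
54 com.apple.WebCore 0x0000000106b071ff WebCore::Document::updateLayout() + 175
56 com.apple.WebCore 0x0000000106ba884d WebCore::Element::clientHeight() + 29
57 com.apple.WebCore 0x00000001071797c6 WebCore::jsElementClientHeight(JSC::ExecState*, JSC::JSObject*, long long, JSC::PropertyName) + 166
"""

# Frame line: "<n> <module> 0x<pc> <symbol> + <offset>" (assumed format of the report).
FRAME_RE = re.compile(r"^(\d+)\s+(\S+)\s+(0x[0-9a-f]+)\s+(.+?)\s\+\s(\d+)$")
CODES_RE = re.compile(r"Exception Codes:\s*(\S+)\s+at\s+(0x[0-9a-f]+)")
PAGE_SIZE = 0x1000  # the zero page is never mapped, so faults below it are null derefs


def parse_frames(report):
    """Return one dict per frame line, crash site first; the C++ parameter list is dropped."""
    frames = []
    for line in report.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append({"index": int(m.group(1)), "module": m.group(2),
                           "pc": int(m.group(3), 16), "offset": int(m.group(5)),
                           "function": m.group(4).split("(")[0]})
    return frames


def classify_fault(kind, address):
    """Coarse bucket: zero-page fault = null deref at that member offset; anything else needs a debugger."""
    if kind != "KERN_INVALID_ADDRESS":
        return "unknown"
    if address < PAGE_SIZE:
        return "null-deref (member offset 0x%x)" % address
    return "wild-address (investigate)"


def collapse_recursion(names, max_period=8):
    """Collapse repeated cycles of up to max_period function names into (cycle, count) pairs."""
    out, i = [], 0
    while i < len(names):
        period = next((p for p in range(1, max_period + 1)
                       if i + 2 * p <= len(names) and names[i:i + p] == names[i + p:i + 2 * p]), 0)
        if period:
            reps = 1
            while names[i:i + period] == names[i + period * reps:i + period * (reps + 1)]:
                reps += 1
            out.append((names[i:i + period], reps))
            i += period * reps
        else:
            out.append(([names[i]], 1))
            i += 1
    return out


def triage(report):
    """Summarise a report: fault class, crash site, DOM-binding entry frame, collapsed call path."""
    m = CODES_RE.search(report)
    if not m:
        raise ValueError("no 'Exception Codes' line in report")
    kind, address = m.group(1), int(m.group(2), 16)
    names = [f["function"] for f in parse_frames(report)]
    if not names:
        raise ValueError("no stack frames in report")
    return {
        "exception": kind,
        "fault_address": address,
        "fault_class": classify_fault(kind, address),
        "crash_function": names[0],
        # Heuristic: the first WebCore::js* frame is the script API that forced the crash path.
        "binding_entry": next((n for n in names if n.startswith("WebCore::js")), None),
        "collapsed_path": collapse_recursion(names),
    }


if __name__ == "__main__":
    summary = triage(CRASH_REPORT)
    print("%s at %#x: %s" % (summary["exception"], summary["fault_address"], summary["fault_class"]))
    print("crash site:", summary["crash_function"], "| script entry:", summary["binding_entry"])
    for cycle, reps in summary["collapsed_path"]:
        print("  " + " -> ".join(cycle) + (" (x%d)" % reps if reps > 1 else ""))
```

Run against the full report, the layout cycle collapses to one line with "(x12)" and the remaining path reads styleForFirstLetter, createFirstLetterRenderer, updateFirstLetter, the layout cycle, RenderView::layout, Document::updateLayout, Element::clientHeight, jsElementClientHeight: a script reading clientHeight forced a synchronous layout, and first-letter handling dereferenced a null style during it.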
Attachments
Patch (7.50 KB, patch), 2014-06-04 14:37 PDT, Benjamin Poulain, no flags
Comment 1 by Benjamin Poulain, 2014-06-03 21:46:43 PDT
Ok, I have an idea of what is going on. Some selector must have ::first-letter, but does not actually match. When matching the rightmost fragment, we set the FIRST_LETTER flag on the style. When generating the blocks for layout, RenderBlock finds that one block has FIRST_LETTER and tries to get its style. Since the selector does not actually match, the style never resolves and the code continues with a null style.
Comment 2 by Benjamin Poulain, 2014-06-04 14:37:12 PDT
Created attachment 232501 [details]: Patch
Comment 3 by Benjamin Poulain, 2014-06-04 14:37:49 PDT
<rdar://problem/17154371>
Comment 4 by Benjamin Poulain, 2014-06-04 15:09:11 PDT
Comment on attachment 232501 [details]: Patch
Clearing flags on attachment: 232501
Committed r169599: <http://trac.webkit.org/changeset/169599>
Comment 5 by Benjamin Poulain, 2014-06-04 15:09:17 PDT
All reviewed patches have been landed. Closing bug.