Bug 141639 - Crash in WebCore::RenderObject::parent
Summary: Crash in WebCore::RenderObject::parent
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: zalan
URL:
Keywords: InRadar
Depends on:
Blocks: 116980
Reported: 2015-02-16 04:49 PST by Renata Hodovan
Modified: 2015-02-16 19:20 PST

See Also:


Attachments
Test case (171 bytes, text/html)
2015-02-16 04:49 PST, Renata Hodovan
Patch (8.28 KB, patch)
2015-02-16 13:33 PST, zalan

Description Renata Hodovan 2015-02-16 04:49:13 PST
Created attachment 246646
Test case

Load this with release/debug WK:

<!DOCTYPE html>
<style>
h1 {
    display: table-cell !important;
    background-clip: padding-box;
    -webkit-transform: rotateX(75deg);
}
</style>
<h1>
    <i></i>
</h1>


Backtrace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fff8affd700 (LWP 30642)]
0x00007ffff2b6af72 in WebCore::RenderObject::parent (this=0x0) at ../../Source/WebCore/rendering/RenderObject.h:160
160	    RenderElement* parent() const { return m_parent; }
#0  0x00007ffff2b6af72 in WebCore::RenderObject::parent (this=0x0) at ../../Source/WebCore/rendering/RenderObject.h:160
#1  0x00007ffff2bc16f6 in WebCore::RenderTableCell::table (this=0x7ffff7f1b750) at ../../Source/WebCore/rendering/RenderTableCell.h:79
#2  0x00007ffff3989e4e in WebCore::RenderTableCell::borderBottom (this=0x7ffff7f1b750) at ../../Source/WebCore/rendering/RenderTableCell.cpp:950
#3  0x00007ffff381e976 in WebCore::RenderBox::clientHeight (this=0x7ffff7f1b750) at ../../Source/WebCore/rendering/RenderBox.cpp:524
#4  0x00007ffff30195d8 in WebCore::RenderBox::contentHeight (this=0x7ffff7f1b750) at ../../Source/WebCore/rendering/RenderBox.h:217
#5  0x00007ffff37d44f2 in WebCore::RenderBox::paddingBoxRect (this=0x7ffff7f1b750) at ../../Source/WebCore/rendering/RenderBox.h:158
#6  0x00007ffff38fde1a in WebCore::backgroundRectForBox (box=...) at ../../Source/WebCore/rendering/RenderLayerBacking.cpp:2017
#7  0x00007ffff38fdebf in WebCore::RenderLayerBacking::backgroundBoxForPainting (this=0x7ffff7e882c0) at ../../Source/WebCore/rendering/RenderLayerBacking.cpp:2033
#8  0x00007ffff38fc678 in WebCore::RenderLayerBacking::updateDirectlyCompositedBackgroundColor (this=0x7ffff7e882c0, isSimpleContainer=true, didUpdateContentsRect=@0x7fffffffc81b: false) at ../../Source/WebCore/rendering/RenderLayerBacking.cpp:1633
#9  0x00007ffff38f9760 in WebCore::RenderLayerBacking::updateDirectlyCompositedContents (this=0x7ffff7e882c0, isSimpleContainer=true, didUpdateContentsRect=@0x7fffffffc81b: false) at ../../Source/WebCore/rendering/RenderLayerBacking.cpp:1060
#10 0x00007ffff38f64a9 in WebCore::RenderLayerBacking::updateConfiguration (this=0x7ffff7e882c0) at ../../Source/WebCore/rendering/RenderLayerBacking.cpp:588
#11 0x00007ffff390679f in WebCore::RenderLayerCompositor::updateLayerCompositingState (this=0x7ffff7f1a900, layer=..., shouldRepaint=WebCore::RenderLayerCompositor::CompositingChangeRepaintNow) at ../../Source/WebCore/rendering/RenderLayerCompositor.cpp:1039
#12 0x00007ffff39061a8 in WebCore::RenderLayerCompositor::layerStyleChanged (this=0x7ffff7f1a900, layer=..., oldStyle=0x0) at ../../Source/WebCore/rendering/RenderLayerCompositor.cpp:920
#13 0x00007ffff38e6322 in WebCore::RenderLayer::styleChanged (this=0x7ffff7e9ec60, diff=WebCore::StyleDifferenceEqual, oldStyle=0x0) at ../../Source/WebCore/rendering/RenderLayer.cpp:6658
#14 0x00007ffff391f328 in WebCore::RenderLayerModelObject::styleDidChange (this=0x7ffff7f1b750, diff=WebCore::StyleDifferenceEqual, oldStyle=0x0) at ../../Source/WebCore/rendering/RenderLayerModelObject.cpp:160
#15 0x00007ffff381dc02 in WebCore::RenderBox::styleDidChange (this=0x7ffff7f1b750, diff=WebCore::StyleDifferenceEqual, oldStyle=0x0) at ../../Source/WebCore/rendering/RenderBox.cpp:323
#16 0x00007ffff37c0e22 in WebCore::RenderBlock::styleDidChange (this=0x7ffff7f1b750, diff=WebCore::StyleDifferenceEqual, oldStyle=0x0) at ../../Source/WebCore/rendering/RenderBlock.cpp:294
#17 0x00007ffff37f472c in WebCore::RenderBlockFlow::styleDidChange (this=0x7ffff7f1b750, diff=WebCore::StyleDifferenceEqual, oldStyle=0x0) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:1941
#18 0x00007ffff3987116 in WebCore::RenderTableCell::styleDidChange (this=0x7ffff7f1b750, diff=WebCore::StyleDifferenceEqual, oldStyle=0x0) at ../../Source/WebCore/rendering/RenderTableCell.cpp:409
#19 0x00007ffff386bb46 in WebCore::RenderElement::initializeStyle (this=0x7ffff7f1b750) at ../../Source/WebCore/rendering/RenderElement.cpp:391
#20 0x00007ffff3ac13bb in WebCore::Style::createRendererIfNeeded (element=..., inheritedStyle=..., renderTreePosition=..., resolvedStyle=...) at ../../Source/WebCore/style/StyleResolveTree.cpp:323
#21 0x00007ffff3ac2713 in WebCore::Style::attachRenderTree (current=..., inheritedStyle=..., renderTreePosition=..., resolvedStyle=...) at ../../Source/WebCore/style/StyleResolveTree.cpp:615
#22 0x00007ffff3ac1e24 in WebCore::Style::attachChildren (current=..., inheritedStyle=..., renderTreePosition=...) at ../../Source/WebCore/style/StyleResolveTree.cpp:484
#23 0x00007ffff3ac27ea in WebCore::Style::attachRenderTree (current=..., inheritedStyle=..., renderTreePosition=..., resolvedStyle=...) at ../../Source/WebCore/style/StyleResolveTree.cpp:629
#24 0x00007ffff3ac1e24 in WebCore::Style::attachChildren (current=..., inheritedStyle=..., renderTreePosition=...) at ../../Source/WebCore/style/StyleResolveTree.cpp:484
#25 0x00007ffff3ac27ea in WebCore::Style::attachRenderTree (current=..., inheritedStyle=..., renderTreePosition=..., resolvedStyle=...) at ../../Source/WebCore/style/StyleResolveTree.cpp:629
#26 0x00007ffff3ac3006 in WebCore::Style::resolveLocal (current=..., inheritedStyle=..., renderTreePosition=..., inheritedChange=WebCore::Style::Force) at ../../Source/WebCore/style/StyleResolveTree.cpp:756
#27 0x00007ffff3ac379d in WebCore::Style::resolveTree (current=..., inheritedStyle=..., renderTreePosition=..., change=WebCore::Style::Force) at ../../Source/WebCore/style/StyleResolveTree.cpp:918
#28 0x00007ffff3ac3c82 in WebCore::Style::resolveTree (document=..., change=WebCore::Style::Force) at ../../Source/WebCore/style/StyleResolveTree.cpp:994
#29 0x00007ffff2ec680a in WebCore::Document::recalcStyle (this=0x7ffff7e91000, change=WebCore::Style::Force) at ../../Source/WebCore/dom/Document.cpp:1764
#30 0x00007ffff2ec6b01 in WebCore::Document::updateStyleIfNeeded (this=0x7ffff7e91000) at ../../Source/WebCore/dom/Document.cpp:1812
#31 0x00007ffff2ed1e3e in WebCore::Document::finishedParsing (this=0x7ffff7e91000) at ../../Source/WebCore/dom/Document.cpp:4627
#32 0x00007ffff3243961 in WebCore::HTMLConstructionSite::finishedParsing (this=0x7ffff7f35800) at ../../Source/WebCore/html/parser/HTMLConstructionSite.cpp:404
#33 0x00007ffff328047a in WebCore::HTMLTreeBuilder::finished (this=0x7ffff7f357e0) at ../../Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2940
#34 0x00007ffff324c2fc in WebCore::HTMLDocumentParser::end (this=0x7ffff7ed0100) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:402
#35 0x00007ffff324c3ca in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd (this=0x7ffff7ed0100) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:411
#36 0x00007ffff324b07a in WebCore::HTMLDocumentParser::prepareToStopParsing (this=0x7ffff7ed0100) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:132
#37 0x00007ffff324c401 in WebCore::HTMLDocumentParser::attemptToEnd (this=0x7ffff7ed0100) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:423
#38 0x00007ffff324c4af in WebCore::HTMLDocumentParser::finish (this=0x7ffff7ed0100) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:451
#39 0x00007ffff33bbb29 in WebCore::DocumentWriter::end (this=0x7ffff7ebbaa0) at ../../Source/WebCore/loader/DocumentWriter.cpp:247
#40 0x00007ffff33a70f9 in WebCore::DocumentLoader::finishedLoading (this=0x7ffff7ebba00, finishTime=0) at ../../Source/WebCore/loader/DocumentLoader.cpp:440
#41 0x00007ffff33a6e62 in WebCore::DocumentLoader::notifyFinished (this=0x7ffff7ebba00, resource=0x7ffff7ec8680) at ../../Source/WebCore/loader/DocumentLoader.cpp:374
#42 0x00007ffff345b7e8 in WebCore::CachedResource::checkNotify (this=0x7ffff7ec8680) at ../../Source/WebCore/loader/cache/CachedResource.cpp:293
#43 0x00007ffff345b8e6 in WebCore::CachedResource::finishLoading (this=0x7ffff7ec8680) at ../../Source/WebCore/loader/cache/CachedResource.cpp:309
#44 0x00007ffff3457f1f in WebCore::CachedRawResource::finishLoading (this=0x7ffff7ec8680, data=0x7ffff7e89570) at ../../Source/WebCore/loader/cache/CachedRawResource.cpp:104
#45 0x00007ffff340a3f1 in WebCore::SubresourceLoader::didFinishLoading (this=0x7ffff7ec8200, finishTime=0) at ../../Source/WebCore/loader/SubresourceLoader.cpp:364
#46 0x00007ffff3405d2b in WebCore::ResourceLoader::didFinishLoading (this=0x7ffff7ec8200, finishTime=0) at ../../Source/WebCore/loader/ResourceLoader.cpp:542
#47 0x00007ffff3db92b5 in WebCore::readCallback (asyncResult=0x6e41f0, data=0x7ffff7e7eb40) at ../../Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:1295
#48 0x00007fffeb2777e6 in async_ready_callback_wrapper (source_object=0x7c72d0, res=0x6e41f0, user_data=user_data@entry=0x7ffff7e7eb40) at ginputstream.c:523
#49 0x00007fffeb29d0e5 in g_task_return_now (task=0x6e41f0) at gtask.c:1077
#50 0x00007fffeb29d109 in complete_in_idle_cb (task=0x6e41f0) at gtask.c:1086
#51 0x00007fffea555a1d in g_main_dispatch (context=0x478b00) at gmain.c:3064
#52 g_main_context_dispatch (context=context@entry=0x478b00) at gmain.c:3663
#53 0x00007fffea555d88 in g_main_context_iterate (context=0x478b00, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3734
#54 0x00007fffea55604a in g_main_loop_run (loop=0x901bd0) at gmain.c:3928
#55 0x00007ffff44b31e6 in WTF::RunLoop::run () at ../../Source/WTF/wtf/gtk/RunLoopGtk.cpp:59
#56 0x00007ffff29a1cfc in WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain> (argc=2, argv=0x7fffffffd948) at ../../Source/WebKit2/Shared/unix/ChildProcessMain.h:61
#57 0x00007ffff29a1b61 in WebKit::WebProcessMainUnix (argc=2, argv=0x7fffffffd948) at ../../Source/WebKit2/WebProcess/gtk/WebProcessMainGtk.cpp:77
#58 0x00000000004008d1 in main (argc=2, argv=0x7fffffffd948) at ../../Source/WebKit2/WebProcess/EntryPoint/unix/WebProcessMain.cpp:44
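
Added illustration, not WebKit source and not the change committed for this bug: frames #0-#2 show RenderTableCell::table() reaching RenderObject::parent() with this=0x0 while the cell is still inside initializeStyle (frame #19). The C++ model below reproduces that pattern with an unchecked ancestor walk beside a guarded one. All type and member names are hypothetical, and the cell -> row -> section -> table shape is an assumption.

```cpp
// Illustrative model only: class and member names are hypothetical, not WebKit's.
#include <cstdio>

struct Renderer {
    Renderer* m_parent = nullptr;
    Renderer* parent() const { return m_parent; }
};
struct Table : Renderer { int borderBottomWidth = 2; };

struct Cell : Renderer {
    // Unchecked walk cell -> row -> section -> table (assumed tree shape).
    // On a detached cell the first parent() returns nullptr, so the second
    // parent() call runs with this == nullptr: the frame #0 pattern.
    // Shown for contrast; calling it on a detached cell is undefined behaviour.
    Table* tableUnchecked() const {
        return static_cast<Table*>(parent()->parent()->parent());
    }

    // Guarded walk: stops at the first missing ancestor.
    Table* tableChecked() const {
        Renderer* r = parent();
        for (int hop = 0; r && hop < 2; ++hop)
            r = r->parent();
        return static_cast<Table*>(r);
    }

    // Geometry query that tolerates being called before tree insertion.
    int borderBottom() const {
        Table* t = tableChecked();
        return t ? t->borderBottomWidth : 0;
    }
};

// Builds table -> section -> row -> cell and returns the cell's border.
int attachedBorder() {
    Table table; Renderer section, row; Cell cell;
    section.m_parent = &table;
    row.m_parent = &section;
    cell.m_parent = &row;
    return cell.borderBottom();
}

// A freshly created cell: style callbacks may run before it has a parent.
int detachedBorder() {
    Cell cell;
    return cell.borderBottom();
}

int main() {
    std::printf("attached=%d detached=%d\n", attachedBorder(), detachedBorder());
    return 0;
}
```
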
Comment 1 zalan 2015-02-16 13:28:45 PST
rdar://problem/19850760
Comment 2 zalan 2015-02-16 13:33:49 PST
Created attachment 246671
Patch
Comment 3 WebKit Commit Bot 2015-02-16 14:38:39 PST
Comment on attachment 246671
Patch

Clearing flags on attachment: 246671

Committed r180174: <http://trac.webkit.org/changeset/180174>
Comment 4 WebKit Commit Bot 2015-02-16 14:38:43 PST
All reviewed patches have been landed.  Closing bug.