Bug 20513 - REGRESSION: -webkit-transition-property: inherit; crashes webkit nightly
Summary: REGRESSION: -webkit-transition-property: inherit; crashes webkit nightly
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: CSS
Version: 528+ (Nightly build)
Hardware: All All
Importance: P1 Normal
Assignee: Dean Jackson
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2008-08-25 11:11 PDT by Robert Swiecki
Modified: 2008-08-25 14:06 PDT
CC List: 2 users

See Also:


Attachments
Testcase (115 bytes, text/html), 2008-08-25 11:20 PDT, Simon Fraser (smfr), no flags
patch for crash (1.39 KB, patch), 2008-08-25 13:10 PDT, Dean Jackson, hyatt: review+
Updated patch with testcases and changelogs (10.61 KB, patch), 2008-08-25 14:01 PDT, Dean Jackson, dino: review+

Description Robert Swiecki 2008-08-25 11:11:37 PDT
Hi, the following code crashes webkit nightly (r35904), but not stable Safari 3.1.2 

<html>
<style media="all" type="text/css">
body {
        -webkit-transition-property: inherit;
}

</style>
</html>


Stackdump:
(cc.1254): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=7fd11fb0 ecx=00000000 edx=00000000 esi=00000000 edi=7fed8780
eip=00aae901 esp=0012f3c0 ebp=0012f940 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
WebKit!WebCore::CSSStyleSelector::applyProperty+0x316bc1:
00aae901 3930            cmp     dword ptr [eax],esi  ds:0023:00000000=????????
0:000> kb
ChildEBP RetAddr  Args to Child              
0012f940 00797c48 000004c8 7fd11f90 00000000 WebKit!WebCore::CSSStyleSelector::applyProperty+0x316bc1
0012f964 00797850 7fed8780 00000000 00000001 WebKit!WebCore::CSSStyleSelector::applyDeclarations+0x88 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\css\cssstyleselector.cpp @ 2492]
0012f998 007902f4 7fd51960 00000001 00000001 WebKit!WebCore::CSSStyleSelector::styleForElement+0x230 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\css\cssstyleselector.cpp @ 1177]
0012f9ac 00791f9c 7fd4c448 7fd51960 0012fa28 WebKit!WebCore::Element::styleForRenderer+0x14 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\dom\element.cpp @ 672]
0012f9cc 00790bbb 7fe93a00 7fd51960 0076f0f0 WebKit!WebCore::Node::createRendererIfNeeded+0x5c [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\dom\node.cpp @ 1015]
0012f9d8 0076f0f0 7ff0b800 0000000a 7ff9005c WebKit!WebCore::Element::attach+0xb [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\dom\element.cpp @ 718]
0012fa04 00769873 00000000 0012fa28 00000000 WebKit!WebCore::ContainerNode::appendChild+0xf0 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\dom\containernode.cpp @ 574]
0012fa40 009387fd 7febf6a8 7fe91250 00938ec8 WebKit!WebCore::Document::implicitClose+0x283 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\dom\document.cpp @ 1540]
0012fa4c 00938ec8 7fe91250 7ff0b82c 007ea32b WebKit!WebCore::FrameLoader::checkCompleted+0x9d [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\loader\frameloader.cpp @ 1295]
0012fa58 007ea32b 00000000 7fd3a540 00007f1e WebKit!WebCore::FrameLoader::finishedParsing+0x28 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\loader\frameloader.cpp @ 1243]
0012fa70 007e4f27 00c4916e 0000001e 00007f1e WebKit!WebCore::Document::finishedParsing+0x4b [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\dom\document.cpp @ 3779]
0012fa94 007dc65e 7fd3a540 7fef6434 7fef6400 WebKit!WebCore::HTMLParser::finished+0xc7 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\html\htmlparser.cpp @ 1538]
0012fab4 007f4a21 7fd39a00 7febf6a8 7fe91250 WebKit!WebCore::HTMLTokenizer::end+0x12e [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\html\htmltokenizer.cpp @ 1851]
0012fb08 00938e67 7fecca00 7febf6a8 00938b2b WebKit!WebCore::HTMLTokenizer::finish+0x51 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\html\htmltokenizer.cpp @ 1889]
0012fb14 00938b2b 7ff01a00 7fecca00 04c75cd8 WebKit!WebCore::FrameLoader::endIfNotLoadingMainResource+0x47 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\loader\frameloader.cpp @ 1076]
0012fb24 009f2243 7fd2b4c8 04c74a28 009f4e67 WebKit!WebCore::FrameLoader::finishedLoading+0x2b [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\loader\frameloader.cpp @ 2914]
0012fb30 009f4e67 00944e11 7fd2b4c8 04c74a28 WebKit!WebCore::MainResourceLoader::didFinishLoading+0x23 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\loader\mainresourceloader.cpp @ 321]
0012fb34 00944e11 7fd2b4c8 04c74a28 6a535f00 WebKit!WebCore::ResourceLoader::didFinishLoading+0x7 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\loader\resourceloader.cpp @ 399]
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Safari\CFNetwork.dll - 
0012fb40 6a535f00 04c74a28 7fd2b4c8 04c75cd8 WebKit!WebCore::didFinishLoading+0x21 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\platform\network\cf\resourcehandlecfnet.cpp @ 119]
WARNING: Stack unwind information not available. Following frames may be wrong.
0012fb50 6a536353 0012fbdc 6a5364d5 0012fb74 CFNetwork!CFURLConnectionResume+0x4e3
Comment 1 Simon Fraser (smfr) 2008-08-25 11:19:52 PDT
Crashes at:

Exception Type:  EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000000
Crashed Thread:  0

Thread 0 Crashed:
0   com.apple.WebCore             	0x00d3a923 WebCore::CSSStyleSelector::applyProperty(int, WebCore::CSSValue*) + 57971
1   com.apple.WebCore             	0x00d4a582 WebCore::CSSStyleSelector::applyDeclarations(bool, bool, int, int) + 226
2   com.apple.WebCore             	0x00d4c95e WebCore::CSSStyleSelector::styleForElement(WebCore::Element*, WebCore::RenderStyle*, bool, bool) + 1694
3   com.apple.WebCore             	0x00e82fc3 WebCore::Element::styleForRenderer(WebCore::RenderObject*) + 51
Comment 2 Simon Fraser (smfr) 2008-08-25 11:20:25 PDT
Created attachment 22983 [details]
Testcase
Comment 3 Adam Roben (:aroben) 2008-08-25 12:51:14 PDT
<rdar://problem/6173914>
Comment 4 Dean Jackson 2008-08-25 13:10:33 PDT
Created attachment 22985 [details]
patch for crash
Comment 5 Robert Swiecki 2008-08-25 13:17:08 PDT
Similar one:

<html>
<style>
body {
        unicode-range: searchfield-cancel-buttonpt=-webkit-dashboard-region=
}
</style>
</html>
Comment 6 Dave Hyatt 2008-08-25 13:18:57 PDT
Comment on attachment 22985 [details]
patch for crash

Don't forget a ChangeLog.
Comment 7 Simon Fraser (smfr) 2008-08-25 13:22:37 PDT
Robert: please file a new bug on the issue in comment 5.
Comment 8 Robert Swiecki 2008-08-25 13:27:19 PDT
It's here: https://bugs.webkit.org/show_bug.cgi?id=20515
Comment 9 Dean Jackson 2008-08-25 14:01:04 PDT
Created attachment 22986 [details]
Updated patch with testcases and changelogs

new patch with testcases - transferring r+ from hyatt
Comment 10 Dean Jackson 2008-08-25 14:06:46 PDT
Committed r35923
	M	WebCore/ChangeLog
	M	WebCore/css/CSSStyleSelector.cpp
	M	LayoutTests/ChangeLog
	A	LayoutTests/transitions/inherit-expected.txt
	A	LayoutTests/transitions/inherit-other-props-expected.txt
	A	LayoutTests/transitions/inherit-other-props.html
	A	LayoutTests/transitions/inherit.html
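The crash pattern behind this bug, modelled as an added example (this is not WebKit's CSSStyleSelector code; the CSSValue, CSSInheritedValue, CSSValueList, RenderStyle, listOrNull and applyTransitionProperty names are a simplified stand-in): a property handler that assumes its value is always a list receives the inherit keyword instead, the unchecked cast yields null, and the original code read through it (eax=00000000 at the crash site in the description). The hardened handler resolves inherit against the parent style before any type-specific cast.

```cpp
#include <cassert>
#include <string>
#include <vector>

// Added example, not WebKit code: a minimal model of the value types a style
// selector dispatches on when applying a property.
struct CSSValue {
    virtual ~CSSValue() = default;
    virtual bool isInheritedValue() const { return false; }
    virtual bool isValueList() const { return false; }
};
struct CSSInheritedValue : CSSValue {
    bool isInheritedValue() const override { return true; }
};
struct CSSValueList : CSSValue {
    std::vector<std::string> items;
    bool isValueList() const override { return true; }
};
struct RenderStyle {
    std::vector<std::string> transitionProperties;
};

// Buggy shape: the list lookup does not fail loudly. For "inherit" it simply
// returns nullptr, and a handler that assumes a list then dereferences it.
const CSSValueList* listOrNull(const CSSValue& value) {
    return dynamic_cast<const CSSValueList*>(&value);
}

// Hardened shape: handle the inherit keyword explicitly, then refuse any
// value that is not the type this property expects.
bool applyTransitionProperty(RenderStyle& style, const RenderStyle* parent,
                             const CSSValue& value) {
    if (value.isInheritedValue()) {
        if (!parent)
            return false;               // no parent style in this model: not applied
        style.transitionProperties = parent->transitionProperties;
        return true;
    }
    const CSSValueList* list = listOrNull(value);
    if (!list)
        return false;                   // never read through a null list
    style.transitionProperties = list->items;
    return true;
}
```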