20513 – REGRESSION: -webkit-transition-property: inherit; crashes webkit nightly

RESOLVED FIXED 20513

REGRESSION: -webkit-transition-property: inherit; crashes webkit nightly

https://bugs.webkit.org/show_bug.cgi?id=20513

Summary REGRESSION: -webkit-transition-property: inherit; crashes webkit nightly

Robert Swiecki

Reported 2008-08-25 11:11:37 PDT

Hi, the following code crashes webkit nightly (r35904), but not stable Safari 3.1.2 <html> <style media="all" type="text/css"> body { -webkit-transition-property: inherit; } </style> </html> Stackdump: (cc.1254): Access violation - code c0000005 (!!! second chance !!!) eax=00000000 ebx=7fd11fb0 ecx=00000000 edx=00000000 esi=00000000 edi=7fed8780 eip=00aae901 esp=0012f3c0 ebp=0012f940 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 WebKit!WebCore::CSSStyleSelector::applyProperty+0x316bc1: 00aae901 3930 cmp dword ptr [eax],esi ds:0023:00000000=???????? 0:000> kb ChildEBP RetAddr Args to Child 0012f940 00797c48 000004c8 7fd11f90 00000000 WebKit!WebCore::CSSStyleSelector::applyProperty+0x316bc1 0012f964 00797850 7fed8780 00000000 00000001 WebKit!WebCore::CSSStyleSelector::applyDeclarations+0x88 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\css\cssstyleselector.cpp @ 2492] 0012f998 007902f4 7fd51960 00000001 00000001 WebKit!WebCore::CSSStyleSelector::styleForElement+0x230 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\css\cssstyleselector.cpp @ 1177] 0012f9ac 00791f9c 7fd4c448 7fd51960 0012fa28 WebKit!WebCore::Element::styleForRenderer+0x14 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\dom\element.cpp @ 672] 0012f9cc 00790bbb 7fe93a00 7fd51960 0076f0f0 WebKit!WebCore::Node::createRendererIfNeeded+0x5c [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\dom\node.cpp @ 1015] 0012f9d8 0076f0f0 7ff0b800 0000000a 7ff9005c WebKit!WebCore::Element::attach+0xb [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\dom\element.cpp @ 718] 0012fa04 00769873 00000000 0012fa28 00000000 WebKit!WebCore::ContainerNode::appendChild+0xf0 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\dom\containernode.cpp @ 574] 0012fa40 009387fd 7febf6a8 7fe91250 00938ec8 WebKit!WebCore::Document::implicitClose+0x283 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\dom\document.cpp @ 1540] 0012fa4c 00938ec8 7fe91250 7ff0b82c 007ea32b WebKit!WebCore::FrameLoader::checkCompleted+0x9d [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\loader\frameloader.cpp @ 1295] 0012fa58 007ea32b 00000000 7fd3a540 00007f1e WebKit!WebCore::FrameLoader::finishedParsing+0x28 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\loader\frameloader.cpp @ 1243] 0012fa70 007e4f27 00c4916e 0000001e 00007f1e WebKit!WebCore::Document::finishedParsing+0x4b [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\dom\document.cpp @ 3779] 0012fa94 007dc65e 7fd3a540 7fef6434 7fef6400 WebKit!WebCore::HTMLParser::finished+0xc7 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\html\htmlparser.cpp @ 1538] 0012fab4 007f4a21 7fd39a00 7febf6a8 7fe91250 WebKit!WebCore::HTMLTokenizer::end+0x12e [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\html\htmltokenizer.cpp @ 1851] 0012fb08 00938e67 7fecca00 7febf6a8 00938b2b WebKit!WebCore::HTMLTokenizer::finish+0x51 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\html\htmltokenizer.cpp @ 1889] 0012fb14 00938b2b 7ff01a00 7fecca00 04c75cd8 WebKit!WebCore::FrameLoader::endIfNotLoadingMainResource+0x47 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\loader\frameloader.cpp @ 1076] 0012fb24 009f2243 7fd2b4c8 04c74a28 009f4e67 WebKit!WebCore::FrameLoader::finishedLoading+0x2b [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\loader\frameloader.cpp @ 2914] 0012fb30 009f4e67 00944e11 7fd2b4c8 04c74a28 WebKit!WebCore::MainResourceLoader::didFinishLoading+0x23 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\loader\mainresourceloader.cpp @ 321] 0012fb34 00944e11 7fd2b4c8 04c74a28 6a535f00 WebKit!WebCore::ResourceLoader::didFinishLoading+0x7 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\loader\resourceloader.cpp @ 399] *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Safari\CFNetwork.dll - 0012fb40 6a535f00 04c74a28 7fd2b4c8 04c75cd8 WebKit!WebCore::didFinishLoading+0x21 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\platform\network\cf\resourcehandlecfnet.cpp @ 119] WARNING: Stack unwind information not available. Following frames may be wrong. 0012fb50 6a536353 0012fbdc 6a5364d5 0012fb74 CFNetwork!CFURLConnectionResume+0x4e3

Attachments
Testcase (115 bytes, text/html) 2008-08-25 11:20 PDT, Simon Fraser (smfr)	no flags	Details
patch for crash (1.39 KB, patch) 2008-08-25 13:10 PDT, Dean Jackson	hyatt: review+	Details Formatted Diff Diff
Updated patch with testcases and changelogs (10.61 KB, patch) 2008-08-25 14:01 PDT, Dean Jackson	dino: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Simon Fraser (smfr)

Comment 1 2008-08-25 11:19:52 PDT

Crashes at: Exception Type: EXC_BAD_ACCESS (SIGBUS) Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000000 Crashed Thread: 0 Thread 0 Crashed: 0 com.apple.WebCore 0x00d3a923 WebCore::CSSStyleSelector::applyProperty(int, WebCore::CSSValue*) + 57971 1 com.apple.WebCore 0x00d4a582 WebCore::CSSStyleSelector::applyDeclarations(bool, bool, int, int) + 226 2 com.apple.WebCore 0x00d4c95e WebCore::CSSStyleSelector::styleForElement(WebCore::Element*, WebCore::RenderStyle*, bool, bool) + 1694 3 com.apple.WebCore 0x00e82fc3 WebCore::Element::styleForRenderer(WebCore::RenderObject*) + 51

Simon Fraser (smfr)

Comment 2 2008-08-25 11:20:25 PDT

Created attachment 22983 [details] Testcase

Adam Roben (:aroben)

Comment 3 2008-08-25 12:51:14 PDT

<rdar://problem/6173914>

Dean Jackson

Comment 4 2008-08-25 13:10:33 PDT

Created attachment 22985 [details] patch for crash

Robert Swiecki

Comment 5 2008-08-25 13:17:08 PDT

Similar one: <html> <style> body { unicode-range: searchfield-cancel-buttonpt=-webkit-dashboard-region= } </style> </html>

Dave Hyatt

Comment 6 2008-08-25 13:18:57 PDT

Comment on attachment 22985 [details] patch for crash Don't forget a ChangeLog.

Simon Fraser (smfr)

Comment 7 2008-08-25 13:22:37 PDT

Robert: please file a new bug on the issue in comment 5.

Robert Swiecki

Comment 8 2008-08-25 13:27:19 PDT

It's here: https://bugs.webkit.org/show_bug.cgi?id=20515

Dean Jackson

Comment 9 2008-08-25 14:01:04 PDT

Created attachment 22986 [details] Updated patch with testcases and changelogs new patch with testcases - transferring r+ from hyatt

Dean Jackson

Comment 10 2008-08-25 14:06:46 PDT

Committed r35923 M WebCore/ChangeLog M WebCore/css/CSSStyleSelector.cpp M LayoutTests/ChangeLog A LayoutTests/transitions/inherit-expected.txt A LayoutTests/transitions/inherit-other-props-expected.txt A LayoutTests/transitions/inherit-other-props.html A LayoutTests/transitions/inherit.html

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P1

Severity Normal

Classification Unclassified

Version 528+ (Nightly build)

Hardware All

OS All

Product WebKit

Component CSS

Assignee

Dean Jackson

Reported

2008-08-25 11:11 PDT

Modified

2008-08-25 14:06 PDT History

CC List

2 users Show

URL

Keywords InRadar

Depends on

Blocks