RESOLVED FIXED
Bug 31642 - Crash in RenderObject::destroy()
https://bugs.webkit.org/show_bug.cgi?id=31642
Reported by James Robinson, 2009-11-18 13:29:00 PST
The URL above consistently crashes WebKit nightlies during page load (be sure to click through the ad if one shows). It looks like a virtual function is being called on a destroyed/corrupt object. This looks like a regression from Safari 4.0.3's version of WebKit.
James Robinson
Comment 1
2009-11-18 13:46:50 PST
Here's what the top of the stack looks like (from a Chromium build):
chrome.dll!WebCore::RenderObject::destroy() Line 1862 + 0xa bytes C++
chrome.dll!WebCore::RenderBoxModelObject::destroy() Line 76 C++
chrome.dll!WebCore::RenderBox::destroy() Line 96 C++
chrome.dll!WebCore::RenderBlock::destroy() Line 197 C++
chrome.dll!WebCore::RenderObjectChildList::destroyLeftoverChildren() Line 59 + 0x1d bytes C++
chrome.dll!WebCore::RenderInline::destroy() Line 62 C++
chrome.dll!WebCore::Node::detach() Line 1256 + 0x1d bytes C++
chrome.dll!WebCore::ContainerNode::detach() Line 591 C++
chrome.dll!WebCore::Element::detach() Line 759 C++
chrome.dll!WebCore::ContainerNode::removeChild(WebCore::Node * oldChild=0x0ade8b00, int & ec=0) Line 344 + 0x1d bytes C++
chrome.dll!WebCore::HTMLParser::handleResidualStyleCloseTagAcrossBlocks(WebCore::HTMLStackElem * elem=0x09e05ec0) Line 1225 + 0x2b bytes C++
chrome.dll!WebCore::HTMLParser::popBlock(const WebCore::AtomicString & tagName={...}, bool reportErrors=true) Line 1408 + 0xc bytes C++
chrome.dll!WebCore::HTMLParser::processCloseTag(WebCore::Token * t=0x0676b420) Line 994 C++
chrome.dll!WebCore::HTMLParser::parseToken(WebCore::Token * t=0x0676b420) Line 228 C++
chrome.dll!WebCore::HTMLTokenizer::processToken() Line 1934 + 0x20 bytes C++
chrome.dll!WebCore::HTMLTokenizer::parseTag(WebCore::SegmentedString & src={...}, WebCore::HTMLTokenizer::State state={...}) Line 1506 + 0xf bytes C++
chrome.dll!WebCore::HTMLTokenizer::write(const WebCore::SegmentedString & str={...}, bool appendData=false) Line 1757 + 0x1d bytes C++
chrome.dll!WebCore::HTMLTokenizer::notifyFinished(WebCore::CachedResource * __formal=0x06deec80) Line 2078 + 0x1c bytes C++
chrome.dll!WebCore::CachedScript::checkNotify() Line 105 + 0x13 bytes C++
chrome.dll!WebCore::CachedScript::data(WTF::PassRefPtr<WebCore::SharedBuffer> data={...}, bool allDataReceived=true) Line 96 C++
chrome.dll!WebCore::Loader::Host::didFinishLoading(WebCore::SubresourceLoader * loader=0x0536c400) Line 368 C++
chrome.dll!WebCore::SubresourceLoader::didFinishLoading() Line 184 + 0x21 bytes C++

I kind of suspect that ruby's to blame here - the element on which ContainerNode::removeChild() is called has a tag name "ruby" and its children appear to be somehow corrupt.
Roland Steiner
Comment 2
2009-11-18 18:42:50 PST
(In reply to comment #1) Yes, this is in all likelihood the same issue reported in https://bugs.webkit.org/show_bug.cgi?id=31574.
Roland Steiner
Comment 3
2009-11-18 21:05:33 PST
(In reply to comment #2)
> Yes, this is in all likelihood the same issue reported in
> https://bugs.webkit.org/show_bug.cgi?id=31574.

Patch for 31574 has been landed in r51169.