WebKit Bugzilla
RESOLVED FIXED
49316
chrome.dll!WebCore::Node::createRendererIfNeeded ReadAV@NULL (7079875ef32458c5c891a311715b683f)
https://bugs.webkit.org/show_bug.cgi?id=49316
Berend-Jan Wever
Reported
2010-11-10 04:10:36 PST
Created attachment 73485 [details]: Repro

Repro.html: <svg><use><style>:first-letter{margin-right:auto}<i><style>

id: chrome.dll!WebCore::Node::createRendererIfNeeded ReadAV@NULL (7079875ef32458c5c891a311715b683f)
description: Attempt to read from unallocated NULL pointer+0x20 in chrome.dll!WebCore::Node::createRendererIfNeeded
application: Chromium 9.0.571.0
stack:
  chrome.dll!WebCore::Node::createRendererIfNeeded
  chrome.dll!WebCore::Element::attach
  chrome.dll!WebCore::HTMLMediaElement::attach
  chrome.dll!WebCore::Element::recalcStyle
  chrome.dll!WebCore::SVGUseElement::recalcStyle
  chrome.dll!WebCore::Element::recalcStyle
  chrome.dll!WebCore::Element::recalcStyle
  chrome.dll!WebCore::Element::recalcStyle
  chrome.dll!WebCore::Document::recalcStyle
  chrome.dll!WebCore::Document::styleSelectorChanged
  chrome.dll!WebCore::Document::removePendingSheet
  chrome.dll!WebCore::StyleElement::sheetLoaded
  chrome.dll!WebCore::HTMLStyleElement::sheetLoaded
  chrome.dll!WebCore::CSSStyleSheet::checkLoaded
  chrome.dll!WebCore::StyleElement::createSheet
  chrome.dll!WebCore::StyleElement::process
  chrome.dll!WebCore::StyleElement::finishParsingChildren
  chrome.dll!WebCore::HTMLStyleElement::finishParsingChildren
  chrome.dll!WebCore::HTMLElementStack::popCommon
  chrome.dll!WebCore::HTMLTreeBuilder::processEndOfFile
  chrome.dll!WebCore::HTMLTreeBuilder::constructTreeFromAtomicToken
  chrome.dll!WebCore::HTMLTreeBuilder::constructTreeFromToken
  chrome.dll!WebCore::HTMLDocumentParser::pumpTokenizer
  chrome.dll!WebCore::HTMLDocumentParser::prepareToStopParsing
  chrome.dll!WebCore::DocumentWriter::endIfNotLoadingMainResource
  chrome.dll!WebCore::FrameLoader::finishedLoading
  chrome.dll!WebCore::MainResourceLoader::didFinishLoading
  chrome.dll!WebCore::ResourceLoader::didFinishLoading
  chrome.dll!WebCore::ResourceHandleInternal::didFinishLoading
  ...
Attachments
Repro (59 bytes, text/html), 2010-11-10 04:10 PST, Berend-Jan Wever, no flags
Trivial fix: land the test case for the solved bug (3.04 KB, patch), 2011-06-13 10:47 PDT, Julien Chaffraix, no flags
Eric Seidel (no email)
Comment 1
2010-11-10 09:27:41 PST
Guessing from the stack trace, HTMLMediaElement::attach is probably not handling a null pointer like it should.
Eric Carlson
Comment 2
2010-11-10 11:25:03 PST
Node::createRendererIfNeeded asserts in a debug build because parentNode() returns NULL.
Eric Carlson
Comment 3
2010-11-10 11:33:05 PST
And HTMLMediaElement::attach isn't called:

  WebCore::Node::createRendererIfNeeded at Node.cpp:1327
  WebCore::Element::attach at Element.cpp:882
  WebCore::SVGStyledElement::attach at SVGStyledElement.cpp:266
  WebCore::Element::recalcStyle at Element.cpp:973
  WebCore::RenderSVGShadowTreeRootContainer::updateStyle at RenderSVGShadowTreeRootContainer.cpp:46
  WebCore::SVGUseElement::recalcStyle at SVGUseElement.cpp:346
  WebCore::Element::recalcStyle at Element.cpp:1036
  WebCore::Element::recalcStyle at Element.cpp:1036
  WebCore::Element::recalcStyle at Element.cpp:1036
  WebCore::Document::recalcStyle at Document.cpp:1511
  WebCore::Document::styleSelectorChanged at Document.cpp:2841
  WebCore::Document::removePendingSheet at Document.cpp:2799
  WebCore::StyleElement::sheetLoaded at StyleElement.cpp:168
  WebCore::HTMLStyleElement::sheetLoaded at HTMLStyleElement.h:53
  WebCore::CSSStyleSheet::checkLoaded at CSSStyleSheet.cpp:214
  WebCore::StyleElement::createSheet at StyleElement.cpp:152
  WebCore::StyleElement::process at StyleElement.cpp:121
  WebCore::StyleElement::finishParsingChildren at StyleElement.cpp:90
  WebCore::HTMLStyleElement::finishParsingChildren at HTMLStyleElement.cpp:61
  WebCore::HTMLElementStack::popCommon at HTMLElementStack.cpp:538
  WebCore::HTMLElementStack::pop at HTMLElementStack.cpp:209
  WebCore::HTMLTreeBuilder::processEndOfFile at HTMLTreeBuilder.cpp:2627
  WebCore::HTMLTreeBuilder::processToken at HTMLTreeBuilder.cpp:477
  WebCore::HTMLTreeBuilder::constructTreeFromAtomicToken at HTMLTreeBuilder.cpp:446
  WebCore::HTMLTreeBuilder::constructTreeFromToken at HTMLTreeBuilder.cpp:441
  WebCore::HTMLDocumentParser::pumpTokenizer at HTMLDocumentParser.cpp:223
  WebCore::HTMLDocumentParser::pumpTokenizerIfPossible at HTMLDocumentParser.cpp:169
  WebCore::HTMLDocumentParser::prepareToStopParsing at HTMLDocumentParser.cpp:139
  WebCore::HTMLDocumentParser::attemptToEnd at HTMLDocumentParser.cpp:344
  WebCore::HTMLDocumentParser::finish at HTMLDocumentParser.cpp:372
  WebCore::Document::finishParsing at Document.cpp:2191
  WebCore::DocumentWriter::endIfNotLoadingMainResource at DocumentWriter.cpp:221
  WebCore::DocumentWriter::end at DocumentWriter.cpp:206
  WebCore::DocumentLoader::finishedLoading at DocumentLoader.cpp:276
  WebCore::FrameLoader::finishedLoading at FrameLoader.cpp:2165
  WebCore::MainResourceLoader::didFinishLoading at MainResourceLoader.cpp:456
  WebCore::ResourceLoader::didFinishLoading at ResourceLoader.cpp:421
Alexey Proskuryakov
Comment 4
2010-11-10 14:28:14 PST
It would be very interesting if HTMLMediaElement::attach() were actually called, given that there are no media elements in the test case. SkyLined, can you double-check in Chrome?
Berend-Jan Wever
Comment 5
2010-11-10 14:50:14 PST
(In reply to comment #4)
> It would be very interesting if HTMLMediaElement::attach() were actually called, given that there are no media elements in the test case. SkyLined, can you double-check in Chrome?

I checked and I am now seeing the same stack trace as Eric and a different id with the same repro...? Maybe I screwed up somewhere... very odd. I'll let it run a zillion times overnight to see if it can happen again.

id: chrome.dll!WebCore::Node::createRendererIfNeeded ReadAV@NULL (e3c5b4a57108b2b92aca035978f4519f)
description: Attempt to read from unallocated NULL pointer+0x20 in chrome.dll!WebCore::Node::createRendererIfNeeded
application: Chromium 9.0.579.0
stack:
  chrome.dll!WebCore::Node::createRendererIfNeeded
  chrome.dll!WebCore::Element::attach
  chrome.dll!WebCore::SVGStyledElement::attach
  chrome.dll!WebCore::Element::recalcStyle
  chrome.dll!WebCore::SVGUseElement::recalcStyle
  chrome.dll!WebCore::Element::recalcStyle
  chrome.dll!WebCore::Element::recalcStyle
  chrome.dll!WebCore::Element::recalcStyle
  chrome.dll!WebCore::Document::recalcStyle
  chrome.dll!WebCore::Document::styleSelectorChanged
  chrome.dll!WebCore::Document::removePendingSheet
  chrome.dll!WebCore::StyleElement::sheetLoaded
  chrome.dll!WebCore::SVGStyleElement::sheetLoaded
  chrome.dll!WebCore::CSSStyleSheet::checkLoaded
  chrome.dll!WebCore::StyleElement::createSheet
  chrome.dll!WebCore::StyleElement::process
  chrome.dll!WebCore::StyleElement::finishParsingChildren
  chrome.dll!WebCore::HTMLStyleElement::finishParsingChildren
  chrome.dll!WebCore::HTMLElementStack::popCommon
  chrome.dll!WebCore::HTMLTreeBuilder::processEndOfFile
  chrome.dll!WebCore::HTMLTreeBuilder::constructTreeFromAtomicToken
  chrome.dll!WebCore::HTMLTreeBuilder::constructTreeFromToken
  chrome.dll!WebCore::HTMLDocumentParser::pumpTokenizer
  chrome.dll!WebCore::HTMLDocumentParser::prepareToStopParsing
  chrome.dll!WebCore::DocumentWriter::endIfNotLoadingMainResource
  chrome.dll!WebCore::FrameLoader::finishedLoading
  chrome.dll!WebCore::MainResourceLoader::didFinishLoading
  chrome.dll!WebCore::ResourceLoader::didFinishLoading
  chrome.dll!WebCore::ResourceHandleInternal::didFinishLoading
  chrome.dll!webkit_glue::WebURLLoaderImpl::Context::OnCompletedRequest
  chrome.dll!ResourceDispatcher::OnRequestComplete
  chrome.dll!IPC::MessageWithTuple<...>
  chrome.dll!ResourceDispatcher::DispatchMessageW
  chrome.dll!ResourceDispatcher::OnMessageReceived
  chrome.dll!ChildThread::OnMessageReceived
  chrome.dll!RunnableMethod<...>::Run
  chrome.dll!MessageLoop::RunTask
  chrome.dll!MessageLoop::DoWork
  chrome.dll!base::MessagePumpDefault::Run
  chrome.dll!MessageLoop::RunInternal
  chrome.dll!MessageLoop::Run
  chrome.dll!RendererMain
  chrome.dll!ChromeMain
Berend-Jan Wever
Comment 6
2010-11-10 14:52:20 PST
(In reply to comment #5)
Just noticed I updated my Chrome, so it may be there was a bad build or a bug that was fixed that changed this. Anyway, I will try to see if I can get the "HTMLMediaElement::attach" crash again. Please assume that that was a fluke unless I report back that it can really happen.
Berend-Jan Wever
Comment 7
2010-11-11 00:12:00 PST
(In reply to comment #6)
> Anyway, I will try to see if I can get the "HTMLMediaElement::attach" crash again.

I ran it 146 times overnight and got only crashes without "HTMLMediaElement::attach" on the stack.
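The two reports in this thread carry different 32-character ids for the same repro because one frame differs near the top of the stack (HTMLMediaElement::attach in the first run, SVGStyledElement::attach in the second). The script below is an added illustration of that bucketing behaviour, not the fuzzer's own code: the id scheme (MD5 over the fault kind plus the top N frames, module prefix stripped) is an assumption chosen to model the property that any differing frame inside the window yields a new id, and the two stacks are constructed from the traces posted above, truncated to the frames that matter.

```python
import hashlib
from typing import List, Optional

# Constructed from the two traces posted in this bug (innermost frame first),
# truncated to the frames relevant for bucketing.
STACK_REPORT_1 = [
    "chrome.dll!WebCore::Node::createRendererIfNeeded",
    "chrome.dll!WebCore::Element::attach",
    "chrome.dll!WebCore::HTMLMediaElement::attach",
    "chrome.dll!WebCore::Element::recalcStyle",
    "chrome.dll!WebCore::SVGUseElement::recalcStyle",
    "chrome.dll!WebCore::Element::recalcStyle",
]
STACK_REPORT_2 = [
    "chrome.dll!WebCore::Node::createRendererIfNeeded",
    "chrome.dll!WebCore::Element::attach",
    "chrome.dll!WebCore::SVGStyledElement::attach",
    "chrome.dll!WebCore::Element::recalcStyle",
    "chrome.dll!WebCore::SVGUseElement::recalcStyle",
    "chrome.dll!WebCore::Element::recalcStyle",
]

FAULT = "ReadAV@NULL"  # access-violation kind reported for both runs


def normalize_frame(frame: str) -> str:
    """Drop the module prefix so 'chrome.dll!X' and 'WebCore.dll!X' bucket together."""
    return frame.split("!", 1)[-1]


def crash_id(fault: str, stack: List[str], depth: int = 5) -> str:
    """Hypothetical bucket id: MD5 over the fault kind plus the top `depth` frames.

    The real fuzzer's scheme is not documented on the bug page; this only models
    the property that a differing frame inside the window produces a new id.
    """
    frames = [normalize_frame(f) for f in stack[:depth]]
    material = fault + "|" + "|".join(frames)
    return hashlib.md5(material.encode("utf-8")).hexdigest()


def first_divergence(a: List[str], b: List[str]) -> Optional[int]:
    """Index of the first frame (innermost first) where two stacks differ, or None."""
    for i, (x, y) in enumerate(zip(a, b)):
        if normalize_frame(x) != normalize_frame(y):
            return i
    if len(a) != len(b):
        return min(len(a), len(b))
    return None


def same_bucket(a: List[str], b: List[str], depth: int = 5) -> bool:
    """True when both stacks would be filed under the same id at this depth."""
    return crash_id(FAULT, a, depth) == crash_id(FAULT, b, depth)


if __name__ == "__main__":
    print("report 1:", crash_id(FAULT, STACK_REPORT_1))
    print("report 2:", crash_id(FAULT, STACK_REPORT_2))
    print("first differing frame:", first_divergence(STACK_REPORT_1, STACK_REPORT_2))
    print("same bucket at depth 5:", same_bucket(STACK_REPORT_1, STACK_REPORT_2))
    print("same bucket at depth 2:", same_bucket(STACK_REPORT_1, STACK_REPORT_2, depth=2))
```

With a five-frame window the two runs land in separate buckets because frame index 2 differs; with a two-frame window (fault site plus immediate caller only) they collapse into one. When triaging fuzzer output, checking where two stacks first diverge is usually faster than comparing ids, since it tells you immediately whether the difference is a different bug or, as here, the same fault reached through a different caller.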
Berend-Jan Wever
Comment 8
2010-11-15 06:49:19 PST
Another repro for the same issue: <script> document.write('<svg><use style="float:right;"><style>'); </script>
Julien Chaffraix
Comment 9
2011-06-13 10:47:41 PDT
Created attachment 96972 [details]: Trivial fix: land the test case for the solved bug
WebKit Review Bot
Comment 10
2011-06-13 13:16:32 PDT
Comment on attachment 96972 [details]: Trivial fix: land the test case for the solved bug

Clearing flags on attachment: 96972

Committed r88678: <http://trac.webkit.org/changeset/88678>
WebKit Review Bot
Comment 11
2011-06-13 13:16:36 PDT
All reviewed patches have been landed. Closing bug.