Bug 77786 - NULL ptr in WebCore::RenderBlock::layoutRunsAndFloatsInRange
Summary: NULL ptr in WebCore::RenderBlock::layoutRunsAndFloatsInRange
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM
Version: 528+ (Nightly build)
Hardware: PC Windows Vista
Importance: P1 Normal
Assignee: Levi Weintraub
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2012-02-03 14:51 PST by Berend-Jan Wever
Modified: 2012-05-24 11:59 PDT (History)
CC: 9 users

See Also:


Attachments
Repro (281 bytes, text/html), 2012-02-03 14:51 PST, Berend-Jan Wever
Repro 2 (56 bytes, text/html), 2012-05-15 15:16 PDT, Levi Weintraub
Patch (4.65 KB, patch), 2012-05-16 12:16 PDT, Levi Weintraub
Patch for landing (5.15 KB, patch), 2012-05-22 17:33 PDT, Levi Weintraub

Description Berend-Jan Wever 2012-02-03 14:51:36 PST
Created attachment 125424 [details]
Repro

Chromium: http://code.google.com/p/chromium/issues/detail?id=112660

Fuzzer: Cris_happyfuntime

  - crash stack -
  WebCore::RenderBlock::layoutRunsAndFloatsInRange
  WebCore::RenderBlock::layoutRunsAndFloats
  WebCore::RenderBlock::layoutInlineChildren

Repro:
<!>
<style>
.class2{float:right}
b{border-style:double}
</style>
<script>
  window.onload = function(){
    document.designMode="on";document.execCommand("SelectAll");
    document.execCommand("InsertUnorderedList");
  }
</script>
<p ><svg:font ></svg:font><bdi ><b class="class2">
Comment 1 James Robinson 2012-02-03 14:55:35 PST
That's not much of a stack, do you have the full thing?
Comment 2 Berend-Jan Wever 2012-02-03 15:17:48 PST
00 0039ae64 59172e4f webkit!WebCore::BidiCharacterRun::setNext(struct WebCore::BidiCharacterRun * next = 0x00000000)+0x14 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\platform\text\bidiresolver.h @ 147]
01 0039ae78 59167ce6 webkit!WebCore::BidiRunList<WebCore::BidiRun>::replaceRunWithRuns(struct WebCore::BidiRun * toReplace = 0x024fd324, class WebCore::BidiRunList<WebCore::BidiRun> * newRuns = 0x0039af30)+0x11f [c:\src\chromium-internal\src\third_party\webkit\source\webcore\platform\text\bidirunlist.h @ 164]
02 0039afd8 591662b5 webkit!WebCore::constructBidiRuns(class WebCore::BidiResolver<WebCore::InlineIterator,WebCore::BidiRun> * topResolver = 0x0039b248, class WebCore::BidiRunList<WebCore::BidiRun> * bidiRuns = 0x0039b2c4, class WebCore::InlineIterator * endOfLine = 0x0039b190, WebCore::VisualDirectionOverride override = NoVisualOverride (0n0), bool previousLineBrokeCleanly = false)+0x1c6 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\rendering\renderblocklinelayout.cpp @ 996]
03 0039b1c0 59165912 webkit!WebCore::RenderBlock::layoutRunsAndFloatsInRange(class WebCore::LineLayoutState * layoutState = 0x0039b3e0, class WebCore::BidiResolver<WebCore::InlineIterator,WebCore::BidiRun> * resolver = 0x0039b248, class WebCore::InlineIterator * cleanLineStart = 0x0039b220, struct WebCore::BidiStatus * cleanLineBidiStatus = 0x0039b208, unsigned int consecutiveHyphenatedLines = 0)+0x4a5 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\rendering\renderblocklinelayout.cpp @ 1267]
04 0039b360 59169547 webkit!WebCore::RenderBlock::layoutRunsAndFloats(class WebCore::LineLayoutState * layoutState = 0x0039b3e0, bool hasInlineChild = true)+0x382 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\rendering\renderblocklinelayout.cpp @ 1207]
05 0039b430 5912350e webkit!WebCore::RenderBlock::layoutInlineChildren(bool relayoutChildren = false, int * repaintLogicalTop = 0x0039b53c, int * repaintLogicalBottom = 0x0039b530)+0x427 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\rendering\renderblocklinelayout.cpp @ 1506]
06 0039b5cc 59122f60 webkit!WebCore::RenderBlock::layoutBlock(bool relayoutChildren = false, int pageLogicalHeight = 0n0, WebCore::RenderBlock::BlockLayoutPass layoutPass = NormalLayoutPass (0n0))+0x55e [c:\src\chromium-internal\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 1330]
07 0039b5e8 59126ffa webkit!WebCore::RenderBlock::layout(void)+0x40 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 1202]
08 0039b690 59126cc8 webkit!WebCore::RenderBlock::layoutBlockChild(class WebCore::RenderBox * child = 0x0250dc0c, class WebCore::RenderBlock::MarginInfo * marginInfo = 0x0039b6f0, int * previousFloatLogicalBottom = 0x0039b6e0, int * maxFloatLogicalBottom = 0x0039b848)+0x27a [c:\src\chromium-internal\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 2117]
09 0039b758 59123524 webkit!WebCore::RenderBlock::layoutBlockChildren(bool relayoutChildren = false, int * maxFloatLogicalBottom = 0x0039b848)+0x398 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 2054]
0a 0039b8f0 59122f60 webkit!WebCore::RenderBlock::layoutBlock(bool relayoutChildren = false, int pageLogicalHeight = 0n0, WebCore::RenderBlock::BlockLayoutPass layoutPass = NormalLayoutPass (0n0))+0x574 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 1334]
0b 0039b90c 59126ffa webkit!WebCore::RenderBlock::layout(void)+0x40 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 1202]
0c 0039b9b4 59126cc8 webkit!WebCore::RenderBlock::layoutBlockChild(class WebCore::RenderBox * child = 0x00a7eacc, class WebCore::RenderBlock::MarginInfo * marginInfo = 0x0039ba14, int * previousFloatLogicalBottom = 0x0039ba04, int * maxFloatLogicalBottom = 0x0039bb6c)+0x27a [c:\src\chromium-internal\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 2117]
0d 0039ba7c 59123524 webkit!WebCore::RenderBlock::layoutBlockChildren(bool relayoutChildren = false, int * maxFloatLogicalBottom = 0x0039bb6c)+0x398 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 2054]
0e 0039bc14 59122f60 webkit!WebCore::RenderBlock::layoutBlock(bool relayoutChildren = false, int pageLogicalHeight = 0n0, WebCore::RenderBlock::BlockLayoutPass layoutPass = NormalLayoutPass (0n0))+0x574 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 1334]
0f 0039bc30 59126ffa webkit!WebCore::RenderBlock::layout(void)+0x40 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 1202]
10 0039bcd8 59126cc8 webkit!WebCore::RenderBlock::layoutBlockChild(class WebCore::RenderBox * child = 0x00a7ed8c, class WebCore::RenderBlock::MarginInfo * marginInfo = 0x0039bd38, int * previousFloatLogicalBottom = 0x0039bd28, int * maxFloatLogicalBottom = 0x0039be90)+0x27a [c:\src\chromium-internal\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 2117]
11 0039bda0 59123524 webkit!WebCore::RenderBlock::layoutBlockChildren(bool relayoutChildren = false, int * maxFloatLogicalBottom = 0x0039be90)+0x398 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 2054]
12 0039bf38 59122f60 webkit!WebCore::RenderBlock::layoutBlock(bool relayoutChildren = false, int pageLogicalHeight = 0n0, WebCore::RenderBlock::BlockLayoutPass layoutPass = NormalLayoutPass (0n0))+0x574 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 1334]
13 0039bf54 5907271d webkit!WebCore::RenderBlock::layout(void)+0x40 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 1202]
14 0039bff8 5941f56d webkit!WebCore::RenderView::layout(void)+0x1fd [c:\src\chromium-internal\src\third_party\webkit\source\webcore\rendering\renderview.cpp @ 137]
15 0039c12c 59bea631 webkit!WebCore::FrameView::layout(bool allowSubtree = true)+0x94d [c:\src\chromium-internal\src\third_party\webkit\source\webcore\page\frameview.cpp @ 1111]
16 0039c148 59bea6e5 webkit!WebCore::Document::updateLayout(void)+0xd1 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\dom\document.cpp @ 1672]
17 0039c15c 59c2b7fd webkit!WebCore::Document::updateLayoutIgnorePendingStylesheets(void)+0xa5 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\dom\document.cpp @ 1705]
18 0039c168 59693559 webkit!WebCore::Node::isContentEditable(void)+0x1d [c:\src\chromium-internal\src\third_party\webkit\source\webcore\dom\node.cpp @ 707]
19 0039c22c 59694676 webkit!WebCore::ApplyStyleCommand::surroundNodeRangeWithElement(class WTF::PassRefPtr<WebCore::Node> passedStartNode = class WTF::PassRefPtr<WebCore::Node>, class WTF::PassRefPtr<WebCore::Node> endNode = class WTF::PassRefPtr<WebCore::Node>, class WTF::PassRefPtr<WebCore::Element> elementToInsert = class WTF::PassRefPtr<WebCore::Element>)+0x189 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\editing\applystylecommand.cpp @ 1278]
1a 0039c5ac 596900f4 webkit!WebCore::ApplyStyleCommand::addInlineStyleIfNeeded(class WebCore::EditingStyle * style = 0x02518a90, class WTF::PassRefPtr<WebCore::Node> passedStart = class WTF::PassRefPtr<WebCore::Node>, class WTF::PassRefPtr<WebCore::Node> passedEnd = class WTF::PassRefPtr<WebCore::Node>, WebCore::ApplyStyleCommand::EAddStyledElement addStyledElement = AddStyledElement (0n0))+0xc36 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\editing\applystylecommand.cpp @ 1390]
1b 0039c654 5968fcbd webkit!WebCore::ApplyStyleCommand::applyInlineStyleToNodeRange(class WebCore::EditingStyle * style = 0x02518a90, class WebCore::Node * node = 0x0250d090, class WebCore::Node * pastEndNode = 0x00000000)+0x3d4 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\editing\applystylecommand.cpp @ 761]
1c 0039c6d4 5968f69f webkit!WebCore::ApplyStyleCommand::fixRangeAndApplyInlineStyle(class WebCore::EditingStyle * style = 0x02518a90, class WebCore::Position * start = 0x0039c994, class WebCore::Position * end = 0x0039c97c)+0x23d [c:\src\chromium-internal\src\third_party\webkit\source\webcore\editing\applystylecommand.cpp @ 693]
1d 0039c9c0 5968c7e7 webkit!WebCore::ApplyStyleCommand::applyInlineStyle(class WebCore::EditingStyle * style = 0x02518a90)+0xbdf [c:\src\chromium-internal\src\third_party\webkit\source\webcore\editing\applystylecommand.cpp @ 658]
1e 0039c9fc 596671dd webkit!WebCore::ApplyStyleCommand::doApply(void)+0x137 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\editing\applystylecommand.cpp @ 226]
1f 0039ca3c 596674d8 webkit!WebCore::CompositeEditCommand::applyCommandToComposite(class WTF::PassRefPtr<WebCore::EditCommand> prpCommand = class WTF::PassRefPtr<WebCore::EditCommand>)+0x8d [c:\src\chromium-internal\src\third_party\webkit\source\webcore\editing\compositeeditcommand.cpp @ 256]
20 0039ca70 5966f09d webkit!WebCore::CompositeEditCommand::applyStyle(class WebCore::EditingStyle * style = 0x02518ae0, WebCore::EditAction editingAction = EditActionChangeAttributes (0n14))+0x88 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\editing\compositeeditcommand.cpp @ 277]
21 0039d03c 5966e0c8 webkit!WebCore::CompositeEditCommand::moveParagraphs(class WebCore::VisiblePosition * startOfParagraphToMove = 0x0039d334, class WebCore::VisiblePosition * endOfParagraphToMove = 0x0039d318, class WebCore::VisiblePosition * destination = 0x0039d16c, bool preserveSelection = true, bool preserveStyle = true)+0xfbd [c:\src\chromium-internal\src\third_party\webkit\source\webcore\editing\compositeeditcommand.cpp @ 1209]
22 0039d05c 5968910d webkit!WebCore::CompositeEditCommand::moveParagraph(class WebCore::VisiblePosition * startOfParagraphToMove = 0x0039d334, class WebCore::VisiblePosition * endOfParagraphToMove = 0x0039d318, class WebCore::VisiblePosition * destination = 0x0039d16c, bool preserveSelection = true, bool preserveStyle = true)+0x98 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\editing\compositeeditcommand.cpp @ 1099]
23 0039d35c 59687fc2 webkit!WebCore::InsertListCommand::listifyParagraph(class WebCore::VisiblePosition * originalStart = 0x0039d430, class WebCore::QualifiedName * listTag = 0x5e8a64d8)+0x85d [c:\src\chromium-internal\src\third_party\webkit\source\webcore\editing\insertlistcommand.cpp @ 385]
24 0039d638 59687622 webkit!WebCore::InsertListCommand::doApplyForSingleParagraph(bool forceCreateList = false, class WebCore::QualifiedName * listTag = 0x5e8a64d8, class WebCore::Range * currentSelection = 0x024d2248)+0x842 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\editing\insertlistcommand.cpp @ 250]
25 0039d9e4 59666e1b webkit!WebCore::InsertListCommand::doApply(void)+0x962 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\editing\insertlistcommand.cpp @ 186]
26 0039da2c 59666ad8 webkit!WebCore::CompositeEditCommand::apply(void)+0x15b [c:\src\chromium-internal\src\third_party\webkit\source\webcore\editing\compositeeditcommand.cpp @ 204]
27 0039da44 593aaa77 webkit!WebCore::applyCommand(class WTF::PassRefPtr<WebCore::CompositeEditCommand> command = class WTF::PassRefPtr<WebCore::CompositeEditCommand>)+0x38 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\editing\compositeeditcommand.cpp @ 162]
28 0039da74 593aecd3 webkit!WebCore::executeInsertUnorderedList(class WebCore::Frame * frame = 0x02470260, class WebCore::Event * __formal = 0x00000000)+0x77 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\editing\editorcommand.cpp @ 557]
29 0039da94 59bf5999 webkit!WebCore::Editor::Command::execute(class WTF::String * parameter = 0x0039dafc, class WebCore::Event * triggeringEvent = 0x00000000)+0x93 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\editing\editorcommand.cpp @ 1664]
2a 0039dad0 5a27af7a webkit!WebCore::Document::execCommand(class WTF::String * commandName = 0x0039daf8, bool userInterface = false, class WTF::String * value = 0x0039dafc)+0x79 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\dom\document.cpp @ 4188]
2b 0039db8c 660bfa0c webkit!WebCore::DocumentInternal::execCommandCallback(class v8::Arguments * args = 0x0039dc0c)+0x28a [c:\src\chromium-internal\src\build\debug\obj\global_intermediate\webcore\bindings\v8document.cpp @ 1503]
2c 0039dcb8 660ba2b4 v8!v8::internal::HandleApiCallHelper<0>(class v8::internal::`anonymous-namespace'::BuiltinArguments<1> args = class v8::internal::`anonymous-namespace'::BuiltinArguments<1>, class v8::internal::Isolate * isolate = 0x00a750f8)+0x3dc [c:\src\chromium-internal\src\v8\src\builtins.cc @ 1136]
2d 0039dccc 660ba226 v8!v8::internal::Builtin_Impl_HandleApiCall(class v8::internal::`anonymous-namespace'::BuiltinArguments<1> args = class v8::internal::`anonymous-namespace'::BuiltinArguments<1>, class v8::internal::Isolate * isolate = 0x00a750f8)+0x14 [c:\src\chromium-internal\src\v8\src\builtins.cc @ 1153]
2e 0039dce0 02a083b6 v8!v8::internal::Builtin_HandleApiCall(class v8::internal::`anonymous-namespace'::BuiltinArguments<1> args = class v8::internal::`anonymous-namespace'::BuiltinArguments<1>, class v8::internal::Isolate * isolate = 0x00a750f8)+0x46 [c:\src\chromium-internal\src\v8\src\builtins.cc @ 1152]
WARNING: Frame IP not in any known module. Following frames may be wrong.
2f 0039dd8c 65ef343c 0x2a083b6
30 0039de3c 65ef31c4 v8!v8::internal::Invoke(bool is_construct = true, class v8::internal::Handle<v8::internal::JSFunction> function = class v8::internal::Handle<v8::internal::JSFunction>, class v8::internal::Handle<v8::internal::Object> receiver = class v8::internal::Handle<v8::internal::Object>, int argc = 0n3792208, class v8::internal::Handle<v8::internal::Object> * args = 0x02a1f2b2, bool * has_pending_exception = 0x03746a0d)+0x1cc [c:\src\chromium-internal\src\v8\src\execution.cc @ 118]
31 0039de7c 65e80314 v8!v8::internal::Execution::Call(class v8::internal::Handle<v8::internal::Object> callable = class v8::internal::Handle<v8::internal::Object>, class v8::internal::Handle<v8::internal::Object> receiver = class v8::internal::Handle<v8::internal::Object>, int argc = 0n1, class v8::internal::Handle<v8::internal::Object> * argv = 0x0039e06c, bool * pending_exception = 0x0039dedf, bool convert_receiver = false)+0x1a4 [c:\src\chromium-internal\src\v8\src\execution.cc @ 173]
32 0039df40 5929c7fd v8!v8::Function::Call(class v8::Handle<v8::Object> recv = class v8::Handle<v8::Object>, int argc = 0n1, class v8::Handle<v8::Value> * argv = 0x0039e06c)+0x1e4 [c:\src\chromium-internal\src\v8\src\api.cc @ 3603]
33 0039dfdc 5929c605 webkit!WebCore::V8Proxy::instrumentedCallFunction(class WebCore::Page * page = 0x024663a0, class v8::Handle<v8::Function> function = class v8::Handle<v8::Function>, class v8::Handle<v8::Object> receiver = class v8::Handle<v8::Object>, int argc = 0n1, class v8::Handle<v8::Value> * args = 0x0039e06c)+0x18d [c:\src\chromium-internal\src\third_party\webkit\source\webcore\bindings\v8\v8proxy.cpp @ 432]
34 0039e01c 59642a00 webkit!WebCore::V8Proxy::callFunction(class v8::Handle<v8::Function> function = class v8::Handle<v8::Function>, class v8::Handle<v8::Object> receiver = class v8::Handle<v8::Object>, int argc = 0n1, class v8::Handle<v8::Value> * args = 0x0039e06c)+0x75 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\bindings\v8\v8proxy.cpp @ 407]
35 0039e09c 5986eba8 webkit!WebCore::V8EventListener::callListenerFunction(class WebCore::ScriptExecutionContext * context = 0x0249b110, class v8::Handle<v8::Value> jsEvent = class v8::Handle<v8::Value>, class WebCore::Event * event = 0x024be2e0)+0x120 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\bindings\v8\v8eventlistener.cpp @ 89]
36 0039e150 5986e7e3 webkit!WebCore::V8AbstractEventListener::invokeEventHandler(class WebCore::ScriptExecutionContext * context = 0x0249b110, class WebCore::Event * event = 0x024be2e0, class v8::Handle<v8::Value> jsEvent = class v8::Handle<v8::Value>)+0x1c8 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\bindings\v8\v8abstracteventlistener.cpp @ 152]
37 0039e1cc 59bd2f35 webkit!WebCore::V8AbstractEventListener::handleEvent(class WebCore::ScriptExecutionContext * context = 0x0249b110, class WebCore::Event * event = 0x024be2e0)+0x163 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\bindings\v8\v8abstracteventlistener.cpp @ 98]
38 0039e244 59bd2dca webkit!WebCore::EventTarget::fireEventListeners(class WebCore::Event * event = 0x024be2e0, struct WebCore::EventTargetData * d = 0x0249f0f0, class WTF::Vector<WebCore::RegisteredEventListener,1> * entry = 0x00ac6518)+0x145 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\dom\eventtarget.cpp @ 231]
39 0039e268 5934d3d2 webkit!WebCore::EventTarget::fireEventListeners(class WebCore::Event * event = 0x024be2e0)+0xda [c:\src\chromium-internal\src\third_party\webkit\source\webcore\dom\eventtarget.cpp @ 200]
3a 0039e2e0 5934d06e webkit!WebCore::DOMWindow::dispatchEvent(class WTF::PassRefPtr<WebCore::Event> prpEvent = class WTF::PassRefPtr<WebCore::Event>, class WTF::PassRefPtr<WebCore::EventTarget> prpTarget = class WTF::PassRefPtr<WebCore::EventTarget>)+0x152 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\page\domwindow.cpp @ 1624]
3b 0039e36c 59bf35ef webkit!WebCore::DOMWindow::dispatchLoadEvent(void)+0x14e [c:\src\chromium-internal\src\third_party\webkit\source\webcore\page\domwindow.cpp @ 1599]
3c 0039e37c 59becde6 webkit!WebCore::Document::dispatchWindowLoadEvent(void)+0x5f [c:\src\chromium-internal\src\third_party\webkit\source\webcore\dom\document.cpp @ 3705]
3d 0039e3e8 5925d314 webkit!WebCore::Document::implicitClose(void)+0x1b6 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\dom\document.cpp @ 2255]
3e 0039e3f4 5925d09b webkit!WebCore::FrameLoader::checkCallImplicitClose(void)+0x84 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\loader\frameloader.cpp @ 795]
3f 0039e41c 5925cdbe webkit!WebCore::FrameLoader::checkCompleted(void)+0x11b [c:\src\chromium-internal\src\third_party\webkit\source\webcore\loader\frameloader.cpp @ 744]
40 0039e44c 59bf74ce webkit!WebCore::FrameLoader::finishedParsing(void)+0xbe [c:\src\chromium-internal\src\third_party\webkit\source\webcore\loader\frameloader.cpp @ 678]
41 0039e480 59b8d314 webkit!WebCore::Document::finishedParsing(void)+0x18e [c:\src\chromium-internal\src\third_party\webkit\source\webcore\dom\document.cpp @ 4452]
42 0039e490 59b258f3 webkit!WebCore::HTMLTreeBuilder::finished(void)+0x64 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\html\parser\htmltreebuilder.cpp @ 2820]
43 0039e49c 59b259e6 webkit!WebCore::HTMLDocumentParser::end(void)+0x83 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\html\parser\htmldocumentparser.cpp @ 382]
44 0039e4ac 59b244b9 webkit!WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd(void)+0xb6 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\html\parser\htmldocumentparser.cpp @ 391]
45 0039e4d8 59b25a59 webkit!WebCore::HTMLDocumentParser::prepareToStopParsing(void)+0xe9 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\html\parser\htmldocumentparser.cpp @ 154]
46 0039e4e8 59b25bb3 webkit!WebCore::HTMLDocumentParser::attemptToEnd(void)+0x39 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\html\parser\htmldocumentparser.cpp @ 402]
47 0039e4f4 5939eddc webkit!WebCore::HTMLDocumentParser::finish(void)+0x33 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\html\parser\htmldocumentparser.cpp @ 430]
48 0039e528 5939eca7 webkit!WebCore::DocumentWriter::endIfNotLoadingMainResource(void)+0x11c [c:\src\chromium-internal\src\third_party\webkit\source\webcore\loader\documentwriter.cpp @ 233]
49 0039e534 59389e94 webkit!WebCore::DocumentWriter::end(void)+0x27 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\loader\documentwriter.cpp @ 213]
4a 0039e544 592643dc webkit!WebCore::DocumentLoader::finishedLoading(void)+0x54 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\loader\documentloader.cpp @ 296]
4b 0039e57c 596e7d95 webkit!WebCore::FrameLoader::finishedLoading(void)+0x7c [c:\src\chromium-internal\src\third_party\webkit\source\webcore\loader\frameloader.cpp @ 2069]
4c 0039e5c4 596df991 webkit!WebCore::MainResourceLoader::didFinishLoading(double finishTime = 114468.22199999999)+0x145 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\loader\mainresourceloader.cpp @ 485]
4d 0039e5dc 58c290c0 webkit!WebCore::ResourceLoader::didFinishLoading(class WebCore::ResourceHandle * __formal = 0x024ad2f8, double finishTime = 114468.22199999999)+0x61 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\loader\resourceloader.cpp @ 451]
4e 0039e5f8 68927ca3 webkit!WebCore::ResourceHandleInternal::didFinishLoading(class WebKit::WebURLLoader * __formal = 0x0246bbf8, double finishTime = 114468.22199999999)+0x90 [c:\src\chromium-internal\src\third_party\webkit\source\webkit\chromium\src\resourcehandle.cpp @ 158]
4f 0039e7a0 5ebbfa0b glue!webkit_glue::WebURLLoaderImpl::Context::OnCompletedRequest(class net::URLRequestStatus * status = 0x0039e828, class std::basic_string<char,std::char_traits<char>,std::allocator<char> > * security_info = 0x0039e830, class base::TimeTicks * completion_time = 0x0039e7c8)+0x323 [c:\src\chromium-internal\src\webkit\glue\weburlloader_impl.cc @ 652]
50 0039e7e4 5ebcde47 content!ResourceDispatcher::OnRequestComplete(int request_id = 0n0, class net::URLRequestStatus * status = 0x0039e828, class std::basic_string<char,std::char_traits<char>,std::allocator<char> > * security_info = 0x0039e830, class base::TimeTicks * browser_completion_time = 0x0039e854)+0xeb [c:\src\chromium-internal\src\content\common\resource_dispatcher.cc @ 488]
51 0039e800 5ebcc24f content!DispatchToMethod<ResourceDispatcher,void (class ResourceDispatcher * obj = 0x00a9a180, <function> * method = 0x5eaa9b3c, struct Tuple4<int,net::URLRequestStatus,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,base::TimeTicks> * arg = 0x0039e824)+0x27 [c:\src\chromium-internal\src\base\tuple.h @ 566]
52 0039e870 5ebc0d47 content!ResourceMsg_RequestComplete::Dispatch<ResourceDispatcher,ResourceDispatcher,void (class IPC::Message * msg = 0x00ae51b0, class ResourceDispatcher * obj = 0x00a9a180, class ResourceDispatcher * sender = 0x00a9a180, <function> * func = 0x5eaa9b3c)+0x6f [c:\src\chromium-internal\src\content\common\resource_messages.h @ 172]
53 0039ea34 5ebbe7d7 content!ResourceDispatcher::DispatchMessageW(class IPC::Message * message = 0x00ae51b0)+0x437 [c:\src\chromium-internal\src\content\common\resource_dispatcher.cc @ 559]
54 0039ec04 5ec00528 content!ResourceDispatcher::OnMessageReceived(class IPC::Message * message = 0x00ae51b0)+0x487 [c:\src\chromium-internal\src\content\common\resource_dispatcher.cc @ 327]
55 0039edb8 6ea59185 content!ChildThread::OnMessageReceived(class IPC::Message * msg = 0x00ae51b0)+0x78 [c:\src\chromium-internal\src\content\common\child_thread.cc @ 171]
56 0039edd0 6ea61f60 ipc!IPC::ChannelProxy::Context::OnDispatchMessage(class IPC::Message * message = 0x00ae51b0)+0x85 [c:\src\chromium-internal\src\ipc\ipc_channel_proxy.cc @ 257]
57 0039ede4 6ea61dd7 ipc!base::internal::RunnableAdapter<void (class IPC::ChannelProxy::Context * object = 0x00ae3198, class IPC::Message * a1 = 0x00ae51b0)+0x30 [c:\src\chromium-internal\src\base\bind_internal.h @ 188]
58 0039edf4 6ea6198f ipc!base::internal::InvokeHelper<0,void,base::internal::RunnableAdapter<void (class base::internal::RunnableAdapter<void (__thiscall IPC::ChannelProxy::Context::*)(IPC::Message const &)> runnable = class base::internal::RunnableAdapter<void (__thiscall IPC::ChannelProxy::Context::*)(IPC::Message const &)>, class IPC::ChannelProxy::Context ** a1 = 0x00ae51a8, class IPC::Message * a2 = 0x00ae51b0)+0x27 [c:\src\chromium-internal\src\base\bind_internal.h @ 897]
59 0039ee18 6a5c2b2f ipc!base::internal::Invoker<2,base::internal::BindState<base::internal::RunnableAdapter<void (class base::internal::BindStateBase * base = 0x00ae5190)+0x6f [c:\src\chromium-internal\src\base\bind_internal.h @ 1254]
5a 0039ee30 6a5ca0a5 base!base::Callback<void __cdecl(void)+0x2f [c:\src\chromium-internal\src\base\callback.h @ 272]
5b 0039ef68 6a5ca333 base!MessageLoop::RunTask(struct base::PendingTask * pending_task = 0x0039ef9c)+0x255 [c:\src\chromium-internal\src\base\message_loop.cc @ 460]
5c 0039ef78 6a5cb1d6 base!MessageLoop::DeferOrRunPendingTask(struct base::PendingTask * pending_task = 0x0039ef9c)+0x33 [c:\src\chromium-internal\src\base\message_loop.cc @ 473]
5d 0039efe8 6a5f7b06 base!MessageLoop::DoWork(void)+0x106 [c:\src\chromium-internal\src\base\message_loop.cc @ 660]
5e 0039f0e0 6a5c9c8a base!base::MessagePumpDefault::Run(class base::MessagePump::Delegate * delegate = 0x0039f560)+0x106 [c:\src\chromium-internal\src\base\message_pump_default.cc @ 28]
5f 0039f1b4 6a5c99de base!MessageLoop::RunInternal(void)+0x13a [c:\src\chromium-internal\src\base\message_loop.cc @ 417]
60 0039f1c0 6a5c8cc0 base!MessageLoop::RunHandler(void)+0x2e [c:\src\chromium-internal\src\base\message_loop.cc @ 391]
61 0039f1f8 5f67bb03 base!MessageLoop::Run(void)+0x60 [c:\src\chromium-internal\src\base\message_loop.cc @ 301]
62 0039f6e8 5eb3d108 content!RendererMain(struct content::MainFunctionParams * parameters = 0x0039fa98)+0x5e3 [c:\src\chromium-internal\src\content\renderer\renderer_main.cc @ 241]
63 0039f7b4 5eb3d955 content!`anonymous namespace'::RunNamedProcessTypeMain(class std::basic_string<char,std::char_traits<char>,std::allocator<char> > * process_type = 0x0039fae8, struct content::MainFunctionParams * main_function_params = 0x0039fa98, class content::ContentMainDelegate * delegate = 0x0039fba0)+0x98 [c:\src\chromium-internal\src\content\app\content_main.cc @ 264]
64 0039fb7c 60ed6013 content!content::ContentMain(struct HINSTANCE__ * instance = 0x01040000, struct sandbox::SandboxInterfaceInfo * sandbox_info = 0x0039fd0c, class content::ContentMainDelegate * delegate = 0x0039fba0)+0x6a5 [c:\src\chromium-internal\src\content\app\content_main.cc @ 457]
65 0039fbc0 010430ce chrome_60ed0000!ChromeMain(struct HINSTANCE__ * instance = 0x01040000, struct sandbox::SandboxInterfaceInfo * sandbox_info = 0x0039fd0c)+0x33 [c:\src\chromium-internal\src\chrome\app\chrome_main.cc @ 28]
66 0039fc90 01041955 chrome!MainDllLoader::Launch(struct HINSTANCE__ * instance = 0x01040000, struct sandbox::SandboxInterfaceInfo * sbox_info = 0x0039fd0c)+0x22e [c:\src\chromium-internal\src\chrome\app\client_util.cc @ 342]
67 0039fd24 010d07fb chrome!wWinMain(struct HINSTANCE__ * instance = 0x01040000, struct HINSTANCE__ * __formal = 0x00000000)+0x95 [c:\src\chromium-internal\src\chrome\app\chrome_exe_main_win.cc @ 36]
68 0039fdd4 010d055f chrome!__tmainCRTStartup(void)+0x28b [f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 578]
69 0039fddc 7571339a chrome!wWinMainCRTStartup(void)+0xf [f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 403]
6a 0039fde8 775a9ef2 kernel32!BaseThreadInitThunk+0xe
6b 0039fe28 775a9ec5 ntdll32!__RtlUserThreadStart+0x70
6c 0039fe40 00000000 ntdll32!_RtlUserThreadStart+0x1b
Comment 3 Jeremy Moskovich 2012-04-19 02:25:24 PDT
Also filed as http://crbug.com/123438
Comment 4 Levi Weintraub 2012-04-19 09:56:23 PDT
(In reply to comment #3)
> Also filed as http://crbug.com/123438

Does this only occur on Windows? I tried the most recent Dev and Canary Mac Chrome builds but can't reproduce the crash.
Comment 5 Levi Weintraub 2012-05-15 15:16:08 PDT
Created attachment 142074 [details]
Repro 2

The test case attached to this bug doesn't repro the problem for me, but those on crbug.com/123438 and crbug.com/126607 do. The issue comes from an assumption that we'll have BiDi runs inside the isolate to populate the fake run created in the first UBA pass. In the new test case attached, the early return from https://bugs.webkit.org/show_bug.cgi?id=58176 causes us to avoid creating a BiDi run for the contained positioned div.
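Comment 5 describes the mechanism, and frames 00 and 01 of the stack in comment 2 match it: the first UBA pass leaves a placeholder (fake) run for the isolate, and the later splice of the isolate's real runs in place of that placeholder assumes there is at least one such run. When the nested pass produced nothing, the "last run" of an empty list is a null pointer, and asking it to link to the placeholder's successor is exactly a setNext(next = 0) call through a null object, which is the top frame. The following is an added illustration written for this page, not WebKit's BidiRunList or its patch: a minimal run list with the unchecked splice beside a checked one that leaves the placeholder in place and reports the condition when the nested pass produced no runs. The run labels, the three-run line, and the "leave the placeholder" policy are assumptions for the example; the page shows only one line of the real fix's comment (quoted in comment 14).

```cpp
#include <cassert>
#include <string>
#include <utility>
#include <vector>

// Constructed model of a BiDi run: only the link and a label matter here.
struct Run {
    std::string label;
    Run* m_next = nullptr;
    explicit Run(std::string l) : label(std::move(l)) {}
    Run* next() const { return m_next; }
    void setNext(Run* n) { m_next = n; } // writes through `this`: undefined if `this` is null
};

// Singly linked list of runs that owns its elements (illustrative, not WebKit's class).
class RunList {
public:
    RunList() = default;
    RunList(const RunList&) = delete;
    RunList& operator=(const RunList&) = delete;
    ~RunList() { deleteRuns(); }

    void addRun(Run* r) {
        if (!m_first) m_first = r; else m_last->setNext(r);
        m_last = r;
        ++m_count;
    }
    Run* firstRun() const { return m_first; }
    Run* lastRun() const { return m_last; }
    unsigned runCount() const { return m_count; }

    // Variant 1 (the assumption comment 5 describes): splice newRuns in place of
    // toReplace. With an empty newRuns, lastRun() is nullptr and the marked line
    // becomes nullptr->setNext(toReplace->next()): a write through a null `this`,
    // with next == 0 whenever the placeholder was the last run on the line.
    void replaceRunWithRunsUnchecked(Run* toReplace, RunList& newRuns) {
        linkInPlaceOf(toReplace, newRuns);
        newRuns.lastRun()->setNext(toReplace->next()); // crashes when newRuns is empty
        finishReplace(toReplace, newRuns);
    }

    // Variant 2 (checked): an empty newRuns leaves the placeholder untouched and
    // reports it, so the caller can decide what to do with the placeholder.
    bool replaceRunWithRuns(Run* toReplace, RunList& newRuns) {
        if (!toReplace || !newRuns.runCount())
            return false;
        linkInPlaceOf(toReplace, newRuns);
        newRuns.lastRun()->setNext(toReplace->next());
        finishReplace(toReplace, newRuns);
        return true;
    }

    std::vector<std::string> labels() const {
        std::vector<std::string> out;
        for (Run* r = m_first; r; r = r->next()) out.push_back(r->label);
        return out;
    }

private:
    // Precondition (assumed, as in the model): toReplace is a member of this list.
    void linkInPlaceOf(Run* toReplace, RunList& newRuns) {
        if (m_first == toReplace) { m_first = newRuns.firstRun(); return; }
        Run* prev = m_first;
        while (prev->next() != toReplace) prev = prev->next();
        prev->setNext(newRuns.firstRun());
    }
    void finishReplace(Run* toReplace, RunList& newRuns) {
        if (m_last == toReplace) m_last = newRuns.lastRun();
        m_count += newRuns.runCount() - 1; // added newRuns, removed toReplace
        delete toReplace;
        newRuns.releaseRuns();             // ownership has moved into this list
    }
    void releaseRuns() { m_first = m_last = nullptr; m_count = 0; }
    void deleteRuns() {
        for (Run* r = m_first; r;) { Run* n = r->next(); delete r; r = n; }
        releaseRuns();
    }

    Run* m_first = nullptr;
    Run* m_last = nullptr;
    unsigned m_count = 0;
};

// Builds the constructed line "A", <isolate placeholder>, "C", then tries to
// replace the placeholder with `inner` (what the nested UBA pass produced).
// Returns whether the splice happened and the resulting run labels.
std::pair<bool, std::vector<std::string>> replacePlaceholder(const std::vector<std::string>& inner) {
    RunList line;
    Run* placeholder = new Run("<isolate placeholder>");
    line.addRun(new Run("A"));
    line.addRun(placeholder);
    line.addRun(new Run("C"));

    RunList isolateRuns;
    for (const auto& l : inner) isolateRuns.addRun(new Run(l));

    bool replaced = line.replaceRunWithRuns(placeholder, isolateRuns);
    return { replaced, line.labels() };
}
```

The unchecked variant is kept only to show where the null dereference lands; the checked variant is the one exercised, with a non-empty isolate (placeholder replaced by its runs) and an empty one (placeholder left in the line, caller told). A release build with assertions compiled out gets no help from a debug-only ASSERT on the precondition, which is why the check here is an ordinary branch.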
Comment 6 Levi Weintraub 2012-05-16 12:16:31 PDT
Created attachment 142320 [details]
Patch
Comment 7 Eric Seidel (no email) 2012-05-16 12:33:08 PDT
Comment on attachment 142320 [details]
Patch

It's unclear to me what happens when we let a fake run like this "escape" past the UBA.  I would have expected we would have ASSERTED against this. :)  We should probably at least document this possibility?
Comment 8 Levi Weintraub 2012-05-16 13:56:50 PDT
(In reply to comment #7)
> (From update of attachment 142320 [details])
> It's unclear to me what happens when we let a fake run like this "escape" past the UBA.  I would have expected we would have ASSERTED against this. :)  We should probably at least document this possibility?

It's not obvious to me where this documentation would belong. Any proposals on how we should document this where the right people will notice?
Comment 9 Ryosuke Niwa 2012-05-17 13:53:14 PDT
Comment on attachment 142320 [details]
Patch

looks sane to me.
Comment 10 Ryosuke Niwa 2012-05-17 13:54:08 PDT
Oops, missed Eric's comment. Please address eric's comment before you land it.
Comment 11 Levi Weintraub 2012-05-22 17:33:47 PDT
Created attachment 143411 [details]
Patch for landing
Comment 12 WebKit Review Bot 2012-05-22 21:00:04 PDT
Comment on attachment 143411 [details]
Patch for landing

Clearing flags on attachment: 143411

Committed r118114: <http://trac.webkit.org/changeset/118114>
Comment 13 WebKit Review Bot 2012-05-22 21:00:10 PDT
All reviewed patches have been landed.  Closing bug.
Comment 14 Darin Adler 2012-05-22 22:56:22 PDT
Comment on attachment 143411 [details]
Patch for landing

View in context: https://bugs.webkit.org/attachment.cgi?id=143411&action=review

> Source/WebCore/rendering/RenderBlockLineLayout.cpp:1004
> +        // We're not guarnateed to get any BidiRuns in the previous step. If we don't, we allow the placeholder

guaranteed is misspelled here
Comment 15 Ryosuke Niwa 2012-05-23 00:36:17 PDT
Comment on attachment 143411 [details]
Patch for landing

View in context: https://bugs.webkit.org/attachment.cgi?id=143411&action=review

>> Source/WebCore/rendering/RenderBlockLineLayout.cpp:1004
>> +        // We're not guarnateed to get any BidiRuns in the previous step. If we don't, we allow the placeholder
> 
> guaranteed is misspelled here

Fixed in r118139.
Comment 16 Radar WebKit Bug Importer 2012-05-24 11:59:31 PDT
<rdar://problem/11526831>