Bug 78314 - Infrequent crash below WebCore::CSSStyleSelector::canShareStyleWithElement
Status: RESOLVED CONFIGURATION CHANGED
https://bugs.webkit.org/show_bug.cgi?id=78314
David Barr
Reported 2012-02-09 18:58:47 PST
Initial crash report:

Product: Chrome_Mac
Stack Signature: WebCore::CSSStyleSelector::canShareStyleWithElement-79F1607
New Signature Label: WebCore::CSSStyleSelector::canShareStyleWithElement
New Signature Hash: fb144783_581f1024_9ea68f85_a1cbadf4_dfc89a1a
Report link (internal): http://go/crash/reportdetail?reportid=56da979d59f5655b

Meta information:
Product Name: Chrome_Mac
Product Version: 14.0.827.12
Report ID: 56da979d59f5655b
Report Time: 2011/07/21 21:03:42, Thu
Uptime: 0 sec
Cumulative Uptime: 0 sec
OS Name: Mac OS X
OS Version: 10.7.0 11A511
CPU Architecture: x86
CPU Info: GenuineIntel family 6 model 37 stepping 5

Stack:
0x01a9a4c1 [Google Chrome Framework - ../dom/QualifiedName.h:75] WebCore::CSSStyleSelector::canShareStyleWithElement
0x01ac0de5 [Google Chrome Framework - CSSStyleSelector.cpp:1168] WebCore::CSSStyleSelector::styleForElement
0x0176d0dd [Google Chrome Framework - Node.cpp:1465] WebCore::Node::styleForRenderer
0x0175a05e [Google Chrome Framework - Element.cpp:1112] WebCore::Element::recalcStyle
0x0175a226 [Google Chrome Framework - Element.cpp:1179] WebCore::Element::recalcStyle
0x0175a226 [Google Chrome Framework - Element.cpp:1179] WebCore::Element::recalcStyle
0x0175a226 [Google Chrome Framework - Element.cpp:1179] WebCore::Element::recalcStyle
0x0175a226 [Google Chrome Framework - Element.cpp:1179] WebCore::Element::recalcStyle
0x0175a226 [Google Chrome Framework - Element.cpp:1179] WebCore::Element::recalcStyle
0x0175a226 [Google Chrome Framework - Element.cpp:1179] WebCore::Element::recalcStyle
0x0175a226 [Google Chrome Framework - Element.cpp:1179] WebCore::Element::recalcStyle
0x0175a226 [Google Chrome Framework - Element.cpp:1179] WebCore::Element::recalcStyle
0x0175a226 [Google Chrome Framework - Element.cpp:1179] WebCore::Element::recalcStyle
0x0175a226 [Google Chrome Framework - Element.cpp:1179] WebCore::Element::recalcStyle
0x0175a226 [Google Chrome Framework - Element.cpp:1179] WebCore::Element::recalcStyle
0x0175a226 [Google Chrome Framework - Element.cpp:1179] WebCore::Element::recalcStyle
0x01738bd1 [Google Chrome Framework - Document.cpp:1529] WebCore::Document::recalcStyle
0x0172d10b [Google Chrome Framework - Document.cpp:1582] WebCore::Document::updateStyleIfNeeded
0x0172df96 [Google Chrome Framework - Document.cpp:1599] WebCore::Document::updateStyleForAllDocuments
0x019cd5c4 [Google Chrome Framework - ScheduledAction.cpp:128] WebCore::ScheduledAction::execute
0x01cacec0 [Google Chrome Framework - DOMTimer.cpp:148] WebCore::DOMTimer::fired
0x018b625c [Google Chrome Framework - ThreadTimers.cpp:114] WebCore::ThreadTimers::sharedTimerFiredInternal
0x018b6351 [Google Chrome Framework - ThreadTimers.cpp:92] WebCore::ThreadTimers::sharedTimerFired
0x00904ac4 [Google Chrome Framework - message_loop.cc:104] TaskClosureAdapter::Run
0x00905584 [Google Chrome Framework - ../base/callback.h:265] MessageLoop::RunTask
0x00907971 [Google Chrome Framework - message_loop.cc:502] MessageLoop::DoDelayedWork
0x008d8755 [Google Chrome Framework - message_pump_mac.mm:262] base::MessagePumpCFRunLoopBase::RunWork
0x9619210e [CoreFoundation + 0x0001210e]
0x96191ac5 [CoreFoundation + 0x00011ac5]
0x961bb9d7 [CoreFoundation + 0x0003b9d7]
0x961bb1eb [CoreFoundation + 0x0003b1eb]
0x961bb097 [CoreFoundation + 0x0003b097]
0x94088486 [HIToolbox + 0x00002486]
0x9408fdc2 [HIToolbox + 0x00009dc2]
0x9408fc31 [HIToolbox + 0x00009c31]
0x975178eb [AppKit + 0x000098eb]
0x97517158 [AppKit + 0x00009158]
0x975134ca [AppKit + 0x000054ca]
0x008d85ca [Google Chrome Framework - message_pump_mac.mm:554] base::MessagePumpNSApplication::DoRun
0x008d7de3 [Google Chrome Framework - message_pump_mac.mm:175] base::MessagePumpCFRunLoopBase::Run
0x00905433 [Google Chrome Framework - message_loop.cc:451] MessageLoop::Run
0x025f0786 [Google Chrome Framework - renderer_main.cc:228] RendererMain
0x02825d1c [Google Chrome Framework + 0x027d6d1c] (anonymous namespace)::PepperWidget::themeChanged()::__PRETTY_FUNCTION__
0x008fd717 [Google Chrome Framework - logging.cc:405] logging::GetMinLogLevel
0x02825c50 [Google Chrome Framework + 0x027d6c50] (anonymous namespace)::PepperWidget::themeChanged()::__PRETTY_FUNCTION__
0x027cca49 [Google Chrome Framework + 0x0277da49] switches::kExtensionProcess
Attachments
Patch (2.22 KB, patch)
2012-02-09 19:46 PST, David Barr
simon.fraser: review+
ews-feeder: commit-queue-
David Barr
Comment 1 2012-02-09 19:02:08 PST
We have fielded a number of crash reports in this code. The signatures vary a bit thanks to heavy inlining. Mike's initial hunch and my ongoing investigation highlight QualifiedName::matches(). It appears that QualifiedName::m_impl != NULL is not an invariant of this class. As such, I propose that on the slow path of ::matches() we guard against NULL.
David Barr
Comment 2 2012-02-09 19:46:36 PST
David Barr
Comment 3 2012-02-09 19:55:43 PST
This fairly heavily exercised part of the code crashes in edge conditions. Any comments on hardening vs performance are welcome.
Alexey Proskuryakov
Comment 4 2012-02-10 11:04:04 PST
What in the crash report says that this is a null dereference? That said, even a null value here would look more like memory corruption than an actual QualifiedName without impl. So, I strongly doubt that this patch is right. Might be the same as <rdar://problem/10738221>.
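To make the proposal in comment 1 and the objection in comment 4 concrete, here is a constructed toy stand-in for QualifiedName, added here and not the WebKit source: the struct QualifiedNameImpl, the shared_ptr-based ownership, the kXhtmlNs constant and the four helper functions are assumptions for illustration only.

```cpp
#include <memory>
#include <string>
#include <utility>

// Constructed stand-in for WebKit's QualifiedName, not the WebKit source. The real class
// wraps a ref-counted impl; equal names normally share one, so the fast path compares pointers.
struct QualifiedNameImpl { std::string prefix, localName, namespaceURI; };

class QualifiedName {
public:
    QualifiedName() = default;  // leaves m_impl null, the state comment 1 suspects occurs
    QualifiedName(std::string prefix, std::string local, std::string ns)
        : m_impl(std::make_shared<QualifiedNameImpl>(
              QualifiedNameImpl{std::move(prefix), std::move(local), std::move(ns)})) {}

    bool matches(const QualifiedName& other) const {
        if (m_impl == other.m_impl)      // fast path: same impl (two nulls also land here)
            return true;
        if (!m_impl || !other.m_impl)    // guard proposed in comment 1; a corrupt but
            return false;                // non-null pointer still passes it (comment 4)
        return m_impl->localName == other.m_impl->localName
            && m_impl->namespaceURI == other.m_impl->namespaceURI;
    }

private:
    std::shared_ptr<QualifiedNameImpl> m_impl;
};

static const char* const kXhtmlNs = "http://www.w3.org/1999/xhtml";

bool matchesSameImpl() {
    QualifiedName a("", "div", kXhtmlNs);
    QualifiedName b = a;                   // copy shares the impl: fast path
    return a.matches(b);
}

bool matchesEqualParts() {                 // distinct impls, prefix ignored: slow path
    return QualifiedName("", "div", kXhtmlNs).matches(QualifiedName("x", "div", kXhtmlNs));
}

bool rejectsDifferentLocalName() {
    return !QualifiedName("", "div", kXhtmlNs).matches(QualifiedName("", "span", kXhtmlNs));
}

bool nullImplDoesNotCrash() {              // null impl would be dereferenced without the guard
    QualifiedName empty;
    QualifiedName div("", "div", kXhtmlNs);
    return !empty.matches(div) && !div.matches(empty);
}
```

The guard only covers the null case; the out-of-range static names reported in comment 9 are non-null pointers, which is why the thread treats this as memory corruption rather than a missing check.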
Mike Lawther
Comment 5 2012-02-12 15:25:50 PST
Is there an equivalent WebKit bug for <rdar://problem/10738221>? Searching for 'problem/10738221' only turns up this bug.
Alexey Proskuryakov
Comment 6 2012-02-12 18:42:54 PST
No, there is no other bug in Bugzilla. There isn't interesting information to share, just a similar stack trace.
David Barr
Comment 7 2012-04-19 21:11:30 PDT
I have inspected a crash dump that hits a non-inlined path for WebCore::QualifiedName::matches(). I can confirm that the arguments it gives AtomicString::operator==() are both NULL.
David Barr
Comment 8 2012-04-19 22:43:44 PDT
(In reply to comment #7)
> I have inspected a crash dump that hits a non-inlined path for WebCore::QualifiedName::matches().
> I can confirm that the arguments it gives AtomicString::operator==() are both NULL.

Sorry, that statement came out wrong. I will reply after consulting with someone skilled in the art of minidump parsing.
David Barr
Comment 9 2012-04-20 05:39:19 PDT
I have 2 cases identified in crash dumps:
XMLNames::langAttr is out of range.
HTMLNames::noframesTag is partially out of range.
Brent Fulgham
Comment 10 2022-07-13 15:32:18 PDT
This code has been significantly refactored since this patch was proposed. There doesn't seem to be any action we can take here.