Tested on Windows 7 SP1 Apple Safari 5.1.5 Reproduce: 1. Open poc.html. 2. Wait... 3. See the crash. Stacktrace =================== (ff4.17f4): Access violation - code c0000005 (!!! second chance !!!) eax=7feabbb0 ebx=7ff46c00 ecx=00000001 edx=7ff0bc70 esi=00000000 edi=7feabaa8 eip=557c645a esp=0012e6c8 ebp=0012eb78 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202 *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Safari\Apple Application Support\WebKit.dll - WebKit!WKBackForwardListItemGetTypeID+0x3f72a: 557c645a 837e3000 cmp dword ptr [esi+30h],0 ds:0023:00000030=???????? 0:000> .exr -1 ExceptionAddress: 557c645a (WebKit!WKBackForwardListItemGetTypeID+0x0003f72a) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 00000000 Parameter[1]: 00000030 Attempt to read from address 00000030 0:000> .lastevent Last event: ff4.17f4: Access violation - code c0000005 (!!! second chance !!!) debugger time: Tue Mar 27 20:26:13.722 2012 (UTC - 3:00) *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Safari\Apple Application Support\JavaScriptCore.dll - 0:000> k ChildEBP RetAddr WARNING: Stack unwind information not available. Following frames may be wrong. 0012eb78 55a95056 WebKit!WKBackForwardListItemGetTypeID+0x3f72a 0012eb94 55a8438d WebKit!DllRegisterServer+0x7acc6 0012ebe8 559bfc34 WebKit!DllRegisterServer+0x69ffd 0012ec1c 556fe322 WebKit!WKArrayGetTypeID+0x1f8be4 0012ec60 5571219f WebKit!SetWebLocalizedStringMainBundle+0x20bb2 0012eca8 559c14d8 WebKit!WKDictionaryGetTypeID+0x1b9f 0012ecd4 558eea40 WebKit!WKArrayGetTypeID+0x1fa488 0012ed00 559b2826 WebKit!WKArrayGetTypeID+0x1279f0 0012ed40 558bceac WebKit!WKArrayGetTypeID+0x1eb7d6 0012ed70 558ccbec WebKit!WKArrayGetTypeID+0xf5e5c 0012eda0 558e399c WebKit!WKArrayGetTypeID+0x105b9c 0012edd0 59b14aad WebKit!WKArrayGetTypeID+0x11c94c 0012edf8 59b153cf JavaScriptCore!JSObjectSetProperty+0x3ca 0012ee88 59a607c9 JavaScriptCore!JSObjectSetProperty+0xcec 0012eea4 59ac69d8 JavaScriptCore!JSC::JSGlobalObject::~JSGlobalObject+0x99 0012eeb0 59ab4788 JavaScriptCore!JSC::Interpreter::retrieveCallerFromVMCode+0x4f1 0012eeb4 59ab48b1 JavaScriptCore!WTF::deleteOwnedPtr+0x29288 0012eee4 59a6496a JavaScriptCore!WTF::deleteOwnedPtr+0x293b1 0012ef18 55674ca4 JavaScriptCore!JSC::call+0x3a 0012f03c 5572c027 WebKit!WKPluginSiteDataManagerGetTypeID+0x2edd4 0012f068 5572bf38 WebKit!WKDictionaryGetTypeID+0x1ba27 0012f098 5586b2b0 WebKit!WKDictionaryGetTypeID+0x1b938 0012f0c8 5586b350 WebKit!WKArrayGetTypeID+0xa4260 0012f0d8 5586b0af WebKit!WKArrayGetTypeID+0xa4300 00000000 00000000 WebKit!WKArrayGetTypeID+0xa405f
Created attachment 134180 [details] PoC file.
With the attached test, I get a null pointer crash in Safari 5.1.5, or an assertion failure in ToT WebKit: SHOULD NEVER BE REACHED /Users/ap/Safari/OpenSource/Source/WebCore/css/SelectorChecker.cpp(1166) : bool WebCore::SelectorChecker::checkOneSelector(const WebCore::SelectorChecker::SelectorCheckingContext &, WebCore::PseudoId &) const 1 0x10945d0b3 WebCore::SelectorChecker::checkSelector(WebCore::SelectorChecker::SelectorCheckingContext const&, WebCore::PseudoId&) const 2 0x1083f17e2 WebCore::CSSStyleSelector::checkSelector(WebCore::RuleData const&, WebCore::ContainerNode const*) 3 0x1083d9e51 WebCore::CSSStyleSelector::collectMatchingRulesForList(WTF::Vector<WebCore::RuleData, 0ul> const*, int&, int&, WebCore::CSSStyleSelector::MatchOptions const&) 4 0x1083d9d03 WebCore::CSSStyleSelector::collectMatchingRules(WebCore::RuleSet*, int&, int&, WebCore::CSSStyleSelector::MatchOptions const&) 5 0x1083da7e6 WebCore::CSSStyleSelector::matchAuthorRules(WebCore::CSSStyleSelector::MatchResult&, bool) 6 0x1083dad89 WebCore::CSSStyleSelector::matchAllRules(WebCore::CSSStyleSelector::MatchResult&) 7 0x1083d81f5 WebCore::CSSStyleSelector::styleForElement(WebCore::Element*, WebCore::RenderStyle*, bool, bool, WebCore::RenderRegion*) 8 0x108679d32 WebCore::Element::styleForRenderer() 9 0x108679f39 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) 10 0x10867a6ca WebCore::Element::recalcStyle(WebCore::Node::StyleChange) 11 0x10867a6ca WebCore::Element::recalcStyle(WebCore::Node::StyleChange) 12 0x108499836 WebCore::Document::recalcStyle(WebCore::Node::StyleChange) 13 0x10849a233 WebCore::Document::updateStyleIfNeeded() 14 0x108499f15 WebCore::Document::implicitClose() The crash in 5.1.5 is possibly same as <rdar://problem/9970343> and/or bug 66291.
This ASSERT_NOT_REACHED looks unusual - we normally don't put default in switches, so that omissions could be found at compile time. Or is this value not a valid one for the enum?
I'm seeing this assertion fail on every bug reported by Mario, albeit with different backtraces. It would be great if we could get clarity about the cause of these.
This code has been significantly refactored since this patch was proposed. There doesn't seem to be any action we can take here.