RESOLVED CONFIGURATION CHANGED 86318
Crash null ptr WebKit!WebCore::RenderBox::styleDidChange+0x1f8.
https://bugs.webkit.org/show_bug.cgi?id=86318
Summary Crash null ptr WebKit!WebCore::RenderBox::styleDidChange+0x1f8.
Mario Gomes
Reported 2012-05-13 07:25:27 PDT
Tested On: Safari 5.1.7, Chrome 20.0.1132.3 dev and Webkit Nightly r116595
Windows 7 SP1 x86

Reproduce:
1. Open poc.html.
2. Wait...
3. See the crash.

Stacktrace (From webkit nightly)
================================
(324.1518): Access violation - code c0000005 (!!! second chance !!!)
eax=7fb10022 ebx=00000000 ecx=7fb07500 edx=7f1f3880 esi=00000000 edi=7faefb4c
eip=59a22f18 esp=0013ea0c ebp=0013ea38 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
WebKit!WebCore::RenderBox::styleDidChange+0x1f8:
59a22f18 8b4670 mov eax,dword ptr [esi+70h] ds:0023:00000070=????????
0:000> .exr -1
ExceptionAddress: 59a22f18 (WebKit!WebCore::RenderBox::styleDidChange+0x000001f8)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000070
Attempt to read from address 00000070
0:000> .lastevent
Last event: 324.1518: Access violation - code c0000005 (!!! second chance !!!)
debugger time: Sun May 13 11:18:25.960 2012 (UTC - 3:00)
0:000> k
ChildEBP RetAddr
0013ea38 59a23db8 WebKit!WebCore::RenderBox::styleDidChange+0x1f8 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderbox.cpp @ 368]
0013ea58 59a245f5 WebKit!WebCore::RenderBlock::styleDidChange+0x18 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderblock.cpp @ 328]
0013ea74 59a1a374 WebKit!WebCore::RenderScrollbarPart::styleDidChange+0x15 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderscrollbarpart.cpp @ 143]
0013ea98 599faba5 WebKit!WebCore::RenderObject::setStyle+0x1f4 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderobject.cpp @ 1782]
0013eacc 599fe788 WebKit!WebCore::RenderScrollbar::updateScrollbarPart+0x1d5 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderscrollbar.cpp @ 284]
0013eb04 59a0352a WebKit!WebCore::RenderScrollbar::updateScrollbarParts+0x18 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderscrollbar.cpp @ 184]
0013eb0c 59a1de5a WebKit!WebCore::RenderScrollbar::styleChanged+0xa [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderscrollbar.cpp @ 109]
0013eb68 59a20bbf WebKit!WebCore::RenderLayer::styleChanged+0x12a [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderlayer.cpp @ 4774]
0013eb80 59a22d42 WebKit!WebCore::RenderBoxModelObject::styleDidChange+0x15f [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderboxmodelobject.cpp @ 450]
0013ebbc 59a23db8 WebKit!WebCore::RenderBox::styleDidChange+0x22 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderbox.cpp @ 353]
0013ebdc 59a1a374 WebKit!WebCore::RenderBlock::styleDidChange+0x18 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderblock.cpp @ 328]
0013ec00 599d4372 WebKit!WebCore::RenderObject::setStyle+0x1f4 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderobject.cpp @ 1782]
0013ec18 59c8620a WebKit!WebCore::RenderObject::setAnimatableStyle+0x42 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderobject.cpp @ 1686]
0013ec28 59b17779 WebKit!WebCore::Node::setRenderStyle+0x1a [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\dom\node.cpp @ 1454]
0013ec58 59b17a14 WebKit!WebCore::Element::recalcStyle+0x2a9 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\dom\element.cpp @ 1133]
0013ec88 59b17a14 WebKit!WebCore::Element::recalcStyle+0x544 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\dom\element.cpp @ 1177]
0013ecb8 59b196cb WebKit!WebCore::Element::recalcStyle+0x544 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\dom\element.cpp @ 1177]
0013ece0 59b19a46 WebKit!WebCore::Document::recalcStyle+0x1cb [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\dom\document.cpp @ 1748]
0013ecf8 59b1c4f3 WebKit!WebCore::Document::styleResolverChanged+0xa6 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\dom\document.cpp @ 3278]
0013ed04 59b1edf9 WebKit!WebCore::Document::removePendingSheet+0x13 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\dom\document.cpp @ 3230]
0013ed0c 59ac1bfc WebKit!WebCore::StyleElement::sheetLoaded+0x29 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\dom\styleelement.cpp @ 200]
0013ed14 59bcdbd1 WebKit!WebCore::HTMLStyleElement::sheetLoaded+0xc [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\html\htmlstyleelement.h @ 73]
0013ed24 59b1edbf WebKit!WebCore::StyleSheetInternal::checkLoaded+0x71 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\css\cssstylesheet.cpp @ 379]
0013ed98 59b20d56 WebKit!WebCore::StyleElement::createSheet+0x2df [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\dom\styleelement.cpp @ 184]
0013eddc 59b2124f WebKit!WebCore::StyleElement::process+0x186 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\dom\styleelement.cpp @ 136]
0013edec 59aad71c WebKit!WebCore::StyleElement::finishParsingChildren+0xf [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\dom\styleelement.cpp @ 107]
0013edf8 59fd843f WebKit!WebCore::HTMLStyleElement::finishParsingChildren+0xc [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\html\htmlstyleelement.cpp @ 96]
0013ee04 59fb5860 WebKit!WebCore::HTMLElementStack::popCommon+0xf [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\html\parser\htmlelementstack.cpp @ 584]
0013ee48 59fb5476 WebKit!WebCore::HTMLTreeBuilder::processEndTag+0x3a0 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\html\parser\htmltreebuilder.cpp @ 2151]
0013ee54 59fb5fb3 WebKit!WebCore::HTMLTreeBuilder::processToken+0x46 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\html\parser\htmltreebuilder.cpp @ 516]
0013ee68 59fb6270 WebKit!WebCore::HTMLTreeBuilder::constructTreeFromAtomicToken+0x23 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\html\parser\htmltreebuilder.cpp @ 477]
0013eea0 59f0e6a9 WebKit!WebCore::HTMLTreeBuilder::constructTreeFromToken+0x30 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\html\parser\htmltreebuilder.cpp @ 461]
0013eee0 59f0ea28 WebKit!WebCore::HTMLDocumentParser::pumpTokenizer+0x119 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\html\parser\htmldocumentparser.cpp @ 278]
0013eef0 59b06b78 WebKit!WebCore::HTMLDocumentParser::append+0xc8 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\html\parser\htmldocumentparser.cpp @ 372]
0013ef3c 59efbb05 WebKit!WebCore::DecodedDataDocumentParser::appendBytes+0x58 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\dom\decodeddatadocumentparser.cpp @ 50]
0013ef54 59c1727e WebKit!WebCore::DocumentWriter::addData+0x55 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\loader\documentwriter.cpp @ 218]
0013efa0 598d3b7c WebKit!WebCore::DocumentLoader::commitData+0xee [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\loader\documentloader.cpp @ 349]
0013efd8 59c17853 WebKit!WebKit::WebFrameLoaderClient::committedLoad+0x2c [c:\cygwin\home\buildbot\slave\win-release\build\source\webkit2\webprocess\webcoresupport\webframeloaderclient.cpp @ 866]
0013eff8 59c178ee WebKit!WebCore::DocumentLoader::commitLoad+0x93 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\loader\documentloader.cpp @ 322]
0013f010 59f32d73 WebKit!WebCore::DocumentLoader::receivedData+0x4e [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\loader\documentloader.cpp @ 360]
0013f02c 59ddfb85 WebKit!WebCore::MainResourceLoader::addData+0x23 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\loader\mainresourceloader.cpp @ 192]
0013f04c 59f33fc8 WebKit!WebCore::ResourceLoader::didReceiveData+0x25 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\loader\resourceloader.cpp @ 276]
0013f168 59ddfa90 WebKit!WebCore::MainResourceLoader::didReceiveData+0x188 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\loader\mainresourceloader.cpp @ 512]
0013f198 59a6c9f3 WebKit!WebCore::ResourceLoader::didReceiveData+0x60 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\loader\resourceloader.cpp @ 430]
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Safari\Apple Application Support\CFNetwork.dll -
0013f1bc 5e706581 WebKit!WebCore::didReceiveData+0x43 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\platform\network\cf\resourcehandlecfnet.cpp @ 265]
WARNING: Stack unwind information not available. Following frames may be wrong.
0013f2d8 5e708f20 CFNetwork!CFReadStreamCreateWithFormArray+0x6671
0013f464 5e7026e2 CFNetwork!CFReadStreamCreateWithFormArray+0x9010
0013f4d4 5e7038e4 CFNetwork!CFReadStreamCreateWithFormArray+0x27d2
0013f4f8 75cbc4e7 CFNetwork!CFReadStreamCreateWithFormArray+0x39d4
0013f524 75cbc5e7 USER32!InternalCallWinProc+0x23
0013f59c 75cbcc19 USER32!UserCallWinProcCheckWow+0x14b
0013f5fc 75cbcc70 USER32!DispatchMessageWorker+0x35e
0013f60c 5994f231 USER32!DispatchMessageW+0xf
0013f640 598efe0e WebKit!WebCore::RunLoop::run+0x41 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\platform\win\runloopwin.cpp @ 76]
0013f654 598c5ff6 WebKit!WebKit::WebProcessMain+0xde [c:\cygwin\home\buildbot\slave\win-release\build\source\webkit2\webprocess\win\webprocessmainwin.cpp @ 84]
0013f674 598c609c WebKit!WebKitMain+0x116 [c:\cygwin\home\buildbot\slave\win-release\build\source\webkit2\webprocess\webkitmain.cpp @ 59]
0013f6a0 00da1098 WebKit!WebKitMain+0x9c [c:\cygwin\home\buildbot\slave\win-release\build\source\webkit2\webprocess\webkitmain.cpp @ 187]
0013f8d0 00da1258 WebKit2WebProcess!wWinMain+0x98 [c:\cygwin\home\buildbot\slave\win-release\build\source\webkit2\win\mainwin.cpp @ 67]
0013f964 7611ed6c WebKit2WebProcess!__tmainCRTStartup+0x150 [f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 589]
0013f970 7772377b kernel32!BaseThreadInitThunk+0xe
0013f9b0 7772374e ntdll!__RtlUserThreadStart+0x70
0013f9c8 00000000 ntdll!_RtlUserThreadStart+0x1b
0:000> dv /v
@ecx this = 0x7fb07500
0013ea40 diff = StyleDifferenceLayout (0n7)
0013ea44 oldStyle = 0x7fb2ae40
0013ea47 isBodyRenderer = true
0013ea34 newStyle = 0x7fb1c280
0013ea43 isRootRenderer = false
0013ea40 left = 0n7
0013ea40 top = 0n7
0013ea2c viewRenderer = 0x00000a00
Attachments
PoC.html (92.89 KB, text/html)
2012-05-13 07:26 PDT, Mario Gomes
no flags
Mario Gomes
Comment 1 2012-05-13 07:26:10 PDT
Created attachment 141604 [details] PoC.html
David Barr
Comment 2 2012-06-13 21:44:11 PDT
Confirmed with attached reproduction.
Google Chrome: 21.0.1173.0 (Official Build 141861) canary
OS: Mac OS X
WebKit: 537.1 (@120155)
WebKit Nightly Version 5.1.7 (6534.57.2, r120264)
A reduced reproduction would be nice.
Brent Fulgham
Comment 3 2022-07-13 15:32:56 PDT
This code has been significantly refactored since this patch was proposed. There doesn't seem to be any action we can take here.