Bug 99587 - REGRESSION(r131464): Null-pointer crash in StyleResolver::styleForElement
Summary: REGRESSION(r131464): Null-pointer crash in StyleResolver::styleForElement
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: CSS
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-10-17 05:06 PDT by dstockwell
Modified: 2012-10-18 09:00 PDT
CC: 7 users

See Also:


Attachments
Test case (32 bytes, text/html), 2012-10-17 05:06 PDT, dstockwell, no flags
Patch (4.10 KB, patch), 2012-10-17 22:07 PDT, Takashi Sakamoto, no flags

Description dstockwell 2012-10-17 05:06:55 PDT
Created attachment 169161 [details]
Test case

==26072== ERROR: AddressSanitizer crashed on unknown address 0x000000000030 (pc 0x00000066533d sp 0x7fffd83fb500 bp 0x7fffd83fb500 T0)
AddressSanitizer can not provide additional info.
    #0 0x66533c in WTF::RefPtr<WebCore::StyleRareInheritedData>::get() const third_party/WebKit/Source/WTF/wtf/RefPtr.h:58
    #1 0xb8df7c in WebCore::RenderStyle::userModify() const third_party/WebKit/Source/WebCore/rendering/style/RenderStyle.h:838
    #2 0x1ab07bf in WebCore::StyleResolver::styleForElement(WebCore::Element*, WebCore::RenderStyle*, WebCore::StyleSharingBehavior, WebCore::RuleMatchingBehavior, WebCore::RenderRegion*) third_party/WebKit/Source/WebCore/css/StyleResolver.cpp:1551
    #3 0xadba28 in WebCore::Document::styleForElementIgnoringPendingStylesheets(WebCore::Element*) third_party/WebKit/Source/WebCore/dom/Document.cpp:1972
    #4 0xb56d24 in WebCore::Element::computedStyle(WebCore::PseudoId) third_party/WebKit/Source/WebCore/dom/Element.cpp:1759
    #5 0x148813e in WebCore::HTMLTitleElement::textWithDirection() third_party/WebKit/Source/WebCore/html/HTMLTitleElement.cpp:87
    #6 0x1488041 in WebCore::HTMLTitleElement::childrenChanged(bool, WebCore::Node*, WebCore::Node*, int) third_party/WebKit/Source/WebCore/html/HTMLTitleElement.cpp:67
    #7 0xab3e3c in WebCore::ContainerNode::parserAppendChild(WTF::PassRefPtr<WebCore::Node>) third_party/WebKit/Source/WebCore/dom/ContainerNode.cpp:627
    #8 0x15d0e4b in WebCore::executeTask(WebCore::HTMLConstructionSiteTask&) third_party/WebKit/Source/WebCore/html/parser/HTMLConstructionSite.cpp:83
    #9 0x15d4e95 in WebCore::HTMLConstructionSite::insertTextNode(WTF::String const&, WebCore::WhitespaceMode) third_party/WebKit/Source/WebCore/html/parser/HTMLConstructionSite.cpp:385
    #10 0x154d2bf in WebCore::HTMLTreeBuilder::processCharacterBuffer(WebCore::HTMLTreeBuilder::ExternalCharacterTokenBuffer&) third_party/WebKit/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2281
    #11 0x154c47e in WebCore::HTMLTreeBuilder::processCharacter(WebCore::AtomicHTMLToken*) third_party/WebKit/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2154
    #12 0x15496d1 in WebCore::HTMLTreeBuilder::constructTreeFromAtomicToken(WebCore::AtomicHTMLToken*) third_party/WebKit/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:389
    #13 0x154952c in WebCore::HTMLTreeBuilder::constructTreeFromToken(WebCore::HTMLToken&) third_party/WebKit/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:370
    #14 0x150c04e in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) third_party/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:269
    #15 0x150d1e9 in WebCore::HTMLDocumentParser::append(WebCore::SegmentedString const&) third_party/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:361
    #16 0x32430eb in WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter*) third_party/WebKit/Source/WebCore/dom/DecodedDataDocumentParser.cpp:60
    #17 0x1d1d9ea in WebCore::DocumentWriter::end() third_party/WebKit/Source/WebCore/loader/DocumentWriter.cpp:241
    #18 0x1d06714 in WebCore::DocumentLoader::finishedLoading() third_party/WebKit/Source/WebCore/loader/DocumentLoader.cpp:299
    #19 0x1d5c02d in WebCore::MainResourceLoader::didFinishLoading(double) third_party/WebKit/Source/WebCore/loader/MainResourceLoader.cpp:525
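As an added triage example (not part of this bug report and not WebKit code): a small Python parser for the AddressSanitizer output above. It pulls out the faulting address, classifies a near-null address as a null dereference plus member offset (0x30 here, so `this` was null when `RefPtr::get()` ran) rather than a wild read, and skips WTF helpers and inlined header frames to land on the first frame worth blaming, which for this report is `StyleResolver.cpp:1551`, the function named in the bug title. The sample text is the header and first five frames copied from the report above; the one-page threshold and the skip rules for `third_party/WebKit/Source/WTF/` and `.h` frames are my assumptions, not anything the report states.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Header line of the ASan report above. The pattern also accepts the newer
# "AddressSanitizer: SEGV on unknown address 0x..." wording.
ASAN_HEADER = re.compile(
    r"==(?P<pid>\d+)== ERROR: AddressSanitizer(?:: (?P<kind>[\w-]+))? "
    r"(?:crashed )?on (?:unknown )?address 0x(?P<addr>[0-9a-fA-F]+)"
)
# One symbolised frame: "#N 0xADDR in FUNC FILE:LINE". FUNC may contain spaces
# (parameter lists, "const"), so it is matched lazily up to the final "path:line".
FRAME = re.compile(
    r"^\s*#(?P<n>\d+) 0x[0-9a-fA-F]+ in (?P<func>.+?) (?P<file>\S+):(?P<line>\d+)\s*$"
)

# Header and first five frames, copied from the report above.
SAMPLE = """\
==26072== ERROR: AddressSanitizer crashed on unknown address 0x000000000030 (pc 0x00000066533d sp 0x7fffd83fb500 bp 0x7fffd83fb500 T0)
AddressSanitizer can not provide additional info.
    #0 0x66533c in WTF::RefPtr<WebCore::StyleRareInheritedData>::get() const third_party/WebKit/Source/WTF/wtf/RefPtr.h:58
    #1 0xb8df7c in WebCore::RenderStyle::userModify() const third_party/WebKit/Source/WebCore/rendering/style/RenderStyle.h:838
    #2 0x1ab07bf in WebCore::StyleResolver::styleForElement(WebCore::Element*, WebCore::RenderStyle*, WebCore::StyleSharingBehavior, WebCore::RuleMatchingBehavior, WebCore::RenderRegion*) third_party/WebKit/Source/WebCore/css/StyleResolver.cpp:1551
    #3 0xadba28 in WebCore::Document::styleForElementIgnoringPendingStylesheets(WebCore::Element*) third_party/WebKit/Source/WebCore/dom/Document.cpp:1972
    #4 0xb56d24 in WebCore::Element::computedStyle(WebCore::PseudoId) third_party/WebKit/Source/WebCore/dom/Element.cpp:1759
"""

Frame = Tuple[str, str, int]  # (function, file, line)


@dataclass
class AsanReport:
    pid: int
    address: int
    frames: List[Frame] = field(default_factory=list)


def parse_asan(text: str) -> AsanReport:
    """Extract pid, faulting address and symbolised frames from ASan output."""
    report: Optional[AsanReport] = None
    for line in text.splitlines():
        h = ASAN_HEADER.search(line)
        if h:
            report = AsanReport(int(h.group("pid")), int(h.group("addr"), 16))
            continue
        f = FRAME.match(line)
        if f and report is not None:
            report.frames.append((f.group("func"), f.group("file"), int(f.group("line"))))
    if report is None:
        raise ValueError("no AddressSanitizer error header found")
    return report


def classify_address(addr: int, page_size: int = 4096) -> str:
    """An address inside the first page (assumed unmapped) is a null pointer plus
    a member offset, i.e. a null dereference that crashes instead of corrupting
    memory. Anything else is treated as a wild access needing closer analysis."""
    return "null-deref" if addr < page_size else "wild"


def blame_frame(report: AsanReport,
                skip_dirs: Tuple[str, ...] = ("third_party/WebKit/Source/WTF/",)) -> Optional[Frame]:
    """First frame that is neither a WTF helper nor an inlined header accessor;
    this is the place a fix is most likely to belong (assumed heuristic)."""
    for func, path, line in report.frames:
        if path.startswith(skip_dirs) or path.endswith(".h"):
            continue
        return (func, path, line)
    return None


if __name__ == "__main__":
    r = parse_asan(SAMPLE)
    print(f"pid={r.pid} address=0x{r.address:x} class={classify_address(r.address)}")
    print("blame:", blame_frame(r))
```

The class/offset split is the first thing to settle when an ASan crash lands in a queue: a read at 0x30 with `this` null is a reliability bug, while the same report with a heap address would need the allocation and free stacks before anyone could call it benign.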
Comment 1 Takashi Sakamoto 2012-10-17 22:07:42 PDT
Created attachment 169342 [details]
Patch
Comment 2 Allan Sandfeld Jensen 2012-10-18 04:03:30 PDT
Would it be possible for the summary to be shown later with the end result of the title not inheriting its userModify setting?
Comment 3 Dimitri Glazkov (Google) 2012-10-18 08:55:24 PDT
Comment on attachment 169342 [details]
Patch

I am sorry, I should've caught this.
Comment 4 WebKit Review Bot 2012-10-18 09:00:31 PDT
Comment on attachment 169342 [details]
Patch

Clearing flags on attachment: 169342

Committed r131758: <http://trac.webkit.org/changeset/131758>
Comment 5 WebKit Review Bot 2012-10-18 09:00:39 PDT
All reviewed patches have been landed.  Closing bug.