[Webkit-unassigned] [Bug 7956] New: REPRO CRASH: css background images can cause floating RenderStyle objects to die too soon

bugzilla-daemon at opendarwin.org bugzilla-daemon at opendarwin.org
Fri Mar 24 01:04:28 PST 2006


http://bugzilla.opendarwin.org/show_bug.cgi?id=7956

           Summary: REPRO CRASH: css background images can cause floating
                    RenderStyle objects to die too soon
           Product: WebKit
           Version: 420+ (nightly)
          Platform: Macintosh
        OS/Version: Mac OS X 10.4
            Status: NEW
          Severity: normal
          Priority: P1
         Component: CSS
        AssignedTo: webkit-unassigned at opendarwin.org
        ReportedBy: macdome at opendarwin.org


Tim Omernick and I worked on this bug we found with Mail this afternoon.

It turns out that using CSS background images can cause RenderStyle objects
(which are floating during construction) to be destroyed before they are used. 
This happens when the same CSS background image is referenced twice from two
different styles on two different elements within the same doc.  The crash will
only reproduce under memory pressure (or some other way to cause the
RenderArena memory to be reused.)

Attached is the crazy backtrace.  (It shows breaking on RenderStyle::ref() while
in CSSStyleSelector::styleForElement RenderStyle creation.)

There are several issues at play here.
1.  Synchronous load semantics of CachedObject::ref(this) are really wacky,
causing this sort of bug.
2.  The fact that we ever have floating objects (like RenderStyle) is a bad
idea to begin with.
3.  RenderStyle cannot be made non-floating using the normal RefPtr, PassRefPtr
conventions due to deref(RenderArena *) requiring an argument.

I talked with Maciej a bit on irc and proposed a couple solutions:
1.  add a float() or release() method to RenderStyle to allow holding a ref
over critical sections.
2.  add a deref() method which ASSERTs on m_refcount == 0, and is only used by
RefPtr and PassRefPtr
3.  Change the calling semantics to return with a ref of 1

#0  WebCore::RenderStyle::ref (this=0x22dc8e5c) at
/Volumes/Stuff/Projects/WebKit/OpenSource/WebCore/rendering/render_style.h:884
#1  0x017ac1a0 in WebCore::Element::recalcStyle (this=0x22d98e90,
change=NoChange) at
/Volumes/Stuff/Projects/WebKit/OpenSource/WebCore/dom/dom_elementimpl.cpp:563
#2  0x017ac3eb in WebCore::Element::recalcStyle (this=0x22dcc520,
change=NoChange) at
/Volumes/Stuff/Projects/WebKit/OpenSource/WebCore/dom/dom_elementimpl.cpp:599
#3  0x017ac3eb in WebCore::Element::recalcStyle (this=0x22dcc1c0,
change=NoChange) at
/Volumes/Stuff/Projects/WebKit/OpenSource/WebCore/dom/dom_elementimpl.cpp:599
#4  0x017ac3eb in WebCore::Element::recalcStyle (this=0x22dc8dc0,
change=NoChange) at
/Volumes/Stuff/Projects/WebKit/OpenSource/WebCore/dom/dom_elementimpl.cpp:599
#5  0x017ac3eb in WebCore::Element::recalcStyle (this=0x23a33d10,
change=NoChange) at
/Volumes/Stuff/Projects/WebKit/OpenSource/WebCore/dom/dom_elementimpl.cpp:599
#6  0x0188e7c1 in WebCore::Document::recalcStyle (this=0xef13800,
change=NoChange) at
/Volumes/Stuff/Projects/WebKit/OpenSource/WebCore/dom/Document.cpp:835
#7  0x018865ca in WebCore::FrameView::layout (this=0x23548280) at
/Volumes/Stuff/Projects/WebKit/OpenSource/WebCore/page/FrameView.cpp:333
#8  0x01866f17 in WebCore::Frame::forceLayout (this=0x22dc8670) at
/Volumes/Stuff/Projects/WebKit/OpenSource/WebCore/page/Frame.cpp:2904
#9  0x0189f059 in -[WebCoreFrameBridge forceLayoutAdjustingViewSize:]
(self=0x22d2d060, _cmd=0x90a9fec4, flag=0 '\0') at
/Volumes/Stuff/Projects/WebKit/OpenSource/WebCore/bridge/mac/WebCoreFrameBridge.mm:891
#10 0x0035b8d7 in -[WebHTMLView
layoutToMinimumPageWidth:maximumPageWidth:adjustingViewSize:] (self=0x2353f950,
_cmd=0x90aab8b8, minPageWidth=0, maxPageWidth=0, adjustViewSize=0 '\0') at
/Volumes/Stuff/Projects/WebKit/OpenSource/WebKit/WebView/WebHTMLView.m:2309
#11 0x0035bad7 in -[WebHTMLView layout] (self=0x2353f950, _cmd=0x90aab644) at
/Volumes/Stuff/Projects/WebKit/OpenSource/WebKit/WebView/WebHTMLView.m:2334
#12 0x0004a868 in ?? ()
#13 0x0001cb26 in ?? ()
#14 0x933ae181 in -[NSView setFrameSize:] ()
#15 0x0001c822 in ?? ()
#16 0x933cf5a9 in -[NSView resizeSubviewsWithOldSize:] ()
#17 0x933ae181 in -[NSView setFrameSize:] ()
#18 0x933cf38f in -[NSClipView setFrameSize:] ()
#19 0x933cf0fa in -[NSScrollView tile] ()
#20 0x933ce259 in -[NSScrollView _update] ()
#21 0x933ce22e in -[NSScrollView resizeSubviewsWithOldSize:] ()
#22 0x933ae181 in -[NSView setFrameSize:] ()
#23 0x933cdfa2 in -[NSScrollView setFrameSize:] ()
#24 0x00086193 in ?? ()
#25 0x000a0771 in ?? ()
#26 0x9271404f in _nsnote_callback ()
#27 0x9084c861 in __CFXNotificationPost ()
#28 0x9084408c in _CFXNotificationPostNotification ()
#29 0x92731bda in -[NSNotificationCenter postNotification:] ()
#30 0x00003ebf in ?? ()
#31 0x00002a2e in ?? ()
#32 0x9a1298fb in -[WebMessageDocument setContainsRemoteContent:] ()
#33 0x00046d2c in ?? ()
#34 0x0033c6e2 in -[WebLoader willSendRequest:redirectResponse:]
(self=0x22deb020, _cmd=0x90ac9490, newRequest=0x23123a80, redirectResponse=0x0)
at /Volumes/Stuff/Projects/WebKit/OpenSource/WebKit/WebView/WebLoader.m:416
#35 0x00332082 in -[WebSubresourceLoader willSendRequest:redirectResponse:]
(self=0x22deb020, _cmd=0x90ac9490, newRequest=0x22dc8f60, redirectResponse=0x0)
at
/Volumes/Stuff/Projects/WebKit/OpenSource/WebKit/WebCoreSupport/WebSubresourceLoader.m:151
#36 0x0033bb7f in -[WebLoader loadWithRequest:] (self=0x22deb020,
_cmd=0x90aac294, r=0x22dc8f60) at
/Volumes/Stuff/Projects/WebKit/OpenSource/WebKit/WebView/WebLoader.m:239
#37 0x00331dcc in +[WebSubresourceLoader
startLoadingResource:withRequest:customHeaders:referrer:forDataSource:]
(self=0x3ec9c0, _cmd=0x90ac2700, rLoader=0x23113030, newRequest=0x22dc8f60,
customHeaders=0x0, referrer=0x0, source=0x22dc5a60) at
/Volumes/Stuff/Projects/WebKit/OpenSource/WebKit/WebCoreSupport/WebSubresourceLoader.m:94
#38 0x00331ea9 in +[WebSubresourceLoader
startLoadingResource:withMethod:URL:customHeaders:referrer:forDataSource:]
(self=0x3ec9c0, _cmd=0x3c278c, rLoader=0x23113030, method=0x22dfde10,
URL=0x231063d0, customHeaders=0x0, referrer=0x0, source=0x22dc5a60) at
/Volumes/Stuff/Projects/WebKit/OpenSource/WebKit/WebCoreSupport/WebSubresourceLoader.m:114
#39 0x003280c1 in -[WebFrameBridge
startLoadingResource:withMethod:URL:customHeaders:] (self=0x22d2d060,
_cmd=0x1a39ab0, resourceLoader=0x23113030, method=0x22dfde10, URL=0x231063d0,
customHeaders=0x0) at
/Volumes/Stuff/Projects/WebKit/OpenSource/WebKit/WebCoreSupport/WebFrameBridge.m:465
#40 0x019e021a in WebCore::TransferJob::start (this=0x231288a0,
docLoader=0x22d8aeb0) at
/Volumes/Stuff/Projects/WebKit/OpenSource/WebCore/platform/mac/TransferJobMac.mm:88
#41 0x018adc9b in WebCore::Loader::servePendingRequests (this=0x23128b60) at
/Volumes/Stuff/Projects/WebKit/OpenSource/WebCore/loader/loader.cpp:112
#42 0x018add48 in WebCore::Loader::load (this=0x23128b60, dl=0x22d8aeb0,
object=0x23129930, incremental=true) at
/Volumes/Stuff/Projects/WebKit/OpenSource/WebCore/loader/loader.cpp:84
#43 0x018a9895 in WebCore::Cache::requestImage (dl=0x22d8aeb0, url=@0xbfffda00,
reload=false, expireDate=0) at
/Volumes/Stuff/Projects/WebKit/OpenSource/WebCore/loader/Cache.cpp:145
#44 0x018acc8c in WebCore::DocLoader::requestImage (this=0x22d8aeb0,
url=@0xbfffdae8) at
/Volumes/Stuff/Projects/WebKit/OpenSource/WebCore/loader/DocLoader.cpp:101
#45 0x018e0003 in WebCore::CSSImageValue::image (this=0x22d316f0,
loader=0x22d8aeb0) at
/Volumes/Stuff/Projects/WebKit/OpenSource/WebCore/css/css_valueimpl.cpp:1096
#46 0x018efa5f in WebCore::CSSStyleSelector::mapBackgroundImage
(this=0x23142780, layer=0x231b8464, value=0x22d316f0) at
/Volumes/Stuff/Projects/WebKit/OpenSource/WebCore/css/cssstyleselector.cpp:4020
#47 0x018f4eb8 in WebCore::CSSStyleSelector::applyProperty (this=0x23142780,
id=5, value=0x22d316f0) at
/Volumes/Stuff/Projects/WebKit/OpenSource/WebCore/css/cssstyleselector.cpp:2374
#48 0x018fc2cf in WebCore::CSSStyleSelector::applyDeclarations
(this=0x23142780, applyFirst=false, isImportant=false, startIndex=1,
endIndex=4) at
/Volumes/Stuff/Projects/WebKit/OpenSource/WebCore/css/cssstyleselector.cpp:1741
#49 0x018fd5c0 in WebCore::CSSStyleSelector::styleForElement (this=0x23142780,
e=0x22d314e0, defaultParent=0x0, allowSharing=true) at
/Volumes/Stuff/Projects/WebKit/OpenSource/WebCore/css/cssstyleselector.cpp:813
#50 0x017abfc8 in WebCore::Element::styleForRenderer (this=0x22d314e0,
parentRenderer=0x22dcc5dc) at
/Volumes/Stuff/Projects/WebKit/OpenSource/WebCore/dom/dom_elementimpl.cpp:502
#51 0x01896d56 in WebCore::Node::createRendererIfNeeded (this=0x22d314e0) at
/Volumes/Stuff/Projects/WebKit/OpenSource/WebCore/dom/Node.cpp:888
#52 0x017ac0a9 in WebCore::Element::attach (this=0x22d314e0) at
/Volumes/Stuff/Projects/WebKit/OpenSource/WebCore/dom/dom_elementimpl.cpp:550
#53 0x01797ab5 in WebCore::HTMLTableElement::attach (this=0x22d314e0) at
/Volumes/Stuff/Projects/WebKit/OpenSource/WebCore/html/html_tableimpl.cpp:515
#54 0x017a1010 in WebCore::HTMLParser::insertNode (this=0x23a3d500,
n=0x22d314e0, flat=false) at
/Volumes/Stuff/Projects/WebKit/OpenSource/WebCore/html/HTMLParser.cpp:276
#55 0x017a2b85 in WebCore::HTMLParser::parseToken (this=0x23a3d500,
t=0xef29214) at
/Volumes/Stuff/Projects/WebKit/OpenSource/WebCore/html/HTMLParser.cpp:218
#56 0x017a5bb2 in WebCore::HTMLTokenizer::processToken (this=0xef29200) at
/Volumes/Stuff/Projects/WebKit/OpenSource/WebCore/html/HTMLTokenizer.cpp:1654
#57 0x017a8ab7 in WebCore::HTMLTokenizer::parseTag (this=0xef29200,
src=@0xef29788, state={static EntityShift = <optimized out>, m_bits = 0}) at
/Volumes/Stuff/Projects/WebKit/OpenSource/WebCore/html/HTMLTokenizer.cpp:1232
#58 0x017a9439 in WebCore::HTMLTokenizer::write (this=0xef29200,
str=@0xbfffe9a0, appendData=true) at
/Volumes/Stuff/Projects/WebKit/OpenSource/WebCore/html/HTMLTokenizer.cpp:1458
#59 0x0187054a in WebCore::Frame::write (this=0x22dc8670, str=0x23662000
"<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01
Transitional//EN\"\n\"http://www.w3.org/TR/html4/loose.dtd\">\n<html>\n<head>\n<style
type=text/css>\n\n\ttd.vertical {\n\t\tbackground-image:
url(http://www.continenta"..., len=75592) at
/Volumes/Stuff/Projects/WebKit/OpenSource/WebCore/page/Frame.cpp:669
#60 0x01866304 in WebCore::Frame::addData (this=0x22dc8670, bytes=0x23662000
"<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01
Transitional//EN\"\n\"http://www.w3.org/TR/html4/loose.dtd\">\n<html>\n<head>\n<style
type=text/css>\n\n\ttd.vertical {\n\t\tbackground-image:
url(http://www.continenta"..., length=75592) at
/Volumes/Stuff/Projects/WebKit/OpenSource/WebCore/page/Frame.cpp:2610
#61 0x0189e682 in -[WebCoreFrameBridge addData:] (self=0x22d2d060,
_cmd=0x90a90118, data=0x23128180) at
/Volumes/Stuff/Projects/WebKit/OpenSource/WebCore/bridge/mac/WebCoreFrameBridge.mm:565
#62 0x00327f9d in -[WebFrameBridge receivedData:textEncodingName:]
(self=0x22d2d060, _cmd=0x90ab4160, data=0x23128180,
textEncodingName=0x231eb680) at
/Volumes/Stuff/Projects/WebKit/OpenSource/WebKit/WebCoreSupport/WebFrameBridge.m:450
#63 0x00350ebe in -[WebHTMLRepresentation receivedData:withDataSource:]
(self=0x23530060, _cmd=0x90ab4180, data=0x23128180, dataSource=0x22dc5a60) at
/Volumes/Stuff/Projects/WebKit/OpenSource/WebKit/WebView/WebHTMLRepresentation.m:120
#64 0x00341c23 in -[WebDataSource(WebPrivate) _commitLoadWithData:]
(self=0x22dc5a60, _cmd=0x3c79f4, data=0x23128180) at
/Volumes/Stuff/Projects/WebKit/OpenSource/WebKit/WebView/WebDataSource.m:897
#65 0x00340ae8 in -[WebDataSource(WebPrivate) _receivedData:] (self=0x22dc5a60,
_cmd=0x90a7d0f8, data=0x23128180) at
/Volumes/Stuff/Projects/WebKit/OpenSource/WebKit/WebView/WebDataSource.m:649
#66 0x0036b935 in -[WebMainResourceLoader addData:] (self=0x2357e750,
_cmd=0x90a90118, data=0x23128180) at
/Volumes/Stuff/Projects/WebKit/OpenSource/WebKit/WebView/WebMainResourceLoader.m:162
#67 0x0033d058 in -[WebLoader didReceiveData:lengthReceived:] (self=0x2357e750,
_cmd=0x90a9b254, data=0x23128180, lengthReceived=75592) at
/Volumes/Stuff/Projects/WebKit/OpenSource/WebKit/WebView/WebLoader.m:533
#68 0x0036ca4d in -[WebMainResourceLoader didReceiveData:lengthReceived:]
(self=0x2357e750, _cmd=0x90a9b254, data=0x23128180, lengthReceived=75592) at
/Volumes/Stuff/Projects/WebKit/OpenSource/WebKit/WebView/WebMainResourceLoader.m:377
#69 0x0033d8a8 in -[WebLoader connection:didReceiveData:lengthReceived:]
(self=0x2357e750, _cmd=0x90a97084, con=0x23573570, data=0x23128180,
lengthReceived=75592) at
/Volumes/Stuff/Projects/WebKit/OpenSource/WebKit/WebView/WebLoader.m:648
#70 0x927827f6 in -[NSURLConnection(NSURLConnectionInternal)
_sendDidReceiveDataCallback] ()
#71 0x92780adb in -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] ()
#72 0x927807b7 in _sendCallbacks ()
#73 0x9082363d in CFRunLoopRunSpecific ()
#74 0x90823179 in CFRunLoopRunInMode ()
#75 0x92ef5c5c in RunCurrentEventLoopInMode ()
#76 0x92ef5363 in ReceiveNextEventCommon ()
#77 0x92ef51ba in BlockUntilNextEventMatchingListInMode ()
#78 0x93396ad1 in _DPSNextEvent ()
#79 0x933966be in -[NSApplication
nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#80 0x93390443 in -[NSApplication run] ()
#81 0x93384397 in NSApplicationMain ()
#82 0x00094322 in ?? ()
#83 0x0009423d in ?? ()


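The refcount hazard the report describes, as an added example that is not WebKit code and not part of the original bug mail. `Arena`, `Style`, `synchronousLoadCallback`, `floatingStyleDiesBeforeUse` and `ownedStyleSurvivesLoad` are hypothetical stand-ins for RenderArena, RenderStyle, the synchronous CachedObject client notification and CSSStyleSelector::styleForElement; reclaiming memory is modelled with a flag rather than a real free so the dead state can be inspected deterministically instead of depending on arena reuse under memory pressure.

```cpp
// Added example (not WebKit code): a minimal model of a "floating" refcounted
// object, the nested ref()/deref() pair that kills it during construction, and
// the "return with a ref of 1" fix (proposal 3 in the report).
#include <cstdio>

// Hypothetical stand-in for RenderArena: counts objects handed back to it.
struct Arena {
    int freed = 0;
};

// Hypothetical stand-in for RenderStyle. A freshly constructed object is
// "floating": its count is 0 and nobody owns it yet.
class Style {
public:
    void ref() { ++m_refCount; }

    // Mirrors deref(RenderArena*): the extra argument is why RefPtr/PassRefPtr
    // cannot manage this type as-is. Reaching zero returns the memory to the
    // arena; here that is a flag instead of a real free, so it can be inspected.
    void deref(Arena* arena) {
        if (--m_refCount == 0) {
            ++arena->freed;
            m_alive = false;
        }
    }
    bool alive() const { return m_alive; }
    int refCount() const { return m_refCount; }

private:
    int m_refCount = 0;
    bool m_alive = true;
};

// A synchronous load completing inside style construction (applyProperty ->
// mapBackgroundImage -> CSSImageValue::image -> requestImage): the client briefly
// takes a reference on the style under construction and releases it again.
// The pair is balanced, but it is only harmless if someone else holds a ref.
void synchronousLoadCallback(Style* style, Arena* arena) {
    style->ref();
    style->deref(arena);
}

// Buggy convention: the style is built while floating, and the first ref()
// happens in the caller (Element::recalcStyle) after return. The nested pair
// drives the count 0 -> 1 -> 0 and the object is reclaimed before the caller
// ever sees it. Returns true when that premature death is observed.
bool floatingStyleDiesBeforeUse() {
    Arena arena;
    Style style;                              // refcount 0: floating
    synchronousLoadCallback(&style, &arena);  // count hits 0 again: reclaimed
    return !style.alive() && arena.freed == 1;
}

// Fix: hold a reference for the whole critical section and hand the object back
// with a count of 1, so a transient ref()/deref() pair can never reach zero.
// Returns true when the style survives the load and is released exactly once
// by its eventual owner.
bool ownedStyleSurvivesLoad() {
    Arena arena;
    Style style;
    style.ref();                              // ref held over the critical section
    synchronousLoadCallback(&style, &arena);  // count goes 1 -> 2 -> 1, never 0
    bool survived = style.alive() && style.refCount() == 1 && arena.freed == 0;
    style.deref(&arena);                      // the owner releases its single ref
    return survived && !style.alive() && arena.freed == 1;
}

int main() {
    std::printf("floating style dies before use: %s\n",
                floatingStyleDiesBeforeUse() ? "yes" : "no");
    std::printf("owned style survives load:      %s\n",
                ownedStyleSurvivesLoad() ? "yes" : "no");
    return 0;
}
```

In the real engine the reclaimed object is only noticed once the arena reuses the slot and a later `ref()` scribbles on it, which is why the report says the crash needs memory pressure; the model above makes the same ordering visible without that. Holding the reference across the load is the same invariant a RefPtr would enforce if `deref` did not need the arena argument.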