[Webkit-unassigned] [Bug 17313] querySelectorAll() causing crashes when called via dojo.query() wrapper

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Mar 3 04:30:25 PST 2008 

http://bugs.webkit.org/show_bug.cgi?id=17313





------- Comment #16 from mrowe at apple.com  2008-03-03 04:30 PDT -------
Created an attachment (id=19494)
 --> (http://bugs.webkit.org/attachment.cgi?id=19494&action=view)
Crash under guard malloc

The reduction is small enough to run quickly under guard malloc, and it
confirms the bogus write!  Under guard malloc, we conveniently crash at the
point where the write occurs.  A little further poking around shows that the
RenderStyle that previously resided at this memory location belonged to the
<input> element, and is destroyed at the point of the following backtrace:

Breakpoint 2, WebCore::RenderStyle::~RenderStyle (this=0xd2641fbc) at
WebCore/rendering/RenderStyle.cpp:1047
1047    }
#0  WebCore::RenderStyle::~RenderStyle (this=0xd2641fbc) at
WebCore/rendering/RenderStyle.cpp:1047
#1  0x01f846f5 in WebCore::RenderStyle::~RenderStyle (this=0xd2641fbc) at
WebCore/rendering/RenderStyle.cpp:1047
#2  0x01f84752 in WebCore::RenderStyle::arenaDelete (this=0xd2641fbc,
arena=0xd1ea3e50) at WebCore/rendering/RenderStyle.cpp:924
#3  0x01b54139 in WebCore::RenderStyle::deref (this=0xd2641fbc,
arena=0xd1ea3e50) at rendering/RenderStyle.h:1377
#4  0x01cb6955 in WebCore::Element::recalcStyle (this=0xd2569f80,
change=WebCore::Node::Force) at WebCore/dom/Element.cpp:769
#5  0x01d40814 in WebCore::HTMLGenericFormElement::recalcStyle
(this=0xd2569f80, change=WebCore::Node::Force) at
WebCore/html/HTMLGenericFormElement.cpp:176
#6  0x01cb6a22 in WebCore::Element::recalcStyle (this=0xd252dfb0,
change=WebCore::Node::Force) at WebCore/dom/Element.cpp:781
#7  0x01cb6a22 in WebCore::Element::recalcStyle (this=0xd21b7fb0,
change=WebCore::Node::Force) at WebCore/dom/Element.cpp:781
#8  0x01c88a42 in WebCore::Document::recalcStyle (this=0xd1e72950,
change=WebCore::Node::Force) at WebCore/dom/Document.cpp:1118
#9  0x01c8ab98 in WebCore::Document::updateStyleSelector (this=0xd1e72950) at
WebCore/dom/Document.cpp:2068
#10 0x01cf1a37 in WebCore::Frame::reapplyStyles (this=0xc1d09ff0) at
WebCore/page/Frame.cpp:755
#11 0x01d11786 in WebCore::FrameView::layout (this=0xc2ca3fd0,
allowSubtree=true) at WebCore/page/FrameView.cpp:376
#12 0x01c85761 in WebCore::Document::implicitClose (this=0xd1e72950) at
WebCore/dom/Document.cpp:1512
#13 0x01cf612e in WebCore::FrameLoader::checkCallImplicitClose
(this=0xc1d11da0) at WebCore/loader/FrameLoader.cpp:1310
#14 0x01d019ae in WebCore::FrameLoader::checkCompleted (this=0xc1d11da0) at
WebCore/loader/FrameLoader.cpp:1263


Perhaps someone that knows something (anything?) about how the CSS style system
and rendering fit together would have more luck taking things from here?


-- 
Configure bugmail: http://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

More information about the webkit-unassigned mailing list