[Webkit-unassigned] [Bug 31093] New: WebKit crasher (Safari/chrome Mac/Windows) related to layout/style recalculation

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Nov 3 17:52:18 PST 2009


https://bugs.webkit.org/show_bug.cgi?id=31093

           Summary: WebKit crasher (Safari/chrome Mac/Windows) related to
                    layout/style recalculation
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Mac OS X 10.5
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: jaimeyap at google.com
                CC: timothy at hatcher.name, knorton at google.com,
                    jamesr at chromium.org


Created an attachment (id=42439)
 --> (https://bugs.webkit.org/attachment.cgi?id=42439)
Code sample that crashed WebKit-based browser (rigged to crash on clicking an anchor)

I am seeing a very very odd crasher that seemingly is related to layout... and
apparently the phase of the moon on Sunday.
I have attached as minimal a reproduction case as I could get. It seems to be a
compounded bug that depends on a typo in a CSS rule and the right mix of DOM
structure and CSS.

The code sample has comments that should further elaborate on the crasher.
Note that clicking the "die" anchor WILL CRASH THE BROWSER (or tab if you are
using Chrome).

It is failing this assert in RenderObject.cpp (line 214):
ASSERT(!node() || documentBeingDestroyed() || !document()->frame()->view() || document()->frame()->view()->layoutRoot() != this);


Stack trace of the crash:
     chrome.dll!WebCore::RenderObject::~RenderObject()  Line 214 + 0x75 bytes    C++
     chrome.dll!WebCore::RenderBoxModelObject::~RenderBoxModelObject()  Line 58 + 0x8 bytes    C++
     chrome.dll!WebCore::RenderBox::~RenderBox()  Line 82 + 0x13 bytes    C++
     chrome.dll!WebCore::RenderBlock::~RenderBlock()  Line 156 + 0x13 bytes    C++
     chrome.dll!WebCore::RenderTextControl::~RenderTextControl()  Line 83 + 0x16 bytes    C++
     chrome.dll!WebCore::RenderTextControlSingleLine::~RenderTextControlSingleLine()  Line 69 + 0x6a bytes    C++
     chrome.dll!WebCore::RenderTextControlSingleLine::`scalar deleting destructor'()  + 0x16 bytes    C++
     chrome.dll!WebCore::RenderObject::arenaDelete(WebCore::RenderArena * arena=0x045e8540, void * base=0x0700f30c)  Line 1923 + 0x22 bytes    C++
     chrome.dll!WebCore::RenderObject::destroy()  Line 1897    C++
     chrome.dll!WebCore::RenderBoxModelObject::destroy()  Line 76    C++
     chrome.dll!WebCore::RenderBox::destroy()  Line 96    C++
     chrome.dll!WebCore::RenderBlock::destroy()  Line 197    C++
     chrome.dll!WebCore::Node::detach()  Line 1256 + 0x1d bytes    C++
     chrome.dll!WebCore::ContainerNode::detach()  Line 591    C++
     chrome.dll!WebCore::Element::detach()  Line 751    C++
>    chrome.dll!WebCore::HTMLInputElement::detach()  Line 880    C++
     chrome.dll!WebCore::Element::recalcStyle(WebCore::Node::StyleChange change=NoChange)  Line 803 + 0x12 bytes    C++
     chrome.dll!WebCore::HTMLFormControlElement::recalcStyle(WebCore::Node::StyleChange change=NoChange)  Line 240    C++
     chrome.dll!WebCore::Element::recalcStyle(WebCore::Node::StyleChange change=NoChange)  Line 867 + 0x16 bytes    C++
     chrome.dll!WebCore::Element::recalcStyle(WebCore::Node::StyleChange change=NoChange)  Line 867 + 0x16 bytes    C++
     chrome.dll!WebCore::Element::recalcStyle(WebCore::Node::StyleChange change=NoChange)  Line 867 + 0x16 bytes    C++
     chrome.dll!WebCore::Element::recalcStyle(WebCore::Node::StyleChange change=NoChange)  Line 867 + 0x16 bytes    C++
     chrome.dll!WebCore::Element::recalcStyle(WebCore::Node::StyleChange change=NoChange)  Line 867 + 0x16 bytes    C++
     chrome.dll!WebCore::Element::recalcStyle(WebCore::Node::StyleChange change=NoChange)  Line 867 + 0x16 bytes    C++
     chrome.dll!WebCore::Element::recalcStyle(WebCore::Node::StyleChange change=NoChange)  Line 867 + 0x16 bytes    C++
     chrome.dll!WebCore::Element::recalcStyle(WebCore::Node::StyleChange change=NoChange)  Line 867 + 0x16 bytes    C++
     chrome.dll!WebCore::Element::recalcStyle(WebCore::Node::StyleChange change=NoChange)  Line 867 + 0x16 bytes    C++
     chrome.dll!WebCore::Element::recalcStyle(WebCore::Node::StyleChange change=NoChange)  Line 867 + 0x16 bytes    C++
     chrome.dll!WebCore::Document::recalcStyle(WebCore::Node::StyleChange change=NoChange)  Line 1285 + 0x16 bytes    C++
     chrome.dll!WebCore::Document::updateStyleIfNeeded()  Line 1326 + 0x14 bytes    C++
     chrome.dll!WebCore::Document::updateLayout()  Line 1352 + 0x12 bytes    C++
     chrome.dll!WebCore::Document::updateLayoutIgnorePendingStylesheets()  Line 1390    C++
     chrome.dll!WebCore::CSSComputedStyleDeclaration::getPropertyCSSValue(int propertyID=1051, WebCore::EUpdateLayout updateLayout=UpdateLayout)  Line 663    C++
     chrome.dll!WebCore::CSSComputedStyleDeclaration::getPropertyCSSValue(int propertyID=1051)  Line 580 + 0x12 bytes    C++
     chrome.dll!WebCore::CSSComputedStyleDeclaration::getPropertyValue(int propertyID=1051)  Line 1439 + 0x17 bytes    C++
     chrome.dll!WebCore::CSSStyleDeclaration::getPropertyValue(const WebCore::String & propertyName={...})  Line 53 + 0x17 bytes    C++
     chrome.dll!WebCore::CSSStyleDeclarationInternal::getPropertyValueCallback(const v8::Arguments & args={...})  Line 80 + 0x10 bytes    C++
     chrome.dll!v8::internal::Builtin_HandleApiCall(v8::internal::Arguments args={...})  Line 383 + 0x13 bytes    C++
     02e3018b()
     chrome.dll!v8::internal::Invoke(bool construct=false, v8::internal::Handle<v8::internal::JSFunction> func={...}, v8::internal::Handle<v8::internal::Object> receiver={...}, int argc=1, v8::internal::Object * * * args=0x0452e974, bool * has_pending_exception=0x0452e8a3)  Line 103 + 0x19 bytes    C++
     chrome.dll!v8::internal::Execution::Call(v8::internal::Handle<v8::internal::JSFunction> func={...}, v8::internal::Handle<v8::internal::Object> receiver={...}, int argc=1, v8::internal::Object * * * args=0x0452e974, bool * pending_exception=0x0452e8a3)  Line 129 + 0x1f bytes    C++
