[Webkit-unassigned] [Bug 31642] Crash in RenderObject::destroy()

Wed Nov 18 13:46:50 PST 2009

https://bugs.webkit.org/show_bug.cgi?id=31642

James Robinson <jamesr at chromium.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|New Bugs                    |WebCore Misc.

--- Comment #1 from James Robinson <jamesr at chromium.org>  2009-11-18 13:46:50 PST ---
Here's what the top of the stack looks like (from a Chromium build):

>	chrome.dll!WebCore::RenderObject::destroy()  Line 1862 + 0xa bytes	C++
     chrome.dll!WebCore::RenderBoxModelObject::destroy()  Line 76    C++
     chrome.dll!WebCore::RenderBox::destroy()  Line 96    C++
     chrome.dll!WebCore::RenderBlock::destroy()  Line 197    C++
     chrome.dll!WebCore::RenderObjectChildList::destroyLeftoverChildren()  Line
59 + 0x1d bytes    C++
     chrome.dll!WebCore::RenderInline::destroy()  Line 62    C++
     chrome.dll!WebCore::Node::detach()  Line 1256 + 0x1d bytes    C++
     chrome.dll!WebCore::ContainerNode::detach()  Line 591    C++
     chrome.dll!WebCore::Element::detach()  Line 759    C++
     chrome.dll!WebCore::ContainerNode::removeChild(WebCore::Node *
oldChild=0x0ade8b00, int & ec=0)  Line 344 + 0x1d bytes    C++

chrome.dll!WebCore::HTMLParser::handleResidualStyleCloseTagAcrossBlocks(WebCore::HTMLStackElem
* elem=0x09e05ec0)  Line 1225 + 0x2b bytes    C++
     chrome.dll!WebCore::HTMLParser::popBlock(const WebCore::AtomicString &
tagName={...}, bool reportErrors=true)  Line 1408 + 0xc bytes    C++
     chrome.dll!WebCore::HTMLParser::processCloseTag(WebCore::Token *
t=0x0676b420)  Line 994    C++
     chrome.dll!WebCore::HTMLParser::parseToken(WebCore::Token * t=0x0676b420) 
Line 228    C++
     chrome.dll!WebCore::HTMLTokenizer::processToken()  Line 1934 + 0x20 bytes 
  C++
     chrome.dll!WebCore::HTMLTokenizer::parseTag(WebCore::SegmentedString &
src={...}, WebCore::HTMLTokenizer::State state={...})  Line 1506 + 0xf bytes   
C++
     chrome.dll!WebCore::HTMLTokenizer::write(const WebCore::SegmentedString &
str={...}, bool appendData=false)  Line 1757 + 0x1d bytes    C++
     chrome.dll!WebCore::HTMLTokenizer::notifyFinished(WebCore::CachedResource
* __formal=0x06deec80)  Line 2078 + 0x1c bytes    C++
     chrome.dll!WebCore::CachedScript::checkNotify()  Line 105 + 0x13 bytes   
C++

chrome.dll!WebCore::CachedScript::data(WTF::PassRefPtr<WebCore::SharedBuffer>
data={...}, bool allDataReceived=true)  Line 96    C++

chrome.dll!WebCore::Loader::Host::didFinishLoading(WebCore::SubresourceLoader *
loader=0x0536c400)  Line 368    C++
     chrome.dll!WebCore::SubresourceLoader::didFinishLoading()  Line 184 + 0x21
bytes    C++

I kind of suspect that ruby's to blame here - the element on which
ContainerNode::removeChild() is called on has a tag name "ruby" and its
children appear to be somehow corrupt.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.