[Webkit-unassigned] [Bug 46224] New: Reproducible Crash when Inspector Open in CSSStyleSelector::loadPendingImages()

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Sep 21 15:27:50 PDT 2010 

https://bugs.webkit.org/show_bug.cgi?id=46224

           Summary: Reproducible Crash when Inspector Open in
                    CSSStyleSelector::loadPendingImages()
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Macintosh Intel
               URL: http://www.weather.com/weather/map/44118
        OS/Version: Mac OS X 10.6
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: CSS
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: possessedpenguinbob at gmail.com


Steps for reproduction:

1) Navigate to http://www.weather.com/weather/map/44118   --  (the US Zip Code at the end doesn't matter, it can be any valid zip)

2) Show Web Inspector

3) Change the Selector Box below the main weather image to something else, other than "Select Another Map."  Crash will ensue.

Stack Trace from the r67838 Nightly:

Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   com.apple.WebCore                 0x0000000100d929b6 WebCore::CSSStyleSelector::loadPendingImages() + 150
1   com.apple.WebCore                 0x0000000100d952b6 WebCore::CSSStyleSelector::styleForElement(WebCore::Element*, WebCore::RenderStyle*, bool, bool, bool) + 1414
2   com.apple.WebCore                 0x00000001014b9f72 WebCore::Node::styleForRenderer() + 82
3   com.apple.WebCore                 0x00000001014bbf8f WebCore::Node::createRendererIfNeeded() + 143
4   com.apple.WebCore                 0x0000000100ec3940 WebCore::Element::attach() + 32
5   com.apple.WebCore                 0x0000000100fbfc41 WebCore::HTMLLIElement::attach() + 17
6   com.apple.WebCore                 0x0000000100f893a2 WTF::PassRefPtr<WebCore::Element> WebCore::HTMLConstructionSite::attach<WebCore::Element>(WebCore::ContainerNode*, WTF::PassRefPtr<WebCore::Element>) + 178
7   com.apple.WebCore                 0x0000000100f8853b WebCore::HTMLConstructionSite::attachToCurrent(WTF::PassRefPtr<WebCore::Element>) + 43
8   com.apple.WebCore                 0x0000000100f888cb WebCore::HTMLConstructionSite::insertHTMLElement(WebCore::AtomicHTMLToken&) + 59
9   com.apple.WebCore                 0x0000000100ffe5c8 WebCore::HTMLTreeBuilder::processStartTagForInBody(WebCore::AtomicHTMLToken&) + 776
10  com.apple.WebCore                 0x0000000100fff99e WebCore::HTMLTreeBuilder::processStartTag(WebCore::AtomicHTMLToken&) + 910
11  com.apple.WebCore                 0x0000000101003fc1 WebCore::HTMLTreeBuilder::constructTreeFromAtomicToken(WebCore::AtomicHTMLToken&) + 17
12  com.apple.WebCore                 0x0000000101004045 WebCore::HTMLTreeBuilder::constructTreeFromToken(WebCore::HTMLToken&) + 37
13  com.apple.WebCore                 0x0000000100f8dd14 WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) + 132
14  com.apple.WebCore                 0x0000000100f8f0aa WebCore::HTMLDocumentParser::append(WebCore::SegmentedString const&) + 138
15  com.apple.WebCore                 0x0000000100dbb1e7 WebCore::DecodedDataDocumentParser::appendBytes(WebCore::DocumentWriter*, char const*, int, bool) + 471
16  com.apple.WebCore                 0x0000000100debe34 WebCore::DocumentLoader::commitData(char const*, int) + 132
17  com.apple.WebKit                  0x0000000100a3044d -[WebHTMLRepresentation receivedData:withDataSource:] + 493
18  com.apple.WebKit                  0x0000000100a0110b -[WebDataSource(WebInternal) _receivedData:] + 75
19  com.apple.WebKit                  0x0000000100a1b62f WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, char const*, int) + 111
20  com.apple.WebCore                 0x0000000100de9a26 WebCore::DocumentLoader::commitLoad(char const*, int) + 150
--------------------------------------

Reproducible in a release build of r67988, though the stack trace is a little different. So I took a look in the code and discovered the issue.

In WebCore::CSSStyleSelector::loadPendingImages():

...
case CSSPropertyBackgroundImage: {
                for (FillLayer* backgroundLayer = m_style->accessBackgroundLayers(); backgroundLayer; backgroundLayer = backgroundLayer->next()) {
                    if (backgroundLayer->image() && backgroundLayer->image()->isPendingImage()) {
                        CSSImageValue* imageValue = static_cast<StylePendingImage*>(backgroundLayer->image())->cssImageValue();
 -->backgroundLayer->setImage(imageValue->cachedImage(cachedResourceLoader));
                    }
                }
                break;
            } 
...

As it is running through, at the point just before it crashes m_style becomes null after the arrowed statement is executed.

resulting in the crash when m_style is dereferenced at the arrow in WebCore::CSSStyleSelector::styleForElement:

...
    adjustRenderStyle(style(), e);

    // Start loading images referenced by this style.
    loadPendingImages();

    // If we have first-letter pseudo style, do not share this style
-->if (m_style->hasPseudoStyle(FIRST_LETTER))
        m_style->setUnique();
...


At first I thought it was just a loop running an extra iteration when it shouldn't, but now I am unsure. So I'll sit back and let the experts fix it.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list