[Webkit-unassigned] [Bug 60231] New: REGRESSION(73385): Crash in WebCore::RenderBlock::marginBeforeForChild

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed May 4 17:01:31 PDT 2011 

https://bugs.webkit.org/show_bug.cgi?id=60231

           Summary: REGRESSION(73385): Crash in
                    WebCore::RenderBlock::marginBeforeForChild
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
               URL: http://gossipcenter.com/lindsay-lohan/lindsay-lohan-ha
                    s-she-dodged-her-jail-sentence-502374
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Layout and Rendering
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: jamesr at chromium.org
                CC: hyatt at apple.com, mitz at webkit.org,
                    simon.fraser at apple.com, kerz at chromium.org


Originally reported as http://code.google.com/p/chromium/issues/detail?id=81468

Visit the URL in the bug link, let the page load, the mouse over the picture of Lindsay Lohan, then move your mouse out.  Boom!  Stack:

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000530
Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   com.apple.WebCore                 0x0000000101678fbc WebCore::RenderBlock::marginBeforeForChild(WebCore::RenderBoxModelObject*) const + 44
1   com.apple.WebCore                 0x000000010167f201 WebCore::RenderBlock::addOverflowFromFloats() + 81
2   com.apple.WebCore                 0x000000010167f2fb WebCore::RenderBlock::computeOverflow(int, bool) + 91
3   com.apple.WebCore                 0x0000000101692b09 WebCore::RenderBlock::layoutBlock(bool, int) + 1865
4   com.apple.WebCore                 0x0000000101679a85 WebCore::RenderBlock::layout() + 37
5   com.apple.WebCore                 0x000000010168f00c WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, int&, int&) + 540
6   com.apple.WebCore                 0x0000000101692376 WebCore::RenderBlock::layoutBlockChildren(bool, int&) + 678
7   com.apple.WebCore                 0x00000001016931f2 WebCore::RenderBlock::layoutBlock(bool, int) + 3634
8   com.apple.WebCore                 0x0000000101679a85 WebCore::RenderBlock::layout() + 37
9   com.apple.WebCore                 0x000000010168f00c WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, int&, int&) + 540
10  com.apple.WebCore                 0x0000000101692376 WebCore::RenderBlock::layoutBlockChildren(bool, int&) + 678
11  com.apple.WebCore                 0x00000001016931f2 WebCore::RenderBlock::layoutBlock(bool, int) + 3634
12  com.apple.WebCore                 0x0000000101679a85 WebCore::RenderBlock::layout() + 37
13  com.apple.WebCore                 0x000000010168518d WebCore::RenderBlock::layoutPositionedObjects(bool) + 221
14  com.apple.WebCore                 0x0000000101685607 WebCore::RenderBlock::simplifiedLayout() + 631
15  com.apple.WebCore                 0x0000000101692da8 WebCore::RenderBlock::layoutBlock(bool, int) + 2536
16  com.apple.WebCore                 0x0000000101679a85 WebCore::RenderBlock::layout() + 37
17  com.apple.WebCore                 0x0000000101683d5e WebCore::RenderBlock::simplifiedNormalFlowLayout() + 638
18  com.apple.WebCore                 0x0000000101685614 WebCore::RenderBlock::simplifiedLayout() + 644
19  com.apple.WebCore                 0x0000000101692da8 WebCore::RenderBlock::layoutBlock(bool, int) + 2536
20  com.apple.WebCore                 0x0000000101679a85 WebCore::RenderBlock::layout() + 37
21  com.apple.WebCore                 0x0000000101683d5e WebCore::RenderBlock::simplifiedNormalFlowLayout() + 638
22  com.apple.WebCore                 0x0000000101685614 WebCore::RenderBlock::simplifiedLayout() + 644
23  com.apple.WebCore                 0x0000000101692da8 WebCore::RenderBlock::layoutBlock(bool, int) + 2536
24  com.apple.WebCore                 0x0000000101679a85 WebCore::RenderBlock::layout() + 37
25  com.apple.WebCore                 0x000000010168518d WebCore::RenderBlock::layoutPositionedObjects(bool) + 221
26  com.apple.WebCore                 0x0000000101685607 WebCore::RenderBlock::simplifiedLayout() + 631
27  com.apple.WebCore                 0x0000000101692da8 WebCore::RenderBlock::layoutBlock(bool, int) + 2536
28  com.apple.WebCore                 0x0000000101679a85 WebCore::RenderBlock::layout() + 37
29  com.apple.WebCore                 0x000000010168518d WebCore::RenderBlock::layoutPositionedObjects(bool) + 221
30  com.apple.WebCore                 0x0000000101685607 WebCore::RenderBlock::simplifiedLayout() + 631
31  com.apple.WebCore                 0x0000000101692da8 WebCore::RenderBlock::layoutBlock(bool, int) + 2536
32  com.apple.WebCore                 0x0000000101679a85 WebCore::RenderBlock::layout() + 37
33  com.apple.WebCore                 0x00000001017a86c2 WebCore::RenderView::layout() + 306
34  com.apple.WebCore                 0x0000000100fe63c0 WebCore::FrameView::layout(bool) + 1872
35  com.apple.WebCore                 0x000000010194b576 WebCore::ThreadTimers::sharedTimerFiredInternal() + 150
36  com.apple.WebCore                 0x0000000101826ea5 WebCore::timerFired(__CFRunLoopTimer*, void*) + 53
37  com.apple.CoreFoundation          0x00007fff82b94be8 __CFRunLoopRun + 6488
38  com.apple.CoreFoundation          0x00007fff82b92dbf CFRunLoopRunSpecific + 575
39  com.apple.HIToolbox               0x00007fff81ad17ee RunCurrentEventLoopInMode + 333
40  com.apple.HIToolbox               0x00007fff81ad15f3 ReceiveNextEventCommon + 310
41  com.apple.HIToolbox               0x00007fff81ad14ac BlockUntilNextEventMatchingListInMode + 59
42  com.apple.AppKit                  0x00007fff842f1e64 _DPSNextEvent + 718
43  com.apple.AppKit                  0x00007fff842f17a9 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 155
44  com.apple.Safari                  0x0000000100015ff6 0x100000000 + 90102
45  com.apple.AppKit                  0x00007fff842b748b -[NSApplication run] + 395
46  com.apple.AppKit                  0x00007fff842b01a8 NSApplicationMain + 364
47  com.apple.Safari                  0x0000000100009f18 0x100000000 + 40728


I've partially reduced this down - the culprit seems to be some ad code that causes an add to animate into view on top of the image when the mouse enters, then animates out when the mouse leaves.  The javascript driving this animation is nontrivial and minimized (of course) so I haven't pinned down exactly what is leading up to the crash.  The page (and this ad) seem to work fine in Firefox.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list