[Webkit-unassigned] [Bug 86318] New: Crash null ptr WebKit!WebCore::RenderBox::styleDidChange+0x1f8.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sun May 13 07:26:23 PDT 2012


https://bugs.webkit.org/show_bug.cgi?id=86318

           Summary: Crash null ptr
                    WebKit!WebCore::RenderBox::styleDidChange+0x1f8.
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: CSS
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: netfuzzer at gmail.com


Tested on Safari 5.1.7, Chrome 20.0.1132.3 dev and WebKit Nightly r116595
Windows 7 SP1 x86

Reproduce:
1. Open poc.html.
2. Wait...
3. See the crash.

Stack trace (from WebKit nightly)
=================================
(324.1518): Access violation - code c0000005 (!!! second chance !!!)
eax=7fb10022 ebx=00000000 ecx=7fb07500 edx=7f1f3880 esi=00000000 edi=7faefb4c
eip=59a22f18 esp=0013ea0c ebp=0013ea38 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
WebKit!WebCore::RenderBox::styleDidChange+0x1f8:
59a22f18 8b4670          mov     eax,dword ptr [esi+70h] ds:0023:00000070=????????
0:000> .exr -1
ExceptionAddress: 59a22f18 (WebKit!WebCore::RenderBox::styleDidChange+0x000001f8)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000070
Attempt to read from address 00000070
0:000> .lastevent
Last event: 324.1518: Access violation - code c0000005 (!!! second chance !!!)
  debugger time: Sun May 13 11:18:25.960 2012 (UTC - 3:00)
0:000> k
ChildEBP RetAddr  
0013ea38 59a23db8 WebKit!WebCore::RenderBox::styleDidChange+0x1f8 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderbox.cpp @ 368]
0013ea58 59a245f5 WebKit!WebCore::RenderBlock::styleDidChange+0x18 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderblock.cpp @ 328]
0013ea74 59a1a374 WebKit!WebCore::RenderScrollbarPart::styleDidChange+0x15 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderscrollbarpart.cpp @ 143]
0013ea98 599faba5 WebKit!WebCore::RenderObject::setStyle+0x1f4 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderobject.cpp @ 1782]
0013eacc 599fe788 WebKit!WebCore::RenderScrollbar::updateScrollbarPart+0x1d5 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderscrollbar.cpp @ 284]
0013eb04 59a0352a WebKit!WebCore::RenderScrollbar::updateScrollbarParts+0x18 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderscrollbar.cpp @ 184]
0013eb0c 59a1de5a WebKit!WebCore::RenderScrollbar::styleChanged+0xa [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderscrollbar.cpp @ 109]
0013eb68 59a20bbf WebKit!WebCore::RenderLayer::styleChanged+0x12a [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderlayer.cpp @ 4774]
0013eb80 59a22d42 WebKit!WebCore::RenderBoxModelObject::styleDidChange+0x15f [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderboxmodelobject.cpp @ 450]
0013ebbc 59a23db8 WebKit!WebCore::RenderBox::styleDidChange+0x22 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderbox.cpp @ 353]
0013ebdc 59a1a374 WebKit!WebCore::RenderBlock::styleDidChange+0x18 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderblock.cpp @ 328]
0013ec00 599d4372 WebKit!WebCore::RenderObject::setStyle+0x1f4 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderobject.cpp @ 1782]
0013ec18 59c8620a WebKit!WebCore::RenderObject::setAnimatableStyle+0x42 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderobject.cpp @ 1686]
0013ec28 59b17779 WebKit!WebCore::Node::setRenderStyle+0x1a [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\dom\node.cpp @ 1454]
0013ec58 59b17a14 WebKit!WebCore::Element::recalcStyle+0x2a9 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\dom\element.cpp @ 1133]
0013ec88 59b17a14 WebKit!WebCore::Element::recalcStyle+0x544 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\dom\element.cpp @ 1177]
0013ecb8 59b196cb WebKit!WebCore::Element::recalcStyle+0x544 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\dom\element.cpp @ 1177]
0013ece0 59b19a46 WebKit!WebCore::Document::recalcStyle+0x1cb [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\dom\document.cpp @ 1748]
0013ecf8 59b1c4f3 WebKit!WebCore::Document::styleResolverChanged+0xa6 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\dom\document.cpp @ 3278]
0013ed04 59b1edf9 WebKit!WebCore::Document::removePendingSheet+0x13 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\dom\document.cpp @ 3230]
0013ed0c 59ac1bfc WebKit!WebCore::StyleElement::sheetLoaded+0x29 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\dom\styleelement.cpp @ 200]
0013ed14 59bcdbd1 WebKit!WebCore::HTMLStyleElement::sheetLoaded+0xc [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\html\htmlstyleelement.h @ 73]
0013ed24 59b1edbf WebKit!WebCore::StyleSheetInternal::checkLoaded+0x71 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\css\cssstylesheet.cpp @ 379]
0013ed98 59b20d56 WebKit!WebCore::StyleElement::createSheet+0x2df [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\dom\styleelement.cpp @ 184]
0013eddc 59b2124f WebKit!WebCore::StyleElement::process+0x186 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\dom\styleelement.cpp @ 136]
0013edec 59aad71c WebKit!WebCore::StyleElement::finishParsingChildren+0xf [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\dom\styleelement.cpp @ 107]
0013edf8 59fd843f WebKit!WebCore::HTMLStyleElement::finishParsingChildren+0xc [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\html\htmlstyleelement.cpp @ 96]
0013ee04 59fb5860 WebKit!WebCore::HTMLElementStack::popCommon+0xf [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\html\parser\htmlelementstack.cpp @ 584]
0013ee48 59fb5476 WebKit!WebCore::HTMLTreeBuilder::processEndTag+0x3a0 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\html\parser\htmltreebuilder.cpp @ 2151]
0013ee54 59fb5fb3 WebKit!WebCore::HTMLTreeBuilder::processToken+0x46 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\html\parser\htmltreebuilder.cpp @ 516]
0013ee68 59fb6270 WebKit!WebCore::HTMLTreeBuilder::constructTreeFromAtomicToken+0x23 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\html\parser\htmltreebuilder.cpp @ 477]
0013eea0 59f0e6a9 WebKit!WebCore::HTMLTreeBuilder::constructTreeFromToken+0x30 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\html\parser\htmltreebuilder.cpp @ 461]
0013eee0 59f0ea28 WebKit!WebCore::HTMLDocumentParser::pumpTokenizer+0x119 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\html\parser\htmldocumentparser.cpp @ 278]
0013eef0 59b06b78 WebKit!WebCore::HTMLDocumentParser::append+0xc8 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\html\parser\htmldocumentparser.cpp @ 372]
0013ef3c 59efbb05 WebKit!WebCore::DecodedDataDocumentParser::appendBytes+0x58 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\dom\decodeddatadocumentparser.cpp @ 50]
0013ef54 59c1727e WebKit!WebCore::DocumentWriter::addData+0x55 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\loader\documentwriter.cpp @ 218]
0013efa0 598d3b7c WebKit!WebCore::DocumentLoader::commitData+0xee [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\loader\documentloader.cpp @ 349]
0013efd8 59c17853 WebKit!WebKit::WebFrameLoaderClient::committedLoad+0x2c [c:\cygwin\home\buildbot\slave\win-release\build\source\webkit2\webprocess\webcoresupport\webframeloaderclient.cpp @ 866]
0013eff8 59c178ee WebKit!WebCore::DocumentLoader::commitLoad+0x93 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\loader\documentloader.cpp @ 322]
0013f010 59f32d73 WebKit!WebCore::DocumentLoader::receivedData+0x4e [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\loader\documentloader.cpp @ 360]
0013f02c 59ddfb85 WebKit!WebCore::MainResourceLoader::addData+0x23 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\loader\mainresourceloader.cpp @ 192]
0013f04c 59f33fc8 WebKit!WebCore::ResourceLoader::didReceiveData+0x25 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\loader\resourceloader.cpp @ 276]
0013f168 59ddfa90 WebKit!WebCore::MainResourceLoader::didReceiveData+0x188 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\loader\mainresourceloader.cpp @ 512]
0013f198 59a6c9f3 WebKit!WebCore::ResourceLoader::didReceiveData+0x60 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\loader\resourceloader.cpp @ 430]
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Safari\Apple Application Support\CFNetwork.dll - 
0013f1bc 5e706581 WebKit!WebCore::didReceiveData+0x43 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\platform\network\cf\resourcehandlecfnet.cpp @ 265]
WARNING: Stack unwind information not available. Following frames may be wrong.
0013f2d8 5e708f20 CFNetwork!CFReadStreamCreateWithFormArray+0x6671
0013f464 5e7026e2 CFNetwork!CFReadStreamCreateWithFormArray+0x9010
0013f4d4 5e7038e4 CFNetwork!CFReadStreamCreateWithFormArray+0x27d2
0013f4f8 75cbc4e7 CFNetwork!CFReadStreamCreateWithFormArray+0x39d4
0013f524 75cbc5e7 USER32!InternalCallWinProc+0x23
0013f59c 75cbcc19 USER32!UserCallWinProcCheckWow+0x14b
0013f5fc 75cbcc70 USER32!DispatchMessageWorker+0x35e
0013f60c 5994f231 USER32!DispatchMessageW+0xf
0013f640 598efe0e WebKit!WebCore::RunLoop::run+0x41 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\platform\win\runloopwin.cpp @ 76]
0013f654 598c5ff6 WebKit!WebKit::WebProcessMain+0xde [c:\cygwin\home\buildbot\slave\win-release\build\source\webkit2\webprocess\win\webprocessmainwin.cpp @ 84]
0013f674 598c609c WebKit!WebKitMain+0x116 [c:\cygwin\home\buildbot\slave\win-release\build\source\webkit2\webprocess\webkitmain.cpp @ 59]
0013f6a0 00da1098 WebKit!WebKitMain+0x9c [c:\cygwin\home\buildbot\slave\win-release\build\source\webkit2\webprocess\webkitmain.cpp @ 187]
0013f8d0 00da1258 WebKit2WebProcess!wWinMain+0x98 [c:\cygwin\home\buildbot\slave\win-release\build\source\webkit2\win\mainwin.cpp @ 67]
0013f964 7611ed6c WebKit2WebProcess!__tmainCRTStartup+0x150 [f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 589]
0013f970 7772377b kernel32!BaseThreadInitThunk+0xe
0013f9b0 7772374e ntdll!__RtlUserThreadStart+0x70
0013f9c8 00000000 ntdll!_RtlUserThreadStart+0x1b
0:000> dv /v
@ecx            this = 0x7fb07500
0013ea40            diff = StyleDifferenceLayout (0n7)
0013ea44        oldStyle = 0x7fb2ae40
0013ea47  isBodyRenderer = true
0013ea34        newStyle = 0x7fb1c280
0013ea43  isRootRenderer = false
0013ea40            left = 0n7
0013ea40             top = 0n7
0013ea2c    viewRenderer = 0x00000a00
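
The following triage script is an added example and is not part of the report or of WebKit. It takes the `.exr -1` block and the top of the `k` output above (copied in as sample input), classifies the access violation by fault kind and faulting address, and derives a crash bucket from the first in-module frames. The 64 KiB near-null threshold and the Parameter[0] meanings (0 read, 1 write, 8 execute) are the standard Windows conventions; the function and key names are the script's own.

```python
import re

# Constructed sample input: the `.exr -1` block and the first three frames of
# the `k` output from the WinDbg session in this report, copied verbatim.
EXR = """\
ExceptionAddress: 59a22f18 (WebKit!WebCore::RenderBox::styleDidChange+0x000001f8)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000070
Attempt to read from address 00000070
"""

STACK = r"""ChildEBP RetAddr
0013ea38 59a23db8 WebKit!WebCore::RenderBox::styleDidChange+0x1f8 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderbox.cpp @ 368]
0013ea58 59a245f5 WebKit!WebCore::RenderBlock::styleDidChange+0x18 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderblock.cpp @ 328]
0013ea74 59a1a374 WebKit!WebCore::RenderScrollbarPart::styleDidChange+0x15 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderscrollbarpart.cpp @ 143]
"""

# Parameter[0] of an EXCEPTION_ACCESS_VIOLATION record: 0 = read, 1 = write, 8 = DEP (execute).
ACCESS_KIND = {0: "read", 1: "write", 8: "execute"}

# One `k` frame: ChildEBP RetAddr module!symbol[+0xoff] [file @ line]
FRAME_RE = re.compile(
    r"^(?P<ebp>[0-9a-f]{8}) (?P<ret>[0-9a-f]{8}) "
    r"(?P<module>[^!\s]+)!(?P<symbol>\S+?)(?:\+0x(?P<off>[0-9a-f]+))?"
    r"(?: \[(?P<file>.+?) @ (?P<line>\d+)\])?\s*$"
)


def parse_exr(text):
    """Pull exception code, access kind and faulting address out of `.exr -1` output."""
    code = int(re.search(r"ExceptionCode:\s*([0-9a-f]+)", text).group(1), 16)
    params = [int(p, 16) for p in re.findall(r"Parameter\[\d+\]:\s*([0-9a-f]+)", text)]
    where = re.search(r"ExceptionAddress:\s*([0-9a-f]+)\s*\((.+?)\)", text)
    return {
        "code": code,
        "pc": int(where.group(1), 16),
        "pc_symbol": where.group(2),
        "access": ACCESS_KIND.get(params[0], "unknown") if params else "unknown",
        "address": params[1] if len(params) > 1 else None,
    }


def classify(exr, near_null_limit=0x10000):
    """Coarse exploitability bucket for an access violation.

    Windows keeps the bottom 64 KiB of a user-mode address space unmapped, so a
    fault below that limit is a NULL (or near-NULL) pointer dereference: a crash,
    not memory corruption, unless the attacker can get that page mapped. Anything
    above it, and any write or execute fault, needs a closer look.
    """
    if exr["code"] != 0xC0000005:
        return "not-av"
    base = "near-null" if exr["address"] < near_null_limit else "wild"
    return "%s-%s" % (base, exr["access"])


def parse_stack(text):
    """Turn `k` output into frame dicts; header, WARNING and ERROR lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue
        frames.append({
            "module": m.group("module"),
            "symbol": m.group("symbol"),
            "offset": int(m.group("off"), 16) if m.group("off") else 0,
            "file": m.group("file"),
            "line": int(m.group("line")) if m.group("line") else None,
        })
    return frames


def crash_bucket(frames, depth=3, module="WebKit"):
    """Dedup key: the top `depth` symbols inside the module of interest, offsets
    dropped, so fuzzer crashes at different instructions in one call chain collate."""
    own = [f["symbol"] for f in frames if f["module"] == module]
    return "|".join(own[:depth])


def triage(exr_text, stack_text):
    """Summarise one crash: fault class, faulting address, top frame and bucket."""
    exr = parse_exr(exr_text)
    frames = parse_stack(stack_text)
    top = frames[0] if frames else None
    return {
        "kind": classify(exr),
        "address": exr["address"],
        "top": "%s (%s:%s)" % (top["symbol"], top["file"], top["line"]) if top else None,
        "bucket": crash_bucket(frames),
    }


if __name__ == "__main__":
    for key, value in triage(EXR, STACK).items():
        print("%-8s %s" % (key, value))
```

On this report the script classifies the fault as a near-null read (address 0x70, matching the `mov eax,[esi+70h]` with esi = 0) and buckets it under RenderBox::styleDidChange / RenderBlock::styleDidChange / RenderScrollbarPart::styleDidChange, which is the key a fuzzing pipeline would use to collapse duplicates of this crash before filing.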
