[Webkit-unassigned] [Bug 99141] New: Crash in RenderBlock::addChildIgnoringAnonymousColumnBlocks

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Oct 11 23:02:08 PDT 2012 

https://bugs.webkit.org/show_bug.cgi?id=99141

           Summary: Crash in
                    RenderBlock::addChildIgnoringAnonymousColumnBlocks
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: NEW
          Keywords: HasReduction
          Severity: Normal
          Priority: P1
         Component: Layout and Rendering
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: esprehn at chromium.org
                CC: eric at webkit.org, inferno at chromium.org


This crash was found by the fuzzer as a use-after-free with the new generated content but it turns out it's actually in Canary and doesn't seem to have anything to do with generated content.

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000018

0   com.apple.WebCore                 0x0000000102eea273 WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks(WebCore::RenderObject*, WebCore::RenderObject*) + 99
1   com.apple.WebCore                 0x0000000102f81285 WebCore::RenderListItem::updateMarkerLocation() + 261
2   com.apple.WebCore                 0x0000000102f814e1 WebCore::RenderListItem::layout() + 17
3   com.apple.WebCore                 0x0000000102ef2c98 WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&) + 840
4   com.apple.WebCore                 0x0000000102eedd4a WebCore::RenderBlock::layoutBlockChildren(bool, WebCore::FractionalLayoutUnit&) + 586
5   com.apple.WebCore                 0x0000000102eec604 WebCore::RenderBlock::layoutBlock(bool, WebCore::FractionalLayoutUnit) + 1044
6   com.apple.WebCore                 0x0000000102eebbf0 WebCore::RenderBlock::layout() + 64
7   com.apple.WebCore                 0x0000000102ef2c98 WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&) + 840
8   com.apple.WebCore                 0x0000000102eedd4a WebCore::RenderBlock::layoutBlockChildren(bool, WebCore::FractionalLayoutUnit&) + 586
9   com.apple.WebCore                 0x0000000102eec604 WebCore::RenderBlock::layoutBlock(bool, WebCore::FractionalLayoutUnit) + 1044
10  com.apple.WebCore                 0x0000000102eebbf0 WebCore::RenderBlock::layout() + 64
11  com.apple.WebCore                 0x000000010302b605 WebCore::RenderView::layout() + 773
12  com.apple.WebCore                 0x00000001029387b5 WebCore::FrameView::layout(bool) + 1733
13  com.apple.WebCore                 0x0000000102770032 WebCore::Document::implicitClose() + 738
14  com.apple.WebCore                 0x000000010291cf41 WebCore::FrameLoader::checkCompleted() + 337
15  com.apple.WebCore                 0x000000010291bfef WebCore::FrameLoader::finishedParsing() + 95
16  com.apple.WebCore                 0x00000001027778f3 WebCore::Document::finishedParsing() + 339
17  com.apple.WebCore                 0x00000001029a158e WebCore::HTMLDocumentParser::prepareToStopParsing() + 158
18  com.apple.WebCore                 0x000000010279359d WebCore::DocumentWriter::end() + 61

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list