<html>

    <head>

      <base href="https://bugs.webkit.org/" />

    </head>

    <body><table border="1" cellspacing="0" cellpadding="8">

        <tr>

          <th>Bug ID</th>

          <td><a class="bz_bug_link 

          bz_status_NEW "

   title="NEW - [GTK] Memory corruption causes web process crash in WebCore::createStyleContext"

   href="https://bugs.webkit.org/show_bug.cgi?id=164926">164926</a>

          </td>

        </tr>

        <tr>

          <th>Summary</th>

          <td>[GTK] Memory corruption causes web process crash in WebCore::createStyleContext

          </td>

        </tr>

        <tr>

          <th>Classification</th>

          <td>Unclassified

          </td>

        </tr>

        <tr>

          <th>Product</th>

          <td>WebKit

          </td>

        </tr>

        <tr>

          <th>Version</th>

          <td>WebKit Nightly Build

          </td>

        </tr>

        <tr>

          <th>Hardware</th>

          <td>PC

          </td>

        </tr>

        <tr>

          <th>OS</th>

          <td>Linux

          </td>

        </tr>

        <tr>

          <th>Status</th>

          <td>NEW

          </td>

        </tr>

        <tr>

          <th>Severity</th>

          <td>Normal

          </td>

        </tr>

        <tr>

          <th>Priority</th>

          <td>P2

          </td>

        </tr>

        <tr>

          <th>Component</th>

          <td>WebKit Gtk

          </td>

        </tr>

        <tr>

          <th>Assignee</th>

          <td>webkit-unassigned&#64;lists.webkit.org

          </td>

        </tr>

        <tr>

          <th>Reporter</th>

          <td>mcatanzaro&#64;igalia.com

          </td>

        </tr>

        <tr>

          <th>CC</th>

          <td>bugs-noreply&#64;webkitgtk.org

          </td>

        </tr></table>

      <p>

        <div>

        <pre>Memory corruption causes web process crash in WebCore::createStyleContext. Only one report of this ever, with 2.12.4. Unfortunately I have no valgrind memcheck for this.

Truncated backtrace:

Thread no. 1 (10 frames)

 #6 g_malloc at gmem.c:94

 #7 g_data_set_internal at gdataset.c:464

 #8 g_datalist_id_set_data_full at gdataset.c:670

 #9 g_object_notify_queue_freeze at gobject.c:242

 #10 g_object_init at gobject.c:975

 #11 g_type_create_instance at gtype.c:1869

 #12 g_object_new_internal at gobject.c:1781

 #15 gtk_css_path_node_new at gtkcsspathnode.c:142

 #16 gtk_style_context_init at gtkstylecontext.c:355

 #17 g_type_create_instance at gtype.c:1875

Full backtrace downstream. Importantly:

#3  0x00007f904cc96c13 in malloc_printerr (ar_ptr=0x3, ptr=&lt;optimized out&gt;, str=0x7f904cda3250 &quot;malloc(): smallbin double linked list corrupted&quot;, action=3) at malloc.c:5004

        buf = &quot;000056427ea9ba30&quot;

        cp = &lt;optimized out&gt;

        ar_ptr = 0x3

        ptr = &lt;optimized out&gt;

        str = 0x7f904cda3250 &quot;malloc(): smallbin double linked list corrupted&quot;

        action = 3</pre>

        </div>

      </p>

      <hr>

      <span>You are receiving this mail because:</span>

      <ul>

          <li>You are the assignee for the bug.</li>

      </ul>

    </body>

</html>