Comment #4 on issue 28699 by [email protected]: Crash on mouse movement on sunrise.ch
http://code.google.com/p/chromium/issues/detail?id=28699
Tested with latest 4.0.285.0 (35335).
I consistently get the same crash, with a different stack than reported above:
Id: WebCore::RenderButton::styleDidChange rea...@null (6739b7fe455ecb54a6812c0866c3b47c)
Description: Attempt to read from NULL pointer (+0x144) in WebCore::RenderButton::styleDidChange
-- Stack
--------------------------------------------------------------------------------------
WebCore::RenderButton::styleDidChange
WebCore::RenderObject::setStyle
WebCore::RenderObject::setAnimatableStyle
WebCore::Node::setRenderStyle
WebCore::Element::recalcStyle
WebCore::HTMLFormControlElement::recalcStyle
WebCore::Element::recalcStyle
WebCore::Element::recalcStyle
WebCore::Element::recalcStyle
WebCore::Element::recalcStyle
WebCore::Element::recalcStyle
WebCore::Element::recalcStyle
WebCore::Element::recalcStyle
WebCore::Element::recalcStyle
WebCore::Element::recalcStyle
WebCore::Element::recalcStyle
WebCore::Element::recalcStyle
WebCore::Element::recalcStyle
WebCore::Element::recalcStyle
WebCore::Document::recalcStyle
WebCore::Document::updateStyleIfNeeded
WebCore::Document::prepareMouseEvent
WebCore::EventHandler::prepareMouseEvent
WebCore::EventHandler::handleMouseMoveEvent
WebCore::EventHandler::mouseMoved
WebKit::WebViewImpl::mouseMove
WebKit::WebViewImpl::handleInputEvent
RenderWidget::OnHandleInputEvent
IPC::Message::Dispatch<...>
RenderWidget::OnMessageReceived
RenderView::OnMessageReceived
MessageRouter::RouteMessage
MessageRouter::OnMessageReceived
ChildThread::OnMessageReceived
RunnableMethod<...><...><...><...><...><...><...><...><...><...><...><...><...><...><...><...><...><...>::Run
MessageLoop::RunTask
MessageLoop::DoWork
base::MessagePumpDefault::Run
MessageLoop::RunInternal
MessageLoop::Run
RendererMain
-- Event details
--------------------------------------------------------------------------------------
Processes
0 id: 15a4 create name: chrome.exe
. 1 id: 1524 child name: chrome.exe
Current process:
0n5412 chrome.exe
Session: 1 User: GOOGLE\skylined
Command Line: "g:\chromium-latest\chrome.exe" --type=renderer --lang=en-US --force-fieldtest=DnsImpact/_max_2s_queue_prefetch/GlobalSdch/_global_disable_sdch/SocketLateBinding/_enable_late_binding/ --channel=5540.043D1A00.1236609449
Threads
. 12 Id: 1524.14f8 Suspend: 1 Teb: 7efdb000 Unfrozen "Main Thread"
13 Id: 1524.11f0 Suspend: 1 Teb: 7efd8000 Unfrozen "Chrome_ChildIOThread"
14 Id: 1524.151c Suspend: 1 Teb: 7efd5000 Unfrozen
16 Id: 1524.c68 Suspend: 1 Teb: 7ef4a000 Unfrozen
ExceptionAddress 000000006851b206 (chrome_67f10000!WebCore::RenderButton::styleDidChange+0x0000000000000036)
ExceptionCode c0000005 (Access violation)
ExceptionFlags 00000000
NumberParameters 2
Parameter[0] 0000000000000000
Parameter[1] 0000000000000144
Attempt to read from address 0000000000000144
-- Relevant source code
---------------------------------------------------------------------
void RenderButton::styleDidChange(StyleDifference diff, const RenderStyle* oldStyle)
{
    RenderBlock::styleDidChange(diff, oldStyle);

    if (m_buttonText)
        m_buttonText->setStyle(style());
    if (m_inner) // RenderBlock handled updating the anonymous block's style.
        setupInnerStyle(m_inner->style());

    setReplaced(isInline());
    if (!m_default && theme()->isDefault(this)) {
        if (!m_timer)
            m_timer.set(new Timer<RenderButton>(this, &RenderButton::timerFired));
        m_timer->startRepeating(0.03);
        m_default = true;
    } else if (m_default && !theme()->isDefault(this)) {
        m_default = false;
        m_timer.clear();
    }
}
-- Relevant locals
----------------------------------------------------------------------------
class WebCore::RenderButton * this (size: 4, address: 0x5d5ce00, @ecx)
Structure class WebCore::RenderButton *
+0x000 __VFN_table : (null)
+0x004 m_style : WTF::RefPtr<WebCore::RenderStyle>
    +0x000 m_ptr : 0x05d70ba0
+0x008 m_node : 0x028bc800
+0x00c m_parent : (null)
+0x010 m_previous : (null)
+0x014 m_next : (null)
+0x018 m_needsLayout : 0y1
+0x018 m_needsPositionedMovementLayout : 0y0
+0x018 m_normalChildNeedsLayout : 0y0
+0x018 m_posChildNeedsLayout : 0y0
+0x018 m_prefWidthsDirty : 0y1
+0x018 m_floating : 0y0
+0x018 m_positioned : 0y0
+0x018 m_relPositioned : 0y0
+0x019 m_paintBackground : 0y0
+0x019 m_isAnonymous : 0y1
+0x019 m_isText : 0y1
+0x019 m_isBox : 0y0
+0x019 m_inline : 0y1
+0x019 m_replaced : 0y0
+0x019 m_isDragging : 0y0
+0x019 m_hasLayer : 0y0
+0x01a m_hasOverflowClip : 0y0
+0x01a m_hasTransform : 0y0
+0x01a m_hasReflection : 0y0
+0x01a m_hasOverrideSize : 0y0
+0x01a m_hasCounterNodeMap : 0y0
+0x01a m_everHadLayout : 0y0
+0x01a m_childrenInline : 0y0
+0x01a m_topMarginQuirk : 0y0
+0x01b m_bottomMarginQuirk : 0y0
+0x01b m_hasMarkupTruncation : 0y0
+0x01c m_selectionState : 0y000
+0x020 m_hasColumns : 0y0
+0x020 m_cellWidthChanged : 0y0
=68f358a4 WebCore::RenderObject::s_affectsParentBlock : 0
+0x024 m_layer : 0xffffffff
=68f361d0 WebCore::RenderBoxModelObject::s_wasFloating : 0
=68f361d1 WebCore::RenderBoxModelObject::s_hadLayer : 0
=68f361d2 WebCore::RenderBoxModelObject::s_layerWasSelfPainting : 1
+0x028 m_frameRect : WebCore::IntRect
    +0x000 m_location : WebCore::IntPoint
        +0x000 m_x : 97985088
        +0x004 m_y : 0
    +0x008 m_size : WebCore::IntSize
        +0x000 m_width : 0
        +0x004 m_height : -1
+0x038 m_marginLeft : 0
+0x03c m_marginRight : 0
+0x040 m_marginTop : 128
+0x044 m_marginBottom : 0
+0x048 m_minPrefWidth : 8
+0x04c m_maxPrefWidth : 97985088
+0x050 m_inlineBoxWrapper : (null)
+0x054 m_overflow : WTF::OwnPtr<WebCore::RenderOverflow>
    +0x000 m_ptr : 0x68c5dc28
=68f360d4 WebCore::RenderBox::s_hadOverflowClip : 0
+0x058 m_floatingObjects : 0x05fd87e0
+0x05c m_positionedObjects : 0x028bc800
+0x060 m_inlineContinuation : 0x05d5cd70
+0x064 m_maxMargin : (null)
+0x068 m_children : WebCore::RenderObjectChildList
    +0x000 m_firstChild : (null)
    +0x004 m_lastChild : 0x00680a15
+0x070 m_lineBoxes : WebCore::RenderLineBoxList
    +0x000 m_firstLineBox : (null)
    +0x004 m_lastLineBox : (null)
+0x078 m_lineHeight : 0
+0x07c m_flexingChildren : 0y0
+0x07c m_stretchingChildren : 0y0
+0x080 m_buttonText : 0x00000002
+0x084 m_inner : 0x000000d8
+0x088 m_timer : WTF::OwnPtr<WebCore::Timer<WebCore::RenderButton> >
    +0x000 m_ptr : 0x00000010
+0x08c m_default : 0
"m_buttonText" is not a valid pointer, but it's also not NULL as one would expect if it wasn't set at all...
This seems to be a WebKit problem, caused by style computation on hover going bad on an "input type=submit" button without text, but that is a guess based on the page in question.
I've saved the website to a local file and that crashes Chrome instantly without a mouse move. I'll run it through my fuzz framework to try and reduce it to a more manageable size and hopefully find the root cause.
Attached is some information I grabbed about the crash from a debugger.
Attachments:
WebCore..RenderButton..styleDidChange rea...@null (6739b7fe455ecb54a6812c0866c3b47c).html 1.4 MB
--
Automated mail from issue updates at http://crbug.com/
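The following triage helper is an added example, not part of the bug report or of Chromium/WebKit. It parses a structure dump in the same "+0xOFF name : value" layout as the "Relevant locals" section and flags pointer values that cannot be valid 32-bit Windows user-mode addresses, which is the observation made about m_buttonText: 0x00000002 is not NULL, yet it is not a mappable address either, and the same holds for m_inner (0xd8) and m_timer's m_ptr (0x10). It also maps a faulting address that lies in the null page back to a field offset: 0x144 is larger than any RenderButton field in the dump (the last one is at +0x08c) and `this` itself is 0x5d5ce00, so the NULL base pointer behind the read at 0x144 is consistent with some other object dereferenced inside styleDidChange rather than with `this`. The sample dump is a constructed subset of the fields above; the address-range constants assume a 32-bit process that is not large-address-aware.

```python
"""Crash-dump triage: classify pointer-typed fields from a WinDbg-style
structure dump and relate a null-page fault address to a field offset.
Added example; the dump format follows the "Relevant locals" section."""
import re
from typing import List, Optional, Tuple

# Constructed sample: a subset of the RenderButton fields from the report,
# kept in the original "+0xOFF name : value" layout (one nesting level).
SAMPLE_DUMP = """\
+0x000 __VFN_table : (null)
+0x004 m_style : WTF::RefPtr<WebCore::RenderStyle>
+0x000 m_ptr : 0x05d70ba0
+0x008 m_node : 0x028bc800
+0x00c m_parent : (null)
+0x018 m_needsLayout : 0y1
+0x024 m_layer : 0xffffffff
+0x080 m_buttonText : 0x00000002
+0x084 m_inner : 0x000000d8
+0x088 m_timer : WTF::OwnPtr<WebCore::Timer<WebCore::RenderButton> >
+0x000 m_ptr : 0x00000010
+0x08c m_default : 0
"""

FIELD_RE = re.compile(r"^\+0x([0-9a-fA-F]+)\s+(\S+)\s+:\s*(.*)$")
HEX32_RE = re.compile(r"^0x([0-9a-fA-F]{1,8})$")

# Assumption: 32-bit Windows user-mode layout, as for the chrome.exe in the
# dump. The lowest 64 KiB is never mapped (so a fault there is a NULL-plus-
# offset dereference) and 0x80000000 and up is kernel space unless the
# process is large-address-aware.
NULL_PAGE_LIMIT = 0x10000
USER_MODE_LIMIT = 0x80000000

Field = Tuple[str, int, str]  # (dotted name, offset within its struct, raw value)


def is_scalar(value: str) -> bool:
    """(null), 0x... pointers, 0y... bitfields and decimal integers are leaf
    values; anything else (a type name) introduces a nested struct."""
    return (value == "(null)" or bool(HEX32_RE.match(value))
            or value.startswith("0y") or re.fullmatch(r"-?\d+", value) is not None)


def parse_dump(text: str) -> List[Field]:
    """Return the leaf fields of the dump. Members of a nested struct follow
    its line with offsets restarting at +0x000; they are prefixed with the
    container name. Only one nesting level is tracked."""
    fields: List[Field] = []
    parent: Optional[str] = None
    parent_offset = -1
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue
        offset, name, value = int(m.group(1), 16), m.group(2), m.group(3).strip()
        if parent is not None and offset > parent_offset:
            parent = None  # offsets moved past the container: back at top level
        full_name = f"{parent}.{name}" if parent else name
        if not is_scalar(value):
            parent, parent_offset = full_name, offset
            continue
        fields.append((full_name, offset, value))
    return fields


def classify_pointer(value: str) -> str:
    """Judge whether a raw field value could be a live user-mode pointer."""
    if value == "(null)":
        return "null"
    m = HEX32_RE.match(value)
    if not m:
        return "non-pointer"
    v = int(m.group(1), 16)
    if v == 0:
        return "null"
    if v < NULL_PAGE_LIMIT:
        return "suspicious: small non-NULL value, not a mappable address"
    if v == 0xFFFFFFFF:
        return "suspicious: all-ones"
    if v >= USER_MODE_LIMIT:
        return "suspicious: outside 32-bit user-mode range"
    return "plausible"


def suspicious_fields(text: str) -> List[Tuple[str, str, str]]:
    """(name, value, verdict) for every field whose value looks like a
    pointer but cannot point at valid user-mode memory."""
    return [(name, value, classify_pointer(value))
            for name, _, value in parse_dump(text)
            if classify_pointer(value).startswith("suspicious")]


def fault_to_field(fault_address: int, fields: List[Field]) -> Optional[str]:
    """If the faulting address is in the null page, read it as an offset from
    a NULL object pointer and name the top-level field at that offset, if the
    dumped struct has one. None means the NULL base is not this struct."""
    if not 0 <= fault_address < NULL_PAGE_LIMIT:
        return None
    for name, offset, _ in fields:
        if offset == fault_address and "." not in name:
            return name
    return None


if __name__ == "__main__":
    parsed = parse_dump(SAMPLE_DUMP)
    for name, value, verdict in suspicious_fields(SAMPLE_DUMP):
        print(f"{name:<16} {value:<12} {verdict}")
    print("field at +0x144 of a NULL RenderButton:", fault_to_field(0x144, parsed))
```

Run stand-alone, the script lists m_layer, m_buttonText, m_inner and m_timer.m_ptr as implausible pointers and reports that no RenderButton field sits at +0x144, which is the reason the faulting read cannot be explained as a field of a NULL `this`.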