Issue 85425: Crash inside WebCore::CSSStyleSelector::checkSelector
2 people starred this issue and may be notified of changes.
Project Member Reported by thestig@chromium.org, Jun 8, 2011
Product, Version: Chrome, 12.0.742.91
ptype: renderer
http://crash/reportdetail?reportid=09e72fb7adcb785d

Thread 0 *CRASHED* ( EXCEPTION_ACCESS_VIOLATION_READ @ 0x10443b0c )
0x01d0db60 	[chrome.dll 	- cssstyleselector.cpp:2068] 	WebCore::selectorTagMatches
0x01d0dbb1 	[chrome.dll 	- cssstyleselector.cpp:2147] 	WebCore::CSSStyleSelector::SelectorChecker::fastCheckSelector(WebCore::CSSSelector const *,WebCore::Element const *)
0x01d0db04 	[chrome.dll 	- cssstyleselector.cpp:2054] 	WebCore::CSSStyleSelector::checkSelector(WebCore::RuleData const &)
0x01d0b230 	[chrome.dll 	- cssstyleselector.cpp:762] 	WebCore::CSSStyleSelector::matchRulesForList(WTF::Vector<WebCore::RuleData,0> const *,int &,int &,bool)
0x01d0afc5 	[chrome.dll 	- cssstyleselector.cpp:703] 	WebCore::CSSStyleSelector::matchRules(WebCore::RuleSet *,int &,int &,bool)
0x01d0c677 	[chrome.dll 	- cssstyleselector.cpp:1427] 	WebCore::CSSStyleSelector::styleForElement(WebCore::Element *,WebCore::RenderStyle *,bool,bool,bool)
0x01ccd795 	[chrome.dll 	- node.cpp:1550] 	WebCore::Node::styleForRenderer()
0x01ccd623 	[chrome.dll 	- node.cpp:1490] 	WebCore::Node::createRendererAndStyle()
0x01ccd731 	[chrome.dll 	- node.cpp:1528] 	WebCore::Node::createRendererIfNeeded()
0x01ce29a1 	[chrome.dll 	- element.cpp:985] 	WebCore::Element::attach()
0x01f89d4c 	[chrome.dll 	- htmlformcontrolelement.cpp:162] 	WebCore::HTMLFormControlElement::attach()
0x01f873b0 	[chrome.dll 	- htmlinputelement.cpp:695] 	WebCore::HTMLInputElement::attach()
0x01fc8e06 	[chrome.dll 	- htmlconstructionsite.cpp:112] 	WebCore::HTMLConstructionSite::attach<WebCore::Comment>(WebCore::ContainerNode *,WTF::PassRefPtr<WebCore::Comment>)
0x01fc8622 	[chrome.dll 	- htmlconstructionsite.cpp:264] 	WebCore::HTMLConstructionSite::attachToCurrent(WTF::PassRefPtr<WebCore::Element>)
0x01fc8784 	[chrome.dll 	- htmlconstructionsite.cpp:300] 	WebCore::HTMLConstructionSite::insertSelfClosingHTMLElement(WebCore::AtomicHTMLToken &)
0x01fbd8a5 	[chrome.dll 	- htmltreebuilder.cpp:897] 	WebCore::HTMLTreeBuilder::processStartTagForInBody(WebCore::AtomicHTMLToken &)
0x01fbe0e0 	[chrome.dll 	- htmltreebuilder.cpp:1210] 	WebCore::HTMLTreeBuilder::processStartTag(WebCore::AtomicHTMLToken &)
0x01fbcc8f 	[chrome.dll 	- htmltreebuilder.cpp:461] 	WebCore::HTMLTreeBuilder::processToken(WebCore::AtomicHTMLToken &)
0x01fbcbe4 	[chrome.dll 	- htmltreebuilder.cpp:442] 	WebCore::HTMLTreeBuilder::constructTreeFromAtomicToken(WebCore::AtomicHTMLToken &)
0x01f91877 	[chrome.dll 	- htmldocumentparser.cpp:276] 	WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode)
0x01f9161f 	[chrome.dll 	- htmldocumentparser.cpp:175] 	WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode)
0x01f91ce6 	[chrome.dll 	- htmldocumentparser.cpp:524] 	WebCore::HTMLDocumentParser::notifyFinished(WebCore::CachedResource *)
0x01cc067e 	[chrome.dll 	- cachedresource.cpp:144] 	WebCore::CachedResource::checkNotify()
0x01dc7666 	[chrome.dll 	- cachedscript.cpp:104] 	WebCore::CachedScript::data(WTF::PassRefPtr<WebCore::SharedBuffer>,bool)
0x01dc7034 	[chrome.dll 	- cachedresourcerequest.cpp:165] 	WebCore::CachedResourceRequest::didFinishLoading(WebCore::SubresourceLoader *,double)
0x01e02e5a 	[chrome.dll 	- subresourceloader.cpp:192] 	WebCore::SubresourceLoader::didFinishLoading(double)
0x01dc506f 	[chrome.dll 	- resourceloader.cpp:436] 	WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle *,double)
0x01fd95c1 	[chrome.dll 	- resourcehandle.cpp:188] 	WebCore::ResourceHandleInternal::didFinishLoading(WebKit::WebURLLoader *,double)
0x02565d15 	[chrome.dll 	- weburlloader_impl.cc:663] 	webkit_glue::WebURLLoaderImpl::Context::OnCompletedRequest(net::URLRequestStatus const &,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,base::Time const &)
0x02014aa6 	[chrome.dll 	- resource_dispatcher.cc:435] 	ResourceDispatcher::OnRequestComplete(int,net::URLRequestStatus const &,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,base::Time const &)
0x02015ae0 	[chrome.dll 	- ipc_message_utils.h:961] 	IPC::MessageWithTuple<Tuple4<int,net::URLRequestStatus,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,base::Time> >::Dispatch<ResourceDispatcher,ResourceDispatcher,void ( ResourceDispatcher::*)(int,net::URLRequestStatus const &,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,base::Time const &)>(IPC::Message const *,ResourceDispatcher *,ResourceDispatcher *,void ( ResourceDispatcher::*)(int,net::URLRequestStatus const &,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,base::Time const &))
0x02014d74 	[chrome.dll 	- resource_dispatcher.cc:506] 	ResourceDispatcher::DispatchMessageW(IPC::Message const &)
0x02014652 	[chrome.dll 	- resource_dispatcher.cc:281] 	ResourceDispatcher::OnMessageReceived(IPC::Message const &)
0x0200b09b 	[chrome.dll 	- child_thread.cc:149] 	ChildThread::OnMessageReceived(IPC::Message const &)
0x0265eb11 	[chrome.dll 	- task.h:332] 	RunnableMethod<CancelableRequest<CallbackRunner<Tuple2<int,history::FaviconData> > >,void ( CancelableRequest<CallbackRunner<Tuple2<int,history::FaviconData> > >::*)(Tuple2<int,history::FaviconData> const &),Tuple1<Tuple2<int,history::FaviconData> > >::Run()
0x021bc52c 	[chrome.dll 	- message_loop.cc:371] 	MessageLoop::RunTask(Task *)
0x021bc5b3 	[chrome.dll 	- message_loop.cc:380] 	MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const &)
0x021bc94e 	[chrome.dll 	- message_loop.cc:573] 	MessageLoop::DoWork()
0x021d392f 	[chrome.dll 	- message_pump_default.cc:50] 	base::MessagePumpDefault::Run(base::MessagePump::Delegate *)
0x021bc4ad 	[chrome.dll 	- message_loop.cc:346] 	MessageLoop::RunInternal()
0x021bc432 	[chrome.dll 	- message_loop.cc:319] 	MessageLoop::RunHandler()
0x021bc326 	[chrome.dll 	- message_loop.cc:243] 	MessageLoop::Run()
0x01c3f99b 	[chrome.dll 	- renderer_main.cc:233] 	RendererMain(MainFunctionParams const &)
Jun 9, 2011
#1 kar...@google.com
(No comment was entered for this change.)
Status: Assigned
Owner: mikelawt...@chromium.org
Labels: -Pri-2 Pri-1
Aug 22, 2011
#2 rtenneti@chromium.org
There are a few crashes in the renderer in M14 and M15 (I wasn't able to repro the crash with a Canary build with the URLs listed in some of the crashes).

http://crash/search?query=product%3A%22Chrome%22+version%3A%2215.0.854.0%22+crashed_thread_function_name.contains%3A%22WebCore%3A%3A`anonymous+namespace%27%3A%3AselectorTagMatches%22

A lot of them have the third-party avcodec-53.dll.
Jan 12, 2012
#3 kar...@google.com
Mike, I see these again:

Stack Trace

Thread 0 *CRASHED* ( EXCEPTION_ACCESS_VIOLATION_READ @ 0x4058c008 )

0x5c97ee87	 [chrome.dll	 - cssstyleselector.cpp:1982	WebCore::RuleSet::addRule(WebCore::CSSStyleRule *,WebCore::CSSSelector *)
0x5c987b6c	 [chrome.dll	 - cssstyleselector.cpp:2104	WebCore::collectFeaturesFromList
0x5c9878b3	 [chrome.dll	 - cssstyleselector.cpp:2118	WebCore::RuleSet::collectFeatures(WebCore::CSSStyleSelector::Features &)
0x5c98783f	 [chrome.dll	 - cssstyleselector.cpp:439	WebCore::CSSStyleSelector::collectFeatures()
0x5cadbc26	 [chrome.dll	 - cssstyleselector.cpp:461	WebCore::CSSStyleSelector::appendAuthorStylesheets(unsigned int,WTF::Vector<WTF::RefPtr<WebCore::StyleSheet>,0> const &)
0x5cada041	 [chrome.dll	 - document.cpp:3268	WebCore::Document::updateActiveStylesheets(WebCore::StyleSelectorUpdateFlag)
0x5cad9e90	 [chrome.dll	 - document.cpp:2991	WebCore::Document::styleSelectorChanged(WebCore::StyleSelectorUpdateFlag)
0x5cad9bd1	 [chrome.dll	 - document.cpp:2970	WebCore::Document::removePendingSheet()
0x5cbeef60	 [chrome.dll	 - htmllinkelement.cpp:358	WebCore::HTMLLinkElement::sheetLoaded()
0x5cad9b11	 [chrome.dll	 - cssstylesheet.cpp:240	WebCore::CSSStyleSheet::checkLoaded()
0x5cbee521	 [chrome.dll	 - htmllinkelement.cpp:333	WebCore::HTMLLinkElement::setCSSStyleSheet(WTF::String const &,WebCore::KURL const &,WTF::String const &,WebCore::CachedCSSStyleSheet const *)
0x5cbee206	 [chrome.dll	 - cachedcssstylesheet.cpp:117	WebCore::CachedCSSStyleSheet::checkNotify()
0x5cbedf01	 [chrome.dll	 - cachedcssstylesheet.cpp:105	WebCore::CachedCSSStyleSheet::data(WTF::PassRefPtr<WebCore::SharedBuffer>,bool)
0x5cbe93a2	 [chrome.dll	 - subresourceloader.cpp:266	WebCore::SubresourceLoader::didFinishLoading(double)
0x5cb583de	 [chrome.dll	 - resourceloader.cpp:451	WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle *,double)
0x5cb5834a	 [chrome.dll	 - resourcehandle.cpp:158	WebCore::ResourceHandleInternal::didFinishLoading(WebKit::WebURLLoader *,double)
0x5cb582d2	 [chrome.dll	 - weburlloader_impl.cc:647	webkit_glue::WebURLLoaderImpl::Context::OnCompletedRequest(net::URLRequestStatus const &,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,base::TimeTicks const &)
0x5cb57b43	 [chrome.dll	 - resource_dispatcher.cc:488	ResourceDispatcher::OnRequestComplete(int,net::URLRequestStatus const &,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,base::TimeTicks const &)
0x5cb57aa5	 [chrome.dll	 - tuple.h:566	DispatchToMethod<ResourceDispatcher,void ( ResourceDispatcher::*)(int,net::URLRequestStatus const &,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,base::TimeTicks const &),int,net::URLRequestStatus,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,base::TimeTicks>(ResourceDispatcher *,void ( ResourceDispatcher::*)(int,net::URLRequestStatus const &,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,base::TimeTicks const &),Tuple4<int,net::URLRequestStatus,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,base::TimeTicks> const &)
0x5cb57813	 [chrome.dll	 - resource_messages.h:172	ResourceMsg_RequestComplete::Dispatch<ResourceDispatcher,ResourceDispatcher,void ( ResourceDispatcher::*)(int,net::URLRequestStatus const &,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,base::TimeTicks const &)>(IPC::Message const *,ResourceDispatcher *,ResourceDispatcher *,void ( ResourceDispatcher::*)(int,net::URLRequestStatus const &,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,base::TimeTicks const &))
0x5c9eaa65	 [chrome.dll	 - resource_dispatcher.cc:559	ResourceDispatcher::DispatchMessageW(IPC::Message const &)
0x5c8ccc43	 [chrome.dll	 - resource_dispatcher.cc:326	ResourceDispatcher::OnMessageReceived(IPC::Message const &)
0x5c8cca06	 [chrome.dll	 - child_thread.cc:172	ChildThread::OnMessageReceived(IPC::Message const &)
0x5c8824ed	 [chrome.dll	 - bind_internal.h:1254	base::internal::Invoker<2,base::internal::BindState<base::internal::RunnableAdapter<void ( GeolocationProvider::*)(GeolocationObserverOptions const &)>,void (GeolocationProvider *,GeolocationObserverOptions const &),void (base::internal::UnretainedWrapper<GeolocationProvider>,GeolocationObserverOptions)>,void (GeolocationProvider *,GeolocationObserverOptions const &)>::Run(base::internal::BindStateBase *)
0x5c881d9b	 [chrome.dll	 - message_loop.cc:458	MessageLoop::RunTask(base::PendingTask const &)
0x5c881a73	 [chrome.dll	 - message_loop.cc:660	MessageLoop::DoWork()

top crasher in dev: http://crash/reportdetail?reportid=95e5e949a95f6cb3

Can you take a look?
Labels: Mstone-18
Jan 12, 2012
#4 mikelawt...@chromium.org
A fix has just landed for stylesheets being added in http://trac.webkit.org/changeset/104845 (https://code.google.com/p/chromium/issues/detail?id=109326). I suspect the issues are related, so let's see what happens once that patch rolls.
Mar 29, 2012
#5 kar...@google.com
(No comment was entered for this change.)
Labels: -Mstone-18 Mstone-20
Mar 29, 2012
#6 kar...@google.com
(No comment was entered for this change.)
Labels: MovedFrom18
May 7, 2012
#7 dhar...@google.com
M20 is about to sail. If this still needs to be part of M20, put it back and add the release block label.
Labels: -Mstone-20 Mstone-21 MovedFrom-20
Jul 11, 2012
#8 ka...@chromium.org
Moving all non-essential bugs to the next milestone.
Labels: -Mstone-21 MovedFrom-21 Mstone-22
Oct 2, 2012
#9 kerz@google.com
Moving out to M24. Please pull back into previous milestones if needed.
Labels: -Mstone-22 Mstone-24 MovedFrom-22
Nov 5, 2012
#10 dhar...@google.com
Since the bug has moved a few times, removing the milestone label. Please target the right milestone.
Labels: -Mstone-24
Nov 20, 2012
#11 kar...@google.com
P1 bugs that have been moved 3+ times. Downgrading to P2.
Labels: -Pri-1 Pri-2
Mar 10, 2013
#12 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Area-WebKit Cr-Content
Apr 5, 2013
#13 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Cr-Content Cr-Blink