108084 2013-01-28 08:16:49 -0800 Crash inside RenderBlock::layoutRunsAndFloatsInRange in the widow code 2013-01-28 14:29:55 -0800 1 1 1 Unclassified WebKit Layout and Rendering 528+ (Nightly build) All All RESOLVED FIXED P2 Normal --- 1 jchaffraix jchaffraix darin dino eric ojan.autocc webkit.review.bot oldest_to_newest 817764 0 jchaffraix 2013-01-28 08:16:49 -0800 We are getting bug reports for a crasher in the widow code. I tried several times to see if I could get a reproduction but unfortunately couldn't. Here is the code involved (line 1663 in RenderBlockLineLayout.cpp): int numLinesHanging = 1; while (lineBox && lineBox != firstLineInBlock && !lineBox->isFirstAfterPageBreak()) { ... } // If there were no breaks in the block, we didn't create any widows. if (!lineBox->isFirstAfterPageBreak() || lineBox == firstLineInBlock) return; The crash is a NULL dereference that happens in the 'if'. The 'while' NULL-checks |lineBox| but the following 'if' doesn't, which makes me think that this is the bug. 817778 1 184991 jchaffraix 2013-01-28 08:41:56 -0800 Created attachment 184991 Proposed blind fix. 818107 2 184991 webkit.review.bot 2013-01-28 14:29:52 -0800 Comment on attachment 184991 Proposed blind fix. Clearing flags on attachment: 184991 Committed r141009: <http://trac.webkit.org/changeset/141009> 818108 3 webkit.review.bot 2013-01-28 14:29:55 -0800 All reviewed patches have been landed. Closing bug. 184991 2013-01-28 08:41:56 -0800 2013-01-28 14:29:52 -0800 Proposed blind fix. bug-108084-20130128083843.patch text/plain 1800 jchaffraix U3VidmVyc2lvbiBSZXZpc2lvbjogMTQwOTY3CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggZTY1ZWFmODBjMmNlMGYy OWMxZjY3NjRiYTg1MjgzNmEwZWQyZmNlMy4uNDFlNTlhODg5NDY5YzQxYWQ3ZDUzY2ZjMWNhYjUy YTM3M2MzNWI4MSAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE5IEBACisyMDEzLTAxLTI4ICBKdWxp ZW4gQ2hhZmZyYWl4ICA8amNoYWZmcmFpeEB3ZWJraXQub3JnPgorCisgICAgICAgIENyYXNoIGlu c2lkZSBSZW5kZXJCbG9jazo6bGF5b3V0UnVuc0FuZEZsb2F0c0luUmFuZ2UgaW4gdGhlIHdpZG93 IGNvZGUKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTEw ODA4NAorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIFRo aXMgaXMgYSBibGluZCBmaXggYmFzZWQgb24gdGhlIGNvZGUgYW5kIENocm9taXVtJ3Mgc3RhY2st dHJhY2VzLgorCisgICAgICAgIFVuZm9ydHVuYXRlbHkgbm8gbmV3IHRlc3QgYXMgSSBjb3VsZG4n dCBnZXQgYSBsb2NhbCByZXByb2R1Y3Rpb24uCisKKyAgICAgICAgKiByZW5kZXJpbmcvUmVuZGVy QmxvY2tMaW5lTGF5b3V0LmNwcDoKKyAgICAgICAgKFdlYkNvcmU6OlJlbmRlckJsb2NrOjpsYXlv dXRSdW5zQW5kRmxvYXRzSW5SYW5nZSk6CisgICAgICAgIEFkZGVkIGEgbWlzc2luZyBOVUxMLWNo ZWNrOiB0aGUgcHJldmlvdXMgJ3doaWxlJyBmaW5pc2ggaWYgfGxpbmVCb3h8CisgICAgICAgIGlz IE5VTEwgYW5kIHdlIGRvbid0IHdhbnQgdG8gY3Jhc2ggaW4gdGhpcyBjYXNlLgorCiAyMDEzLTAx LTI4ICBNYXJ0aW4gUm9iaW5zb24gIDxtcm9iaW5zb25AaWdhbGlhLmNvbT4KIAogICAgICAgICBb RnJlZXR5cGVdIFN5bnRoZXRpYyBib2xkIG5vdCBhcHBsaWVkIHRvIGZhbGxiYWNrIGZvbnRzIHBy b3Blcmx5CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9yZW5kZXJpbmcvUmVuZGVyQmxvY2tM aW5lTGF5b3V0LmNwcCBiL1NvdXJjZS9XZWJDb3JlL3JlbmRlcmluZy9SZW5kZXJCbG9ja0xpbmVM YXlvdXQuY3BwCmluZGV4IGZiYjNkZGJhOTkwNjZjYjM4MTdhMGE5NDVhZTgyZDRlYzU0MjkwZDIu LmU5NjBkMTNkNzI3MmEwMmU3YTFmMjU2ZGI5NDA1MTNhNzcwZWE0NmQgMTAwNjQ0Ci0tLSBhL1Nv dXJjZS9XZWJDb3JlL3JlbmRlcmluZy9SZW5kZXJCbG9ja0xpbmVMYXlvdXQuY3BwCisrKyBiL1Nv dXJjZS9XZWJDb3JlL3JlbmRlcmluZy9SZW5kZXJCbG9ja0xpbmVMYXlvdXQuY3BwCkBAIC0xNjY3 LDcgKzE2NjcsNyBAQCB2b2lkIFJlbmRlckJsb2NrOjpsYXlvdXRSdW5zQW5kRmxvYXRzSW5SYW5n ZShMaW5lTGF5b3V0U3RhdGUmIGxheW91dFN0YXRlLCBJbmxpbgogICAgICAgICB9CiAKICAgICAg ICAgLy8gSWYgdGhlcmUgd2VyZSBubyBicmVha3MgaW4gdGhlIGJsb2NrLCB3ZSBkaWRuJ3QgY3Jl YXRlIGFueSB3aWRvd3MuCi0gICAgICAgIGlmICghbGluZUJveC0+aXNGaXJzdEFmdGVyUGFnZUJy ZWFrKCkgfHwgbGluZUJveCA9PSBmaXJzdExpbmVJbkJsb2NrKQorICAgICAgICBpZiAoIWxpbmVC b3ggfHwgIWxpbmVCb3gtPmlzRmlyc3RBZnRlclBhZ2VCcmVhaygpIHx8IGxpbmVCb3ggPT0gZmly c3RMaW5lSW5CbG9jaykKICAgICAgICAgICAgIHJldHVybjsKIAogICAgICAgICBpZiAobnVtTGlu ZXNIYW5naW5nIDwgc3R5bGUoKS0+d2lkb3dzKCkpIHsK