84300 2012-04-18 16:23:57 -0700 Crash in RenderInline::clippedOverflowRectForRepaint for PrintPreview 2012-04-26 21:09:16 -0700 1 1 1 Unclassified WebKit Printing 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED P2 Normal --- 1 eae eae abarth dglazkov eric inferno jchaffraix simon.fraser oldest_to_newest 605209 0 eae 2012-04-18 16:23:57 -0700 Certain websites trigger a crash in RenderInline::clippedOverflowRectForRepaint in chromium. Most likely caused by a null pointer dereference where containingBlock() returns NULL. Downstream chromium bug: http://code.google.com/p/chromium/issues/detail?id=123193 605211 1 137801 eae 2012-04-18 16:26:40 -0700 Created attachment 137801 Patch 606671 2 eae 2012-04-20 10:14:21 -0700 Ping? 607839 3 137801 simon.fraser 2012-04-23 10:55:37 -0700 Comment on attachment 137801 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=137801&action=review > Source/WebCore/ChangeLog:3 > + [chromium] Crash in RenderInline::clippedOverflowRectForRepaint for PrintPreview The [chromium] prefix makes it sound like this only happens in Chromium; that's unlikely. 607847 4 eae 2012-04-23 11:03:46 -0700 I have only seen it reported for chromium but you're right. There is nothing chrome specific in there. Will remove the prefix and land. Thanks Simon. 607962 5 eae 2012-04-23 13:17:47 -0700 Committed r114936: <http://trac.webkit.org/changeset/114936> 611232 6 inferno 2012-04-26 21:09:16 -0700 testcase from ClusterFuzz <script>if (window.layoutTestController) layoutTestController.waitUntilDone(); </script> <style> .c6 { visibility: hidden; opacity: 0.0; } .c11 { visibility: visible; } .c13[class^="c13"] { display: table;</style> <script> var nodes = Array(); function boom() { try { nodes[72] = document.createElement('q'); } catch(e) {} try { nodes[72].setAttribute('class', 'c6'); } catch(e) {} try { document.documentElement.appendChild(nodes[72]); } catch(e) {} try { nodes[75] = document.createElement('map'); } catch(e) {} try { nodes[76] = document.createElement('section'); } catch(e) {} try { nodes[88] = document.createElement('var'); } catch(e) {} try { nodes[88].setAttribute('class', 'c11'); } catch(e) {} try { nodes[72].appendChild(nodes[75]); } catch(e) {} setTimeout("try { nodes[75].setAttribute('class', 'c13'); } catch(e) {}", 3); try { nodes[72].appendChild(nodes[88]); } catch(e) {} try { nodes[88].appendChild(nodes[76]); } catch(e) {} } window.onload = boom; </script> > +----------------------------------------Debug Build Stacktrace----------------------------------------+ /mnt/scratch0/clusterfuzz/slave-bot/builds/symbolized/debug/asan-linux-debug-132190/DumpRenderTree ASAN:SIGSEGV ==32545== ERROR: AddressSanitizer crashed on unknown address 0x000000000034 (pc 0x00000adf1f4e sp 0x7fff26360180 bp 0x7fff26360250 T0) AddressSanitizer can not provide additional info. ABORTING #0 0xadf1f4e in WebCore::RenderObject::RenderObjectBitfields::hasColumns() const third_party/WebKit/Source/WebCore/rendering/RenderObject.h:988 #1 0xadf0bbd in WebCore::RenderObject::hasColumns() const third_party/WebKit/Source/WebCore/rendering/RenderObject.h:375 #2 0xb33a73b in WebCore::RenderInline::clippedOverflowRectForRepaint(WebCore::RenderBoxModelObject*) const third_party/WebKit/Source/WebCore/rendering/RenderInline.cpp:1037 #3 0xb36064a in WebCore::RenderLayer::computeRepaintRects(WebCore::IntPoint*) third_party/WebKit/Source/WebCore/rendering/RenderLayer.cpp:465 #4 0xb3647f3 in WebCore::RenderLayer::setHasVisibleContent(bool) third_party/WebKit/Source/WebCore/rendering/RenderLayer.cpp:629 #5 0xb5a34c8 in WebCore::RenderObjectChildList::insertChildNode(WebCore::RenderObject*, WebCore::RenderObject*, WebCore::RenderObject*, bool) third_party/WebKit/Source/WebCore/rendering/RenderObjectChildList.cpp:264 #6 0xb5420e0 in WebCore::RenderObject::addChild(WebCore::RenderObject*, WebCore::RenderObject*) third_party/WebKit/Source/WebCore/rendering/RenderObject.cpp:306 #7 0xb321062 in WebCore::RenderInline::addChildIgnoringContinuation(WebCore::RenderObject*, WebCore::RenderObject*) third_party/WebKit/Source/WebCore/rendering/RenderInline.cpp:313 #8 0xb3238e0 in WebCore::RenderInline::splitInlines(WebCore::RenderBlock*, WebCore::RenderBlock*, WebCore::RenderBlock*, WebCore::RenderObject*, WebCore::RenderBoxModelObject*) third_party/WebKit/Source/WebCore/rendering/RenderInline.cpp:338 #9 0xb322786 in WebCore::RenderInline::splitFlow(WebCore::RenderObject*, WebCore::RenderBlock*, WebCore::RenderObject*, WebCore::RenderBoxModelObject*) third_party/WebKit/Source/WebCore/rendering/RenderInline.cpp:452 #10 0xb320f9c in WebCore::RenderInline::addChildIgnoringContinuation(WebCore::RenderObject*, WebCore::RenderObject*) third_party/WebKit/Source/WebCore/rendering/RenderInline.cpp:307 #11 0xb31f17b in WebCore::RenderInline::addChildToContinuation(WebCore::RenderObject*, WebCore::RenderObject*) third_party/WebKit/Source/WebCore/rendering/RenderInline.cpp:492 #12 0xb31e45e in WebCore::RenderInline::addChild(WebCore::RenderObject*, WebCore::RenderObject*) third_party/WebKit/Source/WebCore/rendering/RenderInline.cpp:237 #13 0x21ac99b in WebCore::NodeRendererFactory::createRendererIfNeeded() third_party/WebKit/Source/WebCore/dom/NodeRenderingContext.cpp:399 #14 0x20b7bf2 in WebCore::Node::createRendererIfNeeded() third_party/WebKit/Source/WebCore/dom/Node.cpp:1427 #15 0x1f8c8d1 in WebCore::Element::attach() third_party/WebKit/Source/WebCore/dom/Element.cpp:956 #16 0x1fb0900 in WebCore::Node::reattach() third_party/WebKit/Source/WebCore/dom/Node.h:819 #17 0x1f8ef2f in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) third_party/WebKit/Source/WebCore/dom/Element.cpp:1074 #18 0x1f8fed2 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) third_party/WebKit/Source/WebCore/dom/Element.cpp:1151 #19 0x1f8fed2 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) third_party/WebKit/Source/WebCore/dom/Element.cpp:1151 #20 0x1d126bf in WebCore::Document::recalcStyle(WebCore::Node::StyleChange) third_party/WebKit/Source/WebCore/dom/Document.cpp:1659 #21 0x1d14fea in WebCore::Document::updateStyleIfNeeded() third_party/WebKit/Source/WebCore/dom/Document.cpp:1717 #22 0x1cf1489 in WebCore::Document::styleRecalcTimerFired(WebCore::Timer<WebCore::Document>*) third_party/WebKit/Source/WebCore/dom/Document.cpp:1609 #23 0x1ec7409 in WebCore::Timer<WebCore::Document>::fired() third_party/WebKit/Source/WebCore/platform/Timer.h:100 #24 0x73e6825 in WebCore::ThreadTimers::sharedTimerFiredInternal() third_party/WebKit/Source/WebCore/platform/ThreadTimers.cpp:118 #25 0x73e5c69 in WebCore::ThreadTimers::sharedTimerFired() third_party/WebKit/Source/WebCore/platform/ThreadTimers.cpp:94 #26 0xe258dcc in webkit_glue::WebKitPlatformSupportImpl::DoTimeout() ./webkit/glue/webkitplatformsupport_impl.h:148 #27 0xe25ea1a in base::internal::RunnableAdapter<void (webkit_glue::WebKitPlatformSupportImpl::*)()>::Run(webkit_glue::WebKitPlatformSupportImpl*) ./base/bind_internal.h:132 #28 0xe25e683 in base::internal::InvokeHelper<false, void, base::internal::RunnableAdapter<void (webkit_glue::WebKitPlatformSupportImpl::*)()>, void ()(webkit_glue::WebKitPlatformSupportImpl*)>::MakeItSo(base::internal::RunnableAdapter<void (webkit_glue::WebKitPlatformSupportImpl::*)()>, webkit_glue::WebKitPlatformSupportImpl*) ./base/bind_internal.h:869 #29 0xe25e1ad in base::internal::Invoker<1, base::internal::BindState<base::internal::RunnableAdapter<void (webkit_glue::WebKitPlatformSupportImpl::*)()>, void ()(webkit_glue::WebKitPlatformSupportImpl*), void ()(base::internal::UnretainedWrapper<webkit_glue::WebKitPlatformSupportImpl>)>, void ()(webkit_glue::WebKitPlatformSupportImpl*)>::Run(base::internal::BindStateBase*) ./base/bind_internal.h:1170 #30 0x24c5df5 in base::Callback<void ()()>::Run() const ./base/callback.h:272 #31 0xf7adfe9 in base::Timer::RunScheduledTask() base/timer.cc:182 #32 0xf7aed61 in base::BaseTimerTaskInternal::Run() base/timer.cc:45 #33 0xf7b195a in base::internal::RunnableAdapter<void (base::BaseTimerTaskInternal::*)()>::Run(base::BaseTimerTaskInternal*) ./base/bind_internal.h:132 #34 0xf7b15c3 in base::internal::InvokeHelper<false, void, base::internal::RunnableAdapter<void (base::BaseTimerTaskInternal::*)()>, void ()(base::BaseTimerTaskInternal*)>::MakeItSo(base::internal::RunnableAdapter<void (base::BaseTimerTaskInternal::*)()>, base::BaseTimerTaskInternal*) ./base/bind_internal.h:869 #35 0xf7b11b6 in base::internal::Invoker<1, base::internal::BindState<base::internal::RunnableAdapter<void (base::BaseTimerTaskInternal::*)()>, void ()(base::BaseTimerTaskInternal*), void ()(base::internal::OwnedWrapper<base::BaseTimerTaskInternal>)>, void ()(base::BaseTimerTaskInternal*)>::Run(base::internal::BindStateBase*) ./base/bind_internal.h:1170 #36 0x24c5df5 in base::Callback<void ()()>::Run() const ./base/callback.h:272 #37 0x25927d5 in MessageLoop::RunTask(base::PendingTask const&) base/message_loop.cc:459 #38 0x259418c in MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) base/message_loop.cc:473 #39 0x25949be in MessageLoop::DoWork() base/message_loop.cc:647 #40 0x28a13b7 in base::MessagePumpGlib::RunWithDispatcher(base::MessagePump::Delegate*, base::MessagePumpDispatcher*) base/message_pump_glib.cc:210 #41 0x28a3b75 in base::MessagePumpGlib::Run(base::MessagePump::Delegate*) base/message_pump_glib.cc:299 #42 0x2590ffd in MessageLoop::RunInternal() base/message_loop.cc:418 #43 0x258e9a3 in MessageLoop::RunHandler() base/message_loop.cc:391 #44 0x258e891 in MessageLoop::Run() base/message_loop.cc:301 #45 0x1acb431 in webkit_support::RunMessageLoop() webkit/support/webkit_support.cc:449 #46 0x7703f7 in TestShell::waitTestFinished() third_party/WebKit/Tools/DumpRenderTree/chromium/TestShellLinux.cpp:75 #47 0x72bc57 in TestShell::runFileTest(TestParams const&) third_party/WebKit/Tools/DumpRenderTree/chromium/TestShell.cpp:270 #48 0x5da1e7 in runTest third_party/WebKit/Tools/DumpRenderTree/chromium/DumpRenderTree.cpp:129 #49 0x5d7c18 in main third_party/WebKit/Tools/DumpRenderTree/chromium/DumpRenderTree.cpp:279 #50 0x7f7d6c38ac4d in __libc_start_main /build/buildd/eglibc-2.11.1/csu/libc-start.c:258 Stats: 265M malloced (812M for red zones) by 1389743 calls Stats: 2M realloced by 4950 calls Stats: 263M freed by 1376153 calls Stats: 197M really freed by 1062565 calls Stats: 372M (95277 full pages) mmaped in 93 calls mmaps by size class: 9:360404; 10:8190; 11:4094; 12:1024; 13:1024; 14:1024; 15:768; 16:448; 17:32; 18:160; 19:8; 20:4; 21:24; mallocs by size class: 9:1350286; 10:17750; 11:9743; 12:3216; 13:2022; 14:2951; 15:2039; 16:1264; 17:37; 18:399; 19:5; 20:4; 21:27; frees by size class: 9:1337293; 10:17387; 11:9606; 12:3177; 13:1995; 14:2936; 15:2032; 16:1257; 17:35; 18:399; 19:5; 20:4; 21:27; rfrees by size class: 9:1033863; 10:12579; 11:7096; 12:2282; 13:1439; 14:2307; 15:1669; 16:957; 17:10; 18:346; 19:5; 20:1; 21:11; Stats: malloc large: 472 small slow: 7319 Also see similar https://bugs.webkit.org/show_bug.cgi?id=84774. 137801 2012-04-18 16:26:40 -0700 2012-04-23 13:18:02 -0700 Patch bug-84300-20120418162639.patch text/plain 1362 eae SW5kZXg6IFNvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2Vi Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDExNDU3NykKKysrIFNvdXJjZS9XZWJDb3JlL0NoYW5n ZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE3IEBACisyMDEyLTA0LTE4ICBFbWlsIEEg RWtsdW5kICA8ZWFlQGNocm9taXVtLm9yZz4KKworICAgICAgICBbY2hyb21pdW1dIENyYXNoIGlu IFJlbmRlcklubGluZTo6Y2xpcHBlZE92ZXJmbG93UmVjdEZvclJlcGFpbnQgZm9yIFByaW50UHJl dmlldworICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9ODQz MDAKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBObyBu ZXcgdGVzdHMsIGhhdmUgbm90IGJlZW4gYWJsZSB0byBjb21lIHVwIHdpdGggYSByZWxpYWJsZSBy ZWR1Y3Rpb24uCisKKyAgICAgICAgKiByZW5kZXJpbmcvUmVuZGVySW5saW5lLmNwcDoKKyAgICAg ICAgKFdlYkNvcmU6OlJlbmRlcklubGluZTo6Y2xpcHBlZE92ZXJmbG93UmVjdEZvclJlcGFpbnQp OgorICAgICAgICBBZGQgTlVMTCBjaGVjayBmb3IgY29udGFpbmluZ0Jsb2NrKCkgYXMgaXQgY2Fu IHJldHVybiBOVUxMIHdoZW4gZGV0YWNoZWQKKyAgICAgICAgZnJvbSB0aGUgdHJlZS4KKwogMjAx Mi0wNC0xOCAgTWFyayBQaWxncmltICA8cGlsZ3JpbUBjaHJvbWl1bS5vcmc+CiAKICAgICAgICAg W0Nocm9taXVtXSBDYWxsIHByZWZldGNoRE5TIGRpcmVjdGx5CkluZGV4OiBTb3VyY2UvV2ViQ29y ZS9yZW5kZXJpbmcvUmVuZGVySW5saW5lLmNwcAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2ViQ29y ZS9yZW5kZXJpbmcvUmVuZGVySW5saW5lLmNwcAkocmV2aXNpb24gMTEzNTIyKQorKysgU291cmNl L1dlYkNvcmUvcmVuZGVyaW5nL1JlbmRlcklubGluZS5jcHAJKHdvcmtpbmcgY29weSkKQEAgLTEw MzEsNyArMTAzMSw3IEBAIExheW91dFJlY3QgUmVuZGVySW5saW5lOjpjbGlwcGVkT3ZlcmZsb3cK IAogICAgIExheW91dFJlY3Qgcigtb3cgKyBsZWZ0LCAtb3cgKyB0b3AsIGJvdW5kaW5nQm94Lndp ZHRoKCkgKyBvdyAqIDIsIGJvdW5kaW5nQm94LmhlaWdodCgpICsgb3cgKiAyKTsKIAotICAgIGlm IChoaXRSZXBhaW50Q29udGFpbmVyKQorICAgIGlmIChoaXRSZXBhaW50Q29udGFpbmVyIHx8ICFj YikKICAgICAgICAgcmV0dXJuIHI7CiAKICAgICBpZiAoY2ItPmhhc0NvbHVtbnMoKSkK