84774 2012-04-24 14:18:37 -0700 NULL-deref in RenderBox::clippedOverflowRectForRepaint 2012-04-27 11:43:22 -0700 1 1 1 Unclassified WebKit Layout and Rendering 528+ (Nightly build) All All RESOLVED FIXED P1 Normal --- 1 jchaffraix jchaffraix tony webkit.review.bot oldest_to_newest 609053 0 138641 jchaffraix 2012-04-24 14:18:37 -0700 Created attachment 138641 test case Backtrace: WebCore::RenderLayer::hasVisibleContent() [0x18f5490] WebCore::RenderBox::clippedOverflowRectForRepaint() [0x192f6f5] WebCore::RenderObject::rectWithOutlineForRepaint() [0x19d8e1f] WebCore::RenderBlock::rectWithOutlineForRepaint() [0x18ecd85] WebCore::RenderInline::clippedOverflowRectForRepaint() [0x1981d36] WebCore::RenderText::clippedOverflowRectForRepaint() [0x1a1d7d5] WebCore::RenderObject::repaint() [0x19d7b5b] WebCore::RenderObjectChildList::removeChildNode() [0x19df707] WebCore::RenderObject::removeChild() [0x19d2ba9] WebCore::RenderObject::remove() [0x197778a] WebCore::RenderObject::willBeDestroyed() [0x19dc231] WebCore::RenderText::willBeDestroyed() [0x1a180d8] WebCore::RenderTextFragment::willBeDestroyed() [0x1a26872] WebCore::RenderObject::destroy() [0x19dc5a7] WebCore::RenderObjectChildList::destroyLeftoverChildren() [0x19df560] WebCore::RenderInline::willBeDestroyed() [0x197c417] WebCore::RenderObject::destroy() [0x19dc5a7] WebCore::RenderObjectChildList::updateBeforeAfterContent() [0x19e12cc] WebCore::RenderInline::addChildIgnoringContinuation() [0x197d2db] WebCore::RenderInline::addChild() [0x197cf52] WebCore::NodeRendererFactory::createRendererIfNeeded() [0x77be2c] WebCore::Node::createRendererIfNeeded() [0x75d563] WebCore::Element::attach() [0x73479d] WebCore::Node::reattach() [0x7395b2] WebCore::Element::recalcStyle() [0x735054] WebCore::Element::recalcStyle() [0x7356eb] The issue is at the following line: if (style()->visibility() != VISIBLE && !enclosingLayer()->hasVisibleContent()) enclosingLayer() returns 0 as we are called on a not-yet-inserted RenderObject (it's a newly created continuation, see test case). 609081 1 138647 jchaffraix 2012-04-24 14:34:58 -0700 Created attachment 138647 Proposed fix 1: Check that we have an attached continuation. 611736 2 138647 webkit.review.bot 2012-04-27 11:43:18 -0700 Comment on attachment 138647 Proposed fix 1: Check that we have an attached continuation. Clearing flags on attachment: 138647 Committed r115458: <http://trac.webkit.org/changeset/115458> 611737 3 webkit.review.bot 2012-04-27 11:43:22 -0700 All reviewed patches have been landed. Closing bug. 138641 2012-04-24 14:18:37 -0700 2012-04-24 14:18:37 -0700 test case sparky-crashed-233.htm text/html 554 jchaffraix PCFET0NUWVBFIGh0bWw+CjxodG1sPgo8aGVhZD4KPHN0eWxlPgogICAgb2JqZWN0OmFmdGVyIHsK ICAgICAgICBjb250ZW50OiAiaXBzdW0iOwogICAgfQogICAgb2JqZWN0IHsKICAgICAgICBvcGFj aXR5OiAwLjYwMzk2NTgzMjE1MzMzNTI7CiAgICAgICAgdmlzaWJpbGl0eTogaGlkZGVuOwogICAg ICAgIG91dGxpbmUtc3R5bGU6IGRvdHRlZDsKICAgIH0KPC9zdHlsZT4KPC9oZWFkPgo8Ym9keT4K PHNjcmlwdD4KICAgIHZhciBvYmplY3RFbGVtZW50ID0gZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgi b2JqZWN0Iik7CiAgICBuZXdDb250ZW50ID0gZG9jdW1lbnQuY3JlYXRlVGV4dE5vZGUoIkxvcmVt Iik7CiAgICBvYmplY3RFbGVtZW50LmFwcGVuZENoaWxkKG5ld0NvbnRlbnQpOwogICAgZG9jdW1l bnQuYm9keS5hcHBlbmRDaGlsZChvYmplY3RFbGVtZW50KTsKCiAgICB2YXIgb2xFbGVtZW50ID0g ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgib2wiKTsKICAgIG9iamVjdEVsZW1lbnQuYXBwZW5kQ2hp bGQob2xFbGVtZW50KTsKPC9zY3JpcHQ+CjwvYm9keT4KPC9odG1sPgo= 138647 2012-04-24 14:34:58 -0700 2012-04-27 11:43:18 -0700 Proposed fix 1: Check that we have an attached continuation. bug-84774-20120424143457.patch text/plain 4600 jchaffraix U3VidmVyc2lvbiBSZXZpc2lvbjogMTE1MDc5CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggYTFhNGM1NjE3ZjU0NTAx YzdlZjM0NjJhZmMwNTlkYmNiNmVmNDNkZC4uNmFhNDVlNTdkNjFhNmFhNmIxNjliYTc4NWIwNGJl MTBjYWQ5MTk1MCAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDIzIEBACisyMDEyLTA0LTI0ICBKdWxp ZW4gQ2hhZmZyYWl4ICA8amNoYWZmcmFpeEB3ZWJraXQub3JnPgorCisgICAgICAgIE5VTEwtZGVy ZWYgaW4gUmVuZGVyQm94OjpjbGlwcGVkT3ZlcmZsb3dSZWN0Rm9yUmVwYWludAorICAgICAgICBo dHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9ODQ3NzQKKworICAgICAgICBS ZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBUZXN0OiBmYXN0L2lubGluZS9j cmFzaC1uZXctY29udGludWF0aW9uLXdpdGgtb3V0bGluZS5odG1sCisKKyAgICAgICAgVGhlIGJ1 ZyBjb21lcyBmcm9tIHRyeWluZyB0byByZXBhaW50IHRoZSA6YWZ0ZXIgY29udGVudCBhcyBwYXJ0 IG9mIHVwZGF0ZUJlZm9yZUFmdGVyQ29udGVudC4KKyAgICAgICAgVGhlIHJlcGFpbnRpbmcgbG9n aWMgd291bGQgcXVlcnkgdGhlIHlldC10by1iZS1pbnNlcnRlZCBjb250aW51YXRpb24oKS4gVGhl biB3ZSB3b3VsZCBjcmFzaCBpbgorICAgICAgICBSZW5kZXJCb3g6OmNsaXBwZWRPdmVyZmxvd1Jl Y3RGb3JSZXBhaW50IGFzIHdlIGRpZG4ndCBoYXZlIGFuIGVuY2xvc2luZ0xheWVyKCkgKHdoaWNo IGFueQorICAgICAgICBSZW5kZXJPYmplY3QgaW4gdGhlIHRyZWUgd2lsbCBoYXZlKS4KKworICAg ICAgICBUaGUgZml4IGlzIHRvIGNoZWNrIGluIFJlbmRlcklubGluZTo6Y2xpcHBlZE92ZXJmbG93 UmVjdEZvclJlcGFpbnQgdGhhdCBvdXIgY29udGludWF0aW9uKCkKKyAgICAgICAgaXMgcHJvcGVy bHkgaW5zZXJ0ZWQgaW4gdGhlIHRyZWUuIFdlIGNvdWxkIGNoZWNrIHRoYXQgaXQgaXNSb290ZWQo KSBidXQgaXQncyBhbiBvdmVya2lsbCBoZXJlLgorCisgICAgICAgICogcmVuZGVyaW5nL1JlbmRl cklubGluZS5jcHA6CisgICAgICAgIChXZWJDb3JlOjpSZW5kZXJJbmxpbmU6OmNsaXBwZWRPdmVy Zmxvd1JlY3RGb3JSZXBhaW50KToKKwogMjAxMi0wNC0yNCAgQWxleGFuZHJ1IENoaWN1bGl0YSAg PGFjaGljdUBhZG9iZS5jb20+CiAKICAgICAgICAgW0NTUyBGaWx0ZXJzXSBNb3ZlIG1fZmlsdGVy IGFuZCByZWxhdGVkIGZpZWxkcyBmcm9tIFJlbmRlckxheWVyIHRvIGEgZGlmZmVyZW50IHN0cnVj dHVyZSBhbmQgb25seSBhbGxvY2F0ZSBpdCB3aGVuIG5lZWRlZApkaWZmIC0tZ2l0IGEvU291cmNl L1dlYkNvcmUvcmVuZGVyaW5nL1JlbmRlcklubGluZS5jcHAgYi9Tb3VyY2UvV2ViQ29yZS9yZW5k ZXJpbmcvUmVuZGVySW5saW5lLmNwcAppbmRleCBkZDQ2YWZjYzEzYjE0OGFjMGFiNTlmOTQ5YTI3 ODIxYTcyOTFkZGQ4Li41ZTg1NjVjZjc5MTI0YzJhYjg3YTU0Y2FiNzQ1NjMxMTEyMTQ2MjQ3IDEw MDY0NAotLS0gYS9Tb3VyY2UvV2ViQ29yZS9yZW5kZXJpbmcvUmVuZGVySW5saW5lLmNwcAorKysg Yi9Tb3VyY2UvV2ViQ29yZS9yZW5kZXJpbmcvUmVuZGVySW5saW5lLmNwcApAQCAtMTA1OCw3ICsx MDU4LDcgQEAgTGF5b3V0UmVjdCBSZW5kZXJJbmxpbmU6OmNsaXBwZWRPdmVyZmxvd1JlY3RGb3JS ZXBhaW50KFJlbmRlckJveE1vZGVsT2JqZWN0KiByZXAKICAgICAgICAgICAgIH0KICAgICAgICAg fQogCi0gICAgICAgIGlmIChjb250aW51YXRpb24oKSAmJiAhY29udGludWF0aW9uKCktPmlzSW5s aW5lKCkpIHsKKyAgICAgICAgaWYgKGNvbnRpbnVhdGlvbigpICYmICFjb250aW51YXRpb24oKS0+ aXNJbmxpbmUoKSAmJiBjb250aW51YXRpb24oKS0+cGFyZW50KCkpIHsKICAgICAgICAgICAgIExh eW91dFJlY3QgY29udFJlY3QgPSBjb250aW51YXRpb24oKS0+cmVjdFdpdGhPdXRsaW5lRm9yUmVw YWludChyZXBhaW50Q29udGFpbmVyLCBvdyk7CiAgICAgICAgICAgICByLnVuaXRlKGNvbnRSZWN0 KTsKICAgICAgICAgfQpkaWZmIC0tZ2l0IGEvTGF5b3V0VGVzdHMvQ2hhbmdlTG9nIGIvTGF5b3V0 VGVzdHMvQ2hhbmdlTG9nCmluZGV4IDM4NDBlZDgxYzg5NzI5MmY3YTA0NDMzOTFhMTc0ZTAyYmEy ZTMzNTguLjk5ZGU4YWEwZGRlMGViMjc0ZTJkZWYwNzc2ZTRmMGFhODRlYjZhMzAgMTAwNjQ0Ci0t LSBhL0xheW91dFRlc3RzL0NoYW5nZUxvZworKysgYi9MYXlvdXRUZXN0cy9DaGFuZ2VMb2cKQEAg LTEsMyArMSwxMyBAQAorMjAxMi0wNC0yNCAgSnVsaWVuIENoYWZmcmFpeCAgPGpjaGFmZnJhaXhA d2Via2l0Lm9yZz4KKworICAgICAgICBOVUxMLWRlcmVmIGluIFJlbmRlckJveDo6Y2xpcHBlZE92 ZXJmbG93UmVjdEZvclJlcGFpbnQKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hv d19idWcuY2dpP2lkPTg0Nzc0CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISku CisKKyAgICAgICAgKiBmYXN0L2lubGluZS9jcmFzaC1uZXctY29udGludWF0aW9uLXdpdGgtb3V0 bGluZS1leHBlY3RlZC50eHQ6IEFkZGVkLgorICAgICAgICAqIGZhc3QvaW5saW5lL2NyYXNoLW5l dy1jb250aW51YXRpb24td2l0aC1vdXRsaW5lLmh0bWw6IEFkZGVkLgorCiAyMDEyLTA0LTI0ICBN aWtoYWlsIE5hZ2Fub3YgIDxtbmFnYW5vdkBjaHJvbWl1bS5vcmc+CiAKICAgICAgICAgW0Nocm9t aXVtXSBVbnJldmlld2VkIHRlc3QgZXhwZWN0YXRpb25zIHVwZGF0ZS4KZGlmZiAtLWdpdCBhL0xh eW91dFRlc3RzL2Zhc3QvaW5saW5lL2NyYXNoLW5ldy1jb250aW51YXRpb24td2l0aC1vdXRsaW5l LWV4cGVjdGVkLnR4dCBiL0xheW91dFRlc3RzL2Zhc3QvaW5saW5lL2NyYXNoLW5ldy1jb250aW51 YXRpb24td2l0aC1vdXRsaW5lLWV4cGVjdGVkLnR4dApuZXcgZmlsZSBtb2RlIDEwMDY0NAppbmRl eCAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwLi40ZjM3YTQyMDMyODFl ZTUzMGNiYTViYzM5MGVhODI3MmZjMTQ0MGQ1Ci0tLSAvZGV2L251bGwKKysrIGIvTGF5b3V0VGVz dHMvZmFzdC9pbmxpbmUvY3Jhc2gtbmV3LWNvbnRpbnVhdGlvbi13aXRoLW91dGxpbmUtZXhwZWN0 ZWQudHh0CkBAIC0wLDAgKzEsMyBAQAorVGVzdCBjYXNlIGZvciBidWcgODQ3NzQ6IE5VTEwtZGVy ZWYgaW4gUmVuZGVyQm94OjpjbGlwcGVkT3ZlcmZsb3dSZWN0Rm9yUmVwYWludAorCitQQVNTRUQs IHRoaXMgdGVzdCBkaWQgbm90IGNyYXNoZWQuCmRpZmYgLS1naXQgYS9MYXlvdXRUZXN0cy9mYXN0 L2lubGluZS9jcmFzaC1uZXctY29udGludWF0aW9uLXdpdGgtb3V0bGluZS5odG1sIGIvTGF5b3V0 VGVzdHMvZmFzdC9pbmxpbmUvY3Jhc2gtbmV3LWNvbnRpbnVhdGlvbi13aXRoLW91dGxpbmUuaHRt bApuZXcgZmlsZSBtb2RlIDEwMDc1NQppbmRleCAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwLi43NTNiMTViYmFhMzQxYTgxMDM5MWFjYzMwZmU4MWI5N2VlMWZjN2NhCi0t LSAvZGV2L251bGwKKysrIGIvTGF5b3V0VGVzdHMvZmFzdC9pbmxpbmUvY3Jhc2gtbmV3LWNvbnRp bnVhdGlvbi13aXRoLW91dGxpbmUuaHRtbApAQCAtMCwwICsxLDMyIEBACis8IURPQ1RZUEUgaHRt bD4KKzxodG1sPgorPGhlYWQ+Cis8c3R5bGU+CisgICAgb2JqZWN0OmFmdGVyIHsKKyAgICAgICAg Y29udGVudDogImlwc3VtIjsKKyAgICB9CisgICAgb2JqZWN0IHsKKyAgICAgICAgb3BhY2l0eTog MC42MDM5NjU4MzIxNTMzMzUyOworICAgICAgICB2aXNpYmlsaXR5OiBoaWRkZW47CisgICAgICAg IG91dGxpbmUtc3R5bGU6IGRvdHRlZDsKKyAgICB9Cis8L3N0eWxlPgorPC9oZWFkPgorPGJvZHk+ Cis8cD5UZXN0IGNhc2UgZm9yIGJ1ZyA8YSBocmVmPSJodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9z aG93X2J1Zy5jZ2k/aWQ9ODQ3NzQiPjg0Nzc0PC9hPjogTlVMTC1kZXJlZiBpbiBSZW5kZXJCb3g6 OmNsaXBwZWRPdmVyZmxvd1JlY3RGb3JSZXBhaW50PC9wPgorPHNjcmlwdD4KKyAgICBpZiAod2lu ZG93LmxheW91dFRlc3RDb250cm9sbGVyKQorICAgICAgICBsYXlvdXRUZXN0Q29udHJvbGxlci5k dW1wQXNUZXh0KCk7CisKKyAgICB2YXIgb2JqZWN0RWxlbWVudCA9IGRvY3VtZW50LmNyZWF0ZUVs ZW1lbnQoIm9iamVjdCIpOworICAgIG5ld0NvbnRlbnQgPSBkb2N1bWVudC5jcmVhdGVUZXh0Tm9k ZSgiTG9yZW0iKTsKKyAgICBvYmplY3RFbGVtZW50LmFwcGVuZENoaWxkKG5ld0NvbnRlbnQpOwor ICAgIGRvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQob2JqZWN0RWxlbWVudCk7CisKKyAgICB2YXIg b2xFbGVtZW50ID0gZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgib2wiKTsKKyAgICBvYmplY3RFbGVt ZW50LmFwcGVuZENoaWxkKG9sRWxlbWVudCk7CisKKyAgICBkb2N1bWVudC5ib2R5LmFwcGVuZENo aWxkKGRvY3VtZW50LmNyZWF0ZVRleHROb2RlKCJQQVNTRUQsIHRoaXMgdGVzdCBkaWQgbm90IGNy YXNoZWQuIikpOworPC9zY3JpcHQ+Cis8L2JvZHk+Cis8L2h0bWw+Cg==