Bug 105393

Summary: ::first-letter { overflow: -webkit-paged-y } causes crash
Product: WebKit
Reporter: Takashi Sakamoto <tasak>
Component: CSS
Assignee: Takashi Sakamoto <tasak>
Status: RESOLVED FIXED
Severity: Normal
CC: allan.jensen, bdakin, cmarcelo, macpherson, menard, ojan.autocc, tasak, webkit.review.bot
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Attachments: Patch (flags: none)

Takashi Sakamoto
Reported 2012-12-18 23:17:16 PST
Reported by fuzzer: https://cluster-fuzz.appspot.com/testcase?key=102884484

The following is a stack trace in the above report:

/mnt/scratch0/clusterfuzz/slave-bot/builds/symbolized/debug/asan-linux-debug-154320/DumpRenderTree
ASAN:SIGSEGV
=================================================================
==32198== ERROR: AddressSanitizer crashed on unknown address 0x000000000060 (pc 0x7f435c2a3d32 sp 0x7fff95826a80 bp 0x7fff95826bd0 T0)
AddressSanitizer can not provide additional info.
#0 0x7f435c2a3d31 in WebCore::QualifiedName::matches(WebCore::QualifiedName const&) const third_party/WebKit/Source/WebCore/dom/QualifiedName.h:85
#1 0x7f435c2a3b7e in WebCore::Element::hasTagName(WebCore::QualifiedName const&) const third_party/WebKit/Source/WebCore/dom/Element.h:222
#2 0x7f436690eb52 in WebCore::StyleResolver::adjustRenderStyle(WebCore::RenderStyle*, WebCore::RenderStyle*, WebCore::Element*) third_party/WebKit/Source/WebCore/css/StyleResolver.cpp:2240
#3 0x7f43669259bb in WebCore::StyleResolver::pseudoStyleForElement(WebCore::PseudoId, WebCore::Element*, WebCore::RenderStyle*) third_party/WebKit/Source/WebCore/css/StyleResolver.cpp:1956
#4 0x7f4368e8379e in WebCore::RenderObject::getUncachedPseudoStyle(WebCore::PseudoId, WebCore::RenderStyle*, WebCore::RenderStyle*) const third_party/WebKit/Source/WebCore/rendering/RenderObject.cpp:2688
#5 0x7f4368e993b8 in WebCore::RenderObject::getCachedPseudoStyle(WebCore::PseudoId, WebCore::RenderStyle*) const third_party/WebKit/Source/WebCore/rendering/RenderObject.cpp:2659
#6 0x7f4368e98993 in WebCore::RenderObject::firstLineStyleSlowCase() const third_party/WebKit/Source/WebCore/rendering/RenderObject.cpp:2637
#7 0x7f43684e16c9 in WebCore::RenderObject::firstLineStyle() const third_party/WebKit/Source/WebCore/rendering/RenderObject.h:728
#8 0x7f43684df4bc in WebCore::RenderObject::style(bool) const third_party/WebKit/Source/WebCore/rendering/RenderObject.h:729
#9 0x7f4368859392 in WebCore::RenderBlock::LineBreaker::nextLineBreak(WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>&, WebCore::LineInfo&, WebCore::RenderBlock::RenderTextInfo&, WebCore::RenderBlock::FloatingObject*, unsigned int) third_party/WebKit/Source/WebCore/rendering/RenderBlockLineLayout.cpp:2407
#10 0x7f436884c357 in WebCore::RenderBlock::layoutRunsAndFloatsInRange(WebCore::LineLayoutState&, WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>&, WebCore::InlineIterator const&, WebCore::BidiStatus const&, unsigned int) third_party/WebKit/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1328
#11 0x7f4368845ec9 in WebCore::RenderBlock::layoutRunsAndFloats(WebCore::LineLayoutState&, bool) third_party/WebKit/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1271
#12 0x7f436886a0eb in WebCore::RenderBlock::layoutInlineChildren(bool, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&) third_party/WebKit/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1600
#13 0x7f4368648c8b in WebCore::RenderBlock::layoutBlock(bool, WebCore::FractionalLayoutUnit) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:1531

The reason why this crash occurs is that we forget to check whether "e != null" or not before e->hasTagName(...) in StyleResolver::adjustRenderStyle.
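Added illustration of the defect class in this report (not code from this bug's patch or from WebKit): a stand-in model of the call shape in the stack trace, where pseudo-element style resolution hands a null Element pointer to the style-adjustment step. The unguarded form dereferences the pointer unconditionally, which is what produces a fault at a small address such as 0x60 (an offset from null); the guarded form checks the pointer first. The class names follow the frames above, but every type here is a toy, and the tag the adjustment looks for (`td`) is a hypothetical condition, not the real check at StyleResolver.cpp:2240.

```cpp
#include <string>

// Toy stand-ins for the WebKit types named in the stack trace.
struct QualifiedName {
    std::string localName;
    bool matches(const QualifiedName& other) const { return localName == other.localName; }
};

struct Element {
    QualifiedName tagName;
    bool hasTagName(const QualifiedName& name) const { return tagName.matches(name); }
};

enum class Display { Inline, Block };

struct RenderStyle {
    Display display = Display::Inline;
    bool pagedOverflow = false;  // stands in for `overflow: -webkit-paged-y`
};

// Hypothetical tag used by the adjustment; the real condition is not on the page.
static const QualifiedName kTdTag{"td"};

// Unguarded form, mirroring the defect: `e` is dereferenced without a null check.
// Pseudo-element style resolution (::first-letter here) reaches this with e == nullptr,
// so the first member access faults at a small address, as in the ASan report.
void adjustRenderStyleUnguarded(RenderStyle* style, const RenderStyle*, const Element* e) {
    if (style->pagedOverflow && e->hasTagName(kTdTag))
        style->display = Display::Block;
}

// Guarded form: the element-specific adjustment is skipped when there is no element.
void adjustRenderStyleGuarded(RenderStyle* style, const RenderStyle*, const Element* e) {
    if (style->pagedOverflow && e && e->hasTagName(kTdTag))
        style->display = Display::Block;
}

// Models pseudoStyleForElement() for a pseudo-element: no Element exists for it,
// so nullptr is passed down to the adjustment step. Returns the resulting display.
Display resolvePseudoStyle(bool paged) {
    RenderStyle parent;
    RenderStyle style;
    style.pagedOverflow = paged;
    adjustRenderStyleGuarded(&style, &parent, nullptr);  // safe with the guard
    return style.display;
}

// Models the ordinary element path, where a valid Element pointer is available.
Display resolveElementStyle(const std::string& tag, bool paged) {
    Element e{{tag}};  // constructed sample element
    RenderStyle parent;
    RenderStyle style;
    style.pagedOverflow = paged;
    adjustRenderStyleGuarded(&style, &parent, &e);
    return style.display;
}

int main() {
    // ::first-letter with paged overflow: the unguarded version would crash here.
    return resolvePseudoStyle(true) == Display::Inline ? 0 : 1;
}
```

The regression check worth keeping from a fix like this is the pseudo-element path with the triggering property set: it must complete and leave the style untouched by the element-only adjustment, rather than fault.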
Attachments
Patch (5.66 KB, patch), 2012-12-18 23:56 PST, Takashi Sakamoto, no flags
Takashi Sakamoto
Comment 1 2012-12-18 23:56:07 PST
WebKit Review Bot
Comment 2 2012-12-24 22:17:54 PST
Comment on attachment 180104: Patch
Clearing flags on attachment: 180104
Committed r138451: <http://trac.webkit.org/changeset/138451>
WebKit Review Bot
Comment 3 2012-12-24 22:17:58 PST
All reviewed patches have been landed. Closing bug.