Bug 108084

Summary: Crash inside RenderBlock::layoutRunsAndFloatsInRange in the widow code
Product: WebKit
Reporter: Julien Chaffraix <jchaffraix>
Component: Layout and Rendering
Assignee: Julien Chaffraix <jchaffraix>
Status: RESOLVED FIXED
Severity: Normal
CC: darin, dino, eric, ojan.autocc, webkit.review.bot
Priority: P2
Version: 528+ (Nightly build)
Hardware: All
OS: All
Attachments:
  Proposed blind fix. (flags: none)

Description Julien Chaffraix 2013-01-28 08:16:49 PST
We are getting bug reports for a crasher in the widow code. I tried several times to see if I could get a reproduction but unfortunately couldn't.

Here is the code involved (line 1663 in RenderBlockLineLayout.cpp):

int numLinesHanging = 1;
while (lineBox && lineBox != firstLineInBlock && !lineBox->isFirstAfterPageBreak()) {
    ...
}

// If there were no breaks in the block, we didn't create any widows.
if (!lineBox->isFirstAfterPageBreak() || lineBox == firstLineInBlock)
    return;

The crash is a NULL dereference that happens in the 'if'. The 'while' NULL-checks |lineBox| but the following 'if' doesn't, which makes me think that this is the bug.
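The following is an added illustration of the defect pattern described above, not code from WebKit and not the landed patch (attachment 184991 is not reproduced on this page). It uses a constructed `LineBox` stand-in with only the two members the check touches, assumes the elided loop body increments `numLinesHanging` and steps to `prevRootBox()`, and shows one hardened form of the post-loop `if` that tolerates the null `lineBox` the `while` condition already tolerates. The last scenario in `main` is the case the report points at: the walk runs off the top of the chain without meeting `firstLineInBlock`, so `lineBox` is null when the `if` runs.

```cpp
#include <cstdio>
#include <initializer_list>
#include <vector>

// Constructed stand-in for WebKit's RootInlineBox: only the two members the
// widow walk touches (assumption; the real class is far larger).
struct LineBox {
    LineBox* prev = nullptr;          // previous line in the block, nullptr at the top
    bool firstAfterPageBreak = false; // true if a page break sits directly above this line
    bool isFirstAfterPageBreak() const { return firstAfterPageBreak; }
    LineBox* prevRootBox() const { return prev; }
};

// Outcome of the walk: whether a usable break was found, and how many lines
// hang below it. foundBreak == false corresponds to the early 'return' in the
// quoted code ("we didn't create any widows").
struct WidowWalk {
    bool foundBreak;
    int numLinesHanging;
};

// Hardened version of the quoted snippet. The loop guard already allows
// lineBox to become null; the original 'if' then dereferenced it. Checking
// !lineBox first, and otherwise keeping the original conditions in their
// original order, closes that gap.
WidowWalk countLinesHanging(LineBox* lineBox, LineBox* firstLineInBlock) {
    int numLinesHanging = 1;
    while (lineBox && lineBox != firstLineInBlock && !lineBox->isFirstAfterPageBreak()) {
        numLinesHanging++;                // assumed content of the elided "..."
        lineBox = lineBox->prevRootBox(); // walk towards the top of the block
    }

    // Null check added; the two original conditions follow unchanged.
    if (!lineBox || !lineBox->isFirstAfterPageBreak() || lineBox == firstLineInBlock)
        return { false, numLinesHanging };
    return { true, numLinesHanging };
}

// A block of n lines linked backwards, with page breaks flagged at the given
// indices. The walk starts at last() and should stop at or before first().
struct Block {
    std::vector<LineBox> lines;
    LineBox* first() { return &lines.front(); }
    LineBox* last() { return &lines.back(); }
};

Block makeBlock(int n, std::initializer_list<int> breakIndices) {
    Block b;
    b.lines.resize(n); // sized once; element addresses stay valid afterwards
    for (int i = 1; i < n; ++i)
        b.lines[i].prev = &b.lines[i - 1];
    for (int idx : breakIndices)
        b.lines[idx].firstAfterPageBreak = true;
    return b;
}

int main() {
    // Normal case: break above line 2 of 4, so lines 2 and 3 hang below it.
    Block a = makeBlock(4, {2});
    WidowWalk w = countLinesHanging(a.last(), a.first());
    std::printf("break found: %d, lines hanging: %d\n", w.foundBreak, w.numLinesHanging);

    // No break in the block: the walk reaches firstLineInBlock and returns early.
    Block b = makeBlock(3, {});
    w = countLinesHanging(b.last(), b.first());
    std::printf("break found: %d, lines hanging: %d\n", w.foundBreak, w.numLinesHanging);

    // Failure mode from the bug: firstLineInBlock is not in this chain, so the
    // walk falls off the top and lineBox is null after the loop. The original
    // 'if' would dereference it here; the hardened form returns cleanly.
    Block other = makeBlock(1, {});
    w = countLinesHanging(b.last(), other.first());
    std::printf("break found: %d, lines hanging: %d\n", w.foundBreak, w.numLinesHanging);
    return 0;
}
```

The `countLinesHanging` loop guard and the post-loop condition must agree on the same set of states; whenever a loop can exit because its pointer became null, every use of that pointer after the loop needs the same check, which is the whole of the defect the description isolates.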
Comment 1 Julien Chaffraix 2013-01-28 08:41:56 PST
Created attachment 184991 [details]
Proposed blind fix.
Comment 2 WebKit Review Bot 2013-01-28 14:29:52 PST
Comment on attachment 184991 [details]
Proposed blind fix.

Clearing flags on attachment: 184991

Committed r141009: <http://trac.webkit.org/changeset/141009>
Comment 3 WebKit Review Bot 2013-01-28 14:29:55 PST
All reviewed patches have been landed.  Closing bug.