Bug 221378

Summary: Nullptr crash in Node::renderStyle() via CSSLinearGradientValue::createGradient
Product: WebKit
Reporter: Ryosuke Niwa <rniwa>
Component: CSS
Assignee: Rob Buis <rbuis>
Status: RESOLVED FIXED
Severity: Normal
CC: achristensen, bfulgham, cgarcia, ews-feeder, fred.wang, gpoo, koivisto, product-security, rbuis, simon.fraser, svillar, webkit-bug-importer, zalan
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments (description, flags):
  Test (attachment 419222): none
  Patch (attachment 419403): none
  Patch (attachment 419405): none

Description Ryosuke Niwa 2021-02-03 20:15:10 PST
e.g.

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x000000010d33c39c WebCore::Node::renderStyle() const + 0 (NodeRenderStyle.h:36) [inlined]
1   com.apple.WebCore             	0x000000010d33c39c WebCore::CSSLinearGradientValue::createGradient(WebCore::RenderElement&, WebCore::FloatSize const&) + 76 (CSSGradientValue.cpp:809)
2   com.apple.WebCore             	0x000000010d33b360 WebCore::createGradient(WebCore::CSSGradientValue&, WebCore::RenderElement&, WebCore::FloatSize) + 49 (CSSGradientValue.cpp:46) [inlined]
3   com.apple.WebCore             	0x000000010d33b360 WebCore::CSSGradientValue::image(WebCore::RenderElement&, WebCore::FloatSize const&) + 144 (CSSGradientValue.cpp:63)
4   com.apple.WebCore             	0x000000010d34cad0 WebCore::CSSImageGeneratorValue::image(WebCore::RenderElement&, WebCore::FloatSize const&) + 48
5   com.apple.WebCore             	0x000000010df24512 WebCore::StyleGeneratedImage::image(WebCore::RenderElement*, WebCore::FloatSize const&) const + 18 (StyleGeneratedImage.cpp:104)
6   com.apple.WebCore             	0x000000010dda89b8 WebCore::RenderBoxModelObject::paintFillLayerExtended(WebCore::PaintInfo const&, WebCore::Color const&, WebCore::FillLayer const&, WebCore::LayoutRect const&, WebCore::BackgroundBleedAvoidance, WebCore::InlineFlowBox*, WebCore::LayoutSize const&, WebCore::CompositeOperator, WebCore::RenderElement*, WebCore::BaseBackgroundColorUsage) + 6424 (RenderBoxModelObject.cpp:966)
7   com.apple.WebCore             	0x000000010dda07f4 WebCore::RenderBox::paintFillLayer(WebCore::PaintInfo const&, WebCore::Color const&, WebCore::FillLayer const&, WebCore::LayoutRect const&, WebCore::BackgroundBleedAvoidance, WebCore::CompositeOperator, WebCore::RenderElement*, WebCore::BaseBackgroundColorUsage) + 43 (RenderBox.cpp:1790) [inlined]
8   com.apple.WebCore             	0x000000010dda07f4 WebCore::RenderBox::paintFillLayers(WebCore::PaintInfo const&, WebCore::Color const&, WebCore::FillLayer const&, WebCore::LayoutRect const&, WebCore::BackgroundBleedAvoidance, WebCore::CompositeOperator, WebCore::RenderElement*) + 596 (RenderBox.cpp:1781)
9   com.apple.WebCore             	0x000000010dda3fca WebCore::RenderBox::paintBackground(WebCore::PaintInfo const&, WebCore::LayoutRect const&, WebCore::BackgroundBleedAvoidance) + 314 (RenderBox.cpp:1504)
10  com.apple.WebCore             	0x000000010dda13b0 WebCore::RenderBox::paintBoxDecorations(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 1024 (RenderBox.cpp:1459)
11  com.apple.WebCore             	0x000000010dd730ad WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 77 (RenderBlock.cpp:1231)
12  com.apple.WebCore             	0x000000010dd7296d WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 285 (RenderBlock.cpp:1108)
13  com.apple.WebCore             	0x000000010de7f524 WebCore::RenderScrollbarPart::paintIntoRect(WebCore::GraphicsContext&, WebCore::LayoutPoint const&, WebCore::LayoutRect const&) + 548 (RenderScrollbarPart.cpp:180)
14  com.apple.WebCore             	0x000000010de7f2f1 WebCore::RenderScrollbar::paintPart(WebCore::GraphicsContext&, WebCore::ScrollbarPart, WebCore::IntRect const&) + 481 (RenderScrollbar.cpp:267)
15  com.apple.WebCore             	0x000000010de83275 WebCore::RenderScrollbarTheme::paintScrollbarBackground(WebCore::GraphicsContext&, WebCore::Scrollbar&) + 53 (RenderScrollbarTheme.cpp:136)
16  com.apple.WebCore             	0x000000010db16cb9 WebCore::ScrollbarThemeComposite::paint(WebCore::Scrollbar&, WebCore::GraphicsContext&, WebCore::IntRect const&) + 617 (ScrollbarThemeComposite.cpp:79)
17  com.apple.WebCore             	0x000000010db15f2d WebCore::Scrollbar::paint(WebCore::GraphicsContext&, WebCore::IntRect const&, WebCore::Widget::SecurityOriginPaintPolicy, WebCore::EventRegionContext*) + 173 (Scrollbar.cpp:153)
18  com.apple.WebCore             	0x000000010de37a60 WebCore::paintScrollbar(WebCore::Scrollbar*, WebCore::GraphicsContext&, WebCore::IntRect const&) + 160 (RenderLayerCompositor.cpp:3562)
19  com.apple.WebCore             	0x000000010de45a85 WebCore::RenderLayerCompositor::paintContents(WebCore::GraphicsLayer const*, WebCore::GraphicsContext&, WebCore::FloatRect const&, unsigned int) + 325
20  com.apple.WebCore             	0x000000010db939b6 WebCore::GraphicsLayer::paintGraphicsLayerContents(WebCore::GraphicsContext&, WebCore::FloatRect const&, unsigned int) + 182 (GraphicsLayer.cpp:530)
21  com.apple.WebCore             	0x000000010dbdb0f7 WebCore::GraphicsLayerCA::platformCALayerPaintContents(WebCore::PlatformCALayer*, WebCore::GraphicsContext&, WebCore::FloatRect const&, unsigned int) + 231 (GraphicsLayerCA.cpp:1715)

<rdar://problem/72995309>
Comment 1 Ryosuke Niwa 2021-02-03 20:15:22 PST
Created attachment 419222 [details]
Test
Comment 2 Rob Buis 2021-02-05 07:33:35 PST
Created attachment 419403 [details]
Patch
Comment 3 Rob Buis 2021-02-05 07:34:31 PST
Created attachment 419405 [details]
Patch
Comment 4 EWS 2021-02-08 09:36:25 PST
Committed r272497: <https://commits.webkit.org/r272497>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 419405 [details].