Bug 221378

Summary:

Nullptr crash in Node::renderStyle() via CSSLinearGradientValue::createGradient

Product:

WebKit

Reporter:

Ryosuke Niwa <rniwa>

Component:

CSS

Assignee:

Rob Buis <rbuis>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

achristensen, bfulgham, cgarcia, ews-feeder, fred.wang, gpoo, koivisto, product-security, rbuis, simon.fraser, svillar, webkit-bug-importer, zalan

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Test	none
Patch	none
Patch	none

Ryosuke Niwa

Reported 2021-02-03 20:15:10 PST

e.g. Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x000000010d33c39c WebCore::Node::renderStyle() const + 0 (NodeRenderStyle.h:36) [inlined] 1 com.apple.WebCore 0x000000010d33c39c WebCore::CSSLinearGradientValue::createGradient(WebCore::RenderElement&, WebCore::FloatSize const&) + 76 (CSSGradientValue.cpp:809) 2 com.apple.WebCore 0x000000010d33b360 WebCore::createGradient(WebCore::CSSGradientValue&, WebCore::RenderElement&, WebCore::FloatSize) + 49 (CSSGradientValue.cpp:46) [inlined] 3 com.apple.WebCore 0x000000010d33b360 WebCore::CSSGradientValue::image(WebCore::RenderElement&, WebCore::FloatSize const&) + 144 (CSSGradientValue.cpp:63) 4 com.apple.WebCore 0x000000010d34cad0 WebCore::CSSImageGeneratorValue::image(WebCore::RenderElement&, WebCore::FloatSize const&) + 48 5 com.apple.WebCore 0x000000010df24512 WebCore::StyleGeneratedImage::image(WebCore::RenderElement*, WebCore::FloatSize const&) const + 18 (StyleGeneratedImage.cpp:104) 6 com.apple.WebCore 0x000000010dda89b8 WebCore::RenderBoxModelObject::paintFillLayerExtended(WebCore::PaintInfo const&, WebCore::Color const&, WebCore::FillLayer const&, WebCore::LayoutRect const&, WebCore::BackgroundBleedAvoidance, WebCore::InlineFlowBox*, WebCore::LayoutSize const&, WebCore::CompositeOperator, WebCore::RenderElement*, WebCore::BaseBackgroundColorUsage) + 6424 (RenderBoxModelObject.cpp:966) 7 com.apple.WebCore 0x000000010dda07f4 WebCore::RenderBox::paintFillLayer(WebCore::PaintInfo const&, WebCore::Color const&, WebCore::FillLayer const&, WebCore::LayoutRect const&, WebCore::BackgroundBleedAvoidance, WebCore::CompositeOperator, WebCore::RenderElement*, WebCore::BaseBackgroundColorUsage) + 43 (RenderBox.cpp:1790) [inlined] 8 com.apple.WebCore 0x000000010dda07f4 WebCore::RenderBox::paintFillLayers(WebCore::PaintInfo const&, WebCore::Color const&, WebCore::FillLayer const&, WebCore::LayoutRect const&, WebCore::BackgroundBleedAvoidance, WebCore::CompositeOperator, WebCore::RenderElement*) + 596 (RenderBox.cpp:1781) 9 com.apple.WebCore 0x000000010dda3fca WebCore::RenderBox::paintBackground(WebCore::PaintInfo const&, WebCore::LayoutRect const&, WebCore::BackgroundBleedAvoidance) + 314 (RenderBox.cpp:1504) 10 com.apple.WebCore 0x000000010dda13b0 WebCore::RenderBox::paintBoxDecorations(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 1024 (RenderBox.cpp:1459) 11 com.apple.WebCore 0x000000010dd730ad WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 77 (RenderBlock.cpp:1231) 12 com.apple.WebCore 0x000000010dd7296d WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 285 (RenderBlock.cpp:1108) 13 com.apple.WebCore 0x000000010de7f524 WebCore::RenderScrollbarPart::paintIntoRect(WebCore::GraphicsContext&, WebCore::LayoutPoint const&, WebCore::LayoutRect const&) + 548 (RenderScrollbarPart.cpp:180) 14 com.apple.WebCore 0x000000010de7f2f1 WebCore::RenderScrollbar::paintPart(WebCore::GraphicsContext&, WebCore::ScrollbarPart, WebCore::IntRect const&) + 481 (RenderScrollbar.cpp:267) 15 com.apple.WebCore 0x000000010de83275 WebCore::RenderScrollbarTheme::paintScrollbarBackground(WebCore::GraphicsContext&, WebCore::Scrollbar&) + 53 (RenderScrollbarTheme.cpp:136) 16 com.apple.WebCore 0x000000010db16cb9 WebCore::ScrollbarThemeComposite::paint(WebCore::Scrollbar&, WebCore::GraphicsContext&, WebCore::IntRect const&) + 617 (ScrollbarThemeComposite.cpp:79) 17 com.apple.WebCore 0x000000010db15f2d WebCore::Scrollbar::paint(WebCore::GraphicsContext&, WebCore::IntRect const&, WebCore::Widget::SecurityOriginPaintPolicy, WebCore::EventRegionContext*) + 173 (Scrollbar.cpp:153) 18 com.apple.WebCore 0x000000010de37a60 WebCore::paintScrollbar(WebCore::Scrollbar*, WebCore::GraphicsContext&, WebCore::IntRect const&) + 160 (RenderLayerCompositor.cpp:3562) 19 com.apple.WebCore 0x000000010de45a85 WebCore::RenderLayerCompositor::paintContents(WebCore::GraphicsLayer const*, WebCore::GraphicsContext&, WebCore::FloatRect const&, unsigned int) + 325 20 com.apple.WebCore 0x000000010db939b6 WebCore::GraphicsLayer::paintGraphicsLayerContents(WebCore::GraphicsContext&, WebCore::FloatRect const&, unsigned int) + 182 (GraphicsLayer.cpp:530) 21 com.apple.WebCore 0x000000010dbdb0f7 WebCore::GraphicsLayerCA::platformCALayerPaintContents(WebCore::PlatformCALayer*, WebCore::GraphicsContext&, WebCore::FloatRect const&, unsigned int) + 231 (GraphicsLayerCA.cpp:1715) <rdar://problem/72995309>

Attachments
Test (405 bytes, text/html) 2021-02-03 20:15 PST, Ryosuke Niwa	no flags	Details
Patch (9.75 KB, patch) 2021-02-05 07:33 PST, Rob Buis	no flags	Details Formatted Diff Diff
Patch (8.42 KB, patch) 2021-02-05 07:34 PST, Rob Buis	no flags	Details Formatted Diff Diff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.

Ryosuke Niwa

Comment 1 2021-02-03 20:15:22 PST

Created attachment 419222 [details] Test

Rob Buis

Comment 2 2021-02-05 07:33:35 PST

Created attachment 419403 [details] Patch

Rob Buis

Comment 3 2021-02-05 07:34:31 PST

Created attachment 419405 [details] Patch

EWS

Comment 4 2021-02-08 09:36:25 PST

Committed r272497: <https://commits.webkit.org/r272497> All reviewed patches have been landed. Closing bug and clearing flags on attachment 419405 [details].

Note You need to log in before you can comment on or make changes to this bug.