Bug 48218

Summary: Two null ptr when trying to split anonymous blocks
Product: WebKit
Reporter: Abhishek Arya <inferno>
Component: Layout and Rendering
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Minor
CC: hyatt, mitz
Priority: P2
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: PC
OS: OS X 10.5

Attachments:
Description    Flags
Testcase1      none
Testcase2      none

Abhishek Arya
Reported 2010-10-24 19:11:26 PDT
Created attachment 71706 [details] Testcase1

I have two null ptr crashes in RenderBlock::splitBlocks because we try to create the clone of an anonymous block. In the first testcase, I crash on line 408, RenderBlock* cloneBlock = clone(); and in the second testcase, I hit the assert on line 427, ASSERT(curr->isRenderBlock() && !curr->isAnonymousBlock());. Anonymous blocks return null nodes, which causes the crash. Filing a low-severity security bug since it crashes Safari. Don't need a Chromium bug since it just crashes that tab.
Attachments
Testcase1 (106 bytes, text/html)
2010-10-24 19:11 PDT, Abhishek Arya
no flags
Testcase2 (24.60 KB, text/html)
2010-10-24 19:11 PDT, Abhishek Arya
no flags
Abhishek Arya
Comment 1 2010-10-24 19:11:57 PDT
Created attachment 71708 [details] Testcase2
Abhishek Arya
Comment 2 2010-10-24 19:14:08 PDT
Stacktrace:
WebCore::Node::document() Line 341 + 0x3 bytes
WebCore::RenderObject::RenderObject(WebCore::Node * node=0x00000000) Line 218 + 0x101 bytes
WebCore::RenderBoxModelObject::RenderBoxModelObject(WebCore::Node * node=0x00000000) Line 194 + 0x1a bytes
WebCore::RenderBox::RenderBox(WebCore::Node * node=0x00000000) Line 78 + 0x1a bytes
WebCore::RenderBlock::RenderBlock(WebCore::Node * node=0x00000000) Line 120 + 0x1a bytes
WebCore::RenderBlock::clone() Line 397 + 0x30 bytes
WebCore::RenderBlock::splitBlocks(WebCore::RenderBlock * fromBlock=0x04fc22dc, WebCore::RenderBlock * toBlock=0x0776fbdc, WebCore::RenderBlock * middleBlock=0x04fc236c, WebCore::RenderObject * beforeChild=0x00000000, WebCore::RenderBoxModelObject * oldCont=0x00000000) Line 433 + 0x8 bytes
WebCore::RenderBlock::splitFlow(WebCore::RenderObject * beforeChild=0x00000000, WebCore::RenderBlock * newBlockBox=0x04fc236c, WebCore::RenderObject * newChild=0x0776ff3c, WebCore::RenderBoxModelObject * oldCont=0x00000000) Line 511
WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks(WebCore::RenderObject * newChild=0x0776ff3c, WebCore::RenderObject * beforeChild=0x00000000) Line 654
WebCore::RenderBlock::addChildIgnoringContinuation(WebCore::RenderObject * newChild=0x0776ff3c, WebCore::RenderObject * beforeChild=0x00000000) Line 752 + 0x1a bytes
WebCore::RenderBlock::addChild(WebCore::RenderObject * newChild=0x0776ff3c, WebCore::RenderObject * beforeChild=0x00000000) Line 745 + 0x17 bytes
WebCore::Node::createRendererIfNeeded() Line 1337 + 0x21 bytes
WebCore::Element::attach() Line 852
WebCore::ContainerNode::attach() Line 708 + 0x12 bytes
WebCore::Element::attach() Line 853
WebCore::ContainerNode::attach() Line 708 + 0x12 bytes
WebCore::Element::attach() Line 853
WebCore::ContainerNode::attach() Line 708 + 0x12 bytes
WebCore::Element::attach() Line 853
WebCore::ContainerNode::attach() Line 708 + 0x12 bytes
WebCore::Element::attach() Line 853
WebCore::ContainerNode::attach() Line 708 + 0x12 bytes
WebCore::Element::attach() Line 853
WebCore::ContainerNode::attach() Line 708 + 0x12 bytes
WebCore::Element::attach() Line 853
WebCore::ContainerNode::attach() Line 708 + 0x12 bytes
WebCore::Element::attach() Line 853
WebCore::Element::recalcStyle(WebCore::Node::StyleChange change=NoChange) Line 942 + 0x12 bytes
WebCore::Element::recalcStyle(WebCore::Node::StyleChange change=NoChange) Line 1005 + 0x16 bytes
WebCore::Element::recalcStyle(WebCore::Node::StyleChange change=NoChange) Line 1005 + 0x16 bytes
WebCore::Element::recalcStyle(WebCore::Node::StyleChange change=NoChange) Line 1005 + 0x16 bytes
WebCore::Element::recalcStyle(WebCore::Node::StyleChange change=NoChange) Line 1005 + 0x16 bytes
WebCore::Document::recalcStyle(WebCore::Node::StyleChange change=NoChange) Line 1492 + 0x16 bytes
WebCore::Document::updateStyleIfNeeded() Line 1533 + 0x14 bytes
WebCore::Document::finishedParsing() Line 4148 + 0x12 bytes
WebCore::HTMLTreeBuilder::finished() Line 2766 + 0x1a bytes
WebCore::HTMLDocumentParser::end() Line 324
WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() Line 333
WebCore::HTMLDocumentParser::prepareToStopParsing() Line 151
WebCore::HTMLDocumentParser::attemptToEnd() Line 344 + 0xf bytes
WebCore::HTMLDocumentParser::finish() Line 373
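The stack trace above reads, top to bottom, as: RenderBlock::clone() constructs a new RenderBlock from the current block's node, and the RenderObject base constructor dereferences that node (Node::document()). An anonymous block has no DOM node, so the pointer is null and the constructor faults. The toy C++ model below is an added illustration, not WebKit code and not the fix that closed this bug. It keeps the report's names (RenderBlock, clone, isAnonymousBlock, the ASSERT precondition from line 427) as stand-ins, and the guarded clone plus the chain check are assumptions about the kind of precondition the report's ASSERT expresses, not the real patch.

```cpp
// Toy model of the null-node clone failure described in WebKit bug 48218.
// Not WebKit code; class and method names are stand-ins borrowed from the
// report. The guarded clone and chainIsSplittable are assumptions about the
// precondition, not the real fix.
#include <cassert>
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

struct Document {
    std::string url;
};

// A DOM node knows its document; a renderer constructed from a node reads it.
struct Node {
    Document* doc;
    Document* document() const { return doc; }
};

class RenderBlock {
public:
    // Mirrors the reported constructor chain: the base constructor
    // dereferences the node it is given. Passing null here is the crash.
    explicit RenderBlock(Node* node)
        : m_node(node), m_document(node->document()) {}

    // Anonymous blocks have no DOM node; this is what "anonymous blocks
    // return null nodes" in the report means.
    static std::unique_ptr<RenderBlock> createAnonymous() {
        return std::unique_ptr<RenderBlock>(new RenderBlock());
    }

    bool isAnonymousBlock() const { return m_node == nullptr; }
    Node* node() const { return m_node; }
    Document* document() const { return m_document; }

    // Unguarded clone, shaped like the reported path: on an anonymous block
    // this hands a null node to the constructor and faults.
    std::unique_ptr<RenderBlock> cloneUnguarded() const {
        return std::unique_ptr<RenderBlock>(new RenderBlock(node()));
    }

    // Guarded clone (assumption, not the shipped fix): refuse to clone a
    // block that has no node to clone from, so the caller can bail out.
    std::unique_ptr<RenderBlock> cloneGuarded() const {
        if (isAnonymousBlock())
            return nullptr;
        return std::unique_ptr<RenderBlock>(new RenderBlock(node()));
    }

private:
    RenderBlock() : m_node(nullptr), m_document(nullptr) {}
    Node* m_node;
    Document* m_document;
};

// The precondition the report's ASSERT on line 427 spells out for one block:
// it must be a real, non-anonymous RenderBlock before it is cloned.
bool canSplitAt(const RenderBlock& block) {
    return !block.isAnonymousBlock();
}

// Every block a split would clone must satisfy the precondition; checking the
// whole chain up front turns the crash into a refused operation.
bool chainIsSplittable(const std::vector<const RenderBlock*>& chain) {
    for (const RenderBlock* block : chain) {
        if (!block || !canSplitAt(*block))
            return false;
    }
    return true;
}

// Scenario 1 (constructed sample): a block backed by a real node clones fine
// and the clone keeps the same document.
bool realBlockClones() {
    Document doc{"about:blank"};
    Node node{&doc};
    RenderBlock block(&node);
    auto copy = block.cloneGuarded();
    return copy && copy->document() == &doc && !copy->isAnonymousBlock();
}

// Scenario 2 (constructed sample): an anonymous block is refused instead of
// dereferencing a null node.
bool anonymousBlockRefused() {
    auto anon = RenderBlock::createAnonymous();
    return anon->isAnonymousBlock() && !canSplitAt(*anon) && anon->cloneGuarded() == nullptr;
}

int main() {
    std::printf("real block clones: %s\n", realBlockClones() ? "yes" : "no");
    std::printf("anonymous block refused: %s\n", anonymousBlockRefused() ? "yes" : "no");
    return 0;
}
```

The point of the model is where the check lives: the constructor cannot refuse a null node, so the caller that decides to clone (the split path) has to verify every block it touches is non-anonymous before it starts, which is exactly what the ASSERT in the second testcase is checking too late in release builds.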
Lucas Forschler
Comment 3 2010-10-25 10:23:15 PDT
Abhishek Arya
Comment 4 2010-12-30 22:24:22 PST