Bug 48983

Summary: REGRESSION: multicol crashes with positioned elements
Product: WebKit Reporter: Shinichiro Hamaji <hamaji>
Component: CSSAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: fred.wang, hyatt, mitz, phanna
Priority: P1 Keywords: InRadar, Regression
Version: 528+ (Nightly build)   
Hardware: PC   
OS: All   
Bug Depends on:    
Bug Blocks: 84012    
Attachments:
Description Flags
Test case
none
Test case for the first assertion failure
none
Update the logic in {paint,hitTest}PaginatedChildLayer() after r68069 darin: review+

Shinichiro Hamaji
Reported 2010-11-04 02:45:35 PDT
Created attachment 72919 [details] Test case Recent WebKit crashes with attached HTML. This doesn't happen with Safari 4.0.5. I'm guessing this issue was introduced by dhyatt's recent multicol changes. Corresponding chromium bug: http://code.google.com/p/chromium/issues/detail?id=58101
Attachments
Test case (389 bytes, text/html)
2010-11-04 02:45 PDT, Shinichiro Hamaji 		no flags
Details
Test case for the first assertion failure (212 bytes, text/html)
2010-11-04 02:50 PDT, Shinichiro Hamaji 		no flags
Details
Update the logic in {paint,hitTest}PaginatedChildLayer() after r68069 (4.37 KB, patch)
2011-03-28 14:15 PDT, mitz 		darin: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Shinichiro Hamaji
Comment 1 2010-11-04 02:50:27 PDT
Created attachment 72920 [details] Test case for the first assertion failure Note that there are two assertion violations in RenderLayer::paintPaginatedChildLayer: ASSERT(!renderer()->isPositioned()); ASSERT(columnLayers.size()); The former assertion failure happens even with a simpler HTML I'm attaching now. The latter assertion failure causes the crash. I'm guessing m_isPaginated should be false for this kind of cases, but I'm not sure. I didn't look into this bug closely at all.
Alexey Proskuryakov
Comment 2 2010-11-04 12:41:56 PDT
> This doesn't happen with Safari 4.0.5 Not crashing with 5.0.2 either.
Berend-Jan Wever
Comment 3 2010-12-29 00:50:24 PST
This causes one of two NULL ptrs, depending on whether your mouse is hovering over the page or not while reproducing the crash. Reduced repro: <body style="position: absolute; -webkit-column-count: 2;"> <div style="overflow: hidden;"> <img style="position: relative; width: 180px;"> </div> </body> id: chrome.dll!WebCore::RenderLayer::paintChildLayerIntoColumns ReadAV@NULL (3e28197c414363f3d6c613777e35f7b0) description: Attempt to read from unallocated NULL pointer-0x4 in chrome.dll!WebCore::RenderLayer::paintChildLayerIntoColumns application: Chromium 10.0.623.0 stack: chrome.dll!WebCore::RenderLayer::paintChildLayerIntoColumns chrome.dll!WebCore::RenderLayer::paintPaginatedChildLayer chrome.dll!WebCore::RenderLayer::paintList chrome.dll!WebCore::RenderLayer::paintLayer chrome.dll!WebCore::RenderLayer::paintList chrome.dll!WebCore::RenderLayer::paintLayer chrome.dll!WebCore::RenderLayer::paint chrome.dll!WebCore::FrameView::paintContents chrome.dll!WebCore::ScrollView::paint chrome.dll!WebKit::WebFrameImpl::paintWithContext chrome.dll!WebKit::WebFrameImpl::paint chrome.dll!RenderWidget::PaintRect chrome.dll!RenderWidget::DoDeferredUpdate chrome.dll!RenderWidget::CallDoDeferredUpdate chrome.dll!MessageLoop::RunTask chrome.dll!MessageLoop::DoWork chrome.dll!base::MessagePumpDefault::Run chrome.dll!MessageLoop::RunInternal chrome.dll!MessageLoop::Run ... http://trac.webkit.org/browser/trunk/WebCore/rendering/RenderLayer.cpp#L2599 id: chrome.dll!WebCore::RenderLayer::hitTestChildLayerColumns ReadAV@NULL (190d37d7e428d0f0eb541dd4c90591a6) description: Attempt to read from unallocated NULL pointer-0x4 in chrome.dll!WebCore::RenderLayer::hitTestChildLayerColumns application: Chromium 10.0.623.0 stack: chrome.dll!WebCore::RenderLayer::hitTestChildLayerColumns chrome.dll!WebCore::RenderLayer::hitTestPaginatedChildLayer chrome.dll!WebCore::RenderLayer::hitTestList chrome.dll!WebCore::RenderLayer::hitTestLayer chrome.dll!WebCore::RenderLayer::hitTestList chrome.dll!WebCore::RenderLayer::hitTestLayer chrome.dll!WebCore::RenderLayer::hitTest chrome.dll!WebCore::Document::prepareMouseEvent chrome.dll!WebCore::EventHandler::prepareMouseEvent chrome.dll!WebCore::EventHandler::handleMouseMoveEvent chrome.dll!WebCore::EventHandler::mouseMoved chrome.dll!WebKit::WebViewImpl::mouseMove chrome.dll!WebKit::WebViewImpl::handleInputEvent chrome.dll!RenderWidget::OnHandleInputEvent chrome.dll!IPC::Message::Dispatch<...> chrome.dll!RenderWidget::OnMessageReceived chrome.dll!(unknown) chrome.dll!MessageRouter::RouteMessage chrome.dll!MessageRouter::OnMessageReceived chrome.dll!ChildThread::OnMessageReceived chrome.dll!RunnableMethod<ProfileWriter,void chrome.dll!MessageLoop::RunTask chrome.dll!MessageLoop::DoWork chrome.dll!base::MessagePumpDefault::Run chrome.dll!MessageLoop::RunInternal chrome.dll!MessageLoop::Run ... http://trac.webkit.org/browser/trunk/WebCore/rendering/RenderLayer.cpp#L3064
Alexey Proskuryakov
Comment 4 2011-01-20 16:59:20 PST
<rdar://problem/8895977>
mitz
Comment 5 2011-03-28 14:15:53 PDT
Created attachment 87204 [details] Update the logic in {paint,hitTest}PaginatedChildLayer() after r68069
mitz
Comment 6 2011-03-28 14:33:25 PDT
Fixed in r82158. <http://trac.webkit.org/changeset/82158>
Steve Block
Comment 7 2011-06-02 10:19:39 PDT
*** Bug 56107 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.