Bug 84774

Summary: NULL-deref in RenderBox::clippedOverflowRectForRepaint
Product: WebKit
Reporter: Julien Chaffraix <jchaffraix>
Component: Layout and Rendering
Assignee: Julien Chaffraix <jchaffraix>
Status: RESOLVED FIXED
Severity: Normal
CC: tony, webkit.review.bot
Priority: P1
Version: 528+ (Nightly build)
Hardware: All
OS: All
Attachments:
- test case (flags: none)
- Proposed fix 1: Check that we have an attached continuation. (flags: none)

Julien Chaffraix
Reported 2012-04-24 14:18:37 PDT
Created attachment 138641 [details] test case

Backtrace:
WebCore::RenderLayer::hasVisibleContent() [0x18f5490]
WebCore::RenderBox::clippedOverflowRectForRepaint() [0x192f6f5]
WebCore::RenderObject::rectWithOutlineForRepaint() [0x19d8e1f]
WebCore::RenderBlock::rectWithOutlineForRepaint() [0x18ecd85]
WebCore::RenderInline::clippedOverflowRectForRepaint() [0x1981d36]
WebCore::RenderText::clippedOverflowRectForRepaint() [0x1a1d7d5]
WebCore::RenderObject::repaint() [0x19d7b5b]
WebCore::RenderObjectChildList::removeChildNode() [0x19df707]
WebCore::RenderObject::removeChild() [0x19d2ba9]
WebCore::RenderObject::remove() [0x197778a]
WebCore::RenderObject::willBeDestroyed() [0x19dc231]
WebCore::RenderText::willBeDestroyed() [0x1a180d8]
WebCore::RenderTextFragment::willBeDestroyed() [0x1a26872]
WebCore::RenderObject::destroy() [0x19dc5a7]
WebCore::RenderObjectChildList::destroyLeftoverChildren() [0x19df560]
WebCore::RenderInline::willBeDestroyed() [0x197c417]
WebCore::RenderObject::destroy() [0x19dc5a7]
WebCore::RenderObjectChildList::updateBeforeAfterContent() [0x19e12cc]
WebCore::RenderInline::addChildIgnoringContinuation() [0x197d2db]
WebCore::RenderInline::addChild() [0x197cf52]
WebCore::NodeRendererFactory::createRendererIfNeeded() [0x77be2c]
WebCore::Node::createRendererIfNeeded() [0x75d563]
WebCore::Element::attach() [0x73479d]
WebCore::Node::reattach() [0x7395b2]
WebCore::Element::recalcStyle() [0x735054]
WebCore::Element::recalcStyle() [0x7356eb]

The issue is at the following line:

    if (style()->visibility() != VISIBLE && !enclosingLayer()->hasVisibleContent())

enclosingLayer() returns 0 as we are called on a not-yet-inserted RenderObject (it's a newly created continuation, see test case).
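The mechanism described in the report, as an added toy model that is not WebKit code: an object that has not been inserted into the render tree has no enclosing layer, so the unguarded visibility check dereferences null when repaint() runs during destruction. The class layout and the null-tolerant variant shown beside it are assumptions for illustration, not the patch that landed.

```cpp
// Added illustration of Bug 84774 (not WebKit code). The names mirror the
// backtrace, but every type here is a stand-in with just enough structure
// to show why enclosingLayer() can be null.
enum Visibility { VISIBLE, HIDDEN };

struct RenderLayer {
    bool visibleContent;
    bool hasVisibleContent() const { return visibleContent; }
};

struct RenderObject {
    RenderObject* parent = nullptr;   // stays null until inserted into the tree
    RenderLayer* layer = nullptr;     // non-null only for layer-owning boxes
    Visibility visibility = VISIBLE;

    // Walks from this object up through its ancestors to the nearest one
    // that owns a layer. A freshly created continuation that has not been
    // inserted yet has no parent chain, so this returns nullptr.
    RenderLayer* enclosingLayer() const {
        for (const RenderObject* o = this; o; o = o->parent)
            if (o->layer) return o->layer;
        return nullptr;
    }
};

// Shape of the original check: enclosingLayer() is dereferenced as soon as
// visibility is not VISIBLE. On an unattached object this is a null deref.
bool skipsRepaintUnguarded(const RenderObject& box) {
    return box.visibility != VISIBLE && !box.enclosingLayer()->hasVisibleContent();
}

// One defensive variant (assumed, not the landed fix): fetch the layer once
// and treat "no layer" as "nothing visible to repaint", so the unattached
// case returns instead of crashing.
bool skipsRepaintGuarded(const RenderObject& box) {
    if (box.visibility == VISIBLE) return false;
    const RenderLayer* layer = box.enclosingLayer();
    return !layer || !layer->hasVisibleContent();
}
```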
Attachments
test case (554 bytes, text/html)
2012-04-24 14:18 PDT, Julien Chaffraix
no flags
Proposed fix 1: Check that we have an attached continuation. (4.49 KB, patch)
2012-04-24 14:34 PDT, Julien Chaffraix
no flags
Julien Chaffraix
Comment 1 2012-04-24 14:34:58 PDT
Created attachment 138647 [details] Proposed fix 1: Check that we have an attached continuation.
WebKit Review Bot
Comment 2 2012-04-27 11:43:18 PDT
Comment on attachment 138647 [details] Proposed fix 1: Check that we have an attached continuation.

Clearing flags on attachment: 138647

Committed r115458: <http://trac.webkit.org/changeset/115458>
WebKit Review Bot
Comment 3 2012-04-27 11:43:22 PDT
All reviewed patches have been landed. Closing bug.