Bug 98993

Summary: WebCore::RenderBlock::determineStartPosition crash
Product: WebKit Reporter: Mike Lawther <mikelawther>
Component: Layout and RenderingAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: cabanier, eric, mitz, tasak, webkit.review.bot
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch none

Mike Lawther
Reported 2012-10-10 22:19:55 PDT
As reported in http://crbug.com/123440. Repro: ----- <body style="position:absolute;"> <foo style="white-space:pre-wrap;"> <ul style="zoom:1866;"></ul> <sup> <foo id="root"> a<foo style="position:fixed;"></foo><foo><label id="node"> a</label> </foo> </foo></sup></foo> </body> <script type="text/javascript"> document.body.offsetTop; root.appendChild(node); </script> ----- Crashes with NULL deref at: 0012ec24 030380b5 chrome_1c30000!WebCore::RenderBlock::determineStartPosition(class WebCore::LineLayoutState * layoutState = 0x0012ed88, class WebCore::BidiResolver<WebCore::InlineIterator,WebCore::BidiRun> * resolver = 0x0012ec68)+0x18b [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\rendering\renderblocklinelayout.cpp @ 1632] 0012ed6c 0303869c chrome_1c30000!WebCore::RenderBlock::layoutRunsAndFloats(class WebCore::LineLayoutState * layoutState = 0x0012ed88, bool hasInlineChild = true)+0x35 [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\rendering\renderblocklinelayout.cpp @ 1162] [....]
Attachments
Patch (4.70 KB, patch)
2012-10-16 02:15 PDT, Takashi Sakamoto 		no flags
DetailsFormatted DiffDiff
Patch (4.67 KB, patch)
2012-10-16 20:27 PDT, Takashi Sakamoto 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Alexey Proskuryakov
Comment 1 2012-10-11 13:28:47 PDT
Affects Safari 6.0.1 and ToT.
Takashi Sakamoto
Comment 2 2012-10-16 02:15:02 PDT
Created attachment 168896 [details] Patch
mitz
Comment 3 2012-10-16 08:10:29 PDT
Comment on attachment 168896 [details] Patch Shouldn't removing the line break object in the scenario you're describing dirty the line? Can you simplify the test? It is not clear which style properties are significant to the bug and whether the node has to be moved or merely removed.
Takashi Sakamoto
Comment 4 2012-10-16 20:27:29 PDT
Created attachment 169080 [details] Patch
Takashi Sakamoto
Comment 5 2012-10-16 20:57:02 PDT
(In reply to comment #3) Thank you for reviewing. I updated the condition, because the comment says: // The previous line didn't break cleanly or broke at a newline // that has been deleted, so treat it as dirty too. I think, this would match the case:"The previous line broke at a newline that has been deleted." > (From update of attachment 168896 [details]) > Shouldn't removing the line break object in the scenario you're describing dirty the line? Removing the line break object is caused by Node::detach(). So, I think, it is a little difficult to avoid removing, because render objects related to the line break might be destroyed. #0 WebCore::RootInlineBox::childRemoved (this=0x7fffeaa96a98, box=0x7fffea924b58) #1 0x0000000001ea359c in WebCore::InlineFlowBox::removeChild (this=0x7fffea924a38, child=0x7fffea924b58) #2 0x0000000001ea0b73 in WebCore::InlineBox::remove (this=0x7fffea924b58) #3 0x0000000001f8c85d in WebCore::RenderInline::willBeDestroyed (this=0x7fffea8fdeb8) #4 0x0000000001ffce75 in WebCore::RenderObject::destroy (this=0x7fffea8fdeb8) #5 0x0000000001ffcd7d in WebCore::RenderObject::destroyAndCleanupAnonymousWrappers (this=0x7fffea8fdeb8) #6 0x00000000010acaa2 in WebCore::Node::detach (this=0x7fffeaa05200) > Can you simplify the test? It is not clear which style properties are significant to the bug and whether the node has to be moved or merely removed. I see. I updated the test. Best regards, Takashi Sakamoto
Brent Fulgham
Comment 6 2012-11-25 23:38:12 PST
Comment on attachment 169080 [details] Patch Looks good. R=me.
WebKit Review Bot
Comment 7 2012-11-25 23:46:25 PST
Comment on attachment 169080 [details] Patch Clearing flags on attachment: 169080 Committed r135684: <http://trac.webkit.org/changeset/135684>
WebKit Review Bot
Comment 8 2012-11-25 23:46:29 PST
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.