Bug 98993

Summary: WebCore::RenderBlock::determineStartPosition crash
Product: WebKit Reporter: Mike Lawther <mikelawther>
Component: Layout and RenderingAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: cabanier, eric, mitz, tasak, webkit.review.bot
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch none

Description Mike Lawther 2012-10-10 22:19:55 PDT 
As reported in http://crbug.com/123440.

Repro:
-----
<body style="position:absolute;">
<foo style="white-space:pre-wrap;">
<ul style="zoom:1866;"></ul>
<sup>
<foo id="root">
a<foo style="position:fixed;"></foo><foo><label id="node">
a</label>
</foo>
</foo></sup></foo>
</body>
<script type="text/javascript">
document.body.offsetTop;
root.appendChild(node);
</script>
-----

Crashes with NULL deref at:

0012ec24 030380b5 chrome_1c30000!WebCore::RenderBlock::determineStartPosition(class WebCore::LineLayoutState * layoutState = 0x0012ed88, class WebCore::BidiResolver<WebCore::InlineIterator,WebCore::BidiRun> * resolver = 0x0012ec68)+0x18b [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\rendering\renderblocklinelayout.cpp @ 1632]
0012ed6c 0303869c chrome_1c30000!WebCore::RenderBlock::layoutRunsAndFloats(class WebCore::LineLayoutState * layoutState = 0x0012ed88, bool hasInlineChild = true)+0x35 [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\rendering\renderblocklinelayout.cpp @ 1162]
[....]
Comment 1 Alexey Proskuryakov 2012-10-11 13:28:47 PDT 
Affects Safari 6.0.1 and ToT.
Comment 2 Takashi Sakamoto 2012-10-16 02:15:02 PDT 
Created attachment 168896 [details]
Patch
Comment 3 mitz 2012-10-16 08:10:29 PDT 
Comment on attachment 168896 [details]
Patch

Shouldn't removing the line break object in the scenario you're describing dirty the line?

Can you simplify the test? It is not clear which style properties are significant to the bug and whether the node has to be moved or merely removed.
Comment 4 Takashi Sakamoto 2012-10-16 20:27:29 PDT 
Created attachment 169080 [details]
Patch
Comment 5 Takashi Sakamoto 2012-10-16 20:57:02 PDT 
(In reply to comment #3)

Thank you for reviewing.

I updated the condition, because the comment says:

                     // The previous line didn't break cleanly or broke at a newline
                     // that has been deleted, so treat it as dirty too.

I think, this would match the case:"The previous line broke at a newline that has been deleted."

> (From update of attachment 168896 [details])
> Shouldn't removing the line break object in the scenario you're describing dirty the line?

Removing the line break object is caused by Node::detach(). So, I think, it is a little difficult to avoid removing, because render objects related to the line break might be destroyed. 

#0  WebCore::RootInlineBox::childRemoved (this=0x7fffeaa96a98,  box=0x7fffea924b58)
#1  0x0000000001ea359c in WebCore::InlineFlowBox::removeChild (this=0x7fffea924a38, child=0x7fffea924b58)
#2  0x0000000001ea0b73 in WebCore::InlineBox::remove (this=0x7fffea924b58)
#3  0x0000000001f8c85d in WebCore::RenderInline::willBeDestroyed (this=0x7fffea8fdeb8)
#4  0x0000000001ffce75 in WebCore::RenderObject::destroy (this=0x7fffea8fdeb8)
#5  0x0000000001ffcd7d in WebCore::RenderObject::destroyAndCleanupAnonymousWrappers (this=0x7fffea8fdeb8)
#6  0x00000000010acaa2 in WebCore::Node::detach (this=0x7fffeaa05200)


> Can you simplify the test? It is not clear which style properties are significant to the bug and whether the node has to be moved or merely removed.

I see. I updated the test.

Best regards,
Takashi Sakamoto
Comment 6 Brent Fulgham 2012-11-25 23:38:12 PST 
Comment on attachment 169080 [details]
Patch

Looks good. R=me.
Comment 7 WebKit Review Bot 2012-11-25 23:46:25 PST 
Comment on attachment 169080 [details]
Patch

Clearing flags on attachment: 169080

Committed r135684: <http://trac.webkit.org/changeset/135684>
Comment 8 WebKit Review Bot 2012-11-25 23:46:29 PST 
All reviewed patches have been landed.  Closing bug.