RESOLVED FIXED 105393
::first-letter { overflow: -webkit-paged-y } causes crash
https://bugs.webkit.org/show_bug.cgi?id=105393
Summary ::first-letter { overflow: -webkit-paged-y } causes crash
Takashi Sakamoto
Reported Wednesday, December 19, 2012 7:17:16 AM UTC
Reported by fuzzer: https://cluster-fuzz.appspot.com/testcase?key=102884484

The following is a stack trace in the above report:

/mnt/scratch0/clusterfuzz/slave-bot/builds/symbolized/debug/asan-linux-debug-154320/DumpRenderTree
ASAN:SIGSEGV
=================================================================
==32198== ERROR: AddressSanitizer crashed on unknown address 0x000000000060 (pc 0x7f435c2a3d32 sp 0x7fff95826a80 bp 0x7fff95826bd0 T0)
AddressSanitizer can not provide additional info.
    #0 0x7f435c2a3d31 in WebCore::QualifiedName::matches(WebCore::QualifiedName const&) const third_party/WebKit/Source/WebCore/dom/QualifiedName.h:85
    #1 0x7f435c2a3b7e in WebCore::Element::hasTagName(WebCore::QualifiedName const&) const third_party/WebKit/Source/WebCore/dom/Element.h:222
    #2 0x7f436690eb52 in WebCore::StyleResolver::adjustRenderStyle(WebCore::RenderStyle*, WebCore::RenderStyle*, WebCore::Element*) third_party/WebKit/Source/WebCore/css/StyleResolver.cpp:2240
    #3 0x7f43669259bb in WebCore::StyleResolver::pseudoStyleForElement(WebCore::PseudoId, WebCore::Element*, WebCore::RenderStyle*) third_party/WebKit/Source/WebCore/css/StyleResolver.cpp:1956
    #4 0x7f4368e8379e in WebCore::RenderObject::getUncachedPseudoStyle(WebCore::PseudoId, WebCore::RenderStyle*, WebCore::RenderStyle*) const third_party/WebKit/Source/WebCore/rendering/RenderObject.cpp:2688
    #5 0x7f4368e993b8 in WebCore::RenderObject::getCachedPseudoStyle(WebCore::PseudoId, WebCore::RenderStyle*) const third_party/WebKit/Source/WebCore/rendering/RenderObject.cpp:2659
    #6 0x7f4368e98993 in WebCore::RenderObject::firstLineStyleSlowCase() const third_party/WebKit/Source/WebCore/rendering/RenderObject.cpp:2637
    #7 0x7f43684e16c9 in WebCore::RenderObject::firstLineStyle() const third_party/WebKit/Source/WebCore/rendering/RenderObject.h:728
    #8 0x7f43684df4bc in WebCore::RenderObject::style(bool) const third_party/WebKit/Source/WebCore/rendering/RenderObject.h:729
    #9 0x7f4368859392 in WebCore::RenderBlock::LineBreaker::nextLineBreak(WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>&, WebCore::LineInfo&, WebCore::RenderBlock::RenderTextInfo&, WebCore::RenderBlock::FloatingObject*, unsigned int) third_party/WebKit/Source/WebCore/rendering/RenderBlockLineLayout.cpp:2407
    #10 0x7f436884c357 in WebCore::RenderBlock::layoutRunsAndFloatsInRange(WebCore::LineLayoutState&, WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>&, WebCore::InlineIterator const&, WebCore::BidiStatus const&, unsigned int) third_party/WebKit/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1328
    #11 0x7f4368845ec9 in WebCore::RenderBlock::layoutRunsAndFloats(WebCore::LineLayoutState&, bool) third_party/WebKit/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1271
    #12 0x7f436886a0eb in WebCore::RenderBlock::layoutInlineChildren(bool, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&) third_party/WebKit/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1600
    #13 0x7f4368648c8b in WebCore::RenderBlock::layoutBlock(bool, WebCore::FractionalLayoutUnit) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:1531

The reason why this crash occurs is that we forget to check whether "e != null" or not before e->hasTagName(...) in StyleResolver::adjustRenderStyle.
Attachments
Patch (5.66 KB, patch)
2012-12-18 23:56 PST, Takashi Sakamoto
no flags
Takashi Sakamoto
Comment 1 Wednesday, December 19, 2012 7:56:07 AM UTC
WebKit Review Bot
Comment 2 Tuesday, December 25, 2012 6:17:54 AM UTC
Comment on attachment 180104 Patch
Clearing flags on attachment: 180104
Committed r138451: <http://trac.webkit.org/changeset/138451>
WebKit Review Bot
Comment 3 Tuesday, December 25, 2012 6:17:58 AM UTC
All reviewed patches have been landed. Closing bug.