Bug 108084 - Crash inside RenderBlock::layoutRunsAndFloatsInRange in the widow code
Summary: Crash inside RenderBlock::layoutRunsAndFloatsInRange in the widow code
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering (show other bugs)
Version: 528+ (Nightly build)
Hardware: All All
: P2 Normal
Assignee: Julien Chaffraix
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-01-28 08:16 PST by Julien Chaffraix
Modified: 2013-01-28 14:29 PST (History)
5 users (show)

See Also:

Attachments
Proposed blind fix. (1.76 KB, patch)
2013-01-28 08:41 PST, Julien Chaffraix 		no flags Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Julien Chaffraix 2013-01-28 08:16:49 PST 
We are getting bug reports for a crasher in the widow code. I tried several times to see if I could get a reproduction but unfortunately couldn't.

Here is the code involved (line 1663 in RenderBlockLineLayout.cpp):

int numLinesHanging = 1;
while (lineBox && lineBox != firstLineInBlock && !lineBox->isFirstAfterPageBreak()) {
    ...
}

// If there were no breaks in the block, we didn't create any widows.
if (!lineBox->isFirstAfterPageBreak() || lineBox == firstLineInBlock)
    return;

The crash is a NULL dereference that happens in the 'if'. The 'while' NULL-checks |lineBox| but the following 'if' doesn't, which makes me think that this is the bug.
Comment 1 Julien Chaffraix 2013-01-28 08:41:56 PST 
Created attachment 184991 [details]
Proposed blind fix.
Comment 2 WebKit Review Bot 2013-01-28 14:29:52 PST 
Comment on attachment 184991 [details]
Proposed blind fix.

Clearing flags on attachment: 184991

Committed r141009: <http://trac.webkit.org/changeset/141009>
Comment 3 WebKit Review Bot 2013-01-28 14:29:55 PST 
All reviewed patches have been landed.  Closing bug.