WebKit Bugzilla
Bug 120343 (RESOLVED FIXED): Missing null-check of parent renderer in WebCore::HTMLEmbedElement::rendererIsNeeded()
https://bugs.webkit.org/show_bug.cgi?id=120343
Renata Hodovan, Reported 2013-08-27 01:00:00 PDT

The failing test:

<html>
<div style="-webkit-flow-from:thread;">
<object>
<embed width="100">
</object>
</div>
</html>

Backtrace:

ASSERTION FAILED: p->renderer()
/home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/HTMLEmbedElement.cpp(186) : virtual bool WebCore::HTMLEmbedElement::rendererIsNeeded(const WebCore::NodeRenderingContext&)

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff56f42bc in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342
342	    *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ffff56f42bc in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342
#1  0x00007ffff4392c9b in WebCore::HTMLEmbedElement::rendererIsNeeded (this=0x8da720, context=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/HTMLEmbedElement.cpp:186
#2  0x00007ffff4258900 in WebCore::NodeRenderingContext::elementInsideRegionNeedsRenderer (this=0x7fffffffc740) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/NodeRenderingContext.cpp:216
#3  0x00007ffff4258b6e in WebCore::NodeRenderingContext::createRendererForElementIfNeeded (this=0x7fffffffc740) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/NodeRenderingContext.cpp:257
#4  0x00007ffff42058eb in WebCore::Element::createRendererIfNeeded (this=0x8da720, context=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Element.cpp:1390
#5  0x00007ffff420594f in WebCore::Element::attach (this=0x8da720, context=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Element.cpp:1399
#6  0x00007ffff43bcb4f in WebCore::HTMLPlugInImageElement::attach (this=0x8da720, context=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/HTMLPlugInImageElement.cpp:244
#7  0x00007ffff4406792 in WebCore::executeTask (task=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLConstructionSite.cpp:103
#8  0x00007ffff4406ae3 in WebCore::HTMLConstructionSite::executeQueuedTasks (this=0x815bf8) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLConstructionSite.cpp:146
#9  0x00007ffff442fecc in WebCore::HTMLTreeBuilder::constructTree (this=0x815be0, token=0x7fffffffc930) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:382
#10 0x00007ffff440eb06 in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken (this=0x7d2810, rawToken=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:597
#11 0x00007ffff440e73b in WebCore::HTMLDocumentParser::pumpTokenizer (this=0x7d2810, mode=WebCore::HTMLDocumentParser::AllowYield) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:551
#12 0x00007ffff440df03 in WebCore::HTMLDocumentParser::pumpTokenizerIfPossible (this=0x7d2810, mode=WebCore::HTMLDocumentParser::AllowYield) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:235
#13 0x00007ffff440f0a2 in WebCore::HTMLDocumentParser::append (this=0x7d2810, inputSource=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:747
#14 0x00007ffff41a1e4f in WebCore::DecodedDataDocumentParser::flush (this=0x7d2810, writer=0x6942b0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/DecodedDataDocumentParser.cpp:60
#15 0x00007ffff45a71d9 in WebCore::DocumentWriter::end (this=0x6942b0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentWriter.cpp:245
#16 0x00007ffff4599d52 in WebCore::DocumentLoader::finishedLoading (this=0x694210, finishTime=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:402
#17 0x00007ffff4599ac0 in WebCore::DocumentLoader::notifyFinished (this=0x694210, resource=0x775da0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:344
#18 0x00007ffff4580db6 in WebCore::CachedResource::checkNotify (this=0x775da0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:369
#19 0x00007ffff4580e8c in WebCore::CachedResource::finishLoading (this=0x775da0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:385
#20 0x00007ffff457d5de in WebCore::CachedRawResource::finishLoading (this=0x775da0, data=0x7b8d30) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedRawResource.cpp:94
#21 0x00007ffff45e3c41 in WebCore::SubresourceLoader::didFinishLoading (this=0x76d4a0, finishTime=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/SubresourceLoader.cpp:282
#22 0x00007ffff45da52b in WebCore::ResourceLoader::didFinishLoading (this=0x76d4a0, finishTime=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/ResourceLoader.cpp:488
#23 0x00007ffff4a85729 in WebCore::QNetworkReplyHandler::finish (this=0x788850) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:516
#24 0x00007ffff4a84448 in WebCore::QNetworkReplyHandlerCallQueue::flush (this=0x788888) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:250
#25 0x00007ffff4a84145 in WebCore::QNetworkReplyHandlerCallQueue::push (this=0x788888, method=(void (WebCore::QNetworkReplyHandler::*)(WebCore::QNetworkReplyHandler * const)) 0x7ffff4a8556e <WebCore::QNetworkReplyHandler::finish()>) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:216
#26 0x00007ffff4a85092 in WebCore::QNetworkReplyWrapper::didReceiveFinished (this=0x7ab800) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:409
#27 0x00007ffff4a87a24 in WebCore::QNetworkReplyWrapper::qt_static_metacall (_o=0x7ab800, _c=QMetaObject::InvokeMetaMethod, _id=1, _a=0x7fffffffcf70) at .moc/release-shared/moc_QNetworkReplyHandler.cpp:176
#28 0x00007ffff220f5cb in QMetaObject::activate(QObject*, int, int, void**) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#29 0x00007ffff221084e in QObject::event(QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#30 0x00007ffff3056dbc in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Widgets.so.5
#31 0x00007ffff305a075 in QApplication::notify(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Widgets.so.5
#32 0x00007ffff21eadbe in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#33 0x00007ffff21eca76 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#34 0x00007ffff2232333 in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#35 0x00007fffee3732d6 in g_main_dispatch (context=0x6632f0) at /build/buildd/glib2.0-2.37.6/./glib/gmain.c:3065
#36 g_main_context_dispatch (context=context@entry=0x6632f0) at /build/buildd/glib2.0-2.37.6/./glib/gmain.c:3641
#37 0x00007fffee373628 in g_main_context_iterate (context=context@entry=0x6632f0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at /build/buildd/glib2.0-2.37.6/./glib/gmain.c:3712
#38 0x00007fffee3736cc in g_main_context_iteration (context=0x6632f0, may_block=1) at /build/buildd/glib2.0-2.37.6/./glib/gmain.c:3773
#39 0x00007ffff22324bc in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#40 0x00007ffff21e9d3b in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#41 0x00007ffff21ed120 in QCoreApplication::exec() () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#42 0x0000000000421ba0 in launcherMain (app=...) at /home/reni/Data/REPOS/webkit_sec/Tools/QtTestBrowser/qttestbrowser.cpp:49
#43 0x0000000000423680 in main (argc=2, argv=0x7fffffffdc48) at /home/reni/Data/REPOS/webkit_sec/Tools/QtTestBrowser/qttestbrowser.cpp:318
Attachments
Test case (137 bytes, text/html), 2013-08-27 01:00 PDT, Renata Hodovan, no flags
Proposed patch (4.03 KB, patch), 2013-08-27 01:03 PDT, Renata Hodovan, no flags
Renata Hodovan, Comment 1, 2013-08-27 01:00:25 PDT

Created attachment 209720 [details]: Test case
Renata Hodovan, Comment 2, 2013-08-27 01:03:39 PDT

Created attachment 209721 [details]: Proposed patch
zalan, Comment 3, 2013-08-27 02:03:35 PDT

Not sure about the early return. This changes the functionality when useFallbackContent==true, though at the same time the non-existing parent renderer might indicate that we don't need the fallback content either. It does, however, end up returning false when the parent is <object>, as opposed to when the parent is something else with the same non-renderer status. CCed Andy, he might have some insights as he added the fallback check.
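The following is an added example, not WebKit code and not the patch attached to this bug. It is a small C++ model of the decision HTMLEmbedElement::rendererIsNeeded() makes for an <embed> whose parent is an <object>, reconstructed only from what the report and comment 3 state: the pre-fix code asserts on the parent's renderer (ASSERT(p->renderer())) before consulting useFallbackContent(), and the proposed fix adds an early return when that renderer is missing. The names Node, Renderer, Outcome, rendererIsNeededBefore, rendererIsNeededAfter and RegionScenario are hypothetical; the scenario reproduces the report's tree (a -webkit-flow-from region holding an <object> that has no renderer yet when its <embed> child is attached) and the two cases comment 3 raises.

```cpp
// Added example, not WebKit code. Models the renderer decision for an <embed>
// under an <object>, before and after a null-check on the parent renderer.
#include <cassert>
#include <cstdio>

struct Renderer {};  // stands in for WebCore's RenderObject (hypothetical)

struct Node {
    const char* tag;
    const Node* parent;
    const Renderer* renderer;   // null until the node has been given a render box
    bool isObject;              // the real code checks hasTagName(objectTag)
    bool useFallbackContent;    // HTMLObjectElement::useFallbackContent()
};

// NullDeref models the debug ASSERT firing (WTFCrash in the report) or, in a
// release build with assertions compiled out, the null renderer being used.
enum class Outcome { Needed, NotNeeded, NullDeref };

// Shape of the code before the fix: trusts that an <object> parent already
// has a renderer by the time its <embed> child is attached.
Outcome rendererIsNeededBefore(const Node& embed) {
    const Node* p = embed.parent;
    if (p && p->isObject) {
        if (!p->renderer)
            return Outcome::NullDeref;   // ASSERT(p->renderer()) fails here
        if (!p->useFallbackContent)
            return Outcome::NotNeeded;   // the <object> renders the plugin itself
    }
    return Outcome::Needed;
}

// Shape of the early return discussed in comment 3: bail out when the parent
// has no renderer, before useFallbackContent() is consulted at all.
Outcome rendererIsNeededAfter(const Node& embed) {
    const Node* p = embed.parent;
    if (p && p->isObject) {
        if (!p->renderer)
            return Outcome::NotNeeded;   // no parent renderer, so none for the child either
        if (!p->useFallbackContent)
            return Outcome::NotNeeded;
    }
    return Outcome::Needed;
}

// Constructed stand-in for the report's test case: a region <div> that does
// have a renderer, an <object> child that does not yet, and the <embed> below it.
struct RegionScenario {
    Renderer regionBox, objectBox;
    Node region{"div", nullptr, &regionBox, false, false};
    Node object{"object", &region, nullptr, true, false};
    Node embed{"embed", &object, nullptr, false, false};
    explicit RegionScenario(bool fallback, bool parentIsObject = true, bool parentHasRenderer = false) {
        object.useFallbackContent = fallback;
        object.isObject = parentIsObject;       // false: "something else with the same non-renderer status"
        if (parentHasRenderer) object.renderer = &objectBox;
    }
    RegionScenario(const RegionScenario&) = delete;  // nodes point at each other; never copy
};

static const char* name(Outcome o) {
    switch (o) {
    case Outcome::Needed:    return "needed";
    case Outcome::NotNeeded: return "not needed";
    default:                 return "NULL DEREF";
    }
}

int main() {
    RegionScenario noFallback(false), fallback(true), divParent(true, false), attached(true, true, true);
    const struct { const char* label; const Node& embed; } rows[] = {
        {"object parent, no renderer, no fallback", noFallback.embed},
        {"object parent, no renderer, fallback",    fallback.embed},
        {"non-object parent, no renderer",          divParent.embed},
        {"object parent with renderer, fallback",   attached.embed},
    };
    for (const auto& r : rows)
        std::printf("%-42s before: %-11s after: %s\n", r.label,
                    name(rendererIsNeededBefore(r.embed)), name(rendererIsNeededAfter(r.embed)));
    return 0;
}
```

The second and third rows are the point of comment 3: with the early return, an <object> parent that has no renderer now yields "not needed" even when useFallbackContent is true, while a non-<object> parent in the same renderer-less state still yields "needed". Whether that asymmetry is acceptable is exactly the question left to the author of the fallback check.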
WebKit Commit Bot, Comment 4, 2013-08-27 10:19:23 PDT

Comment on attachment 209721 [details]: Proposed patch
Clearing flags on attachment: 209721
Committed r154698: <http://trac.webkit.org/changeset/154698>
WebKit Commit Bot, Comment 5, 2013-08-27 10:19:25 PDT

All reviewed patches have been landed. Closing bug.