RESOLVED FIXED
122163
Null-pointer dereference in WebCore::BidiRun::next
https://bugs.webkit.org/show_bug.cgi?id=122163
Renata Hodovan
Reported
2013-10-01 10:25:01 PDT
The following test crashes both on debug and on release wk builds:

<html dir="RTL">
<meta charset="ISO-8859-8">sdf
<input>
<i dir="">
<tt dir="auto"></tt>
</html>

The debug build fails on an assertion check and the release build dies on a null-pointer dereference a few lines later. In the release version the m_next variable will be null in WebCore::BidiRun::next (WebCore/rendering/BidiRun.h:58), and in the debug version the (end < m_runCount) condition fails in WebCore::BidiRunList<Run>::reverseRuns (WebCore/platform/text/BidiRunList.h:207).

The debug backtrace:

ASSERTION FAILED: end < m_runCount
/home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/text/BidiRunList.h(207) : void WebCore::BidiRunList<Run>::reverseRuns(unsigned int, unsigned int) [with Run = WebCore::BidiRun]
1   0x7ffff56134c1 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(WTFCrash+0x1e) [0x7ffff56134c1]
2   0x7ffff47724d4 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x14414d4) [0x7ffff47724d4]
3   0x7ffff476f201 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x143e201) [0x7ffff476f201]
4   0x7ffff47615ef /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x14305ef) [0x7ffff47615ef]
5   0x7ffff4761968 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1430968) [0x7ffff4761968]
6   0x7ffff4763c9c /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1432c9c) [0x7ffff4763c9c]
7   0x7ffff4762260 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1431260) [0x7ffff4762260]
8   0x7ffff4765abc /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1434abc) [0x7ffff4765abc]
9   0x7ffff4752d40 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1421d40) [0x7ffff4752d40]
10  0x7ffff4720d3f /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x13efd3f) [0x7ffff4720d3f]
11  0x7ffff4753d54 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1422d54) [0x7ffff4753d54]
12  0x7ffff4753915 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1422915) [0x7ffff4753915]
13  0x7ffff4752d61 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1421d61) [0x7ffff4752d61]
14  0x7ffff4720d3f /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x13efd3f) [0x7ffff4720d3f]
15  0x7ffff4753d54 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1422d54) [0x7ffff4753d54]
16  0x7ffff4753915 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1422915) [0x7ffff4753915]
17  0x7ffff4752d61 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1421d61) [0x7ffff4752d61]
18  0x7ffff4720d3f /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x13efd3f) [0x7ffff4720d3f]
19  0x7ffff48d3f51 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x15a2f51) [0x7ffff48d3f51]
20  0x7ffff48d4b0a /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x15a3b0a) [0x7ffff48d4b0a]
21  0x7ffff456af61 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1239f61) [0x7ffff456af61]
22  0x7ffff409863a /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0xd6763a) [0x7ffff409863a]
23  0x7ffff44a9053 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1178053) [0x7ffff44a9053]
24  0x7ffff44a8de7 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1177de7) [0x7ffff44a8de7]
25  0x7ffff44a8b42 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1177b42) [0x7ffff44a8b42]
26  0x7ffff409f62b /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0xd6e62b) [0x7ffff409f62b]
27  0x7ffff42fcd9b /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0xfcbd9b) [0x7ffff42fcd9b]
28  0x7ffff43338f3 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x10028f3) [0x7ffff43338f3]
29  0x7ffff43046ec /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0xfd36ec) [0x7ffff43046ec]
30  0x7ffff43047d7 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0xfd37d7) [0x7ffff43047d7]
31  0x7ffff430341f /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0xfd241f) [0x7ffff430341f]

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff56134c6 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342
342         *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ffff56134c6 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342
#1  0x00007ffff47724d4 in WebCore::BidiRunList<WebCore::BidiRun>::reverseRuns (this=0x7fffffffb6d0, start=0, end=4294967295) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/text/BidiRunList.h:207
#2  0x00007ffff476f201 in WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>::createBidiRunsForLine (this=0x7fffffffb610, end=..., override=WebCore::VisualRightToLeftOverride, hardLineBreak=false) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/text/BidiResolver.h:550
#3  0x00007ffff47615ef in WebCore::constructBidiRunsForSegment (topResolver=..., bidiRuns=..., endOfRuns=..., override=WebCore::VisualRightToLeftOverride, previousLineBrokeCleanly=false) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1096
#4  0x00007ffff4761968 in WebCore::constructBidiRunsForLine (block=0x8c0938, topResolver=..., bidiRuns=..., endOfLine=..., override=WebCore::VisualRightToLeftOverride, previousLineBrokeCleanly=false) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1162
#5  0x00007ffff4763c9c in WebCore::RenderBlock::layoutRunsAndFloatsInRange (this=0x8c0938, layoutState=..., resolver=..., cleanLineStart=..., cleanLineBidiStatus=..., consecutiveHyphenatedLines=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1579
#6  0x00007ffff4762260 in WebCore::RenderBlock::layoutRunsAndFloats (this=0x8c0938, layoutState=..., hasInlineChild=true) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1314
#7  0x00007ffff4765abc in WebCore::RenderBlockFlow::layoutInlineChildren (this=0x8c0938, relayoutChildren=true, repaintLogicalTop=..., repaintLogicalBottom=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1895
#8  0x00007ffff4752d40 in WebCore::RenderBlockFlow::layoutBlock (this=0x8c0938, relayoutChildren=true, pageLogicalHeight=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:281
#9  0x00007ffff4720d3f in WebCore::RenderBlock::layout (this=0x8c0938) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlock.cpp:1388
#10 0x00007ffff4753d54 in WebCore::RenderBlockFlow::layoutBlockChild (this=0x8bd398, child=0x8c0938, marginInfo=..., previousFloatLogicalBottom=..., maxFloatLogicalBottom=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:502
#11 0x00007ffff4753915 in WebCore::RenderBlockFlow::layoutBlockChildren (this=0x8bd398, relayoutChildren=true, maxFloatLogicalBottom=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:436
#12 0x00007ffff4752d61 in WebCore::RenderBlockFlow::layoutBlock (this=0x8bd398, relayoutChildren=true, pageLogicalHeight=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:283
#13 0x00007ffff4720d3f in WebCore::RenderBlock::layout (this=0x8bd398) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlock.cpp:1388
#14 0x00007ffff4753d54 in WebCore::RenderBlockFlow::layoutBlockChild (this=0x7612b8, child=0x8bd398, marginInfo=..., previousFloatLogicalBottom=..., maxFloatLogicalBottom=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:502
#15 0x00007ffff4753915 in WebCore::RenderBlockFlow::layoutBlockChildren (this=0x7612b8, relayoutChildren=true, maxFloatLogicalBottom=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:436
#16 0x00007ffff4752d61 in WebCore::RenderBlockFlow::layoutBlock (this=0x7612b8, relayoutChildren=true, pageLogicalHeight=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:283
#17 0x00007ffff4720d3f in WebCore::RenderBlock::layout (this=0x7612b8) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlock.cpp:1388
#18 0x00007ffff48d3f51 in WebCore::RenderView::layoutContent (this=0x7612b8, state=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderView.cpp:152
#19 0x00007ffff48d4b0a in WebCore::RenderView::layout (this=0x7612b8) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderView.cpp:335
#20 0x00007ffff456af61 in WebCore::FrameView::layout (this=0x782070, allowSubtree=true) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/page/FrameView.cpp:1280
#21 0x00007ffff409863a in WebCore::Document::implicitClose (this=0x8a0680) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:2480
#22 0x00007ffff44a9053 in WebCore::FrameLoader::checkCallImplicitClose (this=0x771f80) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:850
#23 0x00007ffff44a8de7 in WebCore::FrameLoader::checkCompleted (this=0x771f80) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:793
#24 0x00007ffff44a8b42 in WebCore::FrameLoader::finishedParsing (this=0x771f80) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:726
#25 0x00007ffff409f62b in WebCore::Document::finishedParsing (this=0x8a0680) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:4439
#26 0x00007ffff42fcd9b in WebCore::HTMLConstructionSite::finishedParsing (this=0x77f2f8) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLConstructionSite.cpp:352
#27 0x00007ffff43338f3 in WebCore::HTMLTreeBuilder::finished (this=0x77f2e0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2908
#28 0x00007ffff43046ec in WebCore::HTMLDocumentParser::end (this=0x76eab0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:758
#29 0x00007ffff43047d7 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd (this=0x76eab0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:769
#30 0x00007ffff430341f in WebCore::HTMLDocumentParser::prepareToStopParsing (this=0x76eab0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:212
#31 0x00007ffff430481c in WebCore::HTMLDocumentParser::attemptToEnd (this=0x76eab0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:781
#32 0x00007ffff43048d5 in WebCore::HTMLDocumentParser::finish (this=0x76eab0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:830
#33 0x00007ffff44a0792 in WebCore::DocumentWriter::end (this=0x6e17a0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentWriter.cpp:245
#34 0x00007ffff4492d46 in WebCore::DocumentLoader::finishedLoading (this=0x6e1700, finishTime=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:408
#35 0x00007ffff4492ab4 in WebCore::DocumentLoader::notifyFinished (this=0x6e1700, resource=0x7835a0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:345
#36 0x00007ffff4479bcc in WebCore::CachedResource::checkNotify (this=0x7835a0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:369
#37 0x00007ffff4479ca6 in WebCore::CachedResource::finishLoading (this=0x7835a0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:385
#38 0x00007ffff4476360 in WebCore::CachedRawResource::finishLoading (this=0x7835a0, data=0x7a74e0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedRawResource.cpp:94
#39 0x00007ffff44dcc2d in WebCore::SubresourceLoader::didFinishLoading (this=0x76c540, finishTime=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/SubresourceLoader.cpp:283
#40 0x00007ffff44d34e7 in WebCore::ResourceLoader::didFinishLoading (this=0x76c540, finishTime=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/ResourceLoader.cpp:489
#41 0x00007ffff49954b5 in WebCore::QNetworkReplyHandler::finish (this=0x7b2de0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:516
#42 0x00007ffff49940dd in WebCore::QNetworkReplyHandlerCallQueue::flush (this=0x7b2e18) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:250
#43 0x00007ffff4993ddb in WebCore::QNetworkReplyHandlerCallQueue::push (this=0x7b2e18, method= (void (WebCore::QNetworkReplyHandler::*)(WebCore::QNetworkReplyHandler * const)) 0x7ffff49952fa <WebCore::QNetworkReplyHandler::finish()>) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:216
#44 0x00007ffff4994da8 in WebCore::QNetworkReplyWrapper::didReceiveFinished (this=0x7a39c0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:409
#45 0x00007ffff4997728 in WebCore::QNetworkReplyWrapper::qt_static_metacall (_o=0x7a39c0, _c=QMetaObject::InvokeMetaMethod, _id=1, _a=0x7fffffffd160) at .moc/release-shared/moc_QNetworkReplyHandler.cpp:175
#46 0x00007ffff1d9ed71 in QMetaObject::activate(QObject*, int, int, void**) () from /usr/local/Trolltech/Qt5/Qt-5.1.1/lib/libQt5Core.so.5
#47 0x00007ffff1da033e in QObject::event(QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.1.1/lib/libQt5Core.so.5
#48 0x00007ffff2c6ea24 in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.1.1/lib/libQt5Widgets.so.5
#49 0x00007ffff2c71eb6 in QApplication::notify(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.1.1/lib/libQt5Widgets.so.5
#50 0x00007ffff1d778f4 in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.1.1/lib/libQt5Core.so.5
#51 0x00007ffff1d7a1a9 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () from /usr/local/Trolltech/Qt5/Qt-5.1.1/lib/libQt5Core.so.5
#52 0x00007ffff1dc19c3 in ?? () from /usr/local/Trolltech/Qt5/Qt-5.1.1/lib/libQt5Core.so.5
#53 0x00007fffeeb88d53 in g_main_dispatch (context=0x658120) at /build/buildd/glib2.0-2.32.3/./glib/gmain.c:2539
#54 g_main_context_dispatch (context=0x658120) at /build/buildd/glib2.0-2.32.3/./glib/gmain.c:3075
#55 0x00007fffeeb890a0 in g_main_context_iterate (dispatch=1, block=<optimized out>, context=0x658120, self=<optimized out>) at /build/buildd/glib2.0-2.32.3/./glib/gmain.c:3146
#56 g_main_context_iterate (context=0x658120, block=<optimized out>, dispatch=1, self=<optimized out>) at /build/buildd/glib2.0-2.32.3/./glib/gmain.c:3083
#57 0x00007fffeeb89164 in g_main_context_iteration (context=0x658120, may_block=1) at /build/buildd/glib2.0-2.32.3/./glib/gmain.c:3207
#58 0x00007ffff1dc1e04 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt5/Qt-5.1.1/lib/libQt5Core.so.5
#59 0x00007ffff1d7668b in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt5/Qt-5.1.1/lib/libQt5Core.so.5
#60 0x00007ffff1d7a6de in QCoreApplication::exec() () from /usr/local/Trolltech/Qt5/Qt-5.1.1/lib/libQt5Core.so.5
#61 0x0000000000421e9e in launcherMain (app=...) at /home/reni/Data/REPOS/webkit_sec/Tools/QtTestBrowser/qttestbrowser.cpp:50
#62 0x0000000000423be5 in main (argc=2, argv=0x7fffffffdea8) at /home/reni/Data/REPOS/webkit_sec/Tools/QtTestBrowser/qttestbrowser.cpp:319
Attachments
Test case
(96 bytes, text/html)
2013-10-01 10:26 PDT
Renata Hodovan
Renata Hodovan
Comment 1
2013-10-01 10:26:16 PDT
Created attachment 213097 [details]
Test case
Renata Hodovan
Comment 2
2013-11-04 09:57:56 PST
Doesn't seem to ASSERT anymore.