122163 – Null-pointer dereference in WebCore::BidiRun::next

Bug 122163 - Null-pointer dereference in WebCore::BidiRun::next

Summary: Null-pointer dereference in WebCore::BidiRun::next

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	Layout and Rendering (show other bugs)
Version:	528+ (Nightly build)
Hardware:	All All

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:

Depends on:
Blocks:	116980
	Show dependency tree / graph

Reported:	2013-10-01 10:25 PDT by Renata Hodovan
Modified:	2013-11-04 09:57 PST (History)
CC List:	2 users (show)

See Also:

Attachments
Test case (96 bytes, text/html) 2013-10-01 10:26 PDT, Renata Hodovan	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Renata Hodovan 2013-10-01 10:25:01 PDT

The following tests crashes both on debug and on release wk builds:

<html dir="RTL">
    <meta charset="ISO-8859-8">sdf
    <input>
    <i dir="">
    <tt dir="auto"></tt>
</html>

The debug build fails on an assertion check and the release dies on a null-pointer dereference issue a few lines later.
By the release version the m_next variable will be null in WebCore::BidiRun::next (WebCore/rendering/BidiRun.h:58) and by the debug the (end < m_runCount) condition fails in WebCore::BidiRunList<Run>::reverseRuns (WebCore/platform/text/BidiRunList.h:207).

The debug backtrace:

ASSERTION FAILED: end < m_runCount
/home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/text/BidiRunList.h(207) : void WebCore::BidiRunList<Run>::reverseRuns(unsigned int, unsigned int) [with Run = WebCore::BidiRun]
1   0x7ffff56134c1 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(WTFCrash+0x1e) [0x7ffff56134c1]
2   0x7ffff47724d4 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x14414d4) [0x7ffff47724d4]
3   0x7ffff476f201 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x143e201) [0x7ffff476f201]
4   0x7ffff47615ef /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x14305ef) [0x7ffff47615ef]
5   0x7ffff4761968 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1430968) [0x7ffff4761968]
6   0x7ffff4763c9c /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1432c9c) [0x7ffff4763c9c]
7   0x7ffff4762260 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1431260) [0x7ffff4762260]
8   0x7ffff4765abc /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1434abc) [0x7ffff4765abc]
9   0x7ffff4752d40 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1421d40) [0x7ffff4752d40]
10  0x7ffff4720d3f /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x13efd3f) [0x7ffff4720d3f]
11  0x7ffff4753d54 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1422d54) [0x7ffff4753d54]
12  0x7ffff4753915 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1422915) [0x7ffff4753915]
13  0x7ffff4752d61 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1421d61) [0x7ffff4752d61]
14  0x7ffff4720d3f /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x13efd3f) [0x7ffff4720d3f]
15  0x7ffff4753d54 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1422d54) [0x7ffff4753d54]
16  0x7ffff4753915 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1422915) [0x7ffff4753915]
17  0x7ffff4752d61 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1421d61) [0x7ffff4752d61]
18  0x7ffff4720d3f /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x13efd3f) [0x7ffff4720d3f]
19  0x7ffff48d3f51 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x15a2f51) [0x7ffff48d3f51]
20  0x7ffff48d4b0a /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x15a3b0a) [0x7ffff48d4b0a]
21  0x7ffff456af61 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1239f61) [0x7ffff456af61]
22  0x7ffff409863a /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0xd6763a) [0x7ffff409863a]
23  0x7ffff44a9053 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1178053) [0x7ffff44a9053]
24  0x7ffff44a8de7 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1177de7) [0x7ffff44a8de7]
25  0x7ffff44a8b42 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1177b42) [0x7ffff44a8b42]
26  0x7ffff409f62b /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0xd6e62b) [0x7ffff409f62b]
27  0x7ffff42fcd9b /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0xfcbd9b) [0x7ffff42fcd9b]
28  0x7ffff43338f3 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x10028f3) [0x7ffff43338f3]
29  0x7ffff43046ec /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0xfd36ec) [0x7ffff43046ec]
30  0x7ffff43047d7 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0xfd37d7) [0x7ffff43047d7]
31  0x7ffff430341f /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0xfd241f) [0x7ffff430341f]

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff56134c6 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342
342	    *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ffff56134c6 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342
#1  0x00007ffff47724d4 in WebCore::BidiRunList<WebCore::BidiRun>::reverseRuns (this=0x7fffffffb6d0, start=0, end=4294967295)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/text/BidiRunList.h:207
#2  0x00007ffff476f201 in WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>::createBidiRunsForLine (this=0x7fffffffb610, end=..., 
    override=WebCore::VisualRightToLeftOverride, hardLineBreak=false) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/text/BidiResolver.h:550
#3  0x00007ffff47615ef in WebCore::constructBidiRunsForSegment (topResolver=..., bidiRuns=..., endOfRuns=..., override=WebCore::VisualRightToLeftOverride, 
    previousLineBrokeCleanly=false) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1096
#4  0x00007ffff4761968 in WebCore::constructBidiRunsForLine (block=0x8c0938, topResolver=..., bidiRuns=..., endOfLine=..., 
    override=WebCore::VisualRightToLeftOverride, previousLineBrokeCleanly=false)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1162
#5  0x00007ffff4763c9c in WebCore::RenderBlock::layoutRunsAndFloatsInRange (this=0x8c0938, layoutState=..., resolver=..., cleanLineStart=..., 
    cleanLineBidiStatus=..., consecutiveHyphenatedLines=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1579
#6  0x00007ffff4762260 in WebCore::RenderBlock::layoutRunsAndFloats (this=0x8c0938, layoutState=..., hasInlineChild=true)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1314
#7  0x00007ffff4765abc in WebCore::RenderBlockFlow::layoutInlineChildren (this=0x8c0938, relayoutChildren=true, repaintLogicalTop=..., 
    repaintLogicalBottom=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1895
#8  0x00007ffff4752d40 in WebCore::RenderBlockFlow::layoutBlock (this=0x8c0938, relayoutChildren=true, pageLogicalHeight=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:281
#9  0x00007ffff4720d3f in WebCore::RenderBlock::layout (this=0x8c0938) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlock.cpp:1388
#10 0x00007ffff4753d54 in WebCore::RenderBlockFlow::layoutBlockChild (this=0x8bd398, child=0x8c0938, marginInfo=..., previousFloatLogicalBottom=..., 
    maxFloatLogicalBottom=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:502
#11 0x00007ffff4753915 in WebCore::RenderBlockFlow::layoutBlockChildren (this=0x8bd398, relayoutChildren=true, maxFloatLogicalBottom=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:436
#12 0x00007ffff4752d61 in WebCore::RenderBlockFlow::layoutBlock (this=0x8bd398, relayoutChildren=true, pageLogicalHeight=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:283
#13 0x00007ffff4720d3f in WebCore::RenderBlock::layout (this=0x8bd398) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlock.cpp:1388
#14 0x00007ffff4753d54 in WebCore::RenderBlockFlow::layoutBlockChild (this=0x7612b8, child=0x8bd398, marginInfo=..., previousFloatLogicalBottom=..., 
    maxFloatLogicalBottom=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:502
#15 0x00007ffff4753915 in WebCore::RenderBlockFlow::layoutBlockChildren (this=0x7612b8, relayoutChildren=true, maxFloatLogicalBottom=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:436
#16 0x00007ffff4752d61 in WebCore::RenderBlockFlow::layoutBlock (this=0x7612b8, relayoutChildren=true, pageLogicalHeight=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:283
#17 0x00007ffff4720d3f in WebCore::RenderBlock::layout (this=0x7612b8) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlock.cpp:1388
#18 0x00007ffff48d3f51 in WebCore::RenderView::layoutContent (this=0x7612b8, state=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderView.cpp:152
#19 0x00007ffff48d4b0a in WebCore::RenderView::layout (this=0x7612b8) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderView.cpp:335
#20 0x00007ffff456af61 in WebCore::FrameView::layout (this=0x782070, allowSubtree=true)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/page/FrameView.cpp:1280
#21 0x00007ffff409863a in WebCore::Document::implicitClose (this=0x8a0680) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:2480
#22 0x00007ffff44a9053 in WebCore::FrameLoader::checkCallImplicitClose (this=0x771f80)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:850
#23 0x00007ffff44a8de7 in WebCore::FrameLoader::checkCompleted (this=0x771f80) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:793
#24 0x00007ffff44a8b42 in WebCore::FrameLoader::finishedParsing (this=0x771f80)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:726
#25 0x00007ffff409f62b in WebCore::Document::finishedParsing (this=0x8a0680) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:4439
#26 0x00007ffff42fcd9b in WebCore::HTMLConstructionSite::finishedParsing (this=0x77f2f8)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLConstructionSite.cpp:352
#27 0x00007ffff43338f3 in WebCore::HTMLTreeBuilder::finished (this=0x77f2e0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2908
#28 0x00007ffff43046ec in WebCore::HTMLDocumentParser::end (this=0x76eab0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:758
#29 0x00007ffff43047d7 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd (this=0x76eab0)
---Type <return> to continue, or q <return> to quit---
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:769
#30 0x00007ffff430341f in WebCore::HTMLDocumentParser::prepareToStopParsing (this=0x76eab0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:212
#31 0x00007ffff430481c in WebCore::HTMLDocumentParser::attemptToEnd (this=0x76eab0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:781
#32 0x00007ffff43048d5 in WebCore::HTMLDocumentParser::finish (this=0x76eab0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:830
#33 0x00007ffff44a0792 in WebCore::DocumentWriter::end (this=0x6e17a0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentWriter.cpp:245
#34 0x00007ffff4492d46 in WebCore::DocumentLoader::finishedLoading (this=0x6e1700, finishTime=0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:408
#35 0x00007ffff4492ab4 in WebCore::DocumentLoader::notifyFinished (this=0x6e1700, resource=0x7835a0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:345
#36 0x00007ffff4479bcc in WebCore::CachedResource::checkNotify (this=0x7835a0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:369
#37 0x00007ffff4479ca6 in WebCore::CachedResource::finishLoading (this=0x7835a0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:385
#38 0x00007ffff4476360 in WebCore::CachedRawResource::finishLoading (this=0x7835a0, data=0x7a74e0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedRawResource.cpp:94
#39 0x00007ffff44dcc2d in WebCore::SubresourceLoader::didFinishLoading (this=0x76c540, finishTime=0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/SubresourceLoader.cpp:283
#40 0x00007ffff44d34e7 in WebCore::ResourceLoader::didFinishLoading (this=0x76c540, finishTime=0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/ResourceLoader.cpp:489
#41 0x00007ffff49954b5 in WebCore::QNetworkReplyHandler::finish (this=0x7b2de0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:516
#42 0x00007ffff49940dd in WebCore::QNetworkReplyHandlerCallQueue::flush (this=0x7b2e18)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:250
#43 0x00007ffff4993ddb in WebCore::QNetworkReplyHandlerCallQueue::push (this=0x7b2e18, method=
    (void (WebCore::QNetworkReplyHandler::*)(WebCore::QNetworkReplyHandler * const)) 0x7ffff49952fa <WebCore::QNetworkReplyHandler::finish()>)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:216
#44 0x00007ffff4994da8 in WebCore::QNetworkReplyWrapper::didReceiveFinished (this=0x7a39c0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:409
#45 0x00007ffff4997728 in WebCore::QNetworkReplyWrapper::qt_static_metacall (_o=0x7a39c0, _c=QMetaObject::InvokeMetaMethod, _id=1, _a=0x7fffffffd160)
    at .moc/release-shared/moc_QNetworkReplyHandler.cpp:175
#46 0x00007ffff1d9ed71 in QMetaObject::activate(QObject*, int, int, void**) () from /usr/local/Trolltech/Qt5/Qt-5.1.1/lib/libQt5Core.so.5
#47 0x00007ffff1da033e in QObject::event(QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.1.1/lib/libQt5Core.so.5
#48 0x00007ffff2c6ea24 in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.1.1/lib/libQt5Widgets.so.5
#49 0x00007ffff2c71eb6 in QApplication::notify(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.1.1/lib/libQt5Widgets.so.5
#50 0x00007ffff1d778f4 in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.1.1/lib/libQt5Core.so.5
#51 0x00007ffff1d7a1a9 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) ()
   from /usr/local/Trolltech/Qt5/Qt-5.1.1/lib/libQt5Core.so.5
#52 0x00007ffff1dc19c3 in ?? () from /usr/local/Trolltech/Qt5/Qt-5.1.1/lib/libQt5Core.so.5
#53 0x00007fffeeb88d53 in g_main_dispatch (context=0x658120) at /build/buildd/glib2.0-2.32.3/./glib/gmain.c:2539
#54 g_main_context_dispatch (context=0x658120) at /build/buildd/glib2.0-2.32.3/./glib/gmain.c:3075
#55 0x00007fffeeb890a0 in g_main_context_iterate (dispatch=1, block=<optimized out>, context=0x658120, self=<optimized out>)
    at /build/buildd/glib2.0-2.32.3/./glib/gmain.c:3146
#56 g_main_context_iterate (context=0x658120, block=<optimized out>, dispatch=1, self=<optimized out>) at /build/buildd/glib2.0-2.32.3/./glib/gmain.c:3083
#57 0x00007fffeeb89164 in g_main_context_iteration (context=0x658120, may_block=1) at /build/buildd/glib2.0-2.32.3/./glib/gmain.c:3207
#58 0x00007ffff1dc1e04 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
   from /usr/local/Trolltech/Qt5/Qt-5.1.1/lib/libQt5Core.so.5
#59 0x00007ffff1d7668b in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt5/Qt-5.1.1/lib/libQt5Core.so.5
#60 0x00007ffff1d7a6de in QCoreApplication::exec() () from /usr/local/Trolltech/Qt5/Qt-5.1.1/lib/libQt5Core.so.5
#61 0x0000000000421e9e in launcherMain (app=...) at /home/reni/Data/REPOS/webkit_sec/Tools/QtTestBrowser/qttestbrowser.cpp:50
---Type <return> to continue, or q <return> to quit---
#62 0x0000000000423be5 in main (argc=2, argv=0x7fffffffdea8) at /home/reni/Data/REPOS/webkit_sec/Tools/QtTestBrowser/qttestbrowser.cpp:319

Comment 1 Renata Hodovan 2013-10-01 10:26:16 PDT

Created attachment 213097 [details]
Test case

Comment 2 Renata Hodovan 2013-11-04 09:57:56 PST

Doesn't seem to ASSERT anymore.