RESOLVED WORKSFORME 124772
Null-pointer dereference in WebCore::RenderElement::style
https://bugs.webkit.org/show_bug.cgi?id=124772
Renata Hodovan
Reported 2013-11-22 07:15:08 PST
Created attachment 217679 [details]
Test case

WebKit is crashing on a null pointer with the following test case:

<cite dir="auto"> <span> <center></center> </span> <big dir="auto">A<cite dir="ltr"><strike></strike><samp dir="auto">A</samp></cite></bdo><big><iframe>A</iframe><label>AAAAAAAAAAAAAAAAAAAAAAAAAAAAA</label>

Its backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff0f18946 in WTF::Ref<WebCore::RenderStyle>::get (this=0x48) at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Ref.h:60
60	    const T& get() const { return *m_ptr; }
(gdb) bt
#0  0x00007ffff0f18946 in WTF::Ref<WebCore::RenderStyle>::get (this=0x48) at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Ref.h:60
#1  0x00007ffff0f186b2 in WebCore::RenderElement::style (this=0x0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderElement.h:38
#2  0x00007ffff198baa9 in WebCore::constructBidiRunsForSegment (topResolver=..., bidiRuns=..., endOfRuns=..., override=WebCore::NoVisualOverride, previousLineBrokeCleanly=false) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockLineLayout.cpp:902
#3  0x00007ffff198bd9e in WebCore::constructBidiRunsForLine (block=0x122b940, topResolver=..., bidiRuns=..., endOfLine=..., override=WebCore::NoVisualOverride, previousLineBrokeCleanly=false) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockLineLayout.cpp:952
#4  0x00007ffff198e06f in WebCore::RenderBlockFlow::layoutRunsAndFloatsInRange (this=0x122b940, layoutState=..., resolver=..., cleanLineStart=..., cleanLineBidiStatus=..., consecutiveHyphenatedLines=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1375
#5  0x00007ffff198c68e in WebCore::RenderBlockFlow::layoutRunsAndFloats (this=0x122b940, layoutState=..., hasInlineChild=true) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1104
#6  0x00007ffff198fe50 in WebCore::RenderBlockFlow::layoutLineBoxes (this=0x122b940, relayoutChildren=true, repaintLogicalTop=..., repaintLogicalBottom=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1696
#7  0x00007ffff197305a in WebCore::RenderBlockFlow::layoutInlineChildren (this=0x122b940, relayoutChildren=true, repaintLogicalTop=..., repaintLogicalBottom=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:532
#8  0x00007ffff197238b in WebCore::RenderBlockFlow::layoutBlock (this=0x122b940, relayoutChildren=true, pageLogicalHeight=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:357
#9  0x00007ffff19418bd in WebCore::RenderBlock::layout (this=0x122b940) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlock.cpp:1323
#10 0x00007ffff1973461 in WebCore::RenderBlockFlow::layoutBlockChild (this=0x1198da0, child=..., marginInfo=..., previousFloatLogicalBottom=..., maxFloatLogicalBottom=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:593
#11 0x00007ffff1972f58 in WebCore::RenderBlockFlow::layoutBlockChildren (this=0x1198da0, relayoutChildren=true, maxFloatLogicalBottom=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:512
#12 0x00007ffff19723af in WebCore::RenderBlockFlow::layoutBlock (this=0x1198da0, relayoutChildren=true, pageLogicalHeight=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:359
#13 0x00007ffff19418bd in WebCore::RenderBlock::layout (this=0x1198da0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlock.cpp:1323
#14 0x00007ffff1973461 in WebCore::RenderBlockFlow::layoutBlockChild (this=0x10e7ba0, child=..., marginInfo=..., previousFloatLogicalBottom=..., maxFloatLogicalBottom=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:593
#15 0x00007ffff1972f58 in WebCore::RenderBlockFlow::layoutBlockChildren (this=0x10e7ba0, relayoutChildren=true, maxFloatLogicalBottom=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:512
#16 0x00007ffff19723af in WebCore::RenderBlockFlow::layoutBlock (this=0x10e7ba0, relayoutChildren=true, pageLogicalHeight=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:359
#17 0x00007ffff19418bd in WebCore::RenderBlock::layout (this=0x10e7ba0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlock.cpp:1323
#18 0x00007ffff1973461 in WebCore::RenderBlockFlow::layoutBlockChild (this=0x959090, child=..., marginInfo=..., previousFloatLogicalBottom=..., maxFloatLogicalBottom=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:593
#19 0x00007ffff1972f58 in WebCore::RenderBlockFlow::layoutBlockChildren (this=0x959090, relayoutChildren=true, maxFloatLogicalBottom=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:512
#20 0x00007ffff19723af in WebCore::RenderBlockFlow::layoutBlock (this=0x959090, relayoutChildren=true, pageLogicalHeight=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:359
#21 0x00007ffff19418bd in WebCore::RenderBlock::layout (this=0x959090) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlock.cpp:1323
#22 0x00007ffff1b109c5 in WebCore::RenderView::layoutContent (this=0x959090, state=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderView.cpp:153
#23 0x00007ffff1b1162a in WebCore::RenderView::layout (this=0x959090) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderView.cpp:339
#24 0x00007ffff16bdec2 in WebCore::FrameView::layout (this=0x8f6950, allowSubtree=true) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/page/FrameView.cpp:1261
#25 0x00007ffff112f55f in WebCore::Document::implicitClose (this=0x1207640) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:2390
#26 0x00007ffff15a8313 in WebCore::FrameLoader::checkCallImplicitClose (this=0x952988) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:849
#27 0x00007ffff15a80a7 in WebCore::FrameLoader::checkCompleted (this=0x952988) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:792
#28 0x00007ffff15a7e02 in WebCore::FrameLoader::finishedParsing (this=0x952988) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:725
#29 0x00007ffff1136977 in WebCore::Document::finishedParsing (this=0x1207640) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:4357
#30 0x00007ffff141a595 in WebCore::HTMLConstructionSite::finishedParsing (this=0x913ce8) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLConstructionSite.cpp:347
#31 0x00007ffff1452c8e in WebCore::HTMLTreeBuilder::finished (this=0x913cd0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2922
#32 0x00007ffff1421816 in WebCore::HTMLDocumentParser::end (this=0x9139d0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:749
#33 0x00007ffff1421901 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd (this=0x9139d0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:760
#34 0x00007ffff1420549 in WebCore::HTMLDocumentParser::prepareToStopParsing (this=0x9139d0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:203
#35 0x00007ffff1421946 in WebCore::HTMLDocumentParser::attemptToEnd (this=0x9139d0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:772
#36 0x00007ffff14219ff in WebCore::HTMLDocumentParser::finish (this=0x9139d0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:821
#37 0x00007ffff159ac18 in WebCore::DocumentWriter::end (this=0x117a450) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentWriter.cpp:245
#38 0x00007ffff1587cea in WebCore::DocumentLoader::finishedLoading (this=0x117a3b0, finishTime=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:408
#39 0x00007ffff1587a58 in WebCore::DocumentLoader::notifyFinished (this=0x117a3b0, resource=0x1190540) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:345
#40 0x00007ffff162181e in WebCore::CachedResource::checkNotify (this=0x1190540) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:369
#41 0x00007ffff16218f8 in WebCore::CachedResource::finishLoading (this=0x1190540) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:385
#42 0x00007ffff161e3fa in WebCore::CachedRawResource::finishLoading (this=0x1190540, data=0x119bf10) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedRawResource.cpp:94
#43 0x00007ffff15dbc53 in WebCore::SubresourceLoader::didFinishLoading (this=0x1190ab0, finishTime=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/SubresourceLoader.cpp:279
#44 0x00007ffff15d7f29 in WebCore::ResourceLoader::didFinishLoading (this=0x1190ab0, finishTime=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/ResourceLoader.cpp:487
#45 0x00007ffff22dc0f2 in WebCore::readCallback (asyncResult=0x11959b0, data=0x1188ee0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:1328
#46 0x00007fffe8521bc9 in async_ready_callback_wrapper (source_object=0x69e580, res=0x11959b0, user_data=0x1188ee0) at ginputstream.c:530
#47 0x00007fffe8543ccb in g_task_return_now (task=0x11959b0) at gtask.c:1105
#48 complete_in_idle_cb (task=<optimized out>) at gtask.c:1114
#49 0x00007fffedc31473 in g_main_dispatch (context=0x1195630) at gmain.c:3054
#50 g_main_context_dispatch (context=0x1195630) at gmain.c:3630
#51 0x00007ffff7575aee in _ecore_glib_select__locked (ecore_timeout=0x1195630, efds=<optimized out>, wfds=<optimized out>, rfds=<optimized out>, ecore_fds=1, ctx=<optimized out>) at ecore_glib.c:171
#52 _ecore_glib_select (ecore_fds=1, rfds=<optimized out>, wfds=<optimized out>, efds=<optimized out>, ecore_timeout=0x1195630) at ecore_glib.c:205
#53 0x00007ffff756fcb9 in _ecore_main_select (timeout=<optimized out>) at ecore_main.c:1466
#54 0x00007ffff7570789 in _ecore_main_loop_iterate_internal (once_only=0) at ecore_main.c:1860
#55 0x00007ffff7570b47 in ecore_main_loop_begin () at ecore_main.c:956
#56 0x0000000000406dfa in main (argc=2, argv=0x7fffffffde78) at /home/reni/Data/REPOS/webkit_sec/Tools/EWebLauncher/main.c:1044
Attachments
Test case (207 bytes, text/html)
2013-11-22 07:15 PST, Renata Hodovan
no flags
zalan
Comment 1 2016-01-14 13:59:57 PST
Works fine with 195071.