RESOLVED FIXED 125924
Null-pointer dereference in WebCore::RootInlineBox::prevRootBox
https://bugs.webkit.org/show_bug.cgi?id=125924
Renata Hodovan
Reported 2013-12-18 05:34:34 PST
The failing test:

<html>
<head>
<style>
html{ orphans:-988; widows:435; -webkit-columns:1in auto ; width: 0; }
</style>
</head>
<body contenteditable="true">
This test requires DumpRenderTree to see the log of what resources are loaded. It verifies that noscript-image1.png is not loaded because it is in a noscript block and noscript-image2.png is loaded because it is not in a noscript block.
</html>

The backtrace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to LWP 27824]
0x00007ffff324f3c4 in WebCore::RootInlineBox::prevRootBox (this=0x0) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RootInlineBox.h:242
242 return toRootInlineBox(m_prevLineBox);
(gdb) bt
#0 0x00007ffff324f3c4 in WebCore::RootInlineBox::prevRootBox (this=0x0) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RootInlineBox.h:242
#1 0x00007ffff38ddb74 in WebCore::RenderBlockFlow::layoutRunsAndFloatsInRange (this=0x75e020, layoutState=..., resolver=..., cleanLineStart=..., cleanLineBidiStatus=..., consecutiveHyphenatedLines=0) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1512
#2 0x00007ffff38db5ee in WebCore::RenderBlockFlow::layoutRunsAndFloats (this=0x75e020, layoutState=..., hasInlineChild=true) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1104
#3 0x00007ffff38dedb0 in WebCore::RenderBlockFlow::layoutLineBoxes (this=0x75e020, relayoutChildren=false, repaintLogicalTop=..., repaintLogicalBottom=...) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1696
#4 0x00007ffff38c24b4 in WebCore::RenderBlockFlow::layoutInlineChildren (this=0x75e020, relayoutChildren=false, repaintLogicalTop=..., repaintLogicalBottom=...) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlockFlow.cpp:531
#5 0x00007ffff38c17e5 in WebCore::RenderBlockFlow::layoutBlock (this=0x75e020, relayoutChildren=false, pageLogicalHeight=<incomplete type>) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlockFlow.cpp:356
#6 0x00007ffff389138f in WebCore::RenderBlock::layout (this=0x75e020) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlock.cpp:1323
#7 0x00007ffff38c2896 in WebCore::RenderBlockFlow::layoutBlockChild (this=0x8172a0, child=..., marginInfo=..., previousFloatLogicalBottom=..., maxFloatLogicalBottom=...) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlockFlow.cpp:592
#8 0x00007ffff38c23b2 in WebCore::RenderBlockFlow::layoutBlockChildren (this=0x8172a0, relayoutChildren=false, maxFloatLogicalBottom=...) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlockFlow.cpp:511
#9 0x00007ffff38c1809 in WebCore::RenderBlockFlow::layoutBlock (this=0x8172a0, relayoutChildren=false, pageLogicalHeight=<incomplete type>) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlockFlow.cpp:358
#10 0x00007ffff389138f in WebCore::RenderBlock::layout (this=0x8172a0) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlock.cpp:1323
#11 0x00007ffff38c2896 in WebCore::RenderBlockFlow::layoutBlockChild (this=0x66ea10, child=..., marginInfo=..., previousFloatLogicalBottom=..., maxFloatLogicalBottom=...) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlockFlow.cpp:592
#12 0x00007ffff38c23b2 in WebCore::RenderBlockFlow::layoutBlockChildren (this=0x66ea10, relayoutChildren=true, maxFloatLogicalBottom=...) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlockFlow.cpp:511
#13 0x00007ffff38c1809 in WebCore::RenderBlockFlow::layoutBlock (this=0x66ea10, relayoutChildren=true, pageLogicalHeight=<incomplete type>) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlockFlow.cpp:358
#14 0x00007ffff389138f in WebCore::RenderBlock::layout (this=0x66ea10) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlock.cpp:1323
#15 0x00007ffff3a5fa43 in WebCore::RenderView::layoutContent (this=0x66ea10, state=...) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderView.cpp:153
#16 0x00007ffff3a606a8 in WebCore::RenderView::layout (this=0x66ea10) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderView.cpp:339
#17 0x00007ffff35face9 in WebCore::FrameView::layout (this=0x816d60, allowSubtree=true) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/page/FrameView.cpp:1261
#18 0x00007ffff30be058 in WebCore::Document::implicitClose (this=0x75a690) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/dom/Document.cpp:2390
#19 0x00007ffff34f70fb in WebCore::FrameLoader::checkCallImplicitClose (this=0x8254f8) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/loader/FrameLoader.cpp:849
#20 0x00007ffff34f6e8f in WebCore::FrameLoader::checkCompleted (this=0x8254f8) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/loader/FrameLoader.cpp:792
#21 0x00007ffff34f6bea in WebCore::FrameLoader::finishedParsing (this=0x8254f8) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/loader/FrameLoader.cpp:725
#22 0x00007ffff30c5241 in WebCore::Document::finishedParsing (this=0x75a690) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/dom/Document.cpp:4357
#23 0x00007ffff337944d in WebCore::HTMLConstructionSite::finishedParsing (this=0x66e908) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/html/parser/HTMLConstructionSite.cpp:347
#24 0x00007ffff33b06ef in WebCore::HTMLTreeBuilder::finished (this=0x66e8f0) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2901
#25 0x00007ffff338038c in WebCore::HTMLDocumentParser::end (this=0x816430) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/html/parser/HTMLDocumentParser.cpp:749
#26 0x00007ffff3380477 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd (this=0x816430) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/html/parser/HTMLDocumentParser.cpp:760
#27 0x00007ffff337f0bf in WebCore::HTMLDocumentParser::prepareToStopParsing (this=0x816430) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/html/parser/HTMLDocumentParser.cpp:203
#28 0x00007ffff33804bc in WebCore::HTMLDocumentParser::attemptToEnd (this=0x816430) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/html/parser/HTMLDocumentParser.cpp:772
#29 0x00007ffff3380575 in WebCore::HTMLDocumentParser::finish (this=0x816430) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/html/parser/HTMLDocumentParser.cpp:821
#30 0x00007ffff34e9d74 in WebCore::DocumentWriter::end (this=0x838120) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/loader/DocumentWriter.cpp:245
#31 0x00007ffff34d7ffe in WebCore::DocumentLoader::finishedLoading (this=0x838080, finishTime=0) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/loader/DocumentLoader.cpp:408
#32 0x00007ffff34d7d6c in WebCore::DocumentLoader::notifyFinished (this=0x838080, resource=0x8a90f0) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/loader/DocumentLoader.cpp:345
#33 0x00007ffff3568a34 in WebCore::CachedResource::checkNotify (this=0x8a90f0) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/loader/cache/CachedResource.cpp:369
#34 0x00007ffff3568b0e in WebCore::CachedResource::finishLoading (this=0x8a90f0) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/loader/cache/CachedResource.cpp:385
#35 0x00007ffff35656aa in WebCore::CachedRawResource::finishLoading (this=0x8a90f0, data=0x81acc0) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/loader/cache/CachedRawResource.cpp:94
#36 0x00007ffff352a5db in WebCore::SubresourceLoader::didFinishLoading (this=0x81ce30, finishTime=0) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/loader/SubresourceLoader.cpp:279
#37 0x00007ffff3526939 in WebCore::ResourceLoader::didFinishLoading (this=0x81ce30, finishTime=0) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/loader/ResourceLoader.cpp:487
#38 0x00007ffff41c0b5a in WebCore::readCallback (asyncResult=0x81a1e0, data=0x839df0) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:1328
#39 0x00007fffeff93bb9 in async_ready_callback_wrapper (source_object=0x81e5e0, res=0x81a1e0, user_data=0x839df0) at ginputstream.c:530
#40 0x00007fffeffb5cbb in g_task_return_now (task=0x81a1e0) at gtask.c:1105
#41 complete_in_idle_cb (task=<optimized out>) at gtask.c:1114
#42 0x00007ffff02d9473 in g_main_dispatch (context=0x611920) at gmain.c:3054
#43 g_main_context_dispatch (context=0x611920) at gmain.c:3630
#44 0x00007ffff02d97b8 in g_main_context_iterate (dispatch=1, block=<optimized out>, context=0x611920, self=<optimized out>) at gmain.c:3701
#45 g_main_context_iterate (context=0x611920, block=<optimized out>, dispatch=1, self=<optimized out>) at gmain.c:3638
#46 0x00007ffff02d9bfa in g_main_loop_run (loop=0x611a80) at gmain.c:3895
#47 0x00007ffff49fe332 in WTF::RunLoop::run () at /home/reni/Data/REPOS/webkitnix/Source/WTF/wtf/nix/RunLoopNix.cpp:60
#48 0x00007ffff4956b9c in WebKit::WebProcessMainNix (argc=2, argv=0x7fffffffde68) at /home/reni/Data/REPOS/webkitnix/Source/WebKit2/WebProcess/nix/WebProcessMainNix.cpp:84
#49 0x00000000004007b4 in main (argc=2, argv=0x7fffffffde68) at /home/reni/Data/REPOS/webkitnix/Source/WebKit2/nix/MainNix.cpp:30
Attachments
Proposed patch (3.95 KB, patch)
2013-12-18 05:50 PST, Dániel Bátyai
kling: review+
kling: commit-queue-
Proposed patch (3.94 KB, patch)
2013-12-18 06:55 PST, Dániel Bátyai
no flags
Dániel Bátyai
Comment 1 2013-12-18 05:50:05 PST
Created attachment 219529 [details] Proposed patch
Andreas Kling
Comment 2 2013-12-18 06:27:29 PST
Comment on attachment 219529 [details] Proposed patch
View in context: https://bugs.webkit.org/attachment.cgi?id=219529&action=review

Code change looks fine, but we need to remove the "nobreak" comment.

> LayoutTests/ChangeLog:3
> + Null-pointer dereference in WebCore::RootInlineBox::prevRootBox

This is a bad bug/patch title and we should avoid them. It describes the symptom and not the cause. I would call it something like "CSS: Null-pointer dereference with negative 'orphans' value."

> Source/WebCore/css/CSSParser.cpp:2225
> /* nobreak */

This idiosyncratic comment is no longer valid since you're removing the fall-through.
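The reviewer's renaming of the bug points at the root cause: the parser accepted a negative 'orphans' value, and layout later dereferenced a null RootInlineBox. As an added illustration of the defensive pattern (not WebKit's code and not the patch under review, whose exact change is not shown on this page), the following C++ sketch validates 'orphans' and 'widows' as positive integers at parse time so that an out-of-range declaration is dropped before layout runs. The property enum, the property-name lookup and the z-index case are assumptions introduced for contrast; z-index is there only to show why an accidental fall-through into a more permissive rule matters.

```cpp
#include <cerrno>
#include <climits>
#include <cstdlib>
#include <string>

// Hypothetical property ids (an assumption for this example; not WebKit's CSSPropertyID).
enum class CssProperty { Orphans, Widows, ZIndex, Unknown };

CssProperty propertyFromName(const std::string& name) {
    if (name == "orphans") return CssProperty::Orphans;
    if (name == "widows") return CssProperty::Widows;
    if (name == "z-index") return CssProperty::ZIndex;
    return CssProperty::Unknown;
}

// Parse the whole token as a base-10 integer. Rejects empty input, trailing
// junk such as "12px", and values that do not fit in an int. Tokens are
// assumed to be already trimmed of surrounding whitespace.
static bool parseInteger(const std::string& text, int& out) {
    if (text.empty()) return false;
    errno = 0;
    char* end = nullptr;
    long v = std::strtol(text.c_str(), &end, 10);
    if (errno == ERANGE || end == text.c_str() || *end != '\0') return false;
    if (v > INT_MAX || v < INT_MIN) return false;
    out = static_cast<int>(v);
    return true;
}

// Returns true and stores the value only if the declaration is valid for the
// property; an invalid declaration is dropped, so layout never sees it.
// Every case ends in a return: there is no fall-through into the more
// permissive z-index rule for a property that needs the stricter one.
bool validateIntegerProperty(CssProperty prop, const std::string& value, int& out) {
    int v = 0;
    if (!parseInteger(value, v)) return false;
    switch (prop) {
    case CssProperty::Orphans:
    case CssProperty::Widows:
        // orphans/widows take a positive <integer>: zero and negatives are invalid.
        if (v < 1) return false;
        out = v;
        return true;
    case CssProperty::ZIndex:
        // z-index accepts any integer, negatives included.
        out = v;
        return true;
    case CssProperty::Unknown:
        return false;
    }
    return false;
}

// Convenience wrappers for a "name:value" pair as it appears in the reporter's stylesheet.
bool declarationIsValid(const std::string& name, const std::string& value) {
    int ignored = 0;
    return validateIntegerProperty(propertyFromName(name), value, ignored);
}

// Returns the validated value, or `fallback` when the declaration is dropped.
int validatedValueOr(const std::string& name, const std::string& value, int fallback) {
    int v = 0;
    return validateIntegerProperty(propertyFromName(name), value, v) ? v : fallback;
}
```

Run against the reporter's stylesheet, "orphans:-988" is rejected and "widows:435" is kept; the same switch shape (each property group with its own explicit return) is what makes the reviewer's "no longer valid" remark about the old nobreak comment correct, since there is nothing left to fall through to.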
Dániel Bátyai
Comment 3 2013-12-18 06:55:07 PST
Created attachment 219532 [details] Proposed patch
Corrected according to review
WebKit Commit Bot
Comment 4 2013-12-18 07:48:39 PST
Comment on attachment 219532 [details] Proposed patch
Clearing flags on attachment: 219532
Committed r160766: <http://trac.webkit.org/changeset/160766>