Bug 125924 - Null-pointer dereference in WebCore::RootInlineBox::prevRootBox
Summary: Null-pointer dereference in WebCore::RootInlineBox::prevRootBox
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: CSS (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks: 116980
Reported: 2013-12-18 05:34 PST by Renata Hodovan
Modified: 2013-12-18 09:22 PST (History)

See Also:


Attachments
Proposed patch (3.95 KB, patch)
2013-12-18 05:50 PST, Dániel Bátyai
kling: review+
kling: commit-queue-
Proposed patch (3.94 KB, patch)
2013-12-18 06:55 PST, Dániel Bátyai
no flags

Description Renata Hodovan 2013-12-18 05:34:34 PST
The failing test:

<html>
<head>
	<style>
		html {
			orphans: -988;
			widows: 435;
			-webkit-columns: 1in auto;
			width: 0;
		}
	</style>
</head>
<body contenteditable="true">
This test requires DumpRenderTree to see the log of what resources are loaded. It verifies that noscript-image1.png is not loaded because it is in a noscript block and noscript-image2.png is loaded because it is not in a noscript block.
</body>
</html>


The backtrace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to LWP 27824]
0x00007ffff324f3c4 in WebCore::RootInlineBox::prevRootBox (this=0x0) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RootInlineBox.h:242
242	    return toRootInlineBox(m_prevLineBox);
(gdb) bt
#0  0x00007ffff324f3c4 in WebCore::RootInlineBox::prevRootBox (this=0x0) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RootInlineBox.h:242
#1  0x00007ffff38ddb74 in WebCore::RenderBlockFlow::layoutRunsAndFloatsInRange (this=0x75e020, layoutState=..., resolver=..., cleanLineStart=..., 
    cleanLineBidiStatus=..., consecutiveHyphenatedLines=0) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1512
#2  0x00007ffff38db5ee in WebCore::RenderBlockFlow::layoutRunsAndFloats (this=0x75e020, layoutState=..., hasInlineChild=true)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1104
#3  0x00007ffff38dedb0 in WebCore::RenderBlockFlow::layoutLineBoxes (this=0x75e020, relayoutChildren=false, repaintLogicalTop=..., repaintLogicalBottom=...)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1696
#4  0x00007ffff38c24b4 in WebCore::RenderBlockFlow::layoutInlineChildren (this=0x75e020, relayoutChildren=false, repaintLogicalTop=..., 
    repaintLogicalBottom=...) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlockFlow.cpp:531
#5  0x00007ffff38c17e5 in WebCore::RenderBlockFlow::layoutBlock (this=0x75e020, relayoutChildren=false, pageLogicalHeight=<incomplete type>)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlockFlow.cpp:356
#6  0x00007ffff389138f in WebCore::RenderBlock::layout (this=0x75e020) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlock.cpp:1323
#7  0x00007ffff38c2896 in WebCore::RenderBlockFlow::layoutBlockChild (this=0x8172a0, child=..., marginInfo=..., previousFloatLogicalBottom=..., 
    maxFloatLogicalBottom=...) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlockFlow.cpp:592
#8  0x00007ffff38c23b2 in WebCore::RenderBlockFlow::layoutBlockChildren (this=0x8172a0, relayoutChildren=false, maxFloatLogicalBottom=...)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlockFlow.cpp:511
#9  0x00007ffff38c1809 in WebCore::RenderBlockFlow::layoutBlock (this=0x8172a0, relayoutChildren=false, pageLogicalHeight=<incomplete type>)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlockFlow.cpp:358
#10 0x00007ffff389138f in WebCore::RenderBlock::layout (this=0x8172a0) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlock.cpp:1323
#11 0x00007ffff38c2896 in WebCore::RenderBlockFlow::layoutBlockChild (this=0x66ea10, child=..., marginInfo=..., previousFloatLogicalBottom=..., 
    maxFloatLogicalBottom=...) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlockFlow.cpp:592
#12 0x00007ffff38c23b2 in WebCore::RenderBlockFlow::layoutBlockChildren (this=0x66ea10, relayoutChildren=true, maxFloatLogicalBottom=...)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlockFlow.cpp:511
#13 0x00007ffff38c1809 in WebCore::RenderBlockFlow::layoutBlock (this=0x66ea10, relayoutChildren=true, pageLogicalHeight=<incomplete type>)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlockFlow.cpp:358
#14 0x00007ffff389138f in WebCore::RenderBlock::layout (this=0x66ea10) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlock.cpp:1323
#15 0x00007ffff3a5fa43 in WebCore::RenderView::layoutContent (this=0x66ea10, state=...)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderView.cpp:153
#16 0x00007ffff3a606a8 in WebCore::RenderView::layout (this=0x66ea10) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderView.cpp:339
#17 0x00007ffff35face9 in WebCore::FrameView::layout (this=0x816d60, allowSubtree=true)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/page/FrameView.cpp:1261
#18 0x00007ffff30be058 in WebCore::Document::implicitClose (this=0x75a690) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/dom/Document.cpp:2390
#19 0x00007ffff34f70fb in WebCore::FrameLoader::checkCallImplicitClose (this=0x8254f8)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/loader/FrameLoader.cpp:849
#20 0x00007ffff34f6e8f in WebCore::FrameLoader::checkCompleted (this=0x8254f8) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/loader/FrameLoader.cpp:792
#21 0x00007ffff34f6bea in WebCore::FrameLoader::finishedParsing (this=0x8254f8) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/loader/FrameLoader.cpp:725
#22 0x00007ffff30c5241 in WebCore::Document::finishedParsing (this=0x75a690) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/dom/Document.cpp:4357
#23 0x00007ffff337944d in WebCore::HTMLConstructionSite::finishedParsing (this=0x66e908)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/html/parser/HTMLConstructionSite.cpp:347
#24 0x00007ffff33b06ef in WebCore::HTMLTreeBuilder::finished (this=0x66e8f0)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2901
#25 0x00007ffff338038c in WebCore::HTMLDocumentParser::end (this=0x816430)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/html/parser/HTMLDocumentParser.cpp:749
#26 0x00007ffff3380477 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd (this=0x816430)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/html/parser/HTMLDocumentParser.cpp:760
#27 0x00007ffff337f0bf in WebCore::HTMLDocumentParser::prepareToStopParsing (this=0x816430)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/html/parser/HTMLDocumentParser.cpp:203
#28 0x00007ffff33804bc in WebCore::HTMLDocumentParser::attemptToEnd (this=0x816430)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/html/parser/HTMLDocumentParser.cpp:772
#29 0x00007ffff3380575 in WebCore::HTMLDocumentParser::finish (this=0x816430)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/html/parser/HTMLDocumentParser.cpp:821
#30 0x00007ffff34e9d74 in WebCore::DocumentWriter::end (this=0x838120) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/loader/DocumentWriter.cpp:245
#31 0x00007ffff34d7ffe in WebCore::DocumentLoader::finishedLoading (this=0x838080, finishTime=0)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/loader/DocumentLoader.cpp:408
#32 0x00007ffff34d7d6c in WebCore::DocumentLoader::notifyFinished (this=0x838080, resource=0x8a90f0)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/loader/DocumentLoader.cpp:345
#33 0x00007ffff3568a34 in WebCore::CachedResource::checkNotify (this=0x8a90f0)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/loader/cache/CachedResource.cpp:369
#34 0x00007ffff3568b0e in WebCore::CachedResource::finishLoading (this=0x8a90f0)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/loader/cache/CachedResource.cpp:385
#35 0x00007ffff35656aa in WebCore::CachedRawResource::finishLoading (this=0x8a90f0, data=0x81acc0)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/loader/cache/CachedRawResource.cpp:94
#36 0x00007ffff352a5db in WebCore::SubresourceLoader::didFinishLoading (this=0x81ce30, finishTime=0)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/loader/SubresourceLoader.cpp:279
#37 0x00007ffff3526939 in WebCore::ResourceLoader::didFinishLoading (this=0x81ce30, finishTime=0)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/loader/ResourceLoader.cpp:487
#38 0x00007ffff41c0b5a in WebCore::readCallback (asyncResult=0x81a1e0, data=0x839df0)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:1328
#39 0x00007fffeff93bb9 in async_ready_callback_wrapper (source_object=0x81e5e0, res=0x81a1e0, user_data=0x839df0) at ginputstream.c:530
#40 0x00007fffeffb5cbb in g_task_return_now (task=0x81a1e0) at gtask.c:1105
#41 complete_in_idle_cb (task=<optimized out>) at gtask.c:1114
#42 0x00007ffff02d9473 in g_main_dispatch (context=0x611920) at gmain.c:3054
#43 g_main_context_dispatch (context=0x611920) at gmain.c:3630
#44 0x00007ffff02d97b8 in g_main_context_iterate (dispatch=1, block=<optimized out>, context=0x611920, self=<optimized out>) at gmain.c:3701
#45 g_main_context_iterate (context=0x611920, block=<optimized out>, dispatch=1, self=<optimized out>) at gmain.c:3638
#46 0x00007ffff02d9bfa in g_main_loop_run (loop=0x611a80) at gmain.c:3895
#47 0x00007ffff49fe332 in WTF::RunLoop::run () at /home/reni/Data/REPOS/webkitnix/Source/WTF/wtf/nix/RunLoopNix.cpp:60
#48 0x00007ffff4956b9c in WebKit::WebProcessMainNix (argc=2, argv=0x7fffffffde68)
    at /home/reni/Data/REPOS/webkitnix/Source/WebKit2/WebProcess/nix/WebProcessMainNix.cpp:84
#49 0x00000000004007b4 in main (argc=2, argv=0x7fffffffde68) at /home/reni/Data/REPOS/webkitnix/Source/WebKit2/nix/MainNix.cpp:30
Comment 1 Dániel Bátyai 2013-12-18 05:50:05 PST
Created attachment 219529 [details]
Proposed patch
Comment 2 Andreas Kling 2013-12-18 06:27:29 PST
Comment on attachment 219529 [details]
Proposed patch

View in context: https://bugs.webkit.org/attachment.cgi?id=219529&action=review

Code change looks fine, but we need to remove the "nobreak" comment.

> LayoutTests/ChangeLog:3
> +        Null-pointer dereference in WebCore::RootInlineBox::prevRootBox

This is a bad bug/patch title and we should avoid them. It describes the symptom and not the cause.
I would call it something like "CSS: Null-pointer dereference with negative 'orphans' value."

> Source/WebCore/css/CSSParser.cpp:2225
>          /* nobreak */
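Review bot: with the fall-through removed, the `/* nobreak */` at Source/WebCore/css/CSSParser.cpp:2225 documents control flow that no longer exists and should be deleted in the same change rather than left as a stale marker; the dedicated orphans/widows branch that replaces the fall-through is also the right place to reject the negative value the reporter's test uses (orphans:-988), so that an invalid line count never reaches line layout.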

This idiosyncratic comment is no longer valid since you're removing the fall-through.
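The review above turns on a shared switch case whose fall-through let a negative 'orphans' value through the parser and into layout. The following is an added illustration written for this page, not WebKit's CSSParser code or the committed patch: it models the fall-through shape beside a dedicated branch that enforces the CSS rule that orphans/widows take positive integers only. The property names, the shared integer case and the Parsed struct are assumptions made for the example.

```cpp
// Added illustration, not WebKit's CSSParser: a minimal model of a shared
// switch case with a fall-through versus a dedicated validating branch.
// The enum and the generic integer property are assumptions for the example.
enum class CSSPropertyID { Orphans, Widows, GenericInteger };

// Result of validating one declaration. valid == false means the
// declaration is invalid and must be dropped before it reaches layout.
struct Parsed {
    bool valid;
    int value;
};

// Fall-through shape: orphans/widows share the generic integer case, so any
// integer, including the reproducer's orphans:-988, is accepted and layout
// later walks line boxes for a count it cannot satisfy.
Parsed parseIntegerValueFallThrough(CSSPropertyID prop, int value)
{
    switch (prop) {
    case CSSPropertyID::Orphans:
    case CSSPropertyID::Widows:
        /* nobreak */
    case CSSPropertyID::GenericInteger:
        return { true, value };   // any integer accepted
    }
    return { false, 0 };
}

// Dedicated branch: orphans/widows are validated on their own, so the
// negative value is rejected at parse time and the stale /* nobreak */
// marker has no reason to exist.
Parsed parseIntegerValueValidated(CSSPropertyID prop, int value)
{
    switch (prop) {
    case CSSPropertyID::Orphans:
    case CSSPropertyID::Widows:
        if (value <= 0)
            return { false, 0 };  // invalid declaration, ignored
        return { true, value };
    case CSSPropertyID::GenericInteger:
        return { true, value };   // negatives are legitimate here
    }
    return { false, 0 };
}
```

The defensive point is that the parse boundary is the cheapest place to reject a value the renderer cannot represent; once a negative count is stored in the style, every later consumer has to guard against it.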
Comment 3 Dániel Bátyai 2013-12-18 06:55:07 PST
Created attachment 219532 [details]
Proposed patch

Corrected according to review
Comment 4 WebKit Commit Bot 2013-12-18 07:48:39 PST
Comment on attachment 219532 [details]
Proposed patch

Clearing flags on attachment: 219532

Committed r160766: <http://trac.webkit.org/changeset/160766>