RESOLVED WORKSFORME
151032
Segmentation fault (NULL dereference) in WebCore::RenderStyle::fontMetrics
https://bugs.webkit.org/show_bug.cgi?id=151032
Renata Hodovan
Reported
2015-11-09 09:18:20 PST
Created attachment 265059 [details]
Test

Load the attached test with debug MiniBrowser:

<style> * { font-size: calc( 1432 * -1239% - 4595ch / -63 ); font-family: monospace; } </style>

OS: Ubuntu 15.04 x86_64
Checked build: debug EFL
Checked version: 009fb33

Backtrace:

ASSERTION FAILED: m_fonts
../../Source/WebCore/platform/graphics/FontCascade.h(351) : const WebCore::Font& WebCore::FontCascade::primaryFont() const
1   0x7f37475eff97 WTFCrash
2   0x7f374da1f415 WebCore::FontCascade::primaryFont() const
3   0x7f374da1f3c6 WebCore::FontCascade::fontMetrics() const
4   0x7f374e14f9bc WebCore::RenderStyle::fontMetrics() const
5   0x7f374e92024a WebCore::CSSPrimitiveValue::computeNonCalcLengthDouble(WebCore::CSSToLengthConversionData const&, unsigned short, double)
6   0x7f374e91ffad WebCore::CSSPrimitiveValue::computeLengthDouble(WebCore::CSSToLengthConversionData const&) const
7   0x7f374e91ff03 float WebCore::CSSPrimitiveValue::computeLength<float>(WebCore::CSSToLengthConversionData const&) const
8   0x7f374f04f106 WebCore::CSSCalcPrimitiveValue::createCalcExpression(WebCore::CSSToLengthConversionData const&) const
9   0x7f374f0500dd WebCore::CSSCalcBinaryOperation::createCalcExpression(WebCore::CSSToLengthConversionData const&) const
10  0x7f374e9a1fa1 WebCore::CSSCalcValue::createCalculationValue(WebCore::CSSToLengthConversionData const&) const
11  0x7f374ed7cfba WebCore::StyleBuilderCustom::applyValueFontSize(WebCore::StyleResolver&, WebCore::CSSValue&)
12  0x7f374ed60694 WebCore::StyleBuilder::applyProperty(WebCore::CSSPropertyID, WebCore::StyleResolver&, WebCore::CSSValue&, bool, bool)
13  0x7f374e9790f4 WebCore::StyleResolver::applyProperty(WebCore::CSSPropertyID, WebCore::CSSValue*, WebCore::SelectorChecker::LinkMatchMask, WebCore::StyleResolver::MatchResult const*)
14  0x7f374e97ce1e WebCore::StyleResolver::CascadedProperties::Property::apply(WebCore::StyleResolver&, WebCore::StyleResolver::MatchResult const*)
15  0x7f374e97d0a7 WebCore::StyleResolver::applyCascadedProperties(WebCore::StyleResolver::CascadedProperties&, int, int, WebCore::StyleResolver::MatchResult const*)
16  0x7f374e977fe7 WebCore::StyleResolver::applyMatchedProperties(WebCore::StyleResolver::MatchResult const&, WebCore::Element const*, WebCore::StyleResolver::ShouldUseMatchedPropertiesCache)
17  0x7f374e9734e7 WebCore::StyleResolver::styleForElement(WebCore::Element*, WebCore::RenderStyle*, WebCore::StyleSharingBehavior, WebCore::RuleMatchingBehavior, WebCore::RenderRegion const*)
18  0x7f374d793459 WebCore::Element::resolveStyle(WebCore::RenderStyle*)
19  0x7f374e1badb3
20  0x7f374e1baf78
21  0x7f374e1bc536
22  0x7f374e1bcf7a
23  0x7f374e1bdb56
24  0x7f374e1bdf18 WebCore::Style::resolveTree(WebCore::Document&, WebCore::Style::Change)
25  0x7f374d7223d2 WebCore::Document::recalcStyle(WebCore::Style::Change)
26  0x7f374d722713 WebCore::Document::updateStyleIfNeeded()
27  0x7f374d72f5cc WebCore::Document::finishedParsing()
28  0x7f374ea96799 WebCore::HTMLConstructionSite::finishedParsing()
29  0x7f374da82210 WebCore::HTMLTreeBuilder::finished()
30  0x7f374da528b4 WebCore::HTMLDocumentParser::end()
31  0x7f374da5298d WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd()
Aborted (core dumped)

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f37475eff9c in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
321         *(int *)(uintptr_t)0xbbadbeef = 0;
#0  0x00007f37475eff9c in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
#1  0x00007f374da1f415 in WebCore::FontCascade::primaryFont (this=0x7f372ebe76a8) at ../../Source/WebCore/platform/graphics/FontCascade.h:351
#2  0x00007f374da1f3c6 in WebCore::FontCascade::fontMetrics (this=0x7f372ebe76a8) at ../../Source/WebCore/platform/graphics/FontCascade.h:174
#3  0x00007f374e14f9bc in WebCore::RenderStyle::fontMetrics (this=0x7f372ebe5a20) at ../../Source/WebCore/rendering/style/RenderStyle.cpp:1411
#4  0x00007f374e92024a in WebCore::CSSPrimitiveValue::computeNonCalcLengthDouble (conversionData=..., primitiveType=109, value=-72.936507936507937) at ../../Source/WebCore/css/CSSPrimitiveValue.cpp:633
#5  0x00007f374e91ffad in WebCore::CSSPrimitiveValue::computeLengthDouble (this=0x7f372ebb5960, conversionData=...) at ../../Source/WebCore/css/CSSPrimitiveValue.cpp:603
#6  0x00007f374e91ff03 in WebCore::CSSPrimitiveValue::computeLength<float> (this=0x7f372ebb5960, conversionData=...) at ../../Source/WebCore/css/CSSPrimitiveValue.cpp:589
#7  0x00007f374f04f106 in WebCore::CSSCalcPrimitiveValue::createCalcExpression (this=0x7f372ebbce80, conversionData=...) at ../../Source/WebCore/css/CSSCalculationValue.cpp:231
#8  0x00007f374f0500dd in WebCore::CSSCalcBinaryOperation::createCalcExpression (this=0x7f372ebc1cf0, conversionData=...) at ../../Source/WebCore/css/CSSCalculationValue.cpp:434
#9  0x00007f374e9a1fa1 in WebCore::CSSCalcValue::createCalculationValue (this=0x7f372ebbcea0, conversionData=...) at ../../Source/WebCore/css/CSSCalculationValue.h:124
#10 0x00007f374ed7cfba in WebCore::StyleBuilderCustom::applyValueFontSize (styleResolver=..., value=...) at ../../Source/WebCore/css/StyleBuilderCustom.h:1588
#11 0x00007f374ed60694 in WebCore::StyleBuilder::applyProperty (property=WebCore::CSSPropertyFontSize, styleResolver=..., value=..., isInitial=false, isInherit=false) at DerivedSources/WebCore/StyleBuilder.cpp:5731
#12 0x00007f374e9790f4 in WebCore::StyleResolver::applyProperty (this=0x7f372ead7760, id=WebCore::CSSPropertyFontSize, value=0x7f372ebb5978, linkMatchMask=WebCore::SelectorChecker::MatchDefault, matchResult=0x7ffc35160c08) at ../../Source/WebCore/css/StyleResolver.cpp:1990
#13 0x00007f374e97ce1e in WebCore::StyleResolver::CascadedProperties::Property::apply (this=0x7ffc3515ce80, resolver=..., matchResult=0x7ffc35160c08) at ../../Source/WebCore/css/StyleResolver.cpp:2748
#14 0x00007f374e97d0a7 in WebCore::StyleResolver::applyCascadedProperties (this=0x7f372ead7760, cascade=..., firstProperty=2, lastProperty=25, matchResult=0x7ffc35160c08) at ../../Source/WebCore/css/StyleResolver.cpp:2784
#15 0x00007f374e977fe7 in WebCore::StyleResolver::applyMatchedProperties (this=0x7f372ead7760, matchResult=..., element=0x7f372ebe33a8, shouldUseMatchedPropertiesCache=WebCore::StyleResolver::UseMatchedPropertiesCache) at ../../Source/WebCore/css/StyleResolver.cpp:1699
#16 0x00007f374e9734e7 in WebCore::StyleResolver::styleForElement (this=0x7f372ead7760, element=0x7f372ebe33a8, defaultParent=0x7f372ebe5960, sharingBehavior=WebCore::AllowStyleSharing, matchingBehavior=WebCore::MatchAllRules, regionForStyling=0x0) at ../../Source/WebCore/css/StyleResolver.cpp:785
#17 0x00007f374d793459 in WebCore::Element::resolveStyle (this=0x7f372ebe33a8, parentStyle=0x7f372ebe5960) at ../../Source/WebCore/dom/Element.cpp:1405
#18 0x00007f374e1badb3 in WebCore::Style::styleForElement (element=..., inheritedStyle=...) at ../../Source/WebCore/style/StyleResolveTree.cpp:146
#19 0x00007f374e1baf78 in WebCore::Style::createRendererIfNeeded (element=..., inheritedStyle=..., renderTreePosition=..., resolvedStyle=...) at ../../Source/WebCore/style/StyleResolveTree.cpp:172
#20 0x00007f374e1bc536 in WebCore::Style::attachRenderTree (current=..., inheritedStyle=..., renderTreePosition=..., resolvedStyle=...) at ../../Source/WebCore/style/StyleResolveTree.cpp:480
#21 0x00007f374e1bcf7a in WebCore::Style::resolveLocal (current=..., inheritedStyle=..., renderTreePosition=..., inheritedChange=WebCore::Style::Force) at ../../Source/WebCore/style/StyleResolveTree.cpp:629
#22 0x00007f374e1bdb56 in WebCore::Style::resolveTree (current=..., inheritedStyle=..., renderTreePosition=..., change=WebCore::Style::Force) at ../../Source/WebCore/style/StyleResolveTree.cpp:850
#23 0x00007f374e1bdf18 in WebCore::Style::resolveTree (document=..., change=WebCore::Style::Force) at ../../Source/WebCore/style/StyleResolveTree.cpp:910
#24 0x00007f374d7223d2 in WebCore::Document::recalcStyle (this=0x7f372e826a40, change=WebCore::Style::Force) at ../../Source/WebCore/dom/Document.cpp:1841
#25 0x00007f374d722713 in WebCore::Document::updateStyleIfNeeded (this=0x7f372e826a40) at ../../Source/WebCore/dom/Document.cpp:1892
#26 0x00007f374d72f5cc in WebCore::Document::finishedParsing (this=0x7f372e826a40) at ../../Source/WebCore/dom/Document.cpp:4895
#27 0x00007f374ea96799 in WebCore::HTMLConstructionSite::finishedParsing (this=0x7f372eafe6e0) at ../../Source/WebCore/html/parser/HTMLConstructionSite.cpp:403
#28 0x00007f374da82210 in WebCore::HTMLTreeBuilder::finished (this=0x7f372eafe6c0) at ../../Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2937
#29 0x00007f374da528b4 in WebCore::HTMLDocumentParser::end (this=0x7f372e848cc0) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:393
#30 0x00007f374da5298d in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd (this=0x7f372e848cc0) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:402
#31 0x00007f374da5166f in WebCore::HTMLDocumentParser::prepareToStopParsing (this=0x7f372e848cc0) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:132
#32 0x00007f374da529d0 in WebCore::HTMLDocumentParser::attemptToEnd (this=0x7f372e848cc0) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:414
#33 0x00007f374da52a87 in WebCore::HTMLDocumentParser::finish (this=0x7f372e848cc0) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:442
#34 0x00007f374db739f6 in WebCore::DocumentWriter::end (this=0x7f372e8249e0) at ../../Source/WebCore/loader/DocumentWriter.cpp:247
#35 0x00007f374db5d2cc in WebCore::DocumentLoader::finishedLoading (this=0x7f372e824940, finishTime=0) at ../../Source/WebCore/loader/DocumentLoader.cpp:437
#36 0x00007f374db5d02a in WebCore::DocumentLoader::notifyFinished (this=0x7f372e824940, resource=0x7f372e836000) at ../../Source/WebCore/loader/DocumentLoader.cpp:384
#37 0x00007f374dc08437 in WebCore::CachedResource::checkNotify (this=0x7f372e836000) at ../../Source/WebCore/loader/cache/CachedResource.cpp:297
#38 0x00007f374dc08546 in WebCore::CachedResource::finishLoading (this=0x7f372e836000) at ../../Source/WebCore/loader/cache/CachedResource.cpp:313
#39 0x00007f374dc0473a in WebCore::CachedRawResource::finishLoading (this=0x7f372e836000, data=0x7f372ebbb780) at ../../Source/WebCore/loader/cache/CachedRawResource.cpp:103
#40 0x00007f374dbcd168 in WebCore::SubresourceLoader::didFinishLoading (this=0x7f372e82fa80, finishTime=0) at ../../Source/WebCore/loader/SubresourceLoader.cpp:372
#41 0x00007f374dbc7c47 in WebCore::ResourceLoader::didFinishLoading (this=0x7f372e82fa80, finishTime=0) at ../../Source/WebCore/loader/ResourceLoader.cpp:638
#42 0x00007f374e3b9560 in WebCore::readCallback (asyncResult=0x16f61c0, data=0x7f372ebbc660) at ../../Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:1341
#43 0x00007f3743bdf5b6 in async_ready_callback_wrapper (source_object=0x16445b0, res=0x16f61c0, user_data=0x7f372ebbc660) at ginputstream.c:523
#44 0x00007f3743c05b84 in g_task_return_now (task=0x16f61c0) at gtask.c:1077
#45 0x00007f3743c05ba9 in complete_in_idle_cb (task=0x16f61c0) at gtask.c:1086
#46 0x00007f374363dadd in g_main_dispatch (context=0x163e8d0) at gmain.c:3064
#47 g_main_context_dispatch (context=context@entry=0x163e8d0) at gmain.c:3663
#48 0x00007f3744fa9e58 in _ecore_glib_select__locked (ecore_timeout=<optimized out>, efds=0x7ffc35161df0, wfds=0x7ffc35161d70, rfds=0x7ffc35161cf0, ecore_fds=<optimized out>, ctx=<optimized out>) at lib/ecore/ecore_glib.c:172
#49 _ecore_glib_select (ecore_fds=<optimized out>, rfds=0x7ffc35161cf0, wfds=0x7ffc35161d70, efds=0x7ffc35161df0, ecore_timeout=<optimized out>) at lib/ecore/ecore_glib.c:204
#50 0x00007f3744fad4a4 in _ecore_main_select (timeout=9.532824124368238e-130) at lib/ecore/ecore_main.c:1459
#51 0x00007f3744faded4 in _ecore_main_loop_iterate_internal (once_only=once_only@entry=0) at lib/ecore/ecore_main.c:1893
#52 0x00007f3744fadfc7 in ecore_main_loop_begin () at lib/ecore/ecore_main.c:983
#53 0x00007f374764ae8d in WTF::RunLoop::run () at ../../Source/WTF/wtf/efl/RunLoopEfl.cpp:49
#54 0x00007f374d4aae1b in WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain> (argc=2, argv=0x7ffc35162228) at ../../Source/WebKit2/Shared/unix/ChildProcessMain.h:61
#55 0x00007f374d4aaa29 in WebKit::WebProcessMainUnix (argc=2, argv=0x7ffc35162228) at ../../Source/WebKit2/WebProcess/efl/WebProcessMainEfl.cpp:161
#56 0x00000000004008ea in main (argc=2, argv=0x7ffc35162228) at ../../Source/WebKit2/WebProcess/EntryPoint/unix/WebProcessMain.cpp:44
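Added example, not WebKit code: a simplified C++ model of the call order the backtrace shows, where a calc() font-size containing a `ch` term is resolved inside applyValueFontSize while the element's FontCascade is still empty, so fontMetrics() dereferences a null font list. The guarded resolver refuses font-relative units until the cascade has fonts; FontMetrics, hasFonts, resolveLength, Resolved and the 6px zero-width are assumed names and constructed values.

```cpp
// Added example, not WebKit code: a simplified model of the ordering defect in this
// report. A calc() font-size containing a `ch` term is resolved while the element's
// FontCascade is still empty, so fontMetrics() dereferences a null font list.
#include <memory>

struct FontMetrics { double zeroWidth; };   // `ch` is defined by the advance width of "0"
struct Font { FontMetrics metrics; };

struct FontCascade {
    std::shared_ptr<Font> m_fonts;           // models m_fonts: null until update() has run
    void update() { m_fonts = std::make_shared<Font>(Font{FontMetrics{6.0}}); } // constructed
    bool hasFonts() const { return m_fonts != nullptr; }                         // assumed helper
    // Mirrors the assertion in the report: only valid once m_fonts is populated.
    const FontMetrics& fontMetrics() const { return m_fonts->metrics; }
};

struct RenderStyle {
    FontCascade font;
    double fontSize = 16.0;                  // inherited size, used for % terms
};

enum class Unit { Percent, Ch };
struct Resolved { bool ok; double px; };     // ok == false: cannot be resolved yet

// Unguarded resolver: reaches fontMetrics() for `ch` regardless of cascade state.
// On a style whose cascade is empty this is the null dereference in the trace.
double resolveLengthUnguarded(const RenderStyle& style, Unit unit, double value) {
    if (unit == Unit::Percent)
        return style.fontSize * value / 100.0;
    return style.font.fontMetrics().zeroWidth * value;
}

// Guarded resolver: font-relative units are only resolvable once the cascade has
// fonts; otherwise the caller is told to defer instead of dereferencing null.
Resolved resolveLength(const RenderStyle& style, Unit unit, double value) {
    if (unit == Unit::Ch && !style.font.hasFonts())
        return {false, 0.0};
    return {true, resolveLengthUnguarded(style, unit, value)};
}

// The `ch` term of the report's test case, 4595ch / -63, is the value=-72.9365...
// seen in frame #4 of the gdb trace.
constexpr double kChTermFromReport = 4595.0 / -63.0;
```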
Attachments
Test (103 bytes, text/html), 2015-11-09 09:18 PST, Renata Hodovan, no flags
Release trace (6.51 KB, text/plain), 2015-11-10 01:00 PST, Renata Hodovan, no flags
Renata Hodovan
Comment 1
2015-11-10 01:00:26 PST
Created attachment 265153 [details]
Release trace

The test crashes in release with the attached backtrace.
Brent Fulgham
Comment 2
2016-08-04 17:46:56 PDT
This is a null dereference in release mode, and therefore not likely to be a security concern. Reproduces in r204037.
Radar WebKit Bug Importer
Comment 3
2016-08-04 17:47:24 PDT
<rdar://problem/27711212>
Martin Robinson
Comment 4
2022-04-14 23:30:28 PDT
The EFL port doesn't exist any longer and I cannot reproduce this with WebKitGTK. Going to close this one.