Location: WebCore/css/PropertySetCSSStyleDeclaration.cpp:92 It appears possible that m_nextObject can be NULL. In this event, the function commitLineBreakAtCurrentWidth(...) is an illegal call because it requires a reference. Note that even when m_nextObject is NULL, commitLineBreakAtCurrentWidth(...) still needs to be called.
Created attachment 285969 [details] Patch
Note that this change aimed for minimum impact on existing code. Investigation of commitLineBreakAtCurrentWidth(...) indicates that the code path called by this function handles and expects NULL pointers for RenderObjects, and one notable caller of commitLineBreakAtCurrentWidth(...) passes NULL RenderObjects in certain circmstances.
Comment on attachment 285969 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=285969&action=review > Source/WebCore/rendering/line/BreakingContext.h:170 > + void commitLineBreakAtCurrentWidth(RenderObject* object, unsigned offset = 0, int nextBreak = -1) I understand the motivation for changing from a pointer to a reference to fix the compiler warning on line 1228 in BreakingContext::commitAndUpdateLineBreakIfNeeded(), but is this preferred way to allow moving to the end of the iterator (assuming the code in BreakingContext::commitAndUpdateLineBreakIfNeeded() is correct)? Does anyone ever call this function or InlineIterator::moveTo(RenderObject*, unsigned, int) with a null RenderObject and a non-zero offset? What does it mean to support such calls?
Created attachment 286066 [details] Patch
A few note about the underlying architecture: The central issue resolved in this patch is that the iterator can point to nothing (by design) functions which access the WebCore::InlineIterator generally assume the iterator is always pointing to something. Additionally, when assigning this iterator to nothing, calls were made which assume the iterator was being assigned to a reference. This patch attempts to unify assumptions, allowing the iterator to explicitly be assigned to NULL.
Comment on attachment 286066 [details] Patch Please add a rest which causes the bull reference to be created.
(In reply to comment #6) > Comment on attachment 286066 [details] > Patch > > Please add a rest which causes the bull reference to be created. *null reference (Sorry for the typo)
(In reply to comment #7) > (In reply to comment #6) > > Comment on attachment 286066 [details] > > Patch > > > > Please add a rest which causes the bull reference to be created. > > *null reference > > (Sorry for the typo) *test Wow, I am not typing well today....
(In reply to comment #8) > Please add a test which causes the null reference to be created. The tests actually already exist, js/dom/script-start-end-locations.html and js/dom/cross-frame-symbols.html, for example, both cause this to happen (these are by no means an exhaustive list). This bug was caught with Clang's undefined behavior sanitizer, which I am running locally. Currently, for a number of reasons, we cannot run the undefined behavior sanitizer on our build machines. Since this bug was the result of converting a NULL pointer to a reference and then back to a pointer, the above tests did not cause a crash. I'm not sure how to test this, unless the undefined behavior sanitizer is integrated to our testing framework, which is a possible long term plan, but won't happen in the near future.
Comment on attachment 286066 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=286066&action=review > Source/WebCore/rendering/line/BreakingContext.h:546 > + if (m_current.renderer()) if (auto* renderer = m_current.renderer()) commitLineBreakAtCurrentWidth(*renderer);
Created attachment 286199 [details] Patch
Comment on attachment 286199 [details] Patch Rejecting attachment 286199 [details] from commit-queue. Failed to run "['/Volumes/Data/EWS/WebKit/Tools/Scripts/webkit-patch', '--status-host=webkit-queues.webkit.org', '--bot-id=webkit-cq-02', 'apply-attachment', '--no-update', '--non-interactive', 286199, '--port=mac']" exit_code: 2 cwd: /Volumes/Data/EWS/WebKit Last 500 characters of output: unk #8 succeeded at 944 (offset -1 lines). Hunk #9 succeeded at 1021 (offset -1 lines). Hunk #10 succeeded at 1038 (offset -1 lines). Hunk #11 succeeded at 1098 (offset -1 lines). Hunk #12 succeeded at 1236 (offset -1 lines). Hunk #13 succeeded at 1274 (offset -1 lines). 2 out of 13 hunks FAILED -- saving rejects to file Source/WebCore/rendering/line/BreakingContext.h.rej Failed to run "[u'/Volumes/Data/EWS/WebKit/Tools/Scripts/svn-apply', '--force']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit Full output: http://webkit-queues.webkit.org/results/1893939
Created attachment 286383 [details] Patch
Comment on attachment 286383 [details] Patch Offset had been changed to Optional<unsigned> from int, the most recent patch fixes conflicts.
Comment on attachment 286383 [details] Patch Attachment 286383 [details] did not pass ios-sim-ews (ios-simulator-wk2): Output: http://webkit-queues.webkit.org/results/1894581 New failing tests: fast/scrolling/ios/scrollTo-at-page-load.html
Created attachment 286395 [details] Archive of layout-test-results from ews122 for ios-simulator-elcapitan-wk2 The attached test failures were seen while running run-webkit-tests on the ios-sim-ews. Bot: ews122 Port: ios-simulator-elcapitan-wk2 Platform: Mac OS X 10.11.5
There was a bug in EWS, the first bot timed out while running tests.
Comment on attachment 286383 [details] Patch Clearing flags on attachment: 286383 Committed r204620: <http://trac.webkit.org/changeset/204620>
All reviewed patches have been landed. Closing bug.