RESOLVED FIXED 206610
Crash in RenderBlockFlow::adjustLinePositionForPagination() with complex line without root box 
https://bugs.webkit.org/show_bug.cgi?id=206610
Summary Crash in RenderBlockFlow::adjustLinePositionForPagination() with complex line...
Doug Kelly
Reported 2020-01-22 13:51:18 PST
If RenderBlockFlow::adjustLinePositionForPagination() encounters a line with no root box, the result will be a crash with a null pointer dereference.
Attachments
Patch (5.94 KB, patch)
2020-01-22 14:38 PST, Doug Kelly 		no flags
DetailsFormatted DiffDiff
Test reduction (356 bytes, text/html)
2020-01-23 11:20 PST, zalan 		no flags
Details
Patch (3.97 KB, patch)
2020-01-24 15:24 PST, Doug Kelly 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Doug Kelly
Comment 1 2020-01-22 13:51:56 PST
<rdar://problem/57073037>
Doug Kelly
Comment 2 2020-01-22 14:38:38 PST
Created attachment 388472 [details] Patch
Sam Weinig
Comment 3 2020-01-22 20:35:15 PST
Comment on attachment 388472 [details] Patch Is everything in that test case needed to trigger the crash (there is a lot of craziness in there)? Seems like it can probably be reduced further?
Doug Kelly
Comment 4 2020-01-23 10:05:53 PST
(In reply to Sam Weinig from comment #3) > Comment on attachment 388472 [details] > Patch > > Is everything in that test case needed to trigger the crash (there is a lot > of craziness in there)? Seems like it can probably be reduced further? Yeah, I tried to reduce the number of "strange" things in the test case that would still trigger the crash, and this was what I came up with. If someone more familiar with the code knows a more direct means to trigger the same state/crash, I can't say how happy I'd be to replace this test case. :)
zalan
Comment 5 2020-01-23 11:20:15 PST
Created attachment 388565 [details] Test reduction
zalan
Comment 6 2020-01-23 11:37:35 PST
Comment on attachment 388472 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=388472&action=review > Source/WebCore/rendering/RenderBlockFlow.cpp:1813 > + if (!firstRootBox) > + return; I think what we want here is to ignore the firstRootBox when it is nullptr but still call setPaginationStrut() (not that it matters since this is such an edge case) (and please use the attached test reduction)
Sam Weinig
Comment 7 2020-01-24 08:11:55 PST
(In reply to Doug Kelly from comment #4) > (In reply to Sam Weinig from comment #3) > > Comment on attachment 388472 [details] > > Patch > > > > Is everything in that test case needed to trigger the crash (there is a lot > > of craziness in there)? Seems like it can probably be reduced further? > > Yeah, I tried to reduce the number of "strange" things in the test case that > would still trigger the crash, and this was what I came up with. If someone > more familiar with the code knows a more direct means to trigger the same > state/crash, I can't say how happy I'd be to replace this test case. :) Oh drat, looks like Zalan beat me to it. His is good.
Doug Kelly
Comment 8 2020-01-24 15:24:10 PST
Created attachment 388731 [details] Patch
Doug Kelly
Comment 9 2020-01-24 15:39:11 PST
Thanks Zalan/Sam. :) Incorporated the suggestions, and the much simpler test case.
Darin Adler
Comment 10 2020-01-25 09:05:15 PST
Comment on attachment 388731 [details] Patch Would be even better if the test covered correct behavior as well as the lack of a crash.
Doug Kelly
Comment 11 2020-01-25 15:38:40 PST
(In reply to Darin Adler from comment #10) > Comment on attachment 388731 [details] > Patch > > Would be even better if the test covered correct behavior as well as the > lack of a crash. I agree — testing the behavior here would be best, but I’ll need help from someone (Sam or Zalan?) to understand what the correct behavior in this case is. Thanks!
WebKit Commit Bot
Comment 12 2020-01-30 10:07:15 PST
Comment on attachment 388731 [details] Patch Clearing flags on attachment: 388731 Committed r255437: <https://trac.webkit.org/changeset/255437>
WebKit Commit Bot
Comment 13 2020-01-30 10:07:17 PST
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.