Created attachment 48802: Backtrace

Original bug report: http://bugreports.qt.nokia.com/browse/QTBUG-5020

Compiler: Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.30729.01 for 80x86

I can't provide you with exact steps to reproduce because the bug is very rare and hard to reproduce, but I found the root cause of the bug.

We use Qt for developing a proprietary application with a UI partially written in JavaScript-rich HTML that intensively uses Qt plugins and WebKit HTML5 extensions. In some unforeseen circumstances the application unexpectedly crashes in $(Qt)/src/3rdparty/webkit/webcore/dom/mouserelatedevent.cpp, in the MouseRelatedEvent::receivedTarget method.

There is the following code in MouseRelatedEvent::receivedTarget:

========================================================
    Node* n = targ;
    while (n && !n->renderer())
        n = n->parent();
    if (n) {
        RenderLayer* layer = n->renderer()->enclosingLayer();
        layer->updateLayerPosition();
        for (; layer; layer = layer->parent()) {
            m_layerX -= layer->xPos();
            m_layerY -= layer->yPos();
        }
    }
========================================================

In some circumstances, layer is NULL in the call to layer->updateLayerPosition() in the code above. The null pointer check is introduced in the for loop; I believe it should be introduced above the call to updateLayerPosition. In other words, the code should be rewritten as follows:

========================================================
    Node* n = targ;
    while (n && !n->renderer())
        n = n->parent();
    if (n) {
        RenderLayer* layer = n->renderer()->enclosingLayer();
        if (layer) {
            layer->updateLayerPosition();
            // do/while avoids the redundant null pointer check in the first iteration
            do {
                m_layerX -= layer->xPos();
                m_layerY -= layer->yPos();
            } while ((layer = layer->parent()));
        }
    }
========================================================
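To make the ordering of the null check concrete, here is an added example (not WebKit's code and not the reporter's) with a minimal mock of Node, RenderObject and RenderLayer; the names receivedTargetFixed, scenarioNullLayer and scenarioLayerChain and the coordinate values are assumptions made for this example.

```cpp
// Added example (not WebKit code): minimal mock of Node/RenderObject/RenderLayer
// so the null-check ordering of the proposed fix can be exercised offline.
struct RenderLayer {
    int x, y; RenderLayer* parentLayer;
    int xPos() const { return x; }
    int yPos() const { return y; }
    RenderLayer* parent() const { return parentLayer; }
    void updateLayerPosition() {}      // no-op in the mock
};
struct RenderObject {
    RenderLayer* layer;                // null models the case from the report
    RenderLayer* enclosingLayer() const { return layer; }
};
struct Node {
    RenderObject* r; Node* parentNode;
    RenderObject* renderer() const { return r; }
    Node* parent() const { return parentNode; }
};
struct LayerOffset { int x, y; };

// Proposed fix: test the layer before touching it, then walk the parent chain.
LayerOffset receivedTargetFixed(Node* targ, int layerX, int layerY) {
    Node* n = targ;
    while (n && !n->renderer())
        n = n->parent();
    if (n) {
        RenderLayer* layer = n->renderer()->enclosingLayer();
        if (layer) {
            layer->updateLayerPosition();
            do {
                layerX -= layer->xPos();
                layerY -= layer->yPos();
            } while ((layer = layer->parent()));
        }
    }
    return {layerX, layerY};
}

// Report's scenario: target has no renderer, its parent does, but enclosingLayer() is null.
LayerOffset scenarioNullLayer() {
    RenderObject parentRender{nullptr};
    Node parent{&parentRender, nullptr}, target{nullptr, &parent};
    return receivedTargetFixed(&target, 100, 50);   // returns {100, 50}, no dereference
}
// Normal case (constructed values): inner layer (10,20) whose parent is the root layer (5,5).
LayerOffset scenarioLayerChain() {
    RenderLayer root{5, 5, nullptr}, inner{10, 20, &root};
    RenderObject render{&inner}; Node target{&render, nullptr};
    return receivedTargetFixed(&target, 100, 50);   // returns {85, 25}
}
```

With the original ordering, scenarioNullLayer would call updateLayerPosition() through a null pointer before the for loop's check ever runs; the fixed ordering simply leaves the offsets untouched.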
Fixed in r82225: <http://trac.webkit.org/changeset/82225>