RESOLVED FIXED 45344
Null deref in InlineBox::height() 
https://bugs.webkit.org/show_bug.cgi?id=45344
Summary Null deref in InlineBox::height()
Cris Neckar
Reported 2010-09-07 17:32:51 PDT
Created attachment 66801 [details] repro When firstline is true the renderers style() method may return null and then be derefed. I hav been hitting this a lot with a fuzzer I am working on and will submit a patch shortly. the attached repro will trigger this.
Attachments
repro (449 bytes, text/html)
2010-09-07 17:32 PDT, Cris Neckar 		no flags
Details
Patch (2.75 KB, patch)
2010-09-07 18:04 PDT, Cris Neckar 		no flags
DetailsFormatted DiffDiff
Patch (3.01 KB, patch)
2010-09-08 11:10 PDT, Cris Neckar 		eric: review-
DetailsFormatted DiffDiff
Set the pseudo style bit on the RenderStyle which is going to supply the first-line style (3.53 KB, patch)
2010-09-25 00:22 PDT, mitz 		sullivan: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Cris Neckar
Comment 1 2010-09-07 18:04:09 PDT
Created attachment 66812 [details] Patch
Cris Neckar
Comment 2 2010-09-07 18:06:06 PDT
+jamesr James can you review this when you get a chance. Thanks!
James Robinson
Comment 3 2010-09-07 18:26:29 PDT
Comment on attachment 66812 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=66812&action=prettypatch > WebCore/rendering/InlineBox.cpp:99 > + if (!renderer()->style(m_firstLine)) > + return 0; > if (renderer()->isText()) > return m_isText ? renderer()->style(m_firstLine)->font().height() : 0; > if (renderer()->isBox() && parent()) There's one very slight behavior change here - if renderer()->isBox() && parent() == true, old code wouldn't call renderer()->style(m_firstLine) at all whereas this patch will. Can you reoranize this so that's still true? I think moving the isBox() && ... branch above the NULL check will suffice.
Cris Neckar
Comment 4 2010-09-08 11:10:24 PDT
Created attachment 66917 [details] Patch
Cris Neckar
Comment 5 2010-09-08 11:11:30 PDT
Good catch. Thank you!
Eric Seidel (no email)
Comment 6 2010-09-15 00:01:36 PDT
Comment on attachment 66917 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=66917&action=prettypatch > WebCore/rendering/InlineBox.cpp:-97 > + if (!renderer()->style(m_firstLine)) > + return 0; > if (renderer()->isText()) > return m_isText ? renderer()->style(m_firstLine)->font().height() : 0; > - if (renderer()->isBox() && parent()) I believe style(m_firstLine) is non-trivial. Shouldn't we cache it in a local variable? RenderStyle* firstLineStyle() const { return document()->usesFirstLineRules() ? firstLineStyleSlowCase() : style(); } RenderStyle* style(bool firstLine) const { return firstLine ? firstLineStyle() : style(); }
mitz
Comment 7 2010-09-15 00:14:22 PDT
Does this still happen with the fix for bug 45574 (r67255 or later)? style() should never return null and if it is, then that should be fixed, not papered over.
Ryosuke Niwa
Comment 8 2010-09-24 11:32:51 PDT
The repro now causes a crash at the line 96 of InlineBox.cpp: if (renderer()->isText()) return m_isText ? renderer()->style(m_firstLine)->font().height() : 0; font() is 0 and crashes inside RefPtr.
mitz
Comment 9 2010-09-24 11:52:40 PDT
(In reply to comment #8) > The repro now causes a crash at the line 96 of InlineBox.cpp: > > if (renderer()->isText()) > return m_isText ? renderer()->style(m_firstLine)->font().height() : 0; > > font() is 0 and crashes inside RefPtr. Seems like style(true) is still null.
mitz
Comment 10 2010-09-24 12:10:16 PDT
I think the issue is that RenderObject::firstLineStyleSlowCase() calls setHasPseudoStyle() on the wrong RenderStyle, namely the RenderText’s instead of its parent’s.
mitz
Comment 11 2010-09-25 00:12:12 PDT
<rdar://problem/8478160>
mitz
Comment 12 2010-09-25 00:22:03 PDT
Created attachment 68814 [details] Set the pseudo style bit on the RenderStyle which is going to supply the first-line style
mitz
Comment 13 2010-09-25 10:34:37 PDT
Fixed in <http://trac.webkit.org/projects/webkit/changeset/68335>.
Note You need to log in before you can comment on or make changes to this bug.