48218 – Two null ptr when trying to split anonymous blocks

RESOLVED FIXED 48218

Two null ptr when trying to split anonymous blocks

https://bugs.webkit.org/show_bug.cgi?id=48218

Summary Two null ptr when trying to split anonymous blocks

Abhishek Arya

Reported 2010-10-24 19:11:26 PDT

Created attachment 71706 [details] Testcase1 I have two null ptr crashes in RenderBlock::splitBlocks because we try to create the clone of an anonymous block. in first testcase, i crash on line 408, RenderBlock* cloneBlock = clone(); and in second testcase, i hit assert on line 427 ASSERT(curr->isRenderBlock() && !curr->isAnonymousBlock());. anonymous blocks return null nodes, which causes crash. Filing low severity security bug since it crashes safari. don't need a chromium bug since it just crashes that tab.

Attachments
Testcase1 (106 bytes, text/html) 2010-10-24 19:11 PDT, Abhishek Arya	no flags	Details
Testcase2 (24.60 KB, text/html) 2010-10-24 19:11 PDT, Abhishek Arya	no flags	Details
View All Add attachment proposed patch, testcase, etc.

Abhishek Arya

Comment 1 2010-10-24 19:11:57 PDT

Created attachment 71708 [details] Testcase2

Abhishek Arya

Comment 2 2010-10-24 19:14:08 PDT

Stacktrace: WebCore::Node::document() Line 341 + 0x3 bytes WebCore::RenderObject::RenderObject(WebCore::Node * node=0x00000000) Line 218 + 0x101 bytes WebCore::RenderBoxModelObject::RenderBoxModelObject(WebCore::Node * node=0x00000000) Line 194 + 0x1a bytes WebCore::RenderBox::RenderBox(WebCore::Node * node=0x00000000) Line 78 + 0x1a bytes WebCore::RenderBlock::RenderBlock(WebCore::Node * node=0x00000000) Line 120 + 0x1a bytes WebCore::RenderBlock::clone() Line 397 + 0x30 bytes WebCore::RenderBlock::splitBlocks(WebCore::RenderBlock * fromBlock=0x04fc22dc, WebCore::RenderBlock * toBlock=0x0776fbdc, WebCore::RenderBlock * middleBlock=0x04fc236c, WebCore::RenderObject * beforeChild=0x00000000, WebCore::RenderBoxModelObject * oldCont=0x00000000) Line 433 + 0x8 bytes WebCore::RenderBlock::splitFlow(WebCore::RenderObject * beforeChild=0x00000000, WebCore::RenderBlock * newBlockBox=0x04fc236c, WebCore::RenderObject * newChild=0x0776ff3c, WebCore::RenderBoxModelObject * oldCont=0x00000000) Line 511 WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks(WebCore::RenderObject * newChild=0x0776ff3c, WebCore::RenderObject * beforeChild=0x00000000) Line 654 WebCore::RenderBlock::addChildIgnoringContinuation(WebCore::RenderObject * newChild=0x0776ff3c, WebCore::RenderObject * beforeChild=0x00000000) Line 752 + 0x1a bytes WebCore::RenderBlock::addChild(WebCore::RenderObject * newChild=0x0776ff3c, WebCore::RenderObject * beforeChild=0x00000000) Line 745 + 0x17 bytes WebCore::Node::createRendererIfNeeded() Line 1337 + 0x21 bytes WebCore::Element::attach() Line 852 WebCore::ContainerNode::attach() Line 708 + 0x12 bytes WebCore::Element::attach() Line 853 WebCore::ContainerNode::attach() Line 708 + 0x12 bytes WebCore::Element::attach() Line 853 WebCore::ContainerNode::attach() Line 708 + 0x12 bytes WebCore::Element::attach() Line 853 WebCore::ContainerNode::attach() Line 708 + 0x12 bytes WebCore::Element::attach() Line 853 WebCore::ContainerNode::attach() Line 708 + 0x12 bytes WebCore::Element::attach() Line 853 WebCore::ContainerNode::attach() Line 708 + 0x12 bytes WebCore::Element::attach() Line 853 WebCore::ContainerNode::attach() Line 708 + 0x12 bytes WebCore::Element::attach() Line 853 WebCore::Element::recalcStyle(WebCore::Node::StyleChange change=NoChange) Line 942 + 0x12 bytes WebCore::Element::recalcStyle(WebCore::Node::StyleChange change=NoChange) Line 1005 + 0x16 bytes WebCore::Element::recalcStyle(WebCore::Node::StyleChange change=NoChange) Line 1005 + 0x16 bytes WebCore::Element::recalcStyle(WebCore::Node::StyleChange change=NoChange) Line 1005 + 0x16 bytes WebCore::Element::recalcStyle(WebCore::Node::StyleChange change=NoChange) Line 1005 + 0x16 bytes WebCore::Document::recalcStyle(WebCore::Node::StyleChange change=NoChange) Line 1492 + 0x16 bytes WebCore::Document::updateStyleIfNeeded() Line 1533 + 0x14 bytes WebCore::Document::finishedParsing() Line 4148 + 0x12 bytes WebCore::HTMLTreeBuilder::finished() Line 2766 + 0x1a bytes WebCore::HTMLDocumentParser::end() Line 324 WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() Line 333 WebCore::HTMLDocumentParser::prepareToStopParsing() Line 151 WebCore::HTMLDocumentParser::attemptToEnd() Line 344 + 0xf bytes WebCore::HTMLDocumentParser::finish() Line 373

Lucas Forschler

Comment 3 2010-10-25 10:23:15 PDT

<rdar://problem/8590044>

Abhishek Arya

Comment 4 2010-12-30 22:24:22 PST

This is fixed in http://trac.webkit.org/changeset/73296

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Minor

Classification Unclassified

Version 528+ (Nightly build)

Hardware PC

OS OS X 10.5

Product WebKit

Component Layout and Rendering

Assignee

Nobody

Reported

2010-10-24 19:11 PDT

Modified

2010-12-30 22:24 PST History

CC List

2 users Show

URL

Keywords InRadar

Depends on

Blocks