Created attachment 72919 [details]
Test case

Recent WebKit crashes with attached HTML. This doesn't happen with Safari 4.0.5. I'm guessing this issue was introduced by dhyatt's recent multicol changes.

Corresponding chromium bug: http://code.google.com/p/chromium/issues/detail?id=58101
Created attachment 72920 [details]
Test case for the first assertion failure

Note that there are two assertion violations in RenderLayer::paintPaginatedChildLayer:

    ASSERT(!renderer()->isPositioned());
    ASSERT(columnLayers.size());

The former assertion failure happens even with a simpler HTML I'm attaching now. The latter assertion failure causes the crash. I'm guessing m_isPaginated should be false for this kind of case, but I'm not sure. I didn't look into this bug closely at all.
> This doesn't happen with Safari 4.0.5

Not crashing with 5.0.2 either.
This causes one of two NULL ptrs, depending on whether your mouse is hovering over the page or not while reproducing the crash.

Reduced repro:

    <body style="position: absolute; -webkit-column-count: 2;">
      <div style="overflow: hidden;">
        <img style="position: relative; width: 180px;">
      </div>
    </body>

id: chrome.dll!WebCore::RenderLayer::paintChildLayerIntoColumns ReadAV@NULL (3e28197c414363f3d6c613777e35f7b0)
description: Attempt to read from unallocated NULL pointer-0x4 in chrome.dll!WebCore::RenderLayer::paintChildLayerIntoColumns
application: Chromium 10.0.623.0
stack:
    chrome.dll!WebCore::RenderLayer::paintChildLayerIntoColumns
    chrome.dll!WebCore::RenderLayer::paintPaginatedChildLayer
    chrome.dll!WebCore::RenderLayer::paintList
    chrome.dll!WebCore::RenderLayer::paintLayer
    chrome.dll!WebCore::RenderLayer::paintList
    chrome.dll!WebCore::RenderLayer::paintLayer
    chrome.dll!WebCore::RenderLayer::paint
    chrome.dll!WebCore::FrameView::paintContents
    chrome.dll!WebCore::ScrollView::paint
    chrome.dll!WebKit::WebFrameImpl::paintWithContext
    chrome.dll!WebKit::WebFrameImpl::paint
    chrome.dll!RenderWidget::PaintRect
    chrome.dll!RenderWidget::DoDeferredUpdate
    chrome.dll!RenderWidget::CallDoDeferredUpdate
    chrome.dll!MessageLoop::RunTask
    chrome.dll!MessageLoop::DoWork
    chrome.dll!base::MessagePumpDefault::Run
    chrome.dll!MessageLoop::RunInternal
    chrome.dll!MessageLoop::Run
    ...

http://trac.webkit.org/browser/trunk/WebCore/rendering/RenderLayer.cpp#L2599

id: chrome.dll!WebCore::RenderLayer::hitTestChildLayerColumns ReadAV@NULL (190d37d7e428d0f0eb541dd4c90591a6)
description: Attempt to read from unallocated NULL pointer-0x4 in chrome.dll!WebCore::RenderLayer::hitTestChildLayerColumns
application: Chromium 10.0.623.0
stack:
    chrome.dll!WebCore::RenderLayer::hitTestChildLayerColumns
    chrome.dll!WebCore::RenderLayer::hitTestPaginatedChildLayer
    chrome.dll!WebCore::RenderLayer::hitTestList
    chrome.dll!WebCore::RenderLayer::hitTestLayer
    chrome.dll!WebCore::RenderLayer::hitTestList
    chrome.dll!WebCore::RenderLayer::hitTestLayer
    chrome.dll!WebCore::RenderLayer::hitTest
    chrome.dll!WebCore::Document::prepareMouseEvent
    chrome.dll!WebCore::EventHandler::prepareMouseEvent
    chrome.dll!WebCore::EventHandler::handleMouseMoveEvent
    chrome.dll!WebCore::EventHandler::mouseMoved
    chrome.dll!WebKit::WebViewImpl::mouseMove
    chrome.dll!WebKit::WebViewImpl::handleInputEvent
    chrome.dll!RenderWidget::OnHandleInputEvent
    chrome.dll!IPC::Message::Dispatch<...>
    chrome.dll!RenderWidget::OnMessageReceived
    chrome.dll!(unknown)
    chrome.dll!MessageRouter::RouteMessage
    chrome.dll!MessageRouter::OnMessageReceived
    chrome.dll!ChildThread::OnMessageReceived
    chrome.dll!RunnableMethod<ProfileWriter,void
    chrome.dll!MessageLoop::RunTask
    chrome.dll!MessageLoop::DoWork
    chrome.dll!base::MessagePumpDefault::Run
    chrome.dll!MessageLoop::RunInternal
    chrome.dll!MessageLoop::Run
    ...

http://trac.webkit.org/browser/trunk/WebCore/rendering/RenderLayer.cpp#L3064
<rdar://problem/8895977>
Created attachment 87204 [details]
Update the logic in {paint,hitTest}PaginatedChildLayer() after r68069
Fixed in r82158. <http://trac.webkit.org/changeset/82158>
*** Bug 56107 has been marked as a duplicate of this bug. ***