RESOLVED WONTFIX 54897
chrome.dll!WebCore::RenderBlock::deleteLineBoxTree ReadAV@NULL (1dcc16082f96d7624e2b8335a06633d2)
https://bugs.webkit.org/show_bug.cgi?id=54897
Berend-Jan Wever
Reported 2011-02-21 11:45:06 PST
Created attachment 83199 [details]
Repro

Chromium: http://code.google.com/p/chromium/issues/detail?id=73669

RenderInline::splitFlow calls containingBlock(), which can return NULL. The code does not handle this, leading to a NULL ptr.
http://codesearch.google.com/codesearch/p?hl=en#OAMlx_jo-ck/src/third_party/WebKit/Source/WebCore/rendering/RenderObject.cpp&q=containingBlock&exact_package=chromium&sa=N&cd=2&ct=rc&l=608

The whole renderer spaghetti is beyond me, so I'm at a loss as to how to fix it.

webcore/rendering/renderinline.cpp:

    void RenderInline::splitFlow(RenderObject* beforeChild, RenderBlock* newBlockBox,
                                 RenderObject* newChild, RenderBoxModelObject* oldCont)
    {
        RenderBlock* pre = 0;
        RenderBlock* block = containingBlock();

        // Delete our line boxes before we do the inline split into continuations.
        block->deleteLineBoxTree(); // NULL ptr...
        <snip>

Repro:

    <html xmlns="http://www.w3.org/1999/xhtml">
    <script>
    window.open('javascript:document.write("&lt;canvas&gt;&lt;d&gt;&lt;section&gt;")');
    </script>
    </html>

id: chrome.dll!WebCore::RenderBlock::deleteLineBoxTree ReadAV@NULL (1dcc16082f96d7624e2b8335a06633d2)
description: Attempt to read from unallocated NULL pointer+0x8 in chrome.dll!WebCore::RenderBlock::deleteLineBoxTree
application: Chromium 11.0.679.0
stack:
    chrome.dll!WebCore::RenderBlock::deleteLineBoxTree
    chrome.dll!WebCore::RenderInline::splitFlow
    chrome.dll!WebCore::RenderInline::addChildIgnoringContinuation
    chrome.dll!WebCore::RenderInline::addChild
    chrome.dll!WebCore::Node::createRendererIfNeeded
    chrome.dll!WebCore::Element::attach
    chrome.dll!WebCore::HTMLConstructionSite::attach<...>
    chrome.dll!WebCore::HTMLConstructionSite::insertHTMLElement
    chrome.dll!WebCore::HTMLTreeBuilder::processStartTagForInBody
    chrome.dll!WebCore::HTMLTreeBuilder::processStartTag
    chrome.dll!WebCore::HTMLTreeBuilder::constructTreeFromAtomicToken
    chrome.dll!WebCore::HTMLTreeBuilder::constructTreeFromToken
    chrome.dll!WebCore::HTMLDocumentParser::pumpTokenizer
    chrome.dll!WebCore::HTMLDocumentParser::insert
    chrome.dll!WebCore::Document::write
    chrome.dll!WebCore::Document::write
    chrome.dll!WebCore::V8HTMLDocument::writeCallback
    chrome.dll!v8::internal::HandleApiCallHelper<...>
    chrome.dll!v8::internal::Builtin_HandleApiCall
    chrome.dll!v8::internal::Invoke
    chrome.dll!v8::internal::Execution::Call
    ...
Attachments
Repro (168 bytes, application/xhtml+xml)
2011-02-21 11:45 PST, Berend-Jan Wever
no flags
Variation repro (282 bytes, application/xhtml+xml)
2011-02-22 01:59 PST, Berend-Jan Wever
no flags
Another variation (389 bytes, text/html)
2011-02-22 02:05 PST, Berend-Jan Wever
no flags
Berend-Jan Wever
Comment 1 2011-02-22 01:59:12 PST
Created attachment 83288 [details]
Variation repro

I've found a variation:
http://codesearch.google.com/codesearch/p?hl=en#OAMlx_jo-ck/src/third_party/WebKit/Source/WebCore/rendering/RenderBox.cpp&q=availableLogicalHeightUsing%20renderbox.cpp&exact_package=chromium&sa=N&cd=1&ct=rc&l=1993

    int RenderBox::availableLogicalHeightUsing(const Length& h) const
    <snip>
        return containingBlock()->availableLogicalHeight();

It might make sense to check all calls to "containingBlock": it's obvious that there are many places in the code that do not expect it to return NULL:
http://codesearch.google.com/codesearch?hl=en&vert=chromium&lr=&q=\bcontainingBlock\(\)&sbtn=Search
Berend-Jan Wever
Comment 2 2011-02-22 02:05:44 PST
Created attachment 83289 [details]
Another variation

http://codesearch.google.com/codesearch/p?hl=en#OAMlx_jo-ck/src/third_party/WebKit/Source/WebCore/rendering/RenderBoxModelObject.cpp&q=paddingLeft%20renderboxmodelobject.cpp&exact_package=chromium&l=510

    int RenderBoxModelObject::paddingLeft(bool) const
    {
        int w = 0;
        Length padding = style()->paddingLeft();
        if (padding.isPercent())
            w = containingBlock()->availableLogicalWidth();
        return padding.calcMinValue(w);
    }

id: chrome.dll!WebCore::RenderBoxModelObject::paddingLeft ReadAV@NULL (87d8849c6cf0d974ecc4ac5a15b37210)
description: Attempt to read from unallocated NULL pointer in chrome.dll!WebCore::RenderBoxModelObject::paddingLeft
application: Chromium 11.0.679.0
stack:
    chrome.dll!WebCore::RenderBoxModelObject::paddingLeft
    chrome.dll!WebCore::RenderBlock::logicalLeftOffsetForContent
    chrome.dll!WebCore::RenderBlock::logicalLeftSelectionOffset
    chrome.dll!WebCore::RenderBlock::selectionGapRectsForRepaint
    chrome.dll!WebCore::RenderBlock::selectionRectForRepaint
    chrome.dll!WebCore::RenderSelectionInfo::RenderSelectionInfo
    chrome.dll!WebCore::RenderView::setSelection
    chrome.dll!WebCore::SelectionController::updateAppearance
    chrome.dll!WebCore::SelectionController::setSelection
    chrome.dll!WebCore::SelectionController::moveTo
    chrome.dll!WebCore::DOMSelection::setBaseAndExtent
    chrome.dll!WebCore::DOMSelection::selectAllChildren
    chrome.dll!WebCore::DOMSelectionInternal::selectAllChildrenCallback
    chrome.dll!v8::internal::HandleApiCallHelper<...>
    chrome.dll!v8::internal::Builtin_HandleApiCall
    chrome.dll!v8::internal::Invoke
    chrome.dll!v8::internal::Execution::Call
    ...
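The unchecked containingBlock() pattern from the report and from the two variations above, modelled as an added example (this is not WebKit's code): a reduced render-tree node whose containingBlock() walks the parent chain and can return nullptr, the unguarded splitFlow-style call beside a guarded one that reports the missing block instead of dereferencing it, and two constructed scenarios. All class, field and function names here are hypothetical.

```cpp
#include <vector>

// Hypothetical stand-in for a render tree node (not WebKit's RenderObject).
struct RenderObject {
    RenderObject* parent = nullptr;
    bool isBlock = false;
    std::vector<int> lineBoxes;  // stands in for the line box tree

    // Nearest block ancestor, or nullptr when the chain runs out, as the
    // real containingBlock() can for renderers created in odd states.
    RenderObject* containingBlock() const {
        for (RenderObject* o = parent; o; o = o->parent)
            if (o->isBlock)
                return o;
        return nullptr;
    }
    void deleteLineBoxTree() { lineBoxes.clear(); }
};

// The pattern in the report: the return value is dereferenced unchecked.
// With no containing block this is the ReadAV@NULL in the stack trace.
void splitFlowUnguarded(RenderObject& inl) {
    RenderObject* block = inl.containingBlock();
    block->deleteLineBoxTree();  // NULL deref when block == nullptr
}

// Hardened form: "no containing block" becomes an explicit outcome the
// caller can handle instead of an implicit crash.
bool splitFlowGuarded(RenderObject& inl) {
    RenderObject* block = inl.containingBlock();
    if (!block)
        return false;
    block->deleteLineBoxTree();
    return true;
}

// Scenario 1 (constructed): the only ancestor is not a block, so there is
// no containing block and the guarded split refuses to proceed.
bool detachedInlineIsRejected() {
    RenderObject notABlock;
    RenderObject inl;
    inl.parent = &notABlock;
    return !splitFlowGuarded(inl);
}

// Scenario 2 (constructed): a real block ancestor exists, so the split runs
// and its line boxes are deleted as in the original code path.
bool attachedInlineIsSplit() {
    RenderObject block;
    block.isBlock = true;
    block.lineBoxes = {1, 2, 3};
    RenderObject inl;
    inl.parent = &block;
    return splitFlowGuarded(inl) && block.lineBoxes.empty();
}
```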
Anne van Kesteren
Comment 3 2023-12-30 02:13:20 PST
Chromium-specific.