Bug 57487 - chrome.dll!WebCore::RenderBlock::findNextLineBreak ReadAV@NULL (bb0085b7cdfcb99eb1362265d1fea9f0)
Status: RESOLVED WORKSFORME
Alias: None
Product: WebKit
Classification: Unclassified
Component: CSS
Version: 528+ (Nightly build)
Hardware: PC Windows Vista
Importance: P1 Normal
Assignee: Nobody
URL:
Keywords:
Duplicates: 57751
Depends on:
Blocks:
 
Reported: 2011-03-30 11:39 PDT by Berend-Jan Wever
Modified: 2011-07-28 01:13 PDT (History)

See Also:


Attachments
Repro (68 bytes, text/html), 2011-03-30 11:39 PDT, Berend-Jan Wever, no flags
Patch (2.53 KB, patch), 2011-04-04 05:58 PDT, Emil A Eklund, mitz: review-

Description Berend-Jan Wever 2011-03-30 11:39:55 PDT
Created attachment 87583 [details]
Repro

Chromium: http://code.google.com/p/chromium/issues/detail?id=77933
Repro:
<details><style>:first-line{ -webkit-perspective-origin:3;}</style>

webcore\rendering\renderblocklinelayout.cpp:
InlineIterator RenderBlock::findNextLineBreak(InlineBidiResolver& resolver, bool firstLine, bool& isLineEmpty, LineBreakIteratorInfo& lineBreakIteratorInfo, bool& previousLineBrokeCleanly, 
                                              bool& hyphenated, EClear* clear, FloatingObject* lastFloatFromPreviousLine, Vector<RenderBox*>& positionedBoxes)
{
<snip>
            RenderStyle* style = t->style(firstLine);
            if (style->hasTextCombine() && o->isCombineText())
style is NULL, causing a NULL ptr read access violation:

id:             chrome.dll!WebCore::RenderBlock::findNextLineBreak ReadAV@NULL (bb0085b7cdfcb99eb1362265d1fea9f0)
description:    Attempt to read from unallocated NULL pointer+0x1C in chrome.dll!WebCore::RenderBlock::findNextLineBreak
stack:          chrome.dll!WebCore::RenderBlock::findNextLineBreak
                chrome.dll!WebCore::RenderBlock::layoutInlineChildren
                chrome.dll!WebCore::RenderBlock::layoutBlock
                chrome.dll!WebCore::RenderBlock::layout
                chrome.dll!WebCore::RenderBlock::layoutBlockChild
                chrome.dll!WebCore::RenderBlock::layoutBlockChildren
                chrome.dll!WebCore::RenderBlock::layoutBlock
                chrome.dll!WebCore::RenderBlock::layout
                chrome.dll!WebCore::RenderBlock::layoutBlockChild
                chrome.dll!WebCore::RenderBlock::layoutBlockChildren
                chrome.dll!WebCore::RenderBlock::layoutBlock
                chrome.dll!WebCore::RenderBlock::layout
                chrome.dll!WebCore::RenderDetails::layout
                chrome.dll!WebCore::RenderBlock::layoutBlockChild
                chrome.dll!WebCore::RenderBlock::layoutBlockChildren
                chrome.dll!WebCore::RenderBlock::layoutBlock
                chrome.dll!WebCore::RenderBlock::layout
                chrome.dll!WebCore::RenderBlock::layoutBlockChild
                chrome.dll!WebCore::RenderBlock::layoutBlockChildren
                chrome.dll!WebCore::RenderBlock::layoutBlock
                chrome.dll!WebCore::RenderBlock::layout
                chrome.dll!WebCore::RenderBlock::layoutBlockChild
                chrome.dll!WebCore::RenderBlock::layoutBlockChildren
                chrome.dll!WebCore::RenderBlock::layoutBlock
                chrome.dll!WebCore::RenderBlock::layout
                chrome.dll!WebCore::RenderView::layout
                chrome.dll!WebCore::FrameView::layout
                chrome.dll!WebCore::FrameView::updateLayoutAndStyleIfNeededRecursive
                chrome.dll!RenderWidget::DoDeferredUpdate
                chrome.dll!RenderWidget::CallDoDeferredUpdate
                chrome.dll!MessageLoop::RunTask
                chrome.dll!MessageLoop::DoWork
                chrome.dll!base::MessagePumpDefault::Run
                chrome.dll!MessageLoop::RunInternal
                chrome.dll!MessageLoop::Run
                chrome.dll!RendererMain
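A constructed C model of the failure and of the fallback proposed in attachment 88052, added here as an example (it is neither WebKit code nor the reporter's). The struct layouts, the field names firstLineStyle and hasTextCombine, and the padding that places the flag at offset 0x1C are assumptions chosen to mirror the "NULL pointer+0x1C" fault address in the triage output above. It shows how a first-line style lookup that yields NULL becomes a read at NULL+0x1C, what the `style ? style : m_style.get()` fallback changes, and a guard that reports the null instead of dereferencing it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the objects involved; not WebKit's real layout. */
typedef struct RenderStyle {
    uint32_t padding[7];      /* assumption: pushes the flag to offset 28 (0x1C) */
    uint32_t hasTextCombine;  /* the field findNextLineBreak reads through style-> */
} RenderStyle;

typedef struct RenderObject {
    RenderStyle *m_style;         /* the object's own style, set once attached */
    RenderStyle *firstLineStyle;  /* ::first-line style; may be absent (NULL) */
} RenderObject;

/* Unpatched lookup: models style(firstLine) returning whatever the
   first-line resolution produced, which can be NULL (the reported state). */
static RenderStyle *style_buggy(const RenderObject *o, int firstLine)
{
    if (firstLine)
        return o->firstLineStyle;
    return o->m_style;
}

/* Patched lookup: the fallback from the patch, `style ? style : m_style.get()`.
   It removes the crash, but also hides that the first-line lookup failed. */
static RenderStyle *style_patched(const RenderObject *o, int firstLine)
{
    RenderStyle *style = firstLine ? o->firstLineStyle : NULL;
    return style ? style : o->m_style;
}

/* Address a `style->hasTextCombine` read would touch; with style == NULL this
   is the "NULL pointer+0x1C" seen in the triage line, i.e. the field offset. */
static uintptr_t fault_address_for_read(const RenderStyle *style)
{
    return (uintptr_t)style + offsetof(RenderStyle, hasTextCombine);
}

/* Guarded check: -1 signals "no style" instead of dereferencing NULL. */
static int has_text_combine(const RenderStyle *style)
{
    if (!style)
        return -1;
    return style->hasTextCombine != 0;
}

/* Constructed sample: a text object whose ::first-line style never resolved. */
static RenderStyle g_base_style = { {0, 0, 0, 0, 0, 0, 0}, 1 };
static RenderObject g_sample_text = { &g_base_style, NULL };

int main(void)
{
    RenderStyle *s = style_buggy(&g_sample_text, 1);
    printf("unpatched first-line style: %p, would read at %#lx\n",
           (void *)s, (unsigned long)fault_address_for_read(s));
    printf("guarded check on it: %d\n", has_text_combine(s));
    s = style_patched(&g_sample_text, 1);
    printf("patched first-line style falls back to m_style: %p, hasTextCombine=%d\n",
           (void *)s, has_text_combine(s));
    return 0;
}
```

The guard and the fallback are two different fixes: the fallback makes the crash disappear while leaving the reason the first-line style resolved to NULL under <details> untouched, which is why a null-check alone is not the end of the investigation.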
Comment 1 Emil A Eklund 2011-04-04 05:58:06 PDT
Created attachment 88052 [details]
Patch
Comment 2 Levi Weintraub 2011-04-04 06:04:07 PDT
Comment on attachment 88052 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=88052&action=review

> Source/WebCore/rendering/RenderObject.cpp:2375
> +    return style ? style : m_style.get();
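Review bot: the fallback in `return style ? style : m_style.get();` masks the null result rather than fixing it: a null style at this point means the first-line style resolution produced nothing for this object, and silently substituting m_style.get() removes the crash that exposes that failure while leaving the failure itself in place. Track down why the lookup returns null for this repro and, if the fallback is kept as defence in depth, pair it with an ASSERT(style) so debug builds still flag the underlying defect.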

Yup, this was my fix too, but I'd set style to 0 on 2361 to start. We don't need to set it to reference m_style.get() twice.
Comment 3 Levi Weintraub 2011-04-04 06:28:39 PDT
*** Bug 57751 has been marked as a duplicate of this bug. ***
Comment 4 mitz 2011-04-04 08:14:38 PDT
Comment on attachment 88052 [details]
Patch

Whatever is causing this, which is most likely a bug in <details>, needs to be fixed.
Comment 5 Emil A Eklund 2011-04-04 08:16:57 PDT
Comment on attachment 88052 [details]
Patch

Good point, I'll see if I can track down the root cause.
Comment 6 Berend-Jan Wever 2011-07-28 01:13:33 PDT
This appears to have been fixed by now.