Created attachment 87583 [details]
Repro

Chromium: http://code.google.com/p/chromium/issues/detail?id=77933

Repro:
<details><style>:first-line{ -webkit-perspective-origin:3;}</style>

webcore\rendering\renderblocklinelayout.cpp:

    InlineIterator RenderBlock::findNextLineBreak(InlineBidiResolver& resolver, bool firstLine, bool& isLineEmpty, LineBreakIteratorInfo& lineBreakIteratorInfo, bool& previousLineBrokeCleanly, bool& hyphenated, EClear* clear, FloatingObject* lastFloatFromPreviousLine, Vector<RenderBox*>& positionedBoxes)
    {
    <snip>
        RenderStyle* style = t->style(firstLine);
        if (style->hasTextCombine() && o->isCombineText())

style is NULL, causing a NULL ptr read access violation:

id: chrome.dll!WebCore::RenderBlock::findNextLineBreak ReadAV@NULL (bb0085b7cdfcb99eb1362265d1fea9f0)
description: Attempt to read from unallocated NULL pointer+0x1C in chrome.dll!WebCore::RenderBlock::findNextLineBreak
stack:
chrome.dll!WebCore::RenderBlock::findNextLineBreak
chrome.dll!WebCore::RenderBlock::layoutInlineChildren
chrome.dll!WebCore::RenderBlock::layoutBlock
chrome.dll!WebCore::RenderBlock::layout
chrome.dll!WebCore::RenderBlock::layoutBlockChild
chrome.dll!WebCore::RenderBlock::layoutBlockChildren
chrome.dll!WebCore::RenderBlock::layoutBlock
chrome.dll!WebCore::RenderBlock::layout
chrome.dll!WebCore::RenderBlock::layoutBlockChild
chrome.dll!WebCore::RenderBlock::layoutBlockChildren
chrome.dll!WebCore::RenderBlock::layoutBlock
chrome.dll!WebCore::RenderBlock::layout
chrome.dll!WebCore::RenderDetails::layout
chrome.dll!WebCore::RenderBlock::layoutBlockChild
chrome.dll!WebCore::RenderBlock::layoutBlockChildren
chrome.dll!WebCore::RenderBlock::layoutBlock
chrome.dll!WebCore::RenderBlock::layout
chrome.dll!WebCore::RenderBlock::layoutBlockChild
chrome.dll!WebCore::RenderBlock::layoutBlockChildren
chrome.dll!WebCore::RenderBlock::layoutBlock
chrome.dll!WebCore::RenderBlock::layout
chrome.dll!WebCore::RenderBlock::layoutBlockChild
chrome.dll!WebCore::RenderBlock::layoutBlockChildren
chrome.dll!WebCore::RenderBlock::layoutBlock
chrome.dll!WebCore::RenderBlock::layout
chrome.dll!WebCore::RenderView::layout
chrome.dll!WebCore::FrameView::layout
chrome.dll!WebCore::FrameView::updateLayoutAndStyleIfNeededRecursive
chrome.dll!RenderWidget::DoDeferredUpdate
chrome.dll!RenderWidget::CallDoDeferredUpdate
chrome.dll!MessageLoop::RunTask
chrome.dll!MessageLoop::DoWork
chrome.dll!base::MessagePumpDefault::Run
chrome.dll!MessageLoop::RunInternal
chrome.dll!MessageLoop::Run
chrome.dll!RendererMain
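The null first-line style lookup behind this crash, and the fallback fix the patch later proposes, as an added C++ model. This is not WebKit's code: RenderObject, RenderStyle, firstLineBlock and getCachedPseudoStyle are borrowed names with simplified bodies, styleBeforePatch, styleAfterPatch, textCombineForLine, runRepro and runCachedCase are invented for the illustration, and the premise that the <details> block can match the :first-line rule before its pseudo style is cached is an assumption of the model, not something the report establishes.

```cpp
#include <cstdio>
#include <memory>
#include <string>
#include <utility>

// Hypothetical model (not WebKit's code) of the lookup behind this crash:
// RenderObject::style(firstLine) walks to the nearest block ancestor that
// matched a ::first-line rule and returns that block's cached pseudo style.
// Assumption modelled here: the cache can be empty for the <details> block in
// the repro, so the lookup hands back a null pointer to findNextLineBreak.

struct RenderStyle {
    std::string name;
    bool textCombine;
    RenderStyle(std::string n, bool tc) : name(std::move(n)), textCombine(tc) {}
    bool hasTextCombine() const { return textCombine; }
};

class RenderObject {
public:
    RenderObject(const std::string& name, RenderObject* parent, bool isBlock)
        : m_style(new RenderStyle(name, false)), m_parent(parent), m_isBlock(isBlock) {}

    RenderObject* parent() const { return m_parent; }
    RenderStyle* style() const { return m_style.get(); }
    void setHasFirstLineRules(bool v) { m_hasFirstLineRules = v; }
    void cacheFirstLineStyle(std::unique_ptr<RenderStyle> s) { m_cachedFirstLine = std::move(s); }

    // Nearest block (self included) carrying ::first-line rules, or nullptr.
    const RenderObject* firstLineBlock() const {
        for (const RenderObject* o = this; o; o = o->parent())
            if (o->m_isBlock && o->m_hasFirstLineRules)
                return o;
        return nullptr;
    }

    // Cached ::first-line style, or nullptr when it was never computed.
    RenderStyle* getCachedPseudoStyle() const { return m_cachedFirstLine.get(); }

    // Before the patch: a cache miss overwrites the valid default with nullptr,
    // and the caller dereferences it (style->hasTextCombine()).
    RenderStyle* styleBeforePatch(bool firstLine) const {
        if (!firstLine)
            return m_style.get();
        RenderStyle* style = m_style.get();
        if (const RenderObject* block = firstLineBlock())
            style = block->getCachedPseudoStyle();
        return style;
    }

    // After the patch (starting from 0, as the reviewer suggests): a cache
    // miss falls back to the object's own style once, at the return.
    RenderStyle* styleAfterPatch(bool firstLine) const {
        if (!firstLine)
            return m_style.get();
        RenderStyle* style = nullptr;
        if (const RenderObject* block = firstLineBlock())
            style = block->getCachedPseudoStyle();
        return style ? style : m_style.get();
    }

private:
    std::unique_ptr<RenderStyle> m_style;
    std::unique_ptr<RenderStyle> m_cachedFirstLine;
    RenderObject* m_parent;
    bool m_isBlock;
    bool m_hasFirstLineRules = false;
};

// Stands in for the crashing call site. Returns 1 or 0 for hasTextCombine(),
// or -1 where the real code would read through a null style pointer.
int textCombineForLine(const RenderObject& t, bool firstLine, bool patched) {
    RenderStyle* style = patched ? t.styleAfterPatch(firstLine) : t.styleBeforePatch(firstLine);
    if (!style)
        return -1;
    return style->hasTextCombine() ? 1 : 0;
}

// Constructed tree for the repro: a <details> block that matched the
// :first-line rule but whose pseudo style was never cached, plus a text child.
int runRepro(bool patched) {
    RenderObject details("details", nullptr, /*isBlock=*/true);
    details.setHasFirstLineRules(true);
    RenderObject text("text", &details, /*isBlock=*/false);
    return textCombineForLine(text, /*firstLine=*/true, patched);
}

// Control case: the cache is populated, so both versions return the same style.
int runCachedCase(bool patched) {
    RenderObject block("p", nullptr, /*isBlock=*/true);
    block.setHasFirstLineRules(true);
    block.cacheFirstLineStyle(std::unique_ptr<RenderStyle>(new RenderStyle("p::first-line", true)));
    RenderObject text("text", &block, /*isBlock=*/false);
    return textCombineForLine(text, /*firstLine=*/true, patched);
}

int main() {
    std::printf("repro before patch: %d\n", runRepro(false));
    std::printf("repro after patch:  %d\n", runRepro(true));
    std::printf("cached case:        %d %d\n", runCachedCase(false), runCachedCase(true));
    return 0;
}
```

The repro tree yields -1 before the patch (the null that the ReadAV@NULL report shows) and 0 after it, while the cached control case returns 1 either way, which is the property a fix like this needs to preserve: a genuine first-line style must still win over the object's own style.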
Created attachment 88052 [details] Patch
Comment on attachment 88052 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=88052&action=review

> Source/WebCore/rendering/RenderObject.cpp:2375
> +     return style ? style : m_style.get();

Yup, this was my fix too, but I'd set style to 0 on 2361 to start. We don't need to set it to reference m_style.get() twice.
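Review bot: the fallback `return style ? style : m_style.get();` at RenderObject.cpp:2375 silently turns a failed first-line style lookup into the object's own style, so the null that crashed findNextLineBreak is masked rather than explained; add a comment at the return (or an ASSERT in debug builds) stating when the lookup is expected to yield no style, so the <details> root cause is not buried under the workaround.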
*** Bug 57751 has been marked as a duplicate of this bug. ***
Comment on attachment 88052 [details] Patch Whatever is causing this, which is most likely a bug in <details>, needs to be fixed.
Comment on attachment 88052 [details] Patch Good point, I'll see if I can track down the root cause.
This appears to have been fixed by now.