RESOLVED FIXED 60028
Null dereference in WebCore::RenderBlock::splitFlow regarding use of multicol, inline-block, and spanning elements 
https://bugs.webkit.org/show_bug.cgi?id=60028
Summary Null dereference in WebCore::RenderBlock::splitFlow regarding use of multicol...
Berend-Jan Wever
Reported 2011-05-03 08:17:56 PDT
Created attachment 92077 [details] Repro Chromium: http://code.google.com/p/chromium/issues/detail?id=74876 Two repros have been found that appear to trigger the same crash: Repro1: <canvas><ins><p></p></ins></canvas> Triggers a crash on linux in older versions of Chrome Repro2 (attached): <header style="-webkit-columns:5pc auto"><marquee><legend style="-webkit-column-span:all;"> id: chrome.dll!WebCore::RenderBlock::deleteLineBoxTree ReadAV@NULL (760cd30cf928f45d54f8689f33c505c8) description: Attempt to read from unallocated NULL pointer+0x8 in chrome.dll!WebCore::RenderBlock::deleteLineBoxTree stack: chrome.dll!WebCore::RenderBlock::deleteLineBoxTree chrome.dll!WebCore::RenderBlock::splitFlow chrome.dll!WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks chrome.dll!WebCore::RenderBlock::addChildIgnoringContinuation chrome.dll!WebCore::RenderBlock::addChild chrome.dll!WebCore::Node::createRendererIfNeeded chrome.dll!WebCore::Element::attach chrome.dll!WebCore::HTMLFormControlElement::attach chrome.dll!WebCore::HTMLConstructionSite::attach<...> chrome.dll!WebCore::HTMLConstructionSite::attachToCurrent chrome.dll!WebCore::HTMLConstructionSite::insertHTMLElement chrome.dll!WebCore::HTMLTreeBuilder::processStartTagForInBody chrome.dll!WebCore::HTMLTreeBuilder::processStartTag chrome.dll!WebCore::HTMLTreeBuilder::processToken chrome.dll!WebCore::HTMLTreeBuilder::constructTreeFromAtomicToken chrome.dll!WebCore::HTMLDocumentParser::pumpTokenizer chrome.dll!WebCore::HTMLDocumentParser::pumpTokenizerIfPossible chrome.dll!WebCore::HTMLDocumentParser::insert chrome.dll!WebCore::Document::write chrome.dll!WebCore::V8HTMLDocument::writeCallback chrome.dll!v8::internal::HandleApiCallHelper<...> chrome.dll!v8::internal::Builtin_HandleApiCall chrome.dll!v8::internal::Invoke chrome.dll!v8::internal::Execution::Call ...
Attachments
Repro (91 bytes, text/html)
2011-05-03 08:17 PDT, Berend-Jan Wever 		no flags
Details
Patch (34.69 KB, patch)
2011-06-08 15:46 PDT, Vicki Pfau 		no flags
DetailsFormatted DiffDiff
Archive of layout-test-results from ec2-cq-03 (1.42 MB, application/zip)
2011-06-10 13:42 PDT, WebKit Review Bot 		no flags
Details
Patch (35.49 KB, patch)
2011-06-10 18:19 PDT, Vicki Pfau 		no flags
DetailsFormatted DiffDiff
Patch (35.54 KB, patch)
2011-06-14 12:01 PDT, Vicki Pfau 		no flags
DetailsFormatted DiffDiff
Patch (35.55 KB, patch)
2011-06-14 14:08 PDT, Vicki Pfau 		no flags
DetailsFormatted DiffDiff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.
Vicki Pfau
Comment 1 2011-06-08 15:46:41 PDT
Created attachment 96496 [details] Patch
Dave Hyatt
Comment 2 2011-06-09 13:40:42 PDT
Comment on attachment 96496 [details] Patch r=me
WebKit Review Bot
Comment 3 2011-06-10 13:42:23 PDT
Comment on attachment 96496 [details] Patch Rejecting attachment 96496 [details] from commit-queue. Failed to run "['./Tools/Scripts/webkit-patch', '--status-host=queues.webkit.org', '--bot-id=ec2-cq-03', '--port..." exit_code: 2 Last 500 characters of output: Tests to be fixed (1221): 6 DumpRenderTree crashes ( 0.5%) 4 tests timed out ( 0.3%) 55 text diff mismatch ( 4.5%) 325 skipped (26.6%) => Tests that will only be fixed if they crash (WONTFIX) (8107): 1 test timed out ( 0.0%) 109 text diff mismatch ( 1.3%) 7948 skipped (98.0%) Regressions: Unexpected text diff mismatch : (1) fast/multicol/span/span-as-nested-inline-block-child.html = TEXT Full output: http://queues.webkit.org/results/8825461
WebKit Review Bot
Comment 4 2011-06-10 13:42:28 PDT
Created attachment 96776 [details] Archive of layout-test-results from ec2-cq-03 The attached test failures were seen while running run-webkit-tests on the commit-queue. Bot: ec2-cq-03 Port: Chromium Platform: Linux-2.6.35-28-virtual-x86_64-with-Ubuntu-10.10-maverick
Vicki Pfau
Comment 5 2011-06-10 18:19:41 PDT
Created attachment 96832 [details] Patch
Kent Tamura
Comment 6 2011-06-10 20:33:38 PDT
Comment on attachment 96832 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=96832&action=review > LayoutTests/ChangeLog:5 > + WebCore::RenderBlock::deleteLineBoxTree ReadAV@NULL (760cd30cf928f45d54f8689f33c505c8) This summary line is meaningless. "ReadAV@NULL (760cd30cf928f45d54f8689f33c505c8)" is not understandable for everyone. > LayoutTests/ChangeLog:13 > + * fast/multicol/span/span-as-nested-inline-block-child.html: Added. > + * platform/chromium/test_expectations.txt: > + * platform/mac/fast/multicol/span/span-as-nested-inline-block-child-expected.png: Added. > + * platform/mac/fast/multicol/span/span-as-nested-inline-block-child-expected.txt: Added. This is a test for crash, right? So, dumpAsText() is enough. We don't need the render tree and the image.
Vicki Pfau
Comment 7 2011-06-13 10:41:59 PDT
(In reply to comment #6) > (From update of attachment 96832 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=96832&action=review > > > LayoutTests/ChangeLog:5 > > + WebCore::RenderBlock::deleteLineBoxTree ReadAV@NULL (760cd30cf928f45d54f8689f33c505c8) > > This summary line is meaningless. "ReadAV@NULL (760cd30cf928f45d54f8689f33c505c8)" is not understandable for everyone. I changed the title of the bug to something more descriptive, I'll change the summary line with the next iteration of the patch. > > LayoutTests/ChangeLog:13 > > + * fast/multicol/span/span-as-nested-inline-block-child.html: Added. > > + * platform/chromium/test_expectations.txt: > > + * platform/mac/fast/multicol/span/span-as-nested-inline-block-child-expected.png: Added. > > + * platform/mac/fast/multicol/span/span-as-nested-inline-block-child-expected.txt: Added. > > This is a test for crash, right? > So, dumpAsText() is enough. We don't need the render tree and the image. It prevents a crash, but it also tests a specific behavior for how spanning elements should behave in specific cases. The case is not defined in the W3C standard. Given a discussion I had with I believe Dave Hyatt, it seemed like the case was well defined in WebKit, and this test also tests the specified behavior. This might be more appropriate for another test case, however, and I can simplify the test to just be a crashing test.
Vicki Pfau
Comment 8 2011-06-13 11:08:30 PDT
<rdar://problem/9030928>
Dave Hyatt
Comment 9 2011-06-14 11:54:19 PDT
This isn't just about a crash. It's testing the behavior of a spanning element inside an inline-block. I want a pixel test for this (like we have with other column spanning tests). I agree the ChangeLog should make it more clear what the patch is about (that it's not just fixing a crash but is making sure our behavior is correct as well).
Vicki Pfau
Comment 10 2011-06-14 12:01:07 PDT
Created attachment 97151 [details] Patch
WebKit Review Bot
Comment 11 2011-06-14 12:17:48 PDT
Comment on attachment 97151 [details] Patch Rejecting attachment 97151 [details] from commit-queue. Failed to run "['./Tools/Scripts/webkit-patch', '--status-host=queues.webkit.org', '--bot-id=ec2-cq-01', '--port..." exit_code: 1 Last 500 characters of output: f6acd52cadfb5acdddff4ce589229df2e78c11a2 r88841 = ebf7685ad816b854d59abe81da5acf6eb7a15e51 Done rebuilding .git/svn/refs/remotes/origin/master/.rev_map.268f45cc-cd09-0410-ab3c-d52691b4dbfc First, rewinding head to replay your work on top of it... Fast-forwarded master to refs/remotes/origin/master. Updating chromium port dependencies using gclient... ________ running '/usr/bin/python gyp_webkit' in '/mnt/git/webkit-commit-queue/Source/WebKit/chromium' Updating webkit projects from gyp files... Full output: http://queues.webkit.org/results/8843272
Dave Hyatt
Comment 12 2011-06-14 12:28:43 PDT
Comment on attachment 97151 [details] Patch r=me
WebKit Review Bot
Comment 13 2011-06-14 13:09:36 PDT
Comment on attachment 97151 [details] Patch Rejecting attachment 97151 [details] from commit-queue. Failed to run "['./Tools/Scripts/webkit-patch', '--status-host=queues.webkit.org', '--bot-id=ec2-cq-03', '--port..." exit_code: 1 Last 500 characters of output: 127714e485617c54f40567829327a2b27d46365b r88844 = 5a589ccf5f21d1b83d2d5023a101500e1d149ae7 Done rebuilding .git/svn/refs/remotes/origin/master/.rev_map.268f45cc-cd09-0410-ab3c-d52691b4dbfc First, rewinding head to replay your work on top of it... Fast-forwarded master to refs/remotes/origin/master. Updating chromium port dependencies using gclient... ________ running '/usr/bin/python gyp_webkit' in '/mnt/git/webkit-commit-queue/Source/WebKit/chromium' Updating webkit projects from gyp files... Full output: http://queues.webkit.org/results/8787117
Vicki Pfau
Comment 14 2011-06-14 14:08:58 PDT
Created attachment 97165 [details] Patch
Dave Hyatt
Comment 15 2011-06-14 14:11:06 PDT
Comment on attachment 97165 [details] Patch r=me
WebKit Review Bot
Comment 16 2011-06-14 14:51:42 PDT
Comment on attachment 97165 [details] Patch Clearing flags on attachment: 97165 Committed r88854: <http://trac.webkit.org/changeset/88854>
WebKit Review Bot
Comment 17 2011-06-14 14:51:50 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.