Bug 60028 - Null dereference in WebCore::RenderBlock::splitFlow regarding use of multicol, inline-block, and spanning elements
: Null dereference in WebCore::RenderBlock::splitFlow regarding use of multicol...
Status: RESOLVED FIXED
Product: WebKit
Classification: Unclassified
Component: HTML DOM
: 528+ (Nightly build)
: PC Windows Vista
: P1 Normal
Assigned To: Jeffrey Pfau
: InRadar
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2011-05-03 08:17 PDT by Berend-Jan Wever
Modified: 2011-07-18 22:57 PDT (History)
9 users (show)

See Also:


Attachments
Repro (91 bytes, text/html)
2011-05-03 08:17 PDT, Berend-Jan Wever
no flags Details
Patch (34.69 KB, patch)
2011-06-08 15:46 PDT, Jeffrey Pfau
no flags Details | Formatted Diff | Diff
Archive of layout-test-results from ec2-cq-03 (1.42 MB, application/zip)
2011-06-10 13:42 PDT, WebKit Review Bot
no flags Details
Patch (35.49 KB, patch)
2011-06-10 18:19 PDT, Jeffrey Pfau
no flags Details | Formatted Diff | Diff
Patch (35.54 KB, patch)
2011-06-14 12:01 PDT, Jeffrey Pfau
no flags Details | Formatted Diff | Diff
Patch (35.55 KB, patch)
2011-06-14 14:08 PDT, Jeffrey Pfau
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Berend-Jan Wever 2011-05-03 08:17:56 PDT
Created attachment 92077 [details]
Repro

Chromium: http://code.google.com/p/chromium/issues/detail?id=74876
Two repros have been found that appear to trigger the same crash:

Repro1:
<canvas><ins><p></p></ins></canvas>
Triggers a crash on linux in older versions of Chrome

Repro2 (attached):
<header style="-webkit-columns:5pc auto"><marquee><legend style="-webkit-column-span:all;">

id:             chrome.dll!WebCore::RenderBlock::deleteLineBoxTree ReadAV@NULL (760cd30cf928f45d54f8689f33c505c8)
description:    Attempt to read from unallocated NULL pointer+0x8 in chrome.dll!WebCore::RenderBlock::deleteLineBoxTree
stack:          chrome.dll!WebCore::RenderBlock::deleteLineBoxTree
                chrome.dll!WebCore::RenderBlock::splitFlow
                chrome.dll!WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks
                chrome.dll!WebCore::RenderBlock::addChildIgnoringContinuation
                chrome.dll!WebCore::RenderBlock::addChild
                chrome.dll!WebCore::Node::createRendererIfNeeded
                chrome.dll!WebCore::Element::attach
                chrome.dll!WebCore::HTMLFormControlElement::attach
                chrome.dll!WebCore::HTMLConstructionSite::attach<...>
                chrome.dll!WebCore::HTMLConstructionSite::attachToCurrent
                chrome.dll!WebCore::HTMLConstructionSite::insertHTMLElement
                chrome.dll!WebCore::HTMLTreeBuilder::processStartTagForInBody
                chrome.dll!WebCore::HTMLTreeBuilder::processStartTag
                chrome.dll!WebCore::HTMLTreeBuilder::processToken
                chrome.dll!WebCore::HTMLTreeBuilder::constructTreeFromAtomicToken
                chrome.dll!WebCore::HTMLDocumentParser::pumpTokenizer
                chrome.dll!WebCore::HTMLDocumentParser::pumpTokenizerIfPossible
                chrome.dll!WebCore::HTMLDocumentParser::insert
                chrome.dll!WebCore::Document::write
                chrome.dll!WebCore::V8HTMLDocument::writeCallback
                chrome.dll!v8::internal::HandleApiCallHelper<...>
                chrome.dll!v8::internal::Builtin_HandleApiCall
                chrome.dll!v8::internal::Invoke
                chrome.dll!v8::internal::Execution::Call
                ...
Comment 1 Jeffrey Pfau 2011-06-08 15:46:41 PDT
Created attachment 96496 [details]
Patch
Comment 2 Dave Hyatt 2011-06-09 13:40:42 PDT
Comment on attachment 96496 [details]
Patch

r=me
Comment 3 WebKit Review Bot 2011-06-10 13:42:23 PDT
Comment on attachment 96496 [details]
Patch

Rejecting attachment 96496 [details] from commit-queue.

Failed to run "['./Tools/Scripts/webkit-patch', '--status-host=queues.webkit.org', '--bot-id=ec2-cq-03', '--port..." exit_code: 2

Last 500 characters of output:
 Tests to be fixed (1221):
      6 DumpRenderTree crashes   ( 0.5%)
      4 tests timed out          ( 0.3%)
     55 text diff mismatch       ( 4.5%)
    325 skipped                  (26.6%)

=> Tests that will only be fixed if they crash (WONTFIX) (8107):
      1 test timed out           ( 0.0%)
    109 text diff mismatch       ( 1.3%)
   7948 skipped                  (98.0%)


Regressions: Unexpected text diff mismatch : (1)
  fast/multicol/span/span-as-nested-inline-block-child.html = TEXT



Full output: http://queues.webkit.org/results/8825461
Comment 4 WebKit Review Bot 2011-06-10 13:42:28 PDT
Created attachment 96776 [details]
Archive of layout-test-results from ec2-cq-03

The attached test failures were seen while running run-webkit-tests on the commit-queue.
Bot: ec2-cq-03  Port: Chromium  Platform: Linux-2.6.35-28-virtual-x86_64-with-Ubuntu-10.10-maverick
Comment 5 Jeffrey Pfau 2011-06-10 18:19:41 PDT
Created attachment 96832 [details]
Patch
Comment 6 Kent Tamura 2011-06-10 20:33:38 PDT
Comment on attachment 96832 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=96832&action=review

> LayoutTests/ChangeLog:5
> +        WebCore::RenderBlock::deleteLineBoxTree ReadAV@NULL (760cd30cf928f45d54f8689f33c505c8)

This summary line is meaningless. "ReadAV@NULL (760cd30cf928f45d54f8689f33c505c8)" is not understandable for everyone.

> LayoutTests/ChangeLog:13
> +        * fast/multicol/span/span-as-nested-inline-block-child.html: Added.
> +        * platform/chromium/test_expectations.txt:
> +        * platform/mac/fast/multicol/span/span-as-nested-inline-block-child-expected.png: Added.
> +        * platform/mac/fast/multicol/span/span-as-nested-inline-block-child-expected.txt: Added.

This is a test for crash, right?
So, dumpAsText() is enough.  We don't need the render tree and the image.
Comment 7 Jeffrey Pfau 2011-06-13 10:41:59 PDT
(In reply to comment #6)
> (From update of attachment 96832 [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=96832&action=review
> 
> > LayoutTests/ChangeLog:5
> > +        WebCore::RenderBlock::deleteLineBoxTree ReadAV@NULL (760cd30cf928f45d54f8689f33c505c8)
> 
> This summary line is meaningless. "ReadAV@NULL (760cd30cf928f45d54f8689f33c505c8)" is not understandable for everyone.

I changed the title of the bug to something more descriptive, I'll change the summary line with the next iteration of the patch.

> > LayoutTests/ChangeLog:13
> > +        * fast/multicol/span/span-as-nested-inline-block-child.html: Added.
> > +        * platform/chromium/test_expectations.txt:
> > +        * platform/mac/fast/multicol/span/span-as-nested-inline-block-child-expected.png: Added.
> > +        * platform/mac/fast/multicol/span/span-as-nested-inline-block-child-expected.txt: Added.
> 
> This is a test for crash, right?
> So, dumpAsText() is enough.  We don't need the render tree and the image.

It prevents a crash, but it also tests a specific behavior for how spanning elements should behave in specific cases. The case is not defined in the W3C standard. Given a discussion I had with I believe Dave Hyatt, it seemed like the case was well defined in WebKit, and this test also tests the specified behavior. This might be more appropriate for another test case, however, and I can simplify the test to just be a crashing test.
Comment 8 Jeffrey Pfau 2011-06-13 11:08:30 PDT
<rdar://problem/9030928>
Comment 9 Dave Hyatt 2011-06-14 11:54:19 PDT
This isn't just about a crash. It's testing the behavior of a spanning element inside an inline-block. I want a pixel test for this (like we have with other column spanning tests). I agree the ChangeLog should make it more clear what the patch is about (that it's not just fixing a crash but is making sure our behavior is correct as well).
Comment 10 Jeffrey Pfau 2011-06-14 12:01:07 PDT
Created attachment 97151 [details]
Patch
Comment 11 WebKit Review Bot 2011-06-14 12:17:48 PDT
Comment on attachment 97151 [details]
Patch

Rejecting attachment 97151 [details] from commit-queue.

Failed to run "['./Tools/Scripts/webkit-patch', '--status-host=queues.webkit.org', '--bot-id=ec2-cq-01', '--port..." exit_code: 1

Last 500 characters of output:
f6acd52cadfb5acdddff4ce589229df2e78c11a2
r88841 = ebf7685ad816b854d59abe81da5acf6eb7a15e51
Done rebuilding .git/svn/refs/remotes/origin/master/.rev_map.268f45cc-cd09-0410-ab3c-d52691b4dbfc
First, rewinding head to replay your work on top of it...
Fast-forwarded master to refs/remotes/origin/master.
Updating chromium port dependencies using gclient...

________ running '/usr/bin/python gyp_webkit' in '/mnt/git/webkit-commit-queue/Source/WebKit/chromium'
Updating webkit projects from gyp files...

Full output: http://queues.webkit.org/results/8843272
Comment 12 Dave Hyatt 2011-06-14 12:28:43 PDT
Comment on attachment 97151 [details]
Patch

r=me
Comment 13 WebKit Review Bot 2011-06-14 13:09:36 PDT
Comment on attachment 97151 [details]
Patch

Rejecting attachment 97151 [details] from commit-queue.

Failed to run "['./Tools/Scripts/webkit-patch', '--status-host=queues.webkit.org', '--bot-id=ec2-cq-03', '--port..." exit_code: 1

Last 500 characters of output:
127714e485617c54f40567829327a2b27d46365b
r88844 = 5a589ccf5f21d1b83d2d5023a101500e1d149ae7
Done rebuilding .git/svn/refs/remotes/origin/master/.rev_map.268f45cc-cd09-0410-ab3c-d52691b4dbfc
First, rewinding head to replay your work on top of it...
Fast-forwarded master to refs/remotes/origin/master.
Updating chromium port dependencies using gclient...

________ running '/usr/bin/python gyp_webkit' in '/mnt/git/webkit-commit-queue/Source/WebKit/chromium'
Updating webkit projects from gyp files...

Full output: http://queues.webkit.org/results/8787117
Comment 14 Jeffrey Pfau 2011-06-14 14:08:58 PDT
Created attachment 97165 [details]
Patch
Comment 15 Dave Hyatt 2011-06-14 14:11:06 PDT
Comment on attachment 97165 [details]
Patch

r=me
Comment 16 WebKit Review Bot 2011-06-14 14:51:42 PDT
Comment on attachment 97165 [details]
Patch

Clearing flags on attachment: 97165

Committed r88854: <http://trac.webkit.org/changeset/88854>
Comment 17 WebKit Review Bot 2011-06-14 14:51:50 PDT
All reviewed patches have been landed.  Closing bug.