[Webkit-unassigned] [Bug 32009] New: Crash in RenderBlock::startDelayUpdateScrollInfo

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Nov 30 23:17:21 PST 2009 

https://bugs.webkit.org/show_bug.cgi?id=32009

           Summary: Crash in RenderBlock::startDelayUpdateScrollInfo
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Mac OS X 10.5
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Layout and Rendering
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: hamaji at chromium.org


After Bug 15135 (this was my change, sorry), the following HTML causes crash or
assertion failure.

<style>
.test {
    overflow-x: overlay;
    width: 50;
    display: -webkit-box;
}
</style>

<script>
if (window.layoutTestController)
    layoutTestController.dumpAsText();
</script>

<body>
  <div class="test">
    <input type=file class="test">
  </div>
  No crash means PASS
</body>

This is the stacktrace:

(gdb) bt
#0  0x0000000001dd7401 in WebCore::RenderBlock::startDelayUpdateScrollInfo ()
    at
/usr/local/google/chrome-webkit/src/third_party/WebKit/WebCore/rendering/RenderBlock.cpp:605
#1  0x0000000001e1fdf9 in WebCore::RenderFlexibleBox::layoutHorizontalBox (
    this=0x7fffe8062f08, relayoutChildren=false)
    at
/usr/local/google/chrome-webkit/src/third_party/WebKit/WebCore/rendering/RenderFlexibleBox.cpp:336
#2  0x0000000001e2131c in WebCore::RenderFlexibleBox::layoutBlock (
    this=0x7fffe8062f08, relayoutChildren=false)
    at
/usr/local/google/chrome-webkit/src/third_party/WebKit/WebCore/rendering/RenderFlexibleBox.cpp:242
#3  0x0000000001de0f25 in WebCore::RenderBlock::layout (this=0x7fffe8062f08)
    at
/usr/local/google/chrome-webkit/src/third_party/WebKit/WebCore/rendering/RenderBlock.cpp:648
#4  0x0000000001de4c4f in WebCore::RenderObject::layoutIfNeeded (
    this=0x7fffe8062f08)
    at
/usr/local/google/chrome-webkit/src/third_party/WebKit/WebCore/rendering/RenderObject.h:496
#5  0x0000000001dfdf11 in WebCore::RenderBlock::layoutInlineChildren (
    this=0x7fffe8062788, relayoutChildren=true, repaintTop=@0x438249cc,
    repaintBottom=@0x438249c8)
    at
/usr/local/google/chrome-webkit/src/third_party/WebKit/WebCore/rendering/---Type
<return> to continue, or q <return> to quit---
RenderBlockLineLayout.cpp:865
#6  0x0000000001de15a9 in WebCore::RenderBlock::layoutBlock (
    this=0x7fffe8062788, relayoutChildren=true)
    at
/usr/local/google/chrome-webkit/src/third_party/WebKit/WebCore/rendering/RenderBlock.cpp:722
#7  0x0000000001e3b523 in WebCore::RenderLayer::updateScrollInfoAfterLayout (
    this=0x7fffe80628c8)
    at
/usr/local/google/chrome-webkit/src/third_party/WebKit/WebCore/rendering/RenderLayer.cpp:1872
#8  0x0000000001de1cd8 in WebCore::RenderBlock::finishDelayUpdateScrollInfo ()
    at
/usr/local/google/chrome-webkit/src/third_party/WebKit/WebCore/rendering/RenderBlock.cpp:622
#9  0x0000000001e20cb4 in WebCore::RenderFlexibleBox::layoutHorizontalBox (
    this=0x7fffe805f318, relayoutChildren=false)
    at
/usr/local/google/chrome-webkit/src/third_party/WebKit/WebCore/rendering/RenderFlexibleBox.cpp:558
...

This crash happens because finishDelayUpdateScrollInfo() triggers layout of
another flexible box and it calls startDelayUpdateScrollInfo(). This function
modifies a global variable gDelayUpdateScrollInfoSet before
finishDelayUpdateScrollInfo() finalize the global variable. This bug can be
easily fixed by evacuating the global variable into local variable before we
trigger other layouts.

Chromium side: http://code.google.com/p/chromium/issues/detail?id=27085

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list