[Webkit-unassigned] [Bug 51647] chrome.dll!WebCore::RenderBox::paintBoxDecorationsWithSize ReadAV at NULL (214b527fa4dab86d8d344b0220263689)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Dec 28 06:58:25 PST 2010 

https://bugs.webkit.org/show_bug.cgi?id=51647





--- Comment #2 from SkyLined <skylined at chromium.org>  2010-12-28 06:58:25 PST ---
http://trac.webkit.org/browser/trunk/WebCore/rendering/RenderBox.cpp#L814
797    void RenderBox::paintBoxDecorationsWithSize(PaintInfo& paintInfo, int tx, int ty, int width, int height)
798    {
799        // border-fit can adjust where we paint our border and background.  If set, we snugly fit our line box descendants.  (The iChat
800        // balloon layout is an example of this).
801        borderFitAdjust(tx, width);
802    
803        // FIXME: Should eventually give the theme control over whether the box shadow should paint, since controls could have
804        // custom shadows of their own.
805        paintBoxShadow(paintInfo.context, tx, ty, width, height, style(), Normal);
806    
807        // If we have a native theme appearance, paint that before painting our background.
808        // The theme will tell us whether or not we should also paint the CSS background.
809        bool themePainted = style()->hasAppearance() && !theme()->paint(this, paintInfo, IntRect(tx, ty, width, height));
810        if (!themePainted) {
811            // The <body> only paints its background if the root element has defined a background
812            // independent of the body.  Go through the DOM to get to the root element's render object,
813            // since the root could be inline and wrapped in an anonymous block.
814            if (!isBody() || document()->documentElement()->renderer()->hasBackground())
815                paintFillLayers(paintInfo, style()->visitedDependentColor(CSSPropertyBackgroundColor), style()->backgroundLayers(), tx, ty, width, height);
816            if (style()->hasAppearance())
817                theme()->paintDecorations(this, paintInfo, IntRect(tx, ty, width, height));
818        }
819        paintBoxShadow(paintInfo.context, tx, ty, width, height, style(), Inset);
820    
821        // The theme will tell us whether or not we should also paint the CSS border.
822        if ((!style()->hasAppearance() || (!themePainted && theme()->paintBorderOnly(this, paintInfo, IntRect(tx, ty, width, height)))) && style()->hasBorder())
823            paintBorder(paintInfo.context, tx, ty, width, height, style());
824    }
"document()->documentElement()->renderer()" returns NULL, so "(NULL)->hasBackground()" causes a NULL deref.

chrome_639d0000!WebCore::RenderBox::paintBoxDecorationsWithSize+0x9a [c:\b\build\slave\win\build\src\third_party\webkit\webcore\rendering\renderbox.cpp @ 814]:
6431292a 3400            xor     al,0
6431292c e8af6ff8ff      call    chrome_639d0000!WebCore::RenderObject::isBody (642998e0)
64312931 84c0            test    al,al
64312933 7431            je      chrome_639d0000!WebCore::RenderBox::paintBoxDecorationsWithSize+0xd6 (64312966)
64312935 8b4e08          mov     ecx,dword ptr [esi+8]
64312938 8b4914          mov     ecx,dword ptr [ecx+14h]
6431293b 83b98c02000000  cmp     dword ptr [ecx+28Ch],0
64312942 894c242c        mov     dword ptr [esp+2Ch],ecx
64312946 7509            jne     chrome_639d0000!WebCore::RenderBox::paintBoxDecorationsWithSize+0xc1 (64312951)
64312948 e833acf3ff      call    chrome_639d0000!WebCore::Document::cacheDocumentElement (6424d580)
6431294d 8b4c242c        mov     ecx,dword ptr [esp+2Ch]
64312951 8b918c020000    mov     edx,dword ptr [ecx+28Ch]
64312957 8b4220          mov     eax,dword ptr [edx+20h]
chrome_639d0000!WebCore::RenderBox::paintBoxDecorationsWithSize+0xca [c:\b\build\slave\win\build\src\third_party\webkit\webcore\rendering\renderbox.cpp @ 814]:
  eax=00000000 ebx=0037e9c8 ecx=0187e900
  edx=0412fec0 esi=00ab82f8 edi=00000299
  eip=6431295a esp=0037e8f4 ebp=00000008
6431295a 8b4804          mov     ecx,dword ptr [eax+4]
6431295d e80e8efbff      call    chrome_639d0000!WebCore::RenderStyle::hasBackground (642cb770)
64312962 84c0            test    al,al
64312964 7432            je      chrome_639d0000!WebCore::RenderBox::paintBoxDecorationsWithSize+0x108 (64312998)
64312966 8b542430        mov     edx,dword ptr [esp+30h]
6431296a 8b4e04          mov     ecx,dword ptr [esi+4]
6431296d 8b4114          mov     eax,dword ptr [ecx+14h]
64312970 6a00            push    0
64312972 6a02            push    2
64312974 57              push    edi
64312975 52              push    edx
64312976 8b542438        mov     edx,dword ptr [esp+38h]
6431297a 55              push    ebp
6431297b 52              push    edx
6431297c 83c004          add     eax,4
6431297f 50              push    eax
64312980 68fb030000      push    3FBh
64312985 8d442430        lea     eax,[esp+30h]
64312989 50              push    eax

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list