[Webkit-unassigned] [Bug 66287] New: Element without renderer as documentElement triggers NULL ptr

Tue Aug 16 03:23:15 PDT 2011

https://bugs.webkit.org/show_bug.cgi?id=66287

           Summary: Element without renderer as documentElement triggers
                    NULL ptr
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Windows Vista
            Status: NEW
          Severity: Normal
          Priority: P1
         Component: HTML DOM
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: skylined at chromium.org
                CC: eric at webkit.org

Created an attachment (id=104018)
 --> (https://bugs.webkit.org/attachment.cgi?id=104018&action=review)
Repro

<body onload="go()">
<script>
  function go() {
    var oHead = document.documentElement.firstChild;
    document.open();
    document.insertBefore(oHead, null);
    document.writeln("<style>* {border-top: solid 1px;}</style><x>");
  }
</script>
</body>

Any element can be the documentElement, even an element without a renderer such as HEAD. Not all code handles this correctly, eg:

void RenderBox::paintBackground(const PaintInfo& paintInfo, const LayoutRect& paintRect, BackgroundBleedAvoidance bleedAvoidance)
{
    if (isRoot())
        paintRootBoxFillLayers(paintInfo);
    else if (!isBody() || document()->documentElement()->renderer()->hasBackground()) {
        // The <body> only paints its background if the root element has defined a background
        // independent of the body.
        if (!backgroundIsObscured())
            paintFillLayers(paintInfo, style()->visitedDependentColor(CSSPropertyBackgroundColor), style()->backgroundLayers(), paintRect, bleedAvoidance);
    }
}
In the above code "document()->documentElement()->renderer()->..." triggers a NULL ptr if there is no renderer.

id:             chrome.dll!WebCore::RenderBox::paintBackground ReadAV at NULL (10c48e8cc519a140dff53e68ca553272)
description:    Attempt to read from unallocated NULL pointer+0x4 in chrome.dll!WebCore::RenderBox::paintBackground
stack:          chrome.dll!WebCore::RenderBox::paintBackground
                chrome.dll!WebCore::RenderBox::paintBoxDecorations
                chrome.dll!WebCore::RenderBlock::paintObject
                chrome.dll!WebCore::RenderBlock::paint
                chrome.dll!WebCore::RenderBlock::paintChildren
                chrome.dll!WebCore::RenderBlock::paintContents
                chrome.dll!WebCore::RenderBlock::paintObject
                chrome.dll!WebCore::RenderBlock::paint
                chrome.dll!WebCore::RenderBlock::paintChildren
                chrome.dll!WebCore::RenderBlock::paintContents
                chrome.dll!WebCore::RenderBlock::paintObject
                chrome.dll!WebCore::RenderLayer::paintLayer
                chrome.dll!WebCore::RenderLayer::paint
                chrome.dll!WebCore::FrameView::paintContents
                chrome.dll!WebCore::ScrollView::paint
                chrome.dll!WebKit::WebFrameImpl::paintWithContext
                chrome.dll!WebKit::WebFrameImpl::paint
                chrome.dll!WebKit::WebViewImpl::paint
                chrome.dll!RenderWidget::PaintRect
                ...

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.