[Webkit-unassigned] [Bug 53316] New: NULL pointer crash when using :empty and :first-line pseudoclass selectors together

bugzilla-daemon at webkit.org
Fri Jan 28 11:44:33 PST 2011


https://bugs.webkit.org/show_bug.cgi?id=53316

           Summary: NULL pointer crash when using :empty and :first-line
                    pseudoclass selectors together
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Mac OS X 10.5
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: CSS
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: tsepez at chromium.org


The following example reproduces the crash:
<style> *:empty:first-line { background: red; } </style>
<button autofocus></button>

Crash is at:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000024
[Switching to process 7834]
0x025ccff5 in WTF::RefPtr<WebCore::StyleInheritedData>::get (this=0x24) at RefPtr.h:60
60            T* get() const { return m_ptr; }
(gdb) where
#0  0x025ccff5 in WTF::RefPtr<WebCore::StyleInheritedData>::get (this=0x24) at RefPtr.h:60
#1  0x025f9155 in WebCore::DataRef<WebCore::StyleInheritedData>::get (this=0x24) at DataRef.h:33
#2  0x025f9169 in WebCore::DataRef<WebCore::StyleInheritedData>::operator-> (this=0x24) at DataRef.h:36
#3  0x025334a8 in WebCore::RenderStyle::lineHeight (this=0x0) at RenderStyle.h:484
#4  0x0295bea9 in WebCore::RenderStyle::computedLineHeight (this=0x0) at RenderStyle.h:487
#5  0x0293f1fc in WebCore::RenderBlock::lineHeight (this=0x9ef7e6c, firstLine=true, direction=WebCore::HorizontalLine, linePositionMode=WebCore::PositionOfInteriorLineBoxes) at /Volumes/MacintoshHD2/c1/src/third_party/WebKit/Source/WebCore/WebCore.gyp/../rendering/RenderBlock.cpp:5028
#6  0x02a52eea in WebCore::RootInlineBox::lineHeight (this=0x9ee7f4c) at RootInlineBox.h:92
#7  0x029272d9 in WebCore::InlineFlowBox::computeLogicalBoxHeights (this=0x9ee7f4c, maxPositionTop=@0xb49b6264, maxPositionBottom=@0xb49b6260, maxAscent=@0xb49b625c, maxDescent=@0xb49b6258, setMaxAscent=@0xb49b626f, setMaxDescent=@0xb49b626e, strictMode=false, textBoxDataMap=@0xb49b66e8, baselineType=WebCore::AlphabeticBaseline, verticalPositionCache=@0xb49b6660) at /Volumes/MacintoshHD2/c1/src/third_party/WebKit/Source/WebCore/WebCore.gyp/../rendering/InlineFlowBox.cpp:460
#8  0x02a52018 in WebCore::RootInlineBox::alignBoxesInBlockDirection (this=0x9ee7f4c, heightOfBlock=0, textBoxDataMap=@0xb49b66e8, verticalPositionCache=@0xb49b6660) at /Volumes/MacintoshHD2/c1/src/third_party/WebKit/Source/WebCore/WebCore.gyp/../rendering/RootInlineBox.cpp:242
#9  0x0296b30e in WebCore::RenderBlock::computeBlockDirectionPositionsForLine (this=0x9ef7e6c, lineBox=0x9ee7f4c, firstRun=0x9ef24bc, textBoxDataMap=@0xb49b66e8, verticalPositionCache=@0xb49b6660) at /Volumes/MacintoshHD2/c1/src/third_party/WebKit/Source/WebCore/WebCore.gyp/../rendering/RenderBlockLineLayout.cpp:480
#10 0x0296dfe1 in WebCore::RenderBlock::layoutInlineChildren (this=0x9ef7e6c, relayoutChildren=true, repaintLogicalTop=@0xb49b6878, repaintLogicalBottom=@0xb49b6874) at /Volumes/MacintoshHD2/c1/src/third_party/WebKit/Source/WebCore/WebCore.gyp/../rendering/RenderBlockLineLayout.cpp:756
#11 0x0294e164 in WebCore::RenderBlock::layoutBlock (this=0x9ef7e6c, relayoutChildren=true, pageLogicalHeight=0) at /Volumes/MacintoshHD2/c1/src/third_party/WebKit/Source/WebCore/WebCore.gyp/../rendering/RenderBlock.cpp:1221
#12 0x0294ce18 in WebCore::RenderBlock::layout (this=0x9ef7e6c) at /Volumes/MacintoshHD2/c1/src/third_party/WebKit/Source/WebCore/WebCore.gyp/../rendering/RenderBlock.cpp:1119
#13 0x0294bf03 in WebCore::RenderBlock::layoutBlockChild (this=0x9eec33c, child=0x9ef7e6c, marginInfo=@0xb49b6a2c, previousFloatLogicalBottom=@0xb49b6a54, maxFloatLogicalBottom=@0xb49b6ba0) at /Volumes/MacintoshHD2/c1/src/third_party/WebKit/Source/WebCore/WebCore.gyp/../rendering/RenderBlock.cpp:1958
#14 0x0294db28 in WebCore::RenderBlock::layoutBlockChildren (this=0x9eec33c, relayoutChildren=true, maxFloatLogicalBottom=@0xb49b6ba0) at /Volumes/MacintoshHD2/c1/src/third_party/WebKit/Source/WebCore/WebCore.gyp/../rendering/RenderBlock.cpp:1896

...

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.


