[Webkit-unassigned] [Bug 53316] NULL pointer crash when using :empty and :first-line pseudoclass selectors together

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Mar 3 21:24:09 PST 2011 

https://bugs.webkit.org/show_bug.cgi?id=53316


Alice Boxhall <aboxhall at chromium.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |aboxhall at chromium.org,
                   |                            |dglazkov at chromium.org,
                   |                            |jamesr at chromium.org,
                   |                            |ojan at chromium.org




--- Comment #5 from Alice Boxhall <aboxhall at chromium.org>  2011-03-03 21:24:09 PST ---
I've been looking into this with Ojan.

>From what we can gather, when the body element gets attached, the :empty:first-line selector matches it (since nothing has been attached to it yet).

Then, when the button focus happens, the styles are not recalculated, so the hasPseudoStyle(FIRST_LINE) method returns true, but no style is matched, so a null pointer is returned to the findNextLineBreak (http://trac.webkit.org/browser/trunk/Source/WebCore/rendering/RenderBlockLineLayout.cpp?rev=80288#L1655) method.

(The original stack trace breaks in a different point, but I think it's likely to be the same cause.)

The new stack, from attach():

#0    0x10173ec94 in WTF::RefPtr<WebCore::StyleRareNonInheritedData>::get at RefPtr.h:60
#1    0x10169627d in WebCore::DataRef<WebCore::StyleRareNonInheritedData>::get at DataRef.h:33
#2    0x101696295 in WebCore::DataRef<WebCore::StyleRareNonInheritedData>::operator-> at DataRef.h:36
#3    0x10173ed95 in WebCore::RenderStyle::textCombine at RenderStyle.h:735
#4    0x101f8b071 in WebCore::RenderStyle::hasTextCombine at RenderStyle.h:736
#5    0x101f8309c in WebCore::RenderBlock::findNextLineBreak at RenderBlockLineLayout.cpp:1672
#6    0x101f882bd in WebCore::RenderBlock::layoutInlineChildren at RenderBlockLineLayout.cpp:692
#7    0x101f69527 in WebCore::RenderBlock::layoutBlock at RenderBlock.cpp:1224
#8    0x101f63ad8 in WebCore::RenderBlock::layout at RenderBlock.cpp:1122
#9    0x101f62bfc in WebCore::RenderBlock::layoutBlockChild at RenderBlock.cpp:1961
#10    0x101f68ecb in WebCore::RenderBlock::layoutBlockChildren at RenderBlock.cpp:1899
#11    0x101f69540 in WebCore::RenderBlock::layoutBlock at RenderBlock.cpp:1226
#12    0x101f63ad8 in WebCore::RenderBlock::layout at RenderBlock.cpp:1122
#13    0x101f62bfc in WebCore::RenderBlock::layoutBlockChild at RenderBlock.cpp:1961
#14    0x101f68ecb in WebCore::RenderBlock::layoutBlockChildren at RenderBlock.cpp:1899
#15    0x101f69540 in WebCore::RenderBlock::layoutBlock at RenderBlock.cpp:1226
#16    0x101f63ad8 in WebCore::RenderBlock::layout at RenderBlock.cpp:1122
#17    0x1020bd3a5 in WebCore::RenderView::layout at RenderView.cpp:130
#18    0x10196a1c6 in WebCore::FrameView::layout at FrameView.cpp:906
#19    0x1017a9a15 in WebCore::Document::updateLayout at Document.cpp:1588
#20    0x1018d0d1a in WebCore::Element::focus at Element.cpp:1498
#21    0x101a3ca93 in WebCore::HTMLFormControlElement::attach at HTMLFormControlElement.cpp:144

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list