[Webkit-unassigned] [Bug 67669] New: Null ptr crash in RenderScrollbar::updateScrollbarParts

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Sep 6 13:46:31 PDT 2011 

https://bugs.webkit.org/show_bug.cgi?id=67669

           Summary: Null ptr crash in
                    RenderScrollbar::updateScrollbarParts
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Major
          Priority: P2
         Component: Layout and Rendering
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: inferno at chromium.org


http://code.google.com/p/chromium/issues/detail?id=95552

Thread 0 *CRASHED* ( EXCEPTION_ACCESS_VIOLATION_READ @ 0x00000018 )

0x584150d3     [chrome.dll     - renderobject.h:960]    WebCore::RenderObject::setChildNeedsLayout(bool,bool)
0x5843873f     [chrome.dll     - renderscrollbar.cpp:198]    WebCore::RenderScrollbar::updateScrollbarParts(bool)
0x58438470     [chrome.dll     - renderscrollbar.cpp:93]    WebCore::RenderScrollbar::setEnabled(bool)
0x58579e8a     [chrome.dll     - scrollview.cpp:554]    WebCore::ScrollView::updateScrollbars(WebCore::IntSize const &)
0x58579633     [chrome.dll     - scrollview.cpp:296]    WebCore::ScrollView::setContentsSize(WebCore::IntSize const &)
0x584a4ea9     [chrome.dll     - frameview.cpp:489]    WebCore::FrameView::setContentsSize(WebCore::IntSize const &)
0x584a4f77     [chrome.dll     - frameview.cpp:515]    WebCore::FrameView::adjustViewSize()
0x584a5899     [chrome.dll     - frameview.cpp:1029]    WebCore::FrameView::layout(bool)
0x5861f718     [chrome.dll     - document.cpp:1614]    WebCore::Document::updateLayout()
0x5861f78c     [chrome.dll     - document.cpp:1645]    WebCore::Document::updateLayoutIgnorePendingStylesheets()
0x58627013     [chrome.dll     - element.cpp:402]    WebCore::Element::offsetParent()
0x586c00a3     [chrome.dll     - v8element.cpp:100]    WebCore::ElementInternal::offsetParentAttrGetter

Basically, owning renderer can be cleared in ClearOwningRenderer. we need a null check here.  unfortunately top crasher, but no repro.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list