[Webkit-unassigned] [Bug 84774] New: NULL-deref in RenderBox::clippedOverflowRectForRepaint

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Apr 24 14:18:37 PDT 2012 

https://bugs.webkit.org/show_bug.cgi?id=84774

           Summary: NULL-deref in RenderBox::clippedOverflowRectForRepaint
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: P1
         Component: Layout and Rendering
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: jchaffraix at webkit.org


Created an attachment (id=138641)
 --> (https://bugs.webkit.org/attachment.cgi?id=138641&action=review)
test case

Backtrace:

        WebCore::RenderLayer::hasVisibleContent() [0x18f5490]
        WebCore::RenderBox::clippedOverflowRectForRepaint() [0x192f6f5]
        WebCore::RenderObject::rectWithOutlineForRepaint() [0x19d8e1f]
        WebCore::RenderBlock::rectWithOutlineForRepaint() [0x18ecd85]
        WebCore::RenderInline::clippedOverflowRectForRepaint() [0x1981d36]
        WebCore::RenderText::clippedOverflowRectForRepaint() [0x1a1d7d5]
        WebCore::RenderObject::repaint() [0x19d7b5b]
        WebCore::RenderObjectChildList::removeChildNode() [0x19df707]
        WebCore::RenderObject::removeChild() [0x19d2ba9]
        WebCore::RenderObject::remove() [0x197778a]
        WebCore::RenderObject::willBeDestroyed() [0x19dc231]
        WebCore::RenderText::willBeDestroyed() [0x1a180d8]
        WebCore::RenderTextFragment::willBeDestroyed() [0x1a26872]
        WebCore::RenderObject::destroy() [0x19dc5a7]
        WebCore::RenderObjectChildList::destroyLeftoverChildren() [0x19df560]
        WebCore::RenderInline::willBeDestroyed() [0x197c417]
        WebCore::RenderObject::destroy() [0x19dc5a7]
        WebCore::RenderObjectChildList::updateBeforeAfterContent() [0x19e12cc]
        WebCore::RenderInline::addChildIgnoringContinuation() [0x197d2db]
        WebCore::RenderInline::addChild() [0x197cf52]
        WebCore::NodeRendererFactory::createRendererIfNeeded() [0x77be2c]
        WebCore::Node::createRendererIfNeeded() [0x75d563]
        WebCore::Element::attach() [0x73479d]
        WebCore::Node::reattach() [0x7395b2]
        WebCore::Element::recalcStyle() [0x735054]
        WebCore::Element::recalcStyle() [0x7356eb]

The issue is at the following line:

    if (style()->visibility() != VISIBLE && !enclosingLayer()->hasVisibleContent())

enclosingLayer() returns 0 as we are called on a not-yet-inserted RenderObject (it's a newly created continuation, see test case).

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list