[Webkit-unassigned] [Bug 105393] New: ::first-letter { overflow: -webkit-page-dx } causes crash

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Dec 18 23:15:00 PST 2012


https://bugs.webkit.org/show_bug.cgi?id=105393

           Summary: ::first-letter { overflow: -webkit-page-dx } causes
                    crash
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: CSS
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: tasak at google.com


Reported by fuzzer: https://cluster-fuzz.appspot.com/testcase?key=102884484

The following is a stack trace in the above report:

/mnt/scratch0/clusterfuzz/slave-bot/builds/symbolized/debug/asan-linux-debug-154320/DumpRenderTree

ASAN:SIGSEGV
=================================================================
==32198== ERROR: AddressSanitizer crashed on unknown address 0x000000000060 (pc 0x7f435c2a3d32 sp 0x7fff95826a80 bp 0x7fff95826bd0 T0)
AddressSanitizer can not provide additional info.
    #0 0x7f435c2a3d31 in WebCore::QualifiedName::matches(WebCore::QualifiedName const&) const third_party/WebKit/Source/WebCore/dom/QualifiedName.h:85
    #1 0x7f435c2a3b7e in WebCore::Element::hasTagName(WebCore::QualifiedName const&) const third_party/WebKit/Source/WebCore/dom/Element.h:222
    #2 0x7f436690eb52 in WebCore::StyleResolver::adjustRenderStyle(WebCore::RenderStyle*, WebCore::RenderStyle*, WebCore::Element*) third_party/WebKit/Source/WebCore/css/StyleResolver.cpp:2240
    #3 0x7f43669259bb in WebCore::StyleResolver::pseudoStyleForElement(WebCore::PseudoId, WebCore::Element*, WebCore::RenderStyle*) third_party/WebKit/Source/WebCore/css/StyleResolver.cpp:1956
    #4 0x7f4368e8379e in WebCore::RenderObject::getUncachedPseudoStyle(WebCore::PseudoId, WebCore::RenderStyle*, WebCore::RenderStyle*) const third_party/WebKit/Source/WebCore/rendering/RenderObject.cpp:2688
    #5 0x7f4368e993b8 in WebCore::RenderObject::getCachedPseudoStyle(WebCore::PseudoId, WebCore::RenderStyle*) const third_party/WebKit/Source/WebCore/rendering/RenderObject.cpp:2659
    #6 0x7f4368e98993 in WebCore::RenderObject::firstLineStyleSlowCase() const third_party/WebKit/Source/WebCore/rendering/RenderObject.cpp:2637
    #7 0x7f43684e16c9 in WebCore::RenderObject::firstLineStyle() const third_party/WebKit/Source/WebCore/rendering/RenderObject.h:728
    #8 0x7f43684df4bc in WebCore::RenderObject::style(bool) const third_party/WebKit/Source/WebCore/rendering/RenderObject.h:729
    #9 0x7f4368859392 in WebCore::RenderBlock::LineBreaker::nextLineBreak(WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>&, WebCore::LineInfo&, WebCore::RenderBlock::RenderTextInfo&, WebCore::RenderBlock::FloatingObject*, unsigned int) third_party/WebKit/Source/WebCore/rendering/RenderBlockLineLayout.cpp:2407
    #10 0x7f436884c357 in WebCore::RenderBlock::layoutRunsAndFloatsInRange(WebCore::LineLayoutState&, WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>&, WebCore::InlineIterator const&, WebCore::BidiStatus const&, unsigned int) third_party/WebKit/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1328
    #11 0x7f4368845ec9 in WebCore::RenderBlock::layoutRunsAndFloats(WebCore::LineLayoutState&, bool) third_party/WebKit/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1271
    #12 0x7f436886a0eb in WebCore::RenderBlock::layoutInlineChildren(bool, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&) third_party/WebKit/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1600
    #13 0x7f4368648c8b in WebCore::RenderBlock::layoutBlock(bool, WebCore::FractionalLayoutUnit) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:1531

The reason this crash occurs is that we forget to check whether "e != null" before calling e->hasTagName(...) in StyleResolver::adjustRenderStyle.
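An added illustration (not WebKit's code; the type shapes, the table-tag check and the function names are assumed stand-ins for the frames in the trace) of how a null element reaches adjustRenderStyle through the pseudo-style path, with the unchecked call beside the guarded one:

```cpp
#include <cassert>
#include <string>

// Stand-ins for the WebKit types named in the stack trace; shapes are assumed
// for this illustration and are not WebKit's real classes.
struct QualifiedName {
    std::string localName;
    bool matches(const QualifiedName& other) const { return localName == other.localName; }
};

struct Element {
    QualifiedName tagName;
    // Reading tagName through a null Element* faults at a small offset from
    // nullptr, which is consistent with the report's "unknown address 0x60".
    bool hasTagName(const QualifiedName& name) const { return tagName.matches(name); }
};

struct RenderStyle {
    bool adjusted = false;  // constructed stand-in for the fields adjustRenderStyle rewrites
};

static const QualifiedName tableTag{"table"};

// Models the crashing shape: e is dereferenced unconditionally even though the
// pseudo-style path can pass nullptr (::first-letter has no backing DOM element).
bool adjustRenderStyleUnchecked(RenderStyle& style, const Element* e) {
    if (e->hasTagName(tableTag)) {  // null dereference when e == nullptr
        style.adjusted = true;
        return true;
    }
    return false;
}

// Hardened shape: only consult the tag when an element is actually present.
bool adjustRenderStyleChecked(RenderStyle& style, const Element* e) {
    if (e && e->hasTagName(tableTag)) {
        style.adjusted = true;
        return true;
    }
    return false;
}

// Mirrors pseudoStyleForElement resolving ::first-letter with no element,
// the case the fuzzer hit. Returns true when no tag-based adjustment ran.
bool resolveFirstLetterStyle(RenderStyle& style) {
    const Element* noElement = nullptr;  // constructed: pseudo-element without a DOM node
    adjustRenderStyleChecked(style, noElement);
    return !style.adjusted;
}
```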
