[Webkit-unassigned] [Bug 77035] New: Use-after-free in InlineFlowBox::deleteLine
bugzilla-daemon at webkit.org
Wed Jan 25 12:01:24 PST 2012
https://bugs.webkit.org/show_bug.cgi?id=77035
Summary: Use-after-free in InlineFlowBox::deleteLine
Product: WebKit
Version: 528+ (Nightly build)
Platform: Unspecified
OS/Version: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: Layout and Rendering
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: rniwa at webkit.org
CC: hyatt at apple.com, mitz at webkit.org, inferno at chromium.org
You can reproduce the crash by running PerformanceTests/Parser/html5-full-render.html
#0 0x101c18383 in WebCore::InlineFlowBox::deleteLine at InlineFlowBox.cpp:207
#1 0x1022feaee in WebCore::RenderLineBoxList::deleteLineBoxTree at RenderLineBoxList.cpp:73
#2 0x10222ec23 in WebCore::RenderBlock::deleteLineBoxTree at RenderBlock.cpp:873
#3 0x10222f043 in WebCore::RenderBlock::collapseAnonymousBoxChild at RenderBlock.cpp:1035
#4 0x10222f5a9 in WebCore::RenderBlock::removeChild at RenderBlock.cpp:1104
#5 0x1023228ab in WebCore::RenderObject::remove at RenderObject.h:834
#6 0x10231aa02 in WebCore::RenderObject::willBeDestroyed at RenderObject.cpp:2246
#7 0x10228c61a in WebCore::RenderBoxModelObject::willBeDestroyed at RenderBoxModelObject.cpp:297
#8 0x10227ee80 in WebCore::RenderBox::willBeDestroyed at RenderBox.cpp:265
#9 0x10222fef2 in WebCore::RenderBlock::willBeDestroyed at RenderBlock.cpp:208
#10 0x10231a89a in WebCore::RenderObject::destroy at RenderObject.cpp:2266