[Webkit-unassigned] [Bug 88395] Null-pointer crash in InlineFlowBox::computeOverAnnotationAdjustment during rendering/reload race

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jun 6 17:10:57 PDT 2012


https://bugs.webkit.org/show_bug.cgi?id=88395

--- Comment #6 from dstockwell at chromium.org  2012-06-06 17:10:57 PST ---
(In reply to comment #5)
> (From update of attachment 145948 [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=145948&action=review
> 
> > Source/WebCore/rendering/InlineFlowBox.cpp:1446
> > -            if (style->textEmphasisMark() != TextEmphasisMarkNone && toInlineTextBox(curr)->getEmphasisMarkPosition(style, emphasisMarkPosition) && emphasisMarkPosition == TextEmphasisPositionOver) {
> > +            if (style && style->textEmphasisMark() != TextEmphasisMarkNone && toInlineTextBox(curr)->getEmphasisMarkPosition(style, emphasisMarkPosition) && emphasisMarkPosition == TextEmphasisPositionOver) {
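Review bot: the added `style &&` guard at InlineFlowBox.cpp:1446 only short-circuits the null dereference; it does not explain why the first-line style lookup can return null while a box is still tagged as first-line, so a reader of this line later will not know whether the null is expected or a symptom of the rendering/reload race described in this bug. Suggest recording that reason in the ChangeLog and in a comment next to the guard (or an ASSERT if the null is never expected outside that race), so the guard is not mistaken for a fix of the underlying cause.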
> 
> Do we know why style is null?  We should try to figure that out and add the explanation to the changelog.

The style appears to be null because the first-line style has been removed from the document, but a render object tagged as first-line still exists. I don't have enough knowledge of the rendering process to understand how this can happen; it appears to be some sort of race condition between rendering and reload.

A bisect pointed to http://trac.webkit.org/changeset/74326 -- attempting to reverse that change (which simply changes some layout bounds) also appears to avoid the specific problem in the repro.

> > LayoutTests/fast/text/firstline/crash-firstline-detach-reload.html:34
> > +        location.reload();
> 
> We don't want the test to be non-deterministic.  You might be able to further reduce the test case, which might help to understand the crash.  I'd be surprised if everything in the test case is necessary (an embed, a bdo, a different writing mode, a cursor and old flexbox?)

Agreed, but I have not been successful in reducing any further.
