[Webkit-unassigned] [Bug 87297] New: Null pointer dereference when mixing layers, foreignObjects and SVG hidden containers

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed May 23 12:31:41 PDT 2012


https://bugs.webkit.org/show_bug.cgi?id=87297

           Summary: Null pointer dereference when mixing layers,
                    foreignObjects and SVG hidden containers
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: SVG
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: fmalita at chromium.org
                CC: zimmermann at kde.org


Created an attachment (id=143617)
 --> (https://bugs.webkit.org/attachment.cgi?id=143617&action=review)
Crashes when laying out the <defs> subtree

We are suppressing the creation of layers inside SVGHiddenContainers (in RenderObject::layerCreationAllowedForSubtree), but RenderBlock is riddled with assumptions that positioned elements always have an associated layer (and child->layer() is de-referenced without a NULL check).

For example, an SVG foreignObject in the <defs> section will cause a crash if its content requires layers:


#0  0x00007ffff108f0be in WebCore::RenderLayer::setStaticInlinePosition (this=0x0, position=...)
    at ../../third_party/WebKit/Source/WebCore/rendering/RenderLayer.h:530
#1  0x00007ffff1084f85 in WebCore::RenderBlock::setStaticInlinePositionForChild (this=0x7fffe083a6f8, child=
    0x7fffe0a9b8d8, blockOffset=..., inlinePosition=...)
    at ../../third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:6972
#2  0x00007ffff10b1379 in WebCore::setStaticPositions (block=0x7fffe083a6f8, child=0x7fffe0a9b8d8)
    at ../../third_party/WebKit/Source/WebCore/rendering/RenderBlockLineLayout.cpp:881
#3  0x00007ffff10b65ad in WebCore::RenderBlock::LineBreaker::skipLeadingWhitespace (this=0x7fffffffa2b0, 
    resolver=..., lineInfo=..., lastFloatFromPreviousLine=0x0, width=...)
    at ../../third_party/WebKit/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1911
#4  0x00007ffff10b7573 in WebCore::RenderBlock::LineBreaker::nextLineBreak (this=0x7fffffffa2b0, resolver=..., 
    lineInfo=..., lineBreakIteratorInfo=..., lastFloatFromPreviousLine=0x0, consecutiveHyphenatedLines=0)
    at ../../third_party/WebKit/Source/WebCore/rendering/RenderBlockLineLayout.cpp:2124
#5  0x00007ffff10b23d6 in WebCore::RenderBlock::layoutRunsAndFloatsInRange (this=0x7fffe083a6f8, 
    layoutState=..., resolver=..., cleanLineStart=..., cleanLineBidiStatus=..., consecutiveHyphenatedLines=0)
    at ../../third_party/WebKit/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1256
#6  0x00007ffff10b2035 in WebCore::RenderBlock::layoutRunsAndFloats (this=0x7fffe083a6f8, layoutState=..., 
    hasInlineChild=false) at ../../third_party/WebKit/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1221
#7  0x00007ffff10b41ea in WebCore::RenderBlock::layoutInlineChildren (this=0x7fffe083a6f8, 
    relayoutChildren=true, repaintLogicalTop=..., repaintLogicalBottom=...)
    at ../../third_party/WebKit/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1517
#8  0x00007ffff1062667 in WebCore::RenderBlock::layoutBlock (this=0x7fffe083a6f8, relayoutChildren=true, 
    pageLogicalHeight=...) at ../../third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:1478
#9  0x00007ffff1061b9c in WebCore::RenderBlock::layout (this=0x7fffe083a6f8)
    at ../../third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:1339
#10 0x00007ffff1560ea5 in WebCore::RenderSVGForeignObject::layout (this=0x7fffe083a6f8)
    at ../../third_party/WebKit/Source/WebCore/rendering/svg/RenderSVGForeignObject.cpp:153
#11 0x00007ffff159e4a8 in WebCore::SVGRenderSupport::layoutChildren (start=0x7fffe0a9b7f8, selfNeedsLayout=true)
    at ../../third_party/WebKit/Source/WebCore/rendering/svg/SVGRenderSupport.cpp:212
#12 0x00007ffff155de34 in WebCore::RenderSVGContainer::layout (this=0x7fffe0a9b7f8)
    at ../../third_party/WebKit/Source/WebCore/rendering/svg/RenderSVGContainer.cpp:70
#13 0x00007ffff159e4a8 in WebCore::SVGRenderSupport::layoutChildren (start=0x7fffe081a8d8, selfNeedsLayout=true)
    at ../../third_party/WebKit/Source/WebCore/rendering/svg/SVGRenderSupport.cpp:212
#14 0x00007ffff1561aa7 in WebCore::RenderSVGHiddenContainer::layout (this=0x7fffe081a8d8)
    at ../../third_party/WebKit/Source/WebCore/rendering/svg/RenderSVGHiddenContainer.cpp:38
#15 0x00007ffff159e4a8 in WebCore::SVGRenderSupport::layoutChildren (start=0x7fffe0985618, selfNeedsLayout=true)
    at ../../third_party/WebKit/Source/WebCore/rendering/svg/SVGRenderSupport.cpp:212
#16 0x00007ffff15868c4 in WebCore::RenderSVGRoot::layout (this=0x7fffe0985618)
    at ../../third_party/WebKit/Source/WebCore/rendering/svg/RenderSVGRoot.cpp:232
#17 0x00007ffff10672c7 in WebCore::RenderBlock::layoutBlockChild (this=0x7fffe43a0498, child=0x7fffe0985618, 
    marginInfo=..., previousFloatLogicalBottom=..., maxFloatLogicalBottom=...)
    at ../../third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:2330
#18 0x00007ffff1066dbf in WebCore::RenderBlock::layoutBlockChildren (this=0x7fffe43a0498, 
    relayoutChildren=true, maxFloatLogicalBottom=...)
    at ../../third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:2266
#19 0x00007ffff1062688 in WebCore::RenderBlock::layoutBlock (this=0x7fffe43a0498, relayoutChildren=true, 
    pageLogicalHeight=...) at ../../third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:1480
#20 0x00007ffff1061b9c in WebCore::RenderBlock::layout (this=0x7fffe43a0498)
    at ../../third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:1339
#21 0x00007ffff1213802 in WebCore::RenderView::layout (this=0x7fffe43a0498)
    at ../../third_party/WebKit/Source/WebCore/rendering/RenderView.cpp:141
#22 0x00007ffff1f6295f in WebCore::FrameView::layout (this=0x7fffe4412380, allowSubtree=true)
    at ../../third_party/WebKit/Source/WebCore/page/FrameView.cpp:1100

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
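A test case of the shape the report describes, added here as an illustration; it is not the reporter's attachment (id=143617), whose exact markup is not shown in this mail. It assumes the trigger is an absolutely positioned child inside inline content of the foreignObject, which is what the trace points at: frame #3 (skipLeadingWhitespace) reaches setStaticPositions for an out-of-flow child, and frame #1 then calls child->layer()->setStaticInlinePosition with the layer suppressed under the <defs> hidden container.

```html
<!DOCTYPE html>
<!-- Constructed test case (not the report's attachment). The foreignObject sits
     under <defs>, so RenderSVGHiddenContainer suppresses layer creation for the
     whole subtree (RenderObject::layerCreationAllowedForSubtree). Its content is
     inline text with an absolutely positioned child; laying out that line runs
     setStaticPositions -> setStaticInlinePositionForChild, which dereferences
     child->layer() without a NULL check. With the layer suppressed, that is the
     null dereference in the report's trace (frame #0, this=0x0). -->
<svg xmlns="http://www.w3.org/2000/svg" width="200" height="200">
  <defs>
    <foreignObject width="100" height="100">
      <!-- Inline content so RenderBlock takes the line-layout path
           (layoutInlineChildren, frames #7 down to #3). -->
      <div xmlns="http://www.w3.org/1999/xhtml">
        text before
        <!-- Out-of-flow positioned child: RenderBlock assumes it has a layer. -->
        <span style="position: absolute">positioned</span>
        text after
      </div>
    </foreignObject>
  </defs>
  <!-- Visible content that must still paint once the crash is fixed: the
       <defs> subtree is never rendered, only laid out. -->
  <rect width="200" height="200" fill="green"/>
</svg>
```

Loaded in a build with the behaviour described above, the page should crash during the first layout of the <defs> subtree rather than on any user interaction; after a fix, the expected result is simply a green square, since nothing under <defs> is painted. Moving the foreignObject out of <defs> should make the same markup lay out without error, which separates the hidden-container layer suppression from any unrelated foreignObject layout problem.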