[Webkit-unassigned] [Bug 98993] New: WebCore::RenderBlock::determineStartPosition crash

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Oct 10 22:19:15 PDT 2012


https://bugs.webkit.org/show_bug.cgi?id=98993

           Summary: WebCore::RenderBlock::determineStartPosition crash
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Layout and Rendering
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: mikelawther at chromium.org


As reported in http://crbug.com/123440.

Repro:
-----
<body style="position:absolute;">
<foo style="white-space:pre-wrap;">
<ul style="zoom:1866;"></ul>
<sup>
<foo id="root">
a<foo style="position:fixed;"></foo><foo><label id="node">
a</label>
</foo>
</foo></sup></foo>
</body>
<script type="text/javascript">
document.body.offsetTop;
root.appendChild(node);
</script>
-----

Crashes with NULL deref at:

0012ec24 030380b5 chrome_1c30000!WebCore::RenderBlock::determineStartPosition(class WebCore::LineLayoutState * layoutState = 0x0012ed88, class WebCore::BidiResolver<WebCore::InlineIterator,WebCore::BidiRun> * resolver = 0x0012ec68)+0x18b [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\rendering\renderblocklinelayout.cpp @ 1632]
0012ed6c 0303869c chrome_1c30000!WebCore::RenderBlock::layoutRunsAndFloats(class WebCore::LineLayoutState * layoutState = 0x0012ed88, bool hasInlineChild = true)+0x35 [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\rendering\renderblocklinelayout.cpp @ 1162]
[....]
