[Webkit-unassigned] [Bug 124772] New: Null-pointer dereference in WebCore::RenderElement::style

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Nov 22 07:16:36 PST 2013


https://bugs.webkit.org/show_bug.cgi?id=124772

           Summary: Null-pointer dereference in
                    WebCore::RenderElement::style
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Layout and Rendering
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: reni at webkit.org
            Blocks: 116980


Created an attachment (id=217679)
 --> (https://bugs.webkit.org/attachment.cgi?id=217679&action=review)
Test case

WebKit is crashing on a null pointer with the following test case:

<cite dir="auto">
<span>
    <center></center>
</span>
<big dir="auto">A<cite dir="ltr"><strike></strike><samp dir="auto">A</samp></cite></bdo><big><iframe>A</iframe><label>AAAAAAAAAAAAAAAAAAAAAAAAAAAAA</label>


Its backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff0f18946 in WTF::Ref<WebCore::RenderStyle>::get (this=0x48) at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Ref.h:60
60        const T& get() const { return *m_ptr; }
(gdb) bt
#0  0x00007ffff0f18946 in WTF::Ref<WebCore::RenderStyle>::get (this=0x48) at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Ref.h:60
#1  0x00007ffff0f186b2 in WebCore::RenderElement::style (this=0x0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderElement.h:38
#2  0x00007ffff198baa9 in WebCore::constructBidiRunsForSegment (topResolver=..., bidiRuns=..., endOfRuns=..., override=WebCore::NoVisualOverride, 
    previousLineBrokeCleanly=false) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockLineLayout.cpp:902
#3  0x00007ffff198bd9e in WebCore::constructBidiRunsForLine (block=0x122b940, topResolver=..., bidiRuns=..., endOfLine=..., 
    override=WebCore::NoVisualOverride, previousLineBrokeCleanly=false)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockLineLayout.cpp:952
#4  0x00007ffff198e06f in WebCore::RenderBlockFlow::layoutRunsAndFloatsInRange (this=0x122b940, layoutState=..., resolver=..., cleanLineStart=..., 
    cleanLineBidiStatus=..., consecutiveHyphenatedLines=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1375
#5  0x00007ffff198c68e in WebCore::RenderBlockFlow::layoutRunsAndFloats (this=0x122b940, layoutState=..., hasInlineChild=true)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1104
#6  0x00007ffff198fe50 in WebCore::RenderBlockFlow::layoutLineBoxes (this=0x122b940, relayoutChildren=true, repaintLogicalTop=..., repaintLogicalBottom=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1696
#7  0x00007ffff197305a in WebCore::RenderBlockFlow::layoutInlineChildren (this=0x122b940, relayoutChildren=true, repaintLogicalTop=..., 
    repaintLogicalBottom=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:532
#8  0x00007ffff197238b in WebCore::RenderBlockFlow::layoutBlock (this=0x122b940, relayoutChildren=true, pageLogicalHeight=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:357
#9  0x00007ffff19418bd in WebCore::RenderBlock::layout (this=0x122b940) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlock.cpp:1323
#10 0x00007ffff1973461 in WebCore::RenderBlockFlow::layoutBlockChild (this=0x1198da0, child=..., marginInfo=..., previousFloatLogicalBottom=..., 
    maxFloatLogicalBottom=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:593
#11 0x00007ffff1972f58 in WebCore::RenderBlockFlow::layoutBlockChildren (this=0x1198da0, relayoutChildren=true, maxFloatLogicalBottom=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:512
#12 0x00007ffff19723af in WebCore::RenderBlockFlow::layoutBlock (this=0x1198da0, relayoutChildren=true, pageLogicalHeight=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:359
#13 0x00007ffff19418bd in WebCore::RenderBlock::layout (this=0x1198da0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlock.cpp:1323
#14 0x00007ffff1973461 in WebCore::RenderBlockFlow::layoutBlockChild (this=0x10e7ba0, child=..., marginInfo=..., previousFloatLogicalBottom=..., 
    maxFloatLogicalBottom=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:593
#15 0x00007ffff1972f58 in WebCore::RenderBlockFlow::layoutBlockChildren (this=0x10e7ba0, relayoutChildren=true, maxFloatLogicalBottom=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:512
#16 0x00007ffff19723af in WebCore::RenderBlockFlow::layoutBlock (this=0x10e7ba0, relayoutChildren=true, pageLogicalHeight=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:359
#17 0x00007ffff19418bd in WebCore::RenderBlock::layout (this=0x10e7ba0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlock.cpp:1323
#18 0x00007ffff1973461 in WebCore::RenderBlockFlow::layoutBlockChild (this=0x959090, child=..., marginInfo=..., previousFloatLogicalBottom=..., 
    maxFloatLogicalBottom=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:593
#19 0x00007ffff1972f58 in WebCore::RenderBlockFlow::layoutBlockChildren (this=0x959090, relayoutChildren=true, maxFloatLogicalBottom=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:512
#20 0x00007ffff19723af in WebCore::RenderBlockFlow::layoutBlock (this=0x959090, relayoutChildren=true, pageLogicalHeight=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:359
#21 0x00007ffff19418bd in WebCore::RenderBlock::layout (this=0x959090) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlock.cpp:1323
#22 0x00007ffff1b109c5 in WebCore::RenderView::layoutContent (this=0x959090, state=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderView.cpp:153
#23 0x00007ffff1b1162a in WebCore::RenderView::layout (this=0x959090) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderView.cpp:339
#24 0x00007ffff16bdec2 in WebCore::FrameView::layout (this=0x8f6950, allowSubtree=true)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/page/FrameView.cpp:1261
#25 0x00007ffff112f55f in WebCore::Document::implicitClose (this=0x1207640) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:2390
#26 0x00007ffff15a8313 in WebCore::FrameLoader::checkCallImplicitClose (this=0x952988)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:849
#27 0x00007ffff15a80a7 in WebCore::FrameLoader::checkCompleted (this=0x952988) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:792
#28 0x00007ffff15a7e02 in WebCore::FrameLoader::finishedParsing (this=0x952988)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:725
#29 0x00007ffff1136977 in WebCore::Document::finishedParsing (this=0x1207640) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:4357
#30 0x00007ffff141a595 in WebCore::HTMLConstructionSite::finishedParsing (this=0x913ce8)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLConstructionSite.cpp:347
#31 0x00007ffff1452c8e in WebCore::HTMLTreeBuilder::finished (this=0x913cd0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2922
#32 0x00007ffff1421816 in WebCore::HTMLDocumentParser::end (this=0x9139d0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:749
#33 0x00007ffff1421901 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd (this=0x9139d0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:760
#34 0x00007ffff1420549 in WebCore::HTMLDocumentParser::prepareToStopParsing (this=0x9139d0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:203
#35 0x00007ffff1421946 in WebCore::HTMLDocumentParser::attemptToEnd (this=0x9139d0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:772
#36 0x00007ffff14219ff in WebCore::HTMLDocumentParser::finish (this=0x9139d0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:821
#37 0x00007ffff159ac18 in WebCore::DocumentWriter::end (this=0x117a450) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentWriter.cpp:245
#38 0x00007ffff1587cea in WebCore::DocumentLoader::finishedLoading (this=0x117a3b0, finishTime=0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:408
#39 0x00007ffff1587a58 in WebCore::DocumentLoader::notifyFinished (this=0x117a3b0, resource=0x1190540)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:345
#40 0x00007ffff162181e in WebCore::CachedResource::checkNotify (this=0x1190540)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:369
#41 0x00007ffff16218f8 in WebCore::CachedResource::finishLoading (this=0x1190540)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:385
#42 0x00007ffff161e3fa in WebCore::CachedRawResource::finishLoading (this=0x1190540, data=0x119bf10)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedRawResource.cpp:94
#43 0x00007ffff15dbc53 in WebCore::SubresourceLoader::didFinishLoading (this=0x1190ab0, finishTime=0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/SubresourceLoader.cpp:279
#44 0x00007ffff15d7f29 in WebCore::ResourceLoader::didFinishLoading (this=0x1190ab0, finishTime=0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/ResourceLoader.cpp:487
#45 0x00007ffff22dc0f2 in WebCore::readCallback (asyncResult=0x11959b0, data=0x1188ee0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:1328
#46 0x00007fffe8521bc9 in async_ready_callback_wrapper (source_object=0x69e580, res=0x11959b0, user_data=0x1188ee0) at ginputstream.c:530
#47 0x00007fffe8543ccb in g_task_return_now (task=0x11959b0) at gtask.c:1105
#48 complete_in_idle_cb (task=<optimized out>) at gtask.c:1114
#49 0x00007fffedc31473 in g_main_dispatch (context=0x1195630) at gmain.c:3054
#50 g_main_context_dispatch (context=0x1195630) at gmain.c:3630
#51 0x00007ffff7575aee in _ecore_glib_select__locked (ecore_timeout=0x1195630, efds=<optimized out>, wfds=<optimized out>, rfds=<optimized out>, 
    ecore_fds=1, ctx=<optimized out>) at ecore_glib.c:171
#52 _ecore_glib_select (ecore_fds=1, rfds=<optimized out>, wfds=<optimized out>, efds=<optimized out>, ecore_timeout=0x1195630) at ecore_glib.c:205
#53 0x00007ffff756fcb9 in _ecore_main_select (timeout=<optimized out>) at ecore_main.c:1466
#54 0x00007ffff7570789 in _ecore_main_loop_iterate_internal (once_only=0) at ecore_main.c:1860
#55 0x00007ffff7570b47 in ecore_main_loop_begin () at ecore_main.c:956
#56 0x0000000000406dfa in main (argc=2, argv=0x7fffffffde78) at /home/reni/Data/REPOS/webkit_sec/Tools/EWebLauncher/main.c:1044
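The frames above show the pattern behind most null-dereference crashes in C++ member functions: frame #1 has `RenderElement::style (this=0x0)`, yet the fault is only raised one frame deeper in `Ref::get (this=0x48)`. The `this` that gdb prints for `Ref::get` is the address of the embedded `Ref<RenderStyle>` member, which for a null renderer is simply the member's offset inside `RenderElement`. The following is an added example, not WebKit code, with stand-in classes (`Ref`, `Style`, `Element`) whose layout is assumed, so the computed offset will not be 0x48; it shows how to predict the "this" seen in the inner frame from the outer null pointer, and a null-checking accessor of the kind a fix at the call site in `constructBidiRunsForSegment` would need.

```cpp
#include <cstdint>
#include <cstdio>

// Stand-in for a style object (not WebCore::RenderStyle).
struct Style { int color; };

// Stand-in for WTF::Ref<T>: a non-null owning reference wrapper. get() has the
// same shape as the line at WTF/wtf/Ref.h:60 in the trace, so calling it
// through a null enclosing object faults when *m_ptr is read.
template <typename T>
class Ref {
public:
    explicit Ref(T& obj) : m_ptr(&obj) {}
    const T& get() const { return *m_ptr; }
private:
    T* m_ptr;
};

// Stand-in for a renderer that embeds a Ref<Style>. The fields before
// m_style are assumed; they only exist to give m_style a non-zero offset.
struct Element {
    virtual ~Element() {}
    void* m_parent = nullptr;
    void* m_previous = nullptr;
    void* m_next = nullptr;
    Ref<Style> m_style;

    explicit Element(Style& s) : m_style(s) {}
    // Same shape as RenderElement::style(): returns a reference to the member.
    const Style& style() const { return m_style.get(); }
};

// Offset of m_style inside a real Element, computed on a live object so the
// pointer arithmetic is well-defined (no member access through nullptr).
std::uintptr_t styleMemberOffset() {
    Style s{0};
    Element e(s);
    return static_cast<std::uintptr_t>(
        reinterpret_cast<const char*>(&e.m_style) - reinterpret_cast<const char*>(&e));
}

// The "this" gdb would show for Ref::get() given the "this" of the enclosing
// Element::style() call: element address plus member offset. With a null
// element this is just the offset, which is how this=0x0 in one frame becomes
// a small non-null this in the next.
std::uintptr_t predictedRefThis(std::uintptr_t elementThis) {
    return elementThis + styleMemberOffset();
}

// Hardened accessor: reject a null renderer before touching its members
// instead of relying on every caller to have checked.
const Style* styleIfAny(const Element* element) {
    return element ? &element->style() : nullptr;
}

int main() {
    std::printf("m_style offset: 0x%llx\n",
                static_cast<unsigned long long>(styleMemberOffset()));
    std::printf("Ref::get this for null element: 0x%llx\n",
                static_cast<unsigned long long>(predictedRefThis(0)));
    std::printf("styleIfAny(nullptr) is null: %s\n",
                styleIfAny(nullptr) == nullptr ? "yes" : "no");
    return 0;
}
```

When triaging such a trace, a small `this` value in an accessor frame (here 0x48) is a strong sign that the object one level up was null rather than a dangling or corrupted pointer; building with AddressSanitizer or UBSan makes this explicit at the first bad access instead of at the later read.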
