[Webkit-unassigned] [Bug 122163] New: Null-pointer dereference in WebCore::BidiRun::next

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Oct 1 10:26:04 PDT 2013


https://bugs.webkit.org/show_bug.cgi?id=122163

           Summary: Null-pointer dereference in WebCore::BidiRun::next
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Text
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: reni at webkit.org
            Blocks: 116980


The following tests crashes both on debug and on release wk builds:

<html dir="RTL">
    <meta charset="ISO-8859-8">sdf
    <input>
    <i dir="">
    <tt dir="auto"></tt>
</html>

The debug build fails on an assertion check and the release dies on a null-pointer dereference issue a few lines later.
By the release version the m_next variable will be null in WebCore::BidiRun::next (WebCore/rendering/BidiRun.h:58) and by the debug the (end < m_runCount) condition fails in WebCore::BidiRunList<Run>::reverseRuns (WebCore/platform/text/BidiRunList.h:207).

The debug backtrace:

ASSERTION FAILED: end < m_runCount
/home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/text/BidiRunList.h(207) : void WebCore::BidiRunList<Run>::reverseRuns(unsigned int, unsigned int) [with Run = WebCore::BidiRun]
1   0x7ffff56134c1 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(WTFCrash+0x1e) [0x7ffff56134c1]
2   0x7ffff47724d4 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x14414d4) [0x7ffff47724d4]
3   0x7ffff476f201 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x143e201) [0x7ffff476f201]
4   0x7ffff47615ef /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x14305ef) [0x7ffff47615ef]
5   0x7ffff4761968 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1430968) [0x7ffff4761968]
6   0x7ffff4763c9c /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1432c9c) [0x7ffff4763c9c]
7   0x7ffff4762260 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1431260) [0x7ffff4762260]
8   0x7ffff4765abc /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1434abc) [0x7ffff4765abc]
9   0x7ffff4752d40 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1421d40) [0x7ffff4752d40]
10  0x7ffff4720d3f /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x13efd3f) [0x7ffff4720d3f]
11  0x7ffff4753d54 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1422d54) [0x7ffff4753d54]
12  0x7ffff4753915 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1422915) [0x7ffff4753915]
13  0x7ffff4752d61 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1421d61) [0x7ffff4752d61]
14  0x7ffff4720d3f /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x13efd3f) [0x7ffff4720d3f]
15  0x7ffff4753d54 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1422d54) [0x7ffff4753d54]
16  0x7ffff4753915 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1422915) [0x7ffff4753915]
17  0x7ffff4752d61 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1421d61) [0x7ffff4752d61]
18  0x7ffff4720d3f /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x13efd3f) [0x7ffff4720d3f]
19  0x7ffff48d3f51 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x15a2f51) [0x7ffff48d3f51]
20  0x7ffff48d4b0a /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x15a3b0a) [0x7ffff48d4b0a]
21  0x7ffff456af61 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1239f61) [0x7ffff456af61]
22  0x7ffff409863a /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0xd6763a) [0x7ffff409863a]
23  0x7ffff44a9053 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1178053) [0x7ffff44a9053]
24  0x7ffff44a8de7 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1177de7) [0x7ffff44a8de7]
25  0x7ffff44a8b42 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1177b42) [0x7ffff44a8b42]
26  0x7ffff409f62b /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0xd6e62b) [0x7ffff409f62b]
27  0x7ffff42fcd9b /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0xfcbd9b) [0x7ffff42fcd9b]
28  0x7ffff43338f3 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x10028f3) [0x7ffff43338f3]
29  0x7ffff43046ec /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0xfd36ec) [0x7ffff43046ec]
30  0x7ffff43047d7 /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0xfd37d7) [0x7ffff43047d7]
31  0x7ffff430341f /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0xfd241f) [0x7ffff430341f]

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff56134c6 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342
342        *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ffff56134c6 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342
#1  0x00007ffff47724d4 in WebCore::BidiRunList<WebCore::BidiRun>::reverseRuns (this=0x7fffffffb6d0, start=0, end=4294967295)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/text/BidiRunList.h:207
#2  0x00007ffff476f201 in WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>::createBidiRunsForLine (this=0x7fffffffb610, end=..., 
    override=WebCore::VisualRightToLeftOverride, hardLineBreak=false) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/text/BidiResolver.h:550
#3  0x00007ffff47615ef in WebCore::constructBidiRunsForSegment (topResolver=..., bidiRuns=..., endOfRuns=..., override=WebCore::VisualRightToLeftOverride, 
    previousLineBrokeCleanly=false) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1096
#4  0x00007ffff4761968 in WebCore::constructBidiRunsForLine (block=0x8c0938, topResolver=..., bidiRuns=..., endOfLine=..., 
    override=WebCore::VisualRightToLeftOverride, previousLineBrokeCleanly=false)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1162
#5  0x00007ffff4763c9c in WebCore::RenderBlock::layoutRunsAndFloatsInRange (this=0x8c0938, layoutState=..., resolver=..., cleanLineStart=..., 
    cleanLineBidiStatus=..., consecutiveHyphenatedLines=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1579
#6  0x00007ffff4762260 in WebCore::RenderBlock::layoutRunsAndFloats (this=0x8c0938, layoutState=..., hasInlineChild=true)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1314
#7  0x00007ffff4765abc in WebCore::RenderBlockFlow::layoutInlineChildren (this=0x8c0938, relayoutChildren=true, repaintLogicalTop=..., 
    repaintLogicalBottom=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1895
#8  0x00007ffff4752d40 in WebCore::RenderBlockFlow::layoutBlock (this=0x8c0938, relayoutChildren=true, pageLogicalHeight=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:281
#9  0x00007ffff4720d3f in WebCore::RenderBlock::layout (this=0x8c0938) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlock.cpp:1388
#10 0x00007ffff4753d54 in WebCore::RenderBlockFlow::layoutBlockChild (this=0x8bd398, child=0x8c0938, marginInfo=..., previousFloatLogicalBottom=..., 
    maxFloatLogicalBottom=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:502
#11 0x00007ffff4753915 in WebCore::RenderBlockFlow::layoutBlockChildren (this=0x8bd398, relayoutChildren=true, maxFloatLogicalBottom=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:436
#12 0x00007ffff4752d61 in WebCore::RenderBlockFlow::layoutBlock (this=0x8bd398, relayoutChildren=true, pageLogicalHeight=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:283
#13 0x00007ffff4720d3f in WebCore::RenderBlock::layout (this=0x8bd398) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlock.cpp:1388
#14 0x00007ffff4753d54 in WebCore::RenderBlockFlow::layoutBlockChild (this=0x7612b8, child=0x8bd398, marginInfo=..., previousFloatLogicalBottom=..., 
    maxFloatLogicalBottom=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:502
#15 0x00007ffff4753915 in WebCore::RenderBlockFlow::layoutBlockChildren (this=0x7612b8, relayoutChildren=true, maxFloatLogicalBottom=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:436
#16 0x00007ffff4752d61 in WebCore::RenderBlockFlow::layoutBlock (this=0x7612b8, relayoutChildren=true, pageLogicalHeight=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:283
#17 0x00007ffff4720d3f in WebCore::RenderBlock::layout (this=0x7612b8) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlock.cpp:1388
#18 0x00007ffff48d3f51 in WebCore::RenderView::layoutContent (this=0x7612b8, state=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderView.cpp:152
#19 0x00007ffff48d4b0a in WebCore::RenderView::layout (this=0x7612b8) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderView.cpp:335
#20 0x00007ffff456af61 in WebCore::FrameView::layout (this=0x782070, allowSubtree=true)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/page/FrameView.cpp:1280
#21 0x00007ffff409863a in WebCore::Document::implicitClose (this=0x8a0680) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:2480
#22 0x00007ffff44a9053 in WebCore::FrameLoader::checkCallImplicitClose (this=0x771f80)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:850
#23 0x00007ffff44a8de7 in WebCore::FrameLoader::checkCompleted (this=0x771f80) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:793
#24 0x00007ffff44a8b42 in WebCore::FrameLoader::finishedParsing (this=0x771f80)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:726
#25 0x00007ffff409f62b in WebCore::Document::finishedParsing (this=0x8a0680) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:4439
#26 0x00007ffff42fcd9b in WebCore::HTMLConstructionSite::finishedParsing (this=0x77f2f8)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLConstructionSite.cpp:352
#27 0x00007ffff43338f3 in WebCore::HTMLTreeBuilder::finished (this=0x77f2e0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2908
#28 0x00007ffff43046ec in WebCore::HTMLDocumentParser::end (this=0x76eab0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:758
#29 0x00007ffff43047d7 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd (this=0x76eab0)
---Type <return> to continue, or q <return> to quit---
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:769
#30 0x00007ffff430341f in WebCore::HTMLDocumentParser::prepareToStopParsing (this=0x76eab0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:212
#31 0x00007ffff430481c in WebCore::HTMLDocumentParser::attemptToEnd (this=0x76eab0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:781
#32 0x00007ffff43048d5 in WebCore::HTMLDocumentParser::finish (this=0x76eab0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:830
#33 0x00007ffff44a0792 in WebCore::DocumentWriter::end (this=0x6e17a0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentWriter.cpp:245
#34 0x00007ffff4492d46 in WebCore::DocumentLoader::finishedLoading (this=0x6e1700, finishTime=0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:408
#35 0x00007ffff4492ab4 in WebCore::DocumentLoader::notifyFinished (this=0x6e1700, resource=0x7835a0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:345
#36 0x00007ffff4479bcc in WebCore::CachedResource::checkNotify (this=0x7835a0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:369
#37 0x00007ffff4479ca6 in WebCore::CachedResource::finishLoading (this=0x7835a0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:385
#38 0x00007ffff4476360 in WebCore::CachedRawResource::finishLoading (this=0x7835a0, data=0x7a74e0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedRawResource.cpp:94
#39 0x00007ffff44dcc2d in WebCore::SubresourceLoader::didFinishLoading (this=0x76c540, finishTime=0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/SubresourceLoader.cpp:283
#40 0x00007ffff44d34e7 in WebCore::ResourceLoader::didFinishLoading (this=0x76c540, finishTime=0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/ResourceLoader.cpp:489
#41 0x00007ffff49954b5 in WebCore::QNetworkReplyHandler::finish (this=0x7b2de0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:516
#42 0x00007ffff49940dd in WebCore::QNetworkReplyHandlerCallQueue::flush (this=0x7b2e18)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:250
#43 0x00007ffff4993ddb in WebCore::QNetworkReplyHandlerCallQueue::push (this=0x7b2e18, method=
    (void (WebCore::QNetworkReplyHandler::*)(WebCore::QNetworkReplyHandler * const)) 0x7ffff49952fa <WebCore::QNetworkReplyHandler::finish()>)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:216
#44 0x00007ffff4994da8 in WebCore::QNetworkReplyWrapper::didReceiveFinished (this=0x7a39c0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:409
#45 0x00007ffff4997728 in WebCore::QNetworkReplyWrapper::qt_static_metacall (_o=0x7a39c0, _c=QMetaObject::InvokeMetaMethod, _id=1, _a=0x7fffffffd160)
    at .moc/release-shared/moc_QNetworkReplyHandler.cpp:175
#46 0x00007ffff1d9ed71 in QMetaObject::activate(QObject*, int, int, void**) () from /usr/local/Trolltech/Qt5/Qt-5.1.1/lib/libQt5Core.so.5
#47 0x00007ffff1da033e in QObject::event(QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.1.1/lib/libQt5Core.so.5
#48 0x00007ffff2c6ea24 in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.1.1/lib/libQt5Widgets.so.5
#49 0x00007ffff2c71eb6 in QApplication::notify(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.1.1/lib/libQt5Widgets.so.5
#50 0x00007ffff1d778f4 in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.1.1/lib/libQt5Core.so.5
#51 0x00007ffff1d7a1a9 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) ()
   from /usr/local/Trolltech/Qt5/Qt-5.1.1/lib/libQt5Core.so.5
#52 0x00007ffff1dc19c3 in ?? () from /usr/local/Trolltech/Qt5/Qt-5.1.1/lib/libQt5Core.so.5
#53 0x00007fffeeb88d53 in g_main_dispatch (context=0x658120) at /build/buildd/glib2.0-2.32.3/./glib/gmain.c:2539
#54 g_main_context_dispatch (context=0x658120) at /build/buildd/glib2.0-2.32.3/./glib/gmain.c:3075
#55 0x00007fffeeb890a0 in g_main_context_iterate (dispatch=1, block=<optimized out>, context=0x658120, self=<optimized out>)
    at /build/buildd/glib2.0-2.32.3/./glib/gmain.c:3146
#56 g_main_context_iterate (context=0x658120, block=<optimized out>, dispatch=1, self=<optimized out>) at /build/buildd/glib2.0-2.32.3/./glib/gmain.c:3083
#57 0x00007fffeeb89164 in g_main_context_iteration (context=0x658120, may_block=1) at /build/buildd/glib2.0-2.32.3/./glib/gmain.c:3207
#58 0x00007ffff1dc1e04 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
   from /usr/local/Trolltech/Qt5/Qt-5.1.1/lib/libQt5Core.so.5
#59 0x00007ffff1d7668b in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt5/Qt-5.1.1/lib/libQt5Core.so.5
#60 0x00007ffff1d7a6de in QCoreApplication::exec() () from /usr/local/Trolltech/Qt5/Qt-5.1.1/lib/libQt5Core.so.5
#61 0x0000000000421e9e in launcherMain (app=...) at /home/reni/Data/REPOS/webkit_sec/Tools/QtTestBrowser/qttestbrowser.cpp:50
---Type <return> to continue, or q <return> to quit---
#62 0x0000000000423be5 in main (argc=2, argv=0x7fffffffdea8) at /home/reni/Data/REPOS/webkit_sec/Tools/QtTestBrowser/qttestbrowser.cpp:319

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.



More information about the webkit-unassigned mailing list