[Webkit-unassigned] [Bug 140261] New: Null ptr crash in WebCore::LogicalSelectionOffsetCaches::ContainingBlockInfo::setBlock

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jan 8 11:26:42 PST 2015 

https://bugs.webkit.org/show_bug.cgi?id=140261

            Bug ID: 140261
           Summary: Null ptr crash in
                    WebCore::LogicalSelectionOffsetCaches::ContainingBlock
                    Info::setBlock
    Classification: Unclassified
           Product: WebKit
           Version: 528+ (Nightly build)
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Layout and Rendering
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: rhodovan.u-szeged at partner.samsung.com
                CC: hyatt at apple.com, rniwa at webkit.org
            Blocks: 116980

Created attachment 244274
  --> https://bugs.webkit.org/attachment.cgi?id=244274&action=review
Test case

The following test crashes in release/debug WK:

<!DOCTYPE html>
<body contenteditable>
    <div></div>
    <abbr>
        <label>
            <textarea></textarea>
        </label>
        <embed></embed>
    </abbr>
</body>
<script>
    document.execCommand("selectall", false, null);
    document.execCommand("insertorderedlist", false, null);
</script>

The crashing line is:

m_hasFloatsOrFlowThreads = m_hasFloatsOrFlowThreads || m_block->containsFloats() || m_block->flowThreadContainingBlock();

where m_block is null.


Backtrace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fff98984700 (LWP 13967)]
0x00007ffff3874669 in WebCore::LogicalSelectionOffsetCaches::ContainingBlockInfo::setBlock (this=0x7fffffffa4b0, 
    block=0x0, cache=0x0) at ../../Source/WebCore/rendering/LogicalSelectionOffsetCaches.h:95
95              m_hasFloatsOrFlowThreads = m_hasFloatsOrFlowThreads || m_block->containsFloats() || m_block->flowThreadContainingBlock();
(gdb) bt
#0  0x00007ffff3874669 in WebCore::LogicalSelectionOffsetCaches::ContainingBlockInfo::setBlock (
    this=0x7fffffffa4b0, block=0x0, cache=0x0) at ../../Source/WebCore/rendering/LogicalSelectionOffsetCaches.h:95
#1  0x00007ffff38749e0 in WebCore::LogicalSelectionOffsetCaches::LogicalSelectionOffsetCaches (this=0x7fffffffa4b0, 
    rootBlock=...) at ../../Source/WebCore/rendering/LogicalSelectionOffsetCaches.h:147
#2  0x00007ffff3865b00 in WebCore::RenderBlock::selectionGapRectsForRepaint (this=0x7ffff7f16300, repaintContainer=
    0x0) at ../../Source/WebCore/rendering/RenderBlock.cpp:1772
#3  0x00007ffff3354dc6 in WebCore::RenderBlock::selectionRectForRepaint (this=0x7ffff7f16300, repaintContainer=0x0)
    at ../../Source/WebCore/rendering/RenderBlock.h:462
#4  0x00007ffff3a12170 in WebCore::RenderSelectionInfo::RenderSelectionInfo (this=0x7fff982a92d8, renderer=..., 
    clipToVisibleContent=true) at ../../Source/WebCore/rendering/RenderSelectionInfo.cpp:52
#5  0x00007ffff3a661f1 in std::make_unique<WebCore::RenderSelectionInfo, WebCore::RenderObject&, bool>(WebCore::RenderObject&, bool&&) () at ../../Source/WTF/wtf/StdLibExtras.h:337
#6  0x00007ffff3a61a30 in WebCore::RenderView::clearSubtreeSelection (this=0x7fff88f09480, root=..., 
    blockRepaintMode=WebCore::RenderView::RepaintNewMinusOld, oldSelectionData=...)
    at ../../Source/WebCore/rendering/RenderView.cpp:963
#7  0x00007ffff3a615d1 in WebCore::RenderView::updateSelectionForSubtrees (this=0x7fff88f09480, 
    renderSubtreesMap=..., blockRepaintMode=WebCore::RenderView::RepaintNewMinusOld)
    at ../../Source/WebCore/rendering/RenderView.cpp:927
#8  0x00007ffff3a6105f in WebCore::RenderView::setSelection (this=0x7fff88f09480, start=0x0, startPos=-1, end=0x0, 
    endPos=-1, blockRepaintMode=WebCore::RenderView::RepaintNewMinusOld)
    at ../../Source/WebCore/rendering/RenderView.cpp:873
#9  0x00007ffff3a62b0d in WebCore::RenderView::clearSelection (this=0x7fff88f09480)
    at ../../Source/WebCore/rendering/RenderView.cpp:1097
#10 0x00007ffff31090eb in WebCore::FrameSelection::setNeedsSelectionUpdate (this=0x7ffff7f34c60)
    at ../../Source/WebCore/editing/FrameSelection.cpp:360
#11 0x00007ffff390ac19 in WebCore::RenderElement::removeChildInternal (this=0x7ffff7f26af8, oldChild=..., 
    notifyChildren=WebCore::RenderElement::NotifyChildren) at ../../Source/WebCore/rendering/RenderElement.cpp:623
#12 0x00007ffff395bacd in WebCore::RenderInline::splitInlines (this=0x7ffff7f26af8, fromBlock=0x7ffff7f163c0, 
    toBlock=0x7fff88f18cc0, middleBlock=0x7ffff7f16900, beforeChild=0x7ffff7ed55a0, oldCont=0x0)
    at ../../Source/WebCore/rendering/RenderInline.cpp:367
#13 0x00007ffff395c074 in WebCore::RenderInline::splitFlow (this=0x7ffff7f26af8, beforeChild=0x7ffff7ed55a0, 
    newBlockBox=0x7ffff7f16900, newChild=0x7ffff7f16240, oldCont=0x0)
    at ../../Source/WebCore/rendering/RenderInline.cpp:483
#14 0x00007ffff395b8a9 in WebCore::RenderInline::addChildIgnoringContinuation (this=0x7ffff7f26af8, 
    newChild=0x7ffff7f16240, beforeChild=0x7ffff7ed55a0) at ../../Source/WebCore/rendering/RenderInline.cpp:325
#15 0x00007ffff395b5aa in WebCore::RenderInline::addChild (this=0x7ffff7f26af8, newChild=0x7ffff7f16240, 
    beforeChild=0x7ffff7ed55a0) at ../../Source/WebCore/rendering/RenderInline.cpp:267
#16 0x00007ffff3b5a086 in WebCore::Style::RenderTreePosition::insert (this=0x7fffffffad00, renderer=...)
    at ../../Source/WebCore/style/StyleResolveTree.cpp:222
#17 0x00007ffff3b5a810 in WebCore::Style::createRendererIfNeeded (element=..., inheritedStyle=..., 
    renderTreePosition=..., resolvedStyle=...) at ../../Source/WebCore/style/StyleResolveTree.cpp:334
#18 0x00007ffff3b5bb09 in WebCore::Style::attachRenderTree (current=..., inheritedStyle=..., 
    renderTreePosition=..., resolvedStyle=...) at ../../Source/WebCore/style/StyleResolveTree.cpp:615
#19 0x00007ffff3b5c3fc in WebCore::Style::resolveLocal (current=..., inheritedStyle=..., renderTreePosition=..., 
    inheritedChange=WebCore::Style::NoChange) at ../../Source/WebCore/style/StyleResolveTree.cpp:756
#20 0x00007ffff3b5cb93 in WebCore::Style::resolveTree (current=..., inheritedStyle=..., renderTreePosition=..., 
    change=WebCore::Style::NoChange) at ../../Source/WebCore/style/StyleResolveTree.cpp:918
#21 0x00007ffff3b5ce02 in WebCore::Style::resolveTree (current=..., inheritedStyle=..., renderTreePosition=..., 
    change=WebCore::Style::NoChange) at ../../Source/WebCore/style/StyleResolveTree.cpp:955
#22 0x00007ffff3b5ce02 in WebCore::Style::resolveTree (current=..., inheritedStyle=..., renderTreePosition=..., 
    change=WebCore::Style::NoChange) at ../../Source/WebCore/style/StyleResolveTree.cpp:955
#23 0x00007ffff3b5ce02 in WebCore::Style::resolveTree (current=..., inheritedStyle=..., renderTreePosition=..., 
    change=WebCore::Style::NoChange) at ../../Source/WebCore/style/StyleResolveTree.cpp:955
#24 0x00007ffff3b5d0a3 in WebCore::Style::resolveTree (document=..., change=WebCore::Style::NoChange)
    at ../../Source/WebCore/style/StyleResolveTree.cpp:995
#25 0x00007ffff2f85e58 in WebCore::Document::recalcStyle (this=0x7fff88f0b000, change=WebCore::Style::NoChange)
    at ../../Source/WebCore/dom/Document.cpp:1771
#26 0x00007ffff2f8614f in WebCore::Document::updateStyleIfNeeded (this=0x7fff88f0b000)
    at ../../Source/WebCore/dom/Document.cpp:1819
#27 0x00007ffff2f86242 in WebCore::Document::updateLayout (this=0x7fff88f0b000)
    at ../../Source/WebCore/dom/Document.cpp:1838
#28 0x00007ffff2f863b2 in WebCore::Document::updateLayoutIgnorePendingStylesheets (this=0x7fff88f0b000, 
    runPostLayoutTasks=WebCore::Document::Asynchronously) at ../../Source/WebCore/dom/Document.cpp:1876
#29 0x00007ffff3159969 in WebCore::VisiblePosition::canonicalPosition (this=0x7fffffffb740, passedPosition=...)
    at ../../Source/WebCore/editing/VisiblePosition.cpp:519
#30 0x00007ffff3157529 in WebCore::VisiblePosition::init (this=0x7fffffffb740, position=..., 
    affinity=WebCore::DOWNSTREAM) at ../../Source/WebCore/editing/VisiblePosition.cpp:58
#31 0x00007ffff31574ce in WebCore::VisiblePosition::VisiblePosition (this=0x7fffffffb740, pos=..., 
    affinity=WebCore::DOWNSTREAM) at ../../Source/WebCore/editing/VisiblePosition.cpp:51
#32 0x00007ffff311d51e in WebCore::InsertListCommand::listifyParagraph (this=0x7fff88f1cf00, originalStart=..., 
    listTag=...) at ../../Source/WebCore/editing/InsertListCommand.cpp:393
#33 0x00007ffff311bc17 in WebCore::InsertListCommand::doApplyForSingleParagraph (this=0x7fff88f1cf00, 
    forceCreateList=false, listTag=..., currentSelection=0x7fff982a52c0)
    at ../../Source/WebCore/editing/InsertListCommand.cpp:256
#34 0x00007ffff311aff2 in WebCore::InsertListCommand::doApply (this=0x7fff88f1cf00)
    at ../../Source/WebCore/editing/InsertListCommand.cpp:192
#35 0x00007ffff30bbd9b in WebCore::CompositeEditCommand::apply (this=0x7fff88f1cf00)
    at ../../Source/WebCore/editing/CompositeEditCommand.cpp:207
#36 0x00007ffff30bbb51 in WebCore::applyCommand (command=...)
    at ../../Source/WebCore/editing/CompositeEditCommand.cpp:167
#37 0x00007ffff3100164 in WebCore::executeInsertOrderedList (frame=...)
    at ../../Source/WebCore/editing/EditorCommand.cpp:549
#38 0x00007ffff310389d in WebCore::Editor::Command::execute (this=0x7fffffffbed0, parameter=..., triggeringEvent=
    0x0) at ../../Source/WebCore/editing/EditorCommand.cpp:1726
#39 0x00007ffff2f90206 in WebCore::Document::execCommand (this=0x7fff88f0b000, commandName=..., 
    userInterface=false, value=...) at ../../Source/WebCore/dom/Document.cpp:4357
#40 0x00007ffff3fd71f0 in WebCore::jsDocumentPrototypeFunctionExecCommand (exec=0x7fffffffbfd0)
    at DerivedSources/WebCore/JSDocument.cpp:4545
#41 0x00007fff99c7b0b4 in ?? ()
#42 0x00007fffffffc030 in ?? ()
#43 0x00007fffed8d2fa7 in llint_entry ()
   from /home/reni/data/REPOS/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20150108/d4ffc15e/attachment-0002.html>

More information about the webkit-unassigned mailing list