[Webkit-unassigned] [Bug 204527] New: Null Ptr Deref @ WebCore::RenderLayoutState::pageLogicalHeight const

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Nov 22 11:10:53 PST 2019 

https://bugs.webkit.org/show_bug.cgi?id=204527

            Bug ID: 204527
           Summary: Null Ptr Deref @
                    WebCore::RenderLayoutState::pageLogicalHeight const
           Product: WebKit
           Version: WebKit Local Build
          Hardware: All
                OS: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Layout and Rendering
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: shihchieh_lee at apple.com
                CC: bfulgham at webkit.org, simon.fraser at apple.com,
                    zalan at apple.com

Created attachment 384174

  --> https://bugs.webkit.org/attachment.cgi?id=384174&action=review

html for reproducing this bug

run-webkit-tests with a randomly generated html. See attachment.

0   com.apple.WebCore                   0x000000011ffae71c WebCore::RenderLayoutState::pageLogicalHeight() const + 12
1   com.apple.WebCore                   0x00000001201b9302 WebCore::RenderTable::layout() + 4482
2   com.apple.WebCore                   0x000000011ff06b3c WebCore::RenderElement::layoutIfNeeded() + 60
3   com.apple.WebCore                   0x000000012009a24d WebCore::RenderGrid::performGridItemsPreLayout(WebCore::GridTrackSizingAlgorithm const&) const + 269
4   com.apple.WebCore                   0x000000012009aa56 WebCore::RenderGrid::computeIntrinsicLogicalWidths(WebCore::LayoutUnit&, WebCore::LayoutUnit&) const + 182
5   com.apple.WebCore                   0x000000011ffba2a3 WebCore::RenderBlock::computePreferredLogicalWidths() + 467
6   com.apple.WebCore                   0x000000011ffe0b21 WebCore::RenderBox::maxPreferredLogicalWidth() const + 81
7   com.apple.WebCore                   0x000000012016bbd9 WebCore::RenderMarquee::computePosition(WebCore::MarqueeDirection, bool) + 233
8   com.apple.WebCore                   0x000000012016c226 WebCore::RenderMarquee::updateMarqueePosition() + 134
9   com.apple.WebCore                   0x00000001200da528 WebCore::RenderLayer::updateLayerPositions(WebCore::RenderGeometryMap*, WTF::OptionSet<WebCore::RenderLayer::UpdateLayerPositionsFlag>) + 2184
10  com.apple.WebCore                   0x00000001200da49b WebCore::RenderLayer::updateLayerPositions(WebCore::RenderGeometryMap*, WTF::OptionSet<WebCore::RenderLayer::UpdateLayerPositionsFlag>) + 2043
11  com.apple.WebCore                   0x00000001200da49b WebCore::RenderLayer::updateLayerPositions(WebCore::RenderGeometryMap*, WTF::OptionSet<WebCore::RenderLayer::UpdateLayerPositionsFlag>) + 2043
12  com.apple.WebCore                   0x00000001200da49b WebCore::RenderLayer::updateLayerPositions(WebCore::RenderGeometryMap*, WTF::OptionSet<WebCore::RenderLayer::UpdateLayerPositionsFlag>) + 2043
13  com.apple.WebCore                   0x00000001200da7cf WebCore::RenderLayer::updateLayerPositionsAfterLayout(bool, bool) + 207
14  com.apple.WebCore                   0x000000011f89d8eb WebCore::FrameView::didLayout(WTF::WeakPtr<WebCore::RenderElement>) + 139
15  com.apple.WebCore                   0x000000011f8d7c00 WebCore::FrameViewLayoutContext::layout() + 2800
16  com.apple.WebCore                   0x000000011f891f33 WebCore::FrameView::forceLayout(bool) + 99
17  com.apple.WebKitLegacy              0x000000010f50101e -[WebHTMLView layoutToMinimumPageWidth:height:originalPageWidth:originalPageHeight:maximumShrinkRatio:adjustingViewSize:] + 526
18  com.apple.WebKitLegacy              0x000000010f5010ba -[WebHTMLView layout] + 74
19  com.apple.WebKitLegacy              0x000000010f5ba6da -[WebDynamicScrollBarsView(WebInternal) updateScrollers] + 250
20  com.apple.WebKitLegacy              0x000000010f5bb343 -[WebDynamicScrollBarsView(WebInternal) reflectScrolledClipView:] + 227
21  com.apple.AppKit                    0x00007fff325a1b1a __45-[NSClipView _reflectDocumentViewFrameChange]_block_invoke + 95
22  com.apple.AppKit                    0x00007fff325a1912 -[NSClipView _reflectDocumentViewFrameChange] + 634
23  com.apple.AppKit                    0x00007fff3253cccd -[NSView _postFrameChangeNotification] + 82
24  com.apple.AppKit                    0x00007fff32536ac0 -[NSView setFrameSize:] + 3248
25  com.apple.WebCore                   0x000000011e01516a WebCore::ScrollView::platformSetContentsSize() + 490
26  com.apple.WebCore                   0x000000011faa3de0 WebCore::ScrollView::setContentsSize(WebCore::IntSize const&) + 112
27  com.apple.WebCore                   0x000000011f898d0f WebCore::FrameView::setContentsSize(WebCore::IntSize const&) + 111
28  com.apple.WebCore                   0x000000011f8921f9 WebCore::FrameView::adjustViewSize() + 697
29  com.apple.WebCore                   0x000000011f8d7a79 WebCore::FrameViewLayoutContext::layout() + 2409
30  com.apple.WebCore                   0x000000011f878d8c WebCore::FrameView::updateLayoutAndStyleIfNeededRecursive() + 300
31  com.apple.WebCore                   0x000000011f8fadfc WebCore::Page::layoutIfNeeded() + 60
32  com.apple.WebCore                   0x000000011f8faeaa WebCore::Page::updateRendering() + 154
33  com.apple.WebKitLegacy              0x000000010f53deb6 -[WebView(WebPrivate) _viewWillDrawInternal] + 86
34  com.apple.WebKitLegacy              0x000000010f56553c LayerFlushController::flushLayers() + 76
35  com.apple.WebKitLegacy              0x000000010f653849 WebViewLayerFlushScheduler::layerFlushCallback() + 57
36  com.apple.WebKitLegacy              0x000000010f654c08 WebViewLayerFlushScheduler::WebViewLayerFlushScheduler(LayerFlushController*)::$_0::operator()() const + 24
37  com.apple.WebKitLegacy              0x000000010f654bc9 WTF::Detail::CallableWrapper<WebViewLayerFlushScheduler::WebViewLayerFlushScheduler(LayerFlushController*)::$_0, void>::call() + 25
38  com.apple.WebCore                   0x000000011c65d87a WTF::Function<void ()>::operator()() const + 138
39  com.apple.WebCore                   0x000000011fb2a66c WebCore::RunLoopObserver::runLoopObserverFired() + 140
40  com.apple.WebCore                   0x000000011fb2a5d0 WebCore::RunLoopObserver::runLoopObserverFired(__CFRunLoopObserver*, unsigned long, void*) + 32
41  com.apple.CoreFoundation            0x00007fff35327d6c __CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ + 23
42  com.apple.CoreFoundation            0x00007fff35327c9c __CFRunLoopDoObservers + 457
43  com.apple.CoreFoundation            0x00007fff352cb79b __CFRunLoopRun + 1179
44  com.apple.CoreFoundation            0x00007fff352cb083 CFRunLoopRunSpecific + 466
45  DumpRenderTree                      0x000000010889357d runTest(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) + 3405 (DumpRenderTree.mm:2103)
46  DumpRenderTree                      0x0000000108891f24 dumpRenderTree(int, char const**) + 708 (DumpRenderTree.mm:1333)
47  DumpRenderTree                      0x0000000108893f7d DumpRenderTreeMain(int, char const**) + 109 (DumpRenderTree.mm:1449)
48  DumpRenderTree                      0x00000001089131b2 main + 34 (DumpRenderTreeMain.mm:34)
49                      0x00007fff6d0622d5 start + 1

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20191122/2beef6d2/attachment-0001.htm>

More information about the webkit-unassigned mailing list