Bug 5777

Summary: REGRESSION: ToT crashes applying first-letter pseudo-property
Product: WebKit
Reporter: mitz
Component: Layout and Rendering
Assignee: Dave Hyatt <hyatt>
Status: VERIFIED FIXED
Severity: Blocker
CC: eric, webkit-bugs
Priority: P1
Version: 420+
Hardware: Mac
OS: OS X 10.4
Attachments:
  testcase for first-letter regression (Flags: none)
  Hyatt's original patch. (Flags: none)

Description mitz 2005-11-19 16:18:52 PST
Safari and DumpRenderTree crash when opening the css1/pseudo/firstletter.html layout test.

This is a very fresh regression (probably <48h).

Backtrace (from DRT):

0   com.apple.WebCore        	0x013c4ae4 khtml::RenderStyle::isFloating() const + 20 (render_style.h:1175)
1   com.apple.WebCore        	0x0125e384 khtml::RenderBlock::updateFirstLetter() + 1096 (render_block.cpp:3339)
2   com.apple.WebCore        	0x011c9398 khtml::RenderObject::recalcMinMaxWidths() + 260 (render_object.cpp:2286)
3   com.apple.WebCore        	0x011c9494 khtml::RenderObject::recalcMinMaxWidths() + 512 (render_object.cpp:2298)
4   com.apple.WebCore        	0x011c9494 khtml::RenderObject::recalcMinMaxWidths() + 512 (render_object.cpp:2298)
5   com.apple.WebCore        	0x011c9494 khtml::RenderObject::recalcMinMaxWidths() + 512 (render_object.cpp:2298)
6   com.apple.WebCore        	0x0126c464 khtml::RenderCanvas::layout() + 412 (render_canvas.cpp:156)
7   com.apple.WebCore        	0x010a8458 KHTMLView::layout() + 1660 (khtmlview.cpp:689)
8   com.apple.WebCore        	0x011f7b50 DOM::DocumentImpl::implicitClose() + 1316 (dom_docimpl.cpp:1468)
9   com.apple.WebCore        	0x010a30b4 KHTMLPart::checkEmitLoadEvent() + 916 (khtml_part.cpp:2027)
10  com.apple.WebCore        	0x010a32d0 KHTMLPart::checkCompleted() + 520 (khtml_part.cpp:1950)
11  com.apple.WebCore        	0x010a47dc KHTMLPart::slotLoaderRequestDone(khtml::DocLoader*, khtml::CachedObject*) + 60 (khtml_part.cpp:1864)
12  com.apple.WebCore        	0x012342c0 KWQSlot::call(khtml::DocLoader*, khtml::CachedObject*) const + 128 (KWQSlot.mm:353)
13  com.apple.WebCore        	0x0123354c KWQSignal::call(khtml::DocLoader*, khtml::CachedObject*) const + 232 (KWQSignal.mm:147)
14  com.apple.WebCore        	0x010670e4 khtml::Loader::requestDone(khtml::DocLoader*, khtml::CachedObject*) + 60 (KWQSignalStubs.mm:45)
15  com.apple.WebCore        	0x0118a390 khtml::Loader::slotFinished(KIO::Job*, NSData*) + 712 (loader.cpp:1674)
16  com.apple.WebCore        	0x01234674 KWQSlot::callWithData(KIO::Job*, NSData*) const + 108 (KWQSlot.mm:323)
17  com.apple.WebCore        	0x01233184 KWQSignal::callWithData(KIO::Job*, NSData*) const + 232 (KWQSignal.mm:183)
18  com.apple.WebCore        	0x01038e60 KIO::TransferJob::emitResult(NSData*) + 72 (KWQKJobClasses.mm:243)
19  com.apple.WebCore        	0x0123fff8 -[KWQResourceLoader finishJobAndHandle:] + 124 (KWQResourceLoader.mm:95)
20  com.apple.WebCore        	0x01240294 -[KWQResourceLoader finishWithData:] + 196 (KWQResourceLoader.mm:126)
21  com.apple.WebKit         	0x002425ec -[WebSubresourceLoader didFinishLoading] + 132 (WebSubresourceLoader.m:218)
22  com.apple.WebKit         	0x00251124 -[WebLoader connectionDidFinishLoading:] + 184 (WebLoader.m:663)
23  com.apple.Foundation     	0x92910cdc -[NSURLConnection(NSURLConnectionInternal) _sendDidFinishLoadingCallback] + 188
24  com.apple.Foundation     	0x9290ef48 -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] + 556
25  com.apple.Foundation     	0x9290eca0 _sendCallbacks + 156
26  com.apple.CoreFoundation 	0x9075da5c __CFRunLoopDoSources0 + 384
27  com.apple.CoreFoundation 	0x9075cf8c __CFRunLoopRun + 452
28  com.apple.CoreFoundation 	0x9075ca0c CFRunLoopRunSpecific + 268
29  com.apple.Foundation     	0x928ed664 -[NSRunLoop runMode:beforeDate:] + 172
30  DumpRenderTree           	0x00006094 dumpRenderTree + 740 (DumpRenderTree.m:567)
31  DumpRenderTree           	0x00003a60 main + 2244 (DumpRenderTree.m:171)
32  DumpRenderTree           	0x000029f4 _start + 340 (crt.c:272)
33  DumpRenderTree           	0x0000289c start + 60
Comment 1 Daniel Udey 2005-11-19 16:35:19 PST
Created attachment 4737 [details]
testcase for first-letter regression

ToT crashes when applying styles to the first-letter pseudo-property of an
element. This example uses a paragraph tag, but the result is the same with any
tag tested.
Comment 2 mitz 2005-11-20 08:55:19 PST
*** Bug 5780 has been marked as a duplicate of this bug. ***
Comment 3 mitz 2005-11-20 09:16:48 PST
Looks like a regression from

2005-11-17  David Hyatt  <hyatt@apple.com>

	Add support for getMatchedCSSRules, an API that can be used to
	inspect the set of rules that match on an element.  From Obj-C
	you see all rules (user agent, author, user).  From JS you just
	see author rules.

(Rolling out the patch eliminates this bug).
Comment 4 mitz 2005-11-20 10:00:09 PST
This is the culprit (from that patch):

  --- cssstyleselector.cpp	2 Nov 2005 08:52:40 -0000	1.220
  +++ cssstyleselector.cpp	17 Nov 2005 21:28:10 -0000	1.221
  @@ -377,8 +378,16 @@
       sortMatchedRules(0, m_matchedRuleCount);
       
       // Now transfer the set of matched rules over to our list of decls.
  -    for (unsigned i = 0; i < m_matchedRuleCount; i++)
  -        addMatchedDeclaration(m_matchedRules[i]->rule()->declaration());
  +    if (style) {
  +        for (unsigned i = 0; i < m_matchedRuleCount; i++)
  +            addMatchedDeclaration(m_matchedRules[i]->rule()->declaration());
  +    } else {
  +        for (unsigned i = 0; i < m_matchedRuleCount; i++) {
  +            if (!m_ruleList)
  +                m_ruleList = new CSSRuleListImpl();
  +            m_ruleList->append(m_matchedRules[i]->rule());
  +        }
  +    }
   }
   
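Review bot: the `if (style)` / `else` split in this hunk changes behaviour for every caller that reaches this point with a null `style`, not only the new getMatchedCSSRules path. Before the change the loop unconditionally called `addMatchedDeclaration(m_matchedRules[i]->rule()->declaration())`; now a null `style` silently skips applying the declarations and instead allocates `m_ruleList` and appends the raw rules, so any pre-existing caller that legitimately passes a null style gets an unpopulated style plus a rule list it never asked for, which is consistent with the `RenderStyle::isFloating()` crash under `updateFirstLetter()` in the backtrace above. Suggest selecting the collect-rules-only mode with an explicit member set by the getMatchedCSSRules entry point (for example a hypothetical `m_collectRulesOnly` flag) rather than overloading a null `style`, and stating in a comment who owns `m_ruleList` and where it is reset between calls.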
Comment 5 Rosyna 2005-11-20 11:58:23 PST
*** Bug 5781 has been marked as a duplicate of this bug. ***
Comment 6 Eric Seidel (no email) 2005-11-20 13:42:16 PST
Created attachment 4750 [details]
Hyatt's original patch.
Comment 7 Eric Seidel (no email) 2005-11-20 13:42:38 PST
I rolled out hyatt's patch (which I have attached).
Comment 8 Joost de Valk (AlthA) 2006-01-22 04:51:56 PST
Removing keyword(s) because bug is fixed.
Comment 9 Joost de Valk (AlthA) 2006-01-22 04:54:30 PST
Removing keyword(s) since bug is fixed.
Comment 10 Joost de Valk (AlthA) 2006-01-22 05:00:00 PST
Removing keyword(s) since bug is fixed.
Comment 11 Eric Seidel (no email) 2006-01-31 21:20:51 PST
Removing Regression keyword from bugs already fixed.