Bug 12416 - REGRESSION: Nightly Safari crashes on a site using the canvas tag & JavaScript
Summary: REGRESSION: Nightly Safari crashes on a site using the canvas tag & JavaScript
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: 420+
Hardware: Mac (Intel) OS X 10.4
: P1 Normal
Assignee: Nobody
URL: http://bennolan.com/articles/2007/01/...
Keywords: HasReduction, InRadar, Regression
Depends on:
Blocks:
 
Reported: 2007-01-26 09:06 PST by Thomas Steinacher
Modified: 2007-02-09 14:46 PST

Attachments
the crash log (20.64 KB, text/plain)
2007-01-26 09:07 PST, Thomas Steinacher
Reduction of this case down to the game (18.30 KB, application/x-gzip)
2007-02-07 20:13 PST, Charles Ying

Description Thomas Steinacher 2007-01-26 09:06:25 PST
Go to: http://bennolan.com/articles/2007/01/24/moon-lander-using-the-canvas-tag
Try pressing the arrow keys and/or reloading the page. The current WebKit build (19136) will crash.
Comment 1 Thomas Steinacher 2007-01-26 09:07:48 PST
Created attachment 12684
the crash log
Comment 2 Alexey Proskuryakov 2007-01-26 10:24:43 PST
Confirmed with r19158.

0    WebCore::Node::renderer() const + 20 (Node.h:322)
1    WebCore::SelectionController::xPosForVerticalArrowNavigation(WebCore::SelectionController::EPositionType, bool) const + 644 (SelectionController.cpp:657)
2    WebCore::SelectionController::modifyMovingLeftBackward(WebCore::TextGranularity) + 796 (SelectionController.cpp:386)
3    WebCore::SelectionController::modify(WebCore::SelectionController::EAlteration, WebCore::SelectionController::EDirection, WebCore::TextGranularity, bool) + 600 (SelectionController.cpp:491)
4    WebCore::SelectionController::modify(WebCore::SelectionController::EAlteration, WebCore::SelectionController::EDirection, WebCore::TextGranularity, bool) + 132 (SelectionController.cpp:466)
5    WebCore::execMoveUp(WebCore::Frame*) + 60 (Editor.cpp:920)
6    WebCore::Editor::execCommand(WebCore::String const&) + 280 (Editor.cpp:1167)
7    -[WebHTMLView moveUp:] + 144 (WebHTMLView.mm:3587)
8    -[WebHTMLView(WebNSTextInputSupport) doCommandBySelector:] + 300 (WebHTMLView.mm:5471)
9    -[NSKeyBindingManager(NSKeyBindingManager_MultiClients) interpretEventAsCommand:forClient:] + 1700
Comment 3 Mark Rowe (bdash) 2007-01-28 15:52:37 PST
<rdar://problem/4960116>
Comment 4 Andrew Wellington 2007-01-29 04:18:53 PST
I can't reproduce this in r19216.
Comment 5 Mark Rowe (bdash) 2007-01-29 04:25:11 PST
I can reproduce this with r19208 (debug) and r19216 (release).  I loaded the page, clicked in the canvas area, and mashed the arrow keys for a few seconds.  It worked first time in the debug build and second time in release build, so it may not be completely simple to reproduce.
Comment 6 Justin Garcia 2007-02-06 14:50:41 PST
To repro reliably with r19136 you must load the URL while Safari is the active application.  Wait for the page to load, then press one of the arrow keys.  I can't reproduce with the latest nightly (r19418+).  Closing.
Comment 7 Mark Rowe (bdash) 2007-02-06 16:02:24 PST
This still reproduces very easily with r19445.  Steps as follows:
1. Load http://bennolan.com/articles/2007/01/24/moon-lander-using-the-canvas-tag and wait for it to complete.
2. Hit reload.
3. As the page loads, click in the white space where the canvas element will appear.
4. Press and hold the down arrow key.
Comment 8 Charles Ying 2007-02-07 20:13:24 PST
Created attachment 13039
Reduction of this case down to the game

I couldn't get it to automatically trigger the bug, so I suspect the down arrow is holding up some event queue and colliding with some other code.
Comment 9 Charles Ying 2007-02-07 20:16:57 PST
Reduction attached! woot!
Comment 10 Justin Garcia 2007-02-09 14:46:18 PST
Fixed in r19543.