Bug 12947 - REGRESSION: ASSERTION FAILED: maxWidth >= 0 in StringTruncator.cpp:109 in WebCore::truncateString()
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: 523.x (Safari 3)
Hardware: Mac (Intel) OS X 10.4
Priority/Severity: P1 Normal
Assignee: Nobody
URL: http://www.network-drivers.com/driver...
Keywords: HasReduction, Regression
Duplicates: 12540
Depends on:
Blocks:
 
Reported: 2007-03-02 11:03 PST by David Kilzer (:ddkilzer)
Modified: 2024-05-07 21:28 PDT

See Also:


Attachments
Reduction (568 bytes, text/html)
2007-03-02 16:30 PST, Jeff McGlynn
Patch (2.15 KB, patch)
2007-03-05 00:51 PST, Mark Rowe (bdash)
lars.knoll: review+

Description David Kilzer (:ddkilzer) 2007-03-02 11:03:09 PST
Summary:

Opening a page in a background tab (via command-clicking) that opens a pop-under window causes an assertion failure in a debug build of WebKit.

Steps to reproduce:

1. Open Safari/WebKit.
2. Make sure the "popunder" cookie for network-drivers.com is NOT set via Safari preferences.
3. Make sure "Block Pop-Up Windows" is NOT set.
4. Command-click on URL:  http://www.network-drivers.com/drivers/53/53064.htm

Expected results:

The page should open without an assertion failure.

Actual results:

The page causes an assertion failure and Safari/WebKit crashes on a debug build.

Regression:

Not tested for regression with Safari 2.0.4 yet.

Notes:

Console output from assertion failure:

ASSERTION FAILED: maxWidth >= 0
(/Users/dkilzer/Projects/WebKit/WebCore/platform/StringTruncator.cpp:109 WebCore::String WebCore::truncateString(const WebCore::String&, float, const WebCore::Font&, unsigned int (*)(const WebCore::String&, unsigned int, unsigned int, UChar*)))
Segmentation fault

Stack trace:

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_INVALID_ADDRESS (0x0001) at 0xbbadbeef

Thread 0 Crashed:
0   com.apple.WebCore        	0x013c7cbc WebCore::truncateString(WebCore::String const&, float, WebCore::Font const&, unsigned (*)(WebCore::String const&, unsigned, unsigned, unsigned short*)) + 124
1   com.apple.WebCore        	0x013c81c9 WebCore::StringTruncator::centerTruncate(WebCore::String const&, float, WebCore::Font const&) + 57
2   com.apple.WebKit         	0x00311149 +[WebStringTruncator centerTruncateString:toWidth:withFont:] + 67 (WebStringTruncator.m:74)
3   com.apple.Safari         	0x000108f3 0x1000 + 63731
4   com.apple.AppKit         	0x93375246 -[NSView resizeWithOldSuperviewSize:] + 451
5   com.apple.AppKit         	0x932b7f45 -[NSView resizeSubviewsWithOldSize:] + 168
6   com.apple.AppKit         	0x93296b4d -[NSView setFrameSize:] + 288
7   com.apple.AppKit         	0x93374996 -[NSThemeFrame setFrameSize:] + 421
8   com.apple.AppKit         	0x932f5d41 -[NSWindow _oldPlaceWindow:] + 1414
9   com.apple.AppKit         	0x932f54bb -[NSWindow _setFrameCommon:display:stashSize:] + 418
10  com.apple.AppKit         	0x932fa0ea -[NSWindow setFrame:display:] + 77
11  com.apple.Safari         	0x000107f3 0x1000 + 63475
12  com.apple.Safari         	0x00093cc1 0x1000 + 601281
13  com.apple.Safari         	0x00093d7c 0x1000 + 601468
14  com.apple.Safari         	0x000a87da 0x1000 + 686042
15  libobjc.A.dylib          	0x90a59d76 objc_msgSendv + 54
16  com.apple.Foundation     	0x925ff43e -[NSInvocation invoke] + 932
17  com.apple.Foundation     	0x92625433 -[NSInvocation invokeWithTarget:] + 67
18  com.apple.WebKit         	0x0035f58a -[_WebSafeForwarder forwardInvocation:] + 448 (WebView.mm:1452)
19  com.apple.Foundation     	0x925fe4f4 -[NSObject(NSForwardInvocation) forward::] + 469
20  libobjc.A.dylib          	0x90a59cc1 _objc_msgForward + 49
21  com.apple.WebKit         	0x00397312 WebChromeClient::setWindowRect(WebCore::FloatRect const&) + 202 (WebChromeClient.mm:73)
22  com.apple.WebCore        	0x013836b5 WebCore::Chrome::setWindowRect(WebCore::FloatRect const&) const + 37 (Chrome.cpp:51)
23  com.apple.WebCore        	0x01373fe2 WebCore::FrameLoader::createWindow(WebCore::FrameLoadRequest const&, WebCore::WindowFeatures const&) + 1410 (FrameLoader.cpp:300)
24  com.apple.WebCore        	0x012470c0 KJS::WindowFunc::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 4006 (kjs_window.cpp:1651)
25  com.apple.JavaScriptCore 	0x004fc038 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 210 (object.cpp:97)
26  com.apple.JavaScriptCore 	0x004f1ebf KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 843 (nodes.cpp:780)
27  com.apple.JavaScriptCore 	0x004f5779 KJS::AssignResolveNode::evaluate(KJS::ExecState*) + 313 (nodes.cpp:1428)
28  com.apple.JavaScriptCore 	0x004ef0dc KJS::ExprStatementNode::execute(KJS::ExecState*) + 148 (nodes.cpp:1680)
29  com.apple.JavaScriptCore 	0x004eccd4 KJS::SourceElementsNode::execute(KJS::ExecState*) + 256 (nodes.cpp:2457)
30  com.apple.JavaScriptCore 	0x004eb60c KJS::BlockNode::execute(KJS::ExecState*) + 140 (nodes.cpp:1656)
31  com.apple.JavaScriptCore 	0x004dde96 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 50 (function.cpp:362)
32  com.apple.JavaScriptCore 	0x004e0179 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 573 (function.cpp:111)
33  com.apple.JavaScriptCore 	0x004fc038 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 210 (object.cpp:97)
34  com.apple.JavaScriptCore 	0x004f2640 KJS::FunctionCallResolveNode::evaluate(KJS::ExecState*) + 716 (nodes.cpp:687)
35  com.apple.JavaScriptCore 	0x004ef0dc KJS::ExprStatementNode::execute(KJS::ExecState*) + 148 (nodes.cpp:1680)
36  com.apple.JavaScriptCore 	0x004eccd4 KJS::SourceElementsNode::execute(KJS::ExecState*) + 256 (nodes.cpp:2457)
37  com.apple.JavaScriptCore 	0x004eb60c KJS::BlockNode::execute(KJS::ExecState*) + 140 (nodes.cpp:1656)
38  com.apple.JavaScriptCore 	0x004eefd0 KJS::IfNode::execute(KJS::ExecState*) + 420 (nodes.cpp:1699)
39  com.apple.JavaScriptCore 	0x004eccd4 KJS::SourceElementsNode::execute(KJS::ExecState*) + 256 (nodes.cpp:2457)
40  com.apple.JavaScriptCore 	0x004eb60c KJS::BlockNode::execute(KJS::ExecState*) + 140 (nodes.cpp:1656)
41  com.apple.JavaScriptCore 	0x004dde96 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 50 (function.cpp:362)
42  com.apple.JavaScriptCore 	0x004e0179 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 573 (function.cpp:111)
43  com.apple.JavaScriptCore 	0x004fc038 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 210 (object.cpp:97)
44  com.apple.JavaScriptCore 	0x004f2640 KJS::FunctionCallResolveNode::evaluate(KJS::ExecState*) + 716 (nodes.cpp:687)
45  com.apple.JavaScriptCore 	0x004ef0dc KJS::ExprStatementNode::execute(KJS::ExecState*) + 148 (nodes.cpp:1680)
46  com.apple.JavaScriptCore 	0x004ef037 KJS::IfNode::execute(KJS::ExecState*) + 523 (nodes.cpp:1706)
47  com.apple.JavaScriptCore 	0x004ece0a KJS::SourceElementsNode::execute(KJS::ExecState*) + 566 (nodes.cpp:2463)
48  com.apple.JavaScriptCore 	0x004eb60c KJS::BlockNode::execute(KJS::ExecState*) + 140 (nodes.cpp:1656)
49  com.apple.JavaScriptCore 	0x004e5a45 KJS::Interpreter::evaluate(KJS::UString const&, int, KJS::UChar const*, int, KJS::JSValue*) + 977 (interpreter.cpp:369)
50  com.apple.WebCore        	0x0123c159 WebCore::KJSProxy::evaluate(WebCore::String const&, int, WebCore::String const&, WebCore::Node*) + 319 (kjs_proxy.cpp:74)
51  com.apple.WebCore        	0x01373453 WebCore::FrameLoader::executeScript(WebCore::String const&, int, WebCore::Node*, WebCore::String const&) + 99 (FrameLoader.cpp:681)
52  com.apple.WebCore        	0x0101ddaa WebCore::HTMLTokenizer::scriptExecution(WebCore::DeprecatedString const&, WebCore::HTMLTokenizer::State, WebCore::DeprecatedString, int) + 316 (HTMLTokenizer.cpp:502)
53  com.apple.WebCore        	0x01020565 WebCore::HTMLTokenizer::scriptHandler(WebCore::HTMLTokenizer::State) + 1449 (HTMLTokenizer.cpp:452)
54  com.apple.WebCore        	0x01020a5e WebCore::HTMLTokenizer::parseSpecial(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 918 (HTMLTokenizer.cpp:310)
55  com.apple.WebCore        	0x010223fd WebCore::HTMLTokenizer::parseTag(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 5255 (HTMLTokenizer.cpp:1175)
56  com.apple.WebCore        	0x01022bc1 WebCore::HTMLTokenizer::write(WebCore::SegmentedString const&, bool) + 1173 (HTMLTokenizer.cpp:1389)
57  com.apple.WebCore        	0x01368ae9 WebCore::FrameLoader::write(char const*, int, bool) + 923 (FrameLoader.cpp:878)
58  com.apple.WebCore        	0x01368c1b WebCore::FrameLoader::addData(char const*, int) + 275 (FrameLoader.cpp:1492)
59  com.apple.WebCore        	0x010cfd6d -[WebCoreFrameBridge addData:] + 163 (WebCoreFrameBridge.mm:294)
60  com.apple.WebCore        	0x010d30f8 -[WebCoreFrameBridge receivedData:textEncodingName:] + 250 (WebCoreFrameBridge.mm:1484)
61  com.apple.WebKit         	0x00331c19 -[WebHTMLRepresentation receivedData:withDataSource:] + 199 (WebHTMLRepresentation.mm:175)
62  com.apple.WebKit         	0x0032d2cb -[WebDataSource(WebInternal) _receivedData:] + 89 (WebDataSource.mm:178)
63  com.apple.WebKit         	0x00393bb9 WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, char const*, int) + 127 (WebFrameLoaderClient.mm:644)
64  com.apple.WebCore        	0x01365515 WebCore::FrameLoader::committedLoad(WebCore::DocumentLoader*, char const*, int) + 53 (FrameLoader.cpp:2877)
65  com.apple.WebCore        	0x013759c7 WebCore::DocumentLoader::commitLoad(char const*, int) + 87 (DocumentLoader.cpp:339)
66  com.apple.WebCore        	0x01375a20 WebCore::DocumentLoader::receivedData(char const*, int) + 76 (DocumentLoader.cpp:352)
67  com.apple.WebCore        	0x01364a23 WebCore::FrameLoader::receivedData(char const*, int) + 41 (FrameLoader.cpp:1884)
68  com.apple.WebCore        	0x0137725e WebCore::MainResourceLoader::addData(char const*, int, bool) + 80 (MainResourceLoader.cpp:133)
69  com.apple.WebCore        	0x013792ab WebCore::ResourceLoader::didReceiveData(char const*, int, long long, bool) + 83
70  com.apple.WebCore        	0x01377593 WebCore::MainResourceLoader::didReceiveData(char const*, int, long long, bool) + 281 (MainResourceLoader.cpp:290)
71  com.apple.WebCore        	0x01378f12 WebCore::ResourceLoader::didReceiveData(WebCore::ResourceHandle*, char const*, int, int) + 58
72  com.apple.WebCore        	0x01358768 -[WebCoreResourceHandleAsDelegate connection:didReceiveData:lengthReceived:] + 172 (ResourceHandleMac.mm:352)
73  com.apple.Foundation     	0x9265eb86 -[NSURLConnection(NSURLConnectionInternal) _sendDidReceiveDataCallback] + 641
74  com.apple.Foundation     	0x9265ce67 -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] + 686
75  com.apple.Foundation     	0x9265cb41 _sendCallbacks + 201
76  com.apple.CoreFoundation 	0x9082afd2 CFRunLoopRunSpecific + 1213
77  com.apple.CoreFoundation 	0x9082ab0e CFRunLoopRunInMode + 61
78  com.apple.HIToolbox      	0x92ddabef RunCurrentEventLoopInMode + 285
79  com.apple.HIToolbox      	0x92dda2fd ReceiveNextEventCommon + 385
80  com.apple.HIToolbox      	0x92dda154 BlockUntilNextEventMatchingListInMode + 81
81  com.apple.AppKit         	0x9327f465 _DPSNextEvent + 572
82  com.apple.AppKit         	0x9327f056 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 137
83  com.apple.Safari         	0x00006cea 0x1000 + 23786
84  com.apple.AppKit         	0x93278ddb -[NSApplication run] + 512
85  com.apple.AppKit         	0x9326cd2f NSApplicationMain + 573
86  com.apple.Safari         	0x0005f54a 0x1000 + 386378
87  com.apple.Safari         	0x0005f471 0x1000 + 386161
Comment 1 David Kilzer (:ddkilzer) 2007-03-02 11:08:53 PST
This is a regression from shipping Safari 2.0.4 (419.3) on Mac OS X 10.4.8 (8N1037).

Tested with a local debug build of WebKit r19943 with the above software.
Comment 2 Alexey Proskuryakov 2007-03-02 11:16:42 PST
I cannot reproduce this on a PowerPC Mac.
Comment 3 David Kilzer (:ddkilzer) 2007-03-02 11:45:17 PST
(In reply to comment #2)
> I cannot reproduce this on a PowerPC Mac.

Weird!  I can't reproduce this with my PB G4, either.  Local debug build of WebKit r19943 with Safari 2.0.4 (419.3) on Mac OS X 10.4.8 (8L127).
Comment 4 David Kilzer (:ddkilzer) 2007-03-02 13:46:27 PST
(In reply to comment #2)
> I cannot reproduce this on a PowerPC Mac.

The issue is most likely caused by differences in how NaN floating point values are handled on PowerPC versus Intel architectures.  Obviously, this code from StringTruncator.cpp (line 109) returns true with a NaN on PowerPC, but false with a NaN on Intel:

     ASSERT(maxWidth >= 0);

I added an additional ASSERT() macro to the Intel debug build:

+    ASSERT(!isnan(maxWidth));
     ASSERT(maxWidth >= 0);

And rerunning the steps to reproduce demonstrated that maxWidth was a NaN value:

ASSERTION FAILED: !isnan(maxWidth)
(/Users/dkilzer/Projects/WebKit/WebCore/platform/StringTruncator.cpp:109 WebCore::String WebCore::truncateString(const WebCore::String&, float, const WebCore::Font&, unsigned int (*)(const WebCore::String&, unsigned int, unsigned int, UChar*)))
Segmentation fault

Not sure if we need to determine where the NaN is generated, or simply handle the NaN case differently in the truncateString(const String& string, float maxWidth, const Font& font, TruncationFunction truncateToBuffer) method.

Comment 5 Jeff McGlynn 2007-03-02 15:28:25 PST
This bug is hard to reproduce.  The steps that I take to reliably test the bug are:

1. Open WebKit.
2. Make sure the "popunder" cookie for network-drivers.com is NOT set via Safari preferences.
3. Set "Accept Cookies" to Never.
4. Make sure "Block Pop-Up Windows" is NOT set.
5. Command-click on URL: http://www.network-drivers.com/drivers/53/53064.htm
6. Repeat step 5 until you see a detailed popup that contains bar graphs.

So far I have isolated the bug to between WebKit-SVN-r17653.dmg (works) and WebKit-SVN-r17656.dmg (crashes).

I have an iMac G5 and 10.4.8.
Comment 6 Jeff McGlynn 2007-03-02 16:30:40 PST
Created attachment 13457 [details]
Reduction

Command-click to open this attachment to crash WebKit.

I believe that this bug is a GC-related error.  The original page can be fixed by removing the "left=85,top=20," from the popup parameters.

Accessing the zero index of an array and either a left= or top= parameter are necessary for this crash.
Comment 7 Mark Rowe (bdash) 2007-03-05 00:23:46 PST
The root of this problem is that kjs_window.cpp:1616 calls WebCore::screenRect with null as the argument.  This results in toUserSpace invoking Objective-C methods on nil objects, which will either return zero or an undefined value depending on the return type of the method in question.  This looks to cause userRect to be scaled by NaN, eventually leading to the assertion failure mentioned in this bug report.

One strange thing I noticed while debugging this is that the x/y/width/height members of the WindowFeatures structure are not initialized, and in many cases are used before initialization. This could in some cases lead to windows created via window.open having arbitrary sizes and locations while still being constrained within the screen's bounds.
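The two mechanisms described in comments 4 and 7 (a NaN width slipping past an ordered comparison, and geometry scaled by a NaN factor after a lookup against a missing object) can be reproduced in isolation. The block below is an added example written for this page, not WebKit's code or Mark Rowe's patch: `RectModel`, `toUserSpaceModel`, `WindowFeaturesModel` and the other names are constructed stand-ins for `FloatRect`, `toUserSpace` and `WindowFeatures`, and the 0/0 ratio is a hypothetical model of how a nil-returned zero metric turns into NaN, not the actual arithmetic in `screenRect`/`toUserSpace`. It shows why `maxWidth < 0` style checks do not reject NaN, the negated-comparison form that does, and how default member initializers remove the uninitialized-field problem from the second paragraph.

```cpp
#include <cmath>
#include <cstdio>
#include <limits>

// Constructed stand-in for a float rectangle (not WebCore::FloatRect).
struct RectModel {
    float x, y, width, height;
};

// Constructed model of the failure in comment 7: a coordinate conversion that
// derives its scale factor from two screen metrics. If the screen object is
// missing, both metrics read as zero (what an Objective-C message to nil
// returns for a scalar), the ratio is 0/0 == NaN, and every member of the
// rect is poisoned by the NaN scale. Hypothetical model, not WebKit's toUserSpace().
RectModel toUserSpaceModel(RectModel r, float screenHeightPx, float screenHeightPt)
{
    float scale = screenHeightPt / screenHeightPx; // 0.0f / 0.0f evaluates to NaN
    return { r.x * scale, r.y * scale, r.width * scale, r.height * scale };
}

// The check that lets NaN through: every ordered comparison involving NaN is
// false under IEEE 754, so "maxWidth < 0" is false for NaN and the value
// continues on to the ASSERT(maxWidth >= 0) that then fails.
bool naiveRejectsWidth(float maxWidth)
{
    return maxWidth < 0;
}

// NaN-aware form: negate the *accepting* comparison instead. NaN makes
// "maxWidth >= 0" false, so the negation rejects NaN together with negatives.
// This relies on default IEEE semantics; -ffast-math / -ffinite-math-only let
// the compiler assume NaN never occurs and may fold the check away.
bool robustRejectsWidth(float maxWidth)
{
    return !(maxWidth >= 0);
}

static bool finiteNonNegative(float v)
{
    return std::isfinite(v) && v >= 0;
}

// Whole-rect validation a window-placement path can apply before handing
// geometry to the UI layer: all members finite, width/height non-negative.
bool windowRectIsUsable(const RectModel& r)
{
    return std::isfinite(r.x) && std::isfinite(r.y)
        && finiteNonNegative(r.width) && finiteNonNegative(r.height);
}

// Comment 7's second observation: geometry members read before being set.
// Default member initializers make every field deterministic, and the *Set
// flags record whether the page supplied a value at all.
// Constructed model, not WebCore's WindowFeatures.
struct WindowFeaturesModel {
    float x = 0, y = 0, width = 0, height = 0;
    bool xSet = false, ySet = false, widthSet = false, heightSet = false;
};

// Overlay requested geometry on a default rect, using only fields the page
// actually set; unset fields keep the caller's defaults instead of garbage.
RectModel applyFeatures(const WindowFeaturesModel& f, RectModel defaults)
{
    RectModel out = defaults;
    if (f.xSet) out.x = f.x;
    if (f.ySet) out.y = f.y;
    if (f.widthSet) out.width = f.width;
    if (f.heightSet) out.height = f.height;
    return out;
}

int main()
{
    // Constructed request: left=85,top=20 as in the reduction from comment 6.
    const RectModel requested { 85, 20, 400, 300 };
    RectModel poisoned = toUserSpaceModel(requested, 0.0f, 0.0f);
    std::printf("naive check rejects NaN width:  %d\n", naiveRejectsWidth(poisoned.width));
    std::printf("robust check rejects NaN width: %d\n", robustRejectsWidth(poisoned.width));
    std::printf("poisoned rect usable:           %d\n", windowRectIsUsable(poisoned));
    return 0;
}
```

The assertion in StringTruncator.cpp is already in the robust shape (`maxWidth >= 0` fails for NaN); what the page shows is that a release build, where the ASSERT compiles out, would silently carry the NaN into layout. Validating the rect once at the boundary where window geometry enters the UI layer, as `windowRectIsUsable` does, is the defensive check that catches both a missing-screen NaN and an uninitialized field.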
Comment 8 Mark Rowe (bdash) 2007-03-05 00:51:36 PST
Created attachment 13477 [details]
Patch
Comment 9 Mark Rowe (bdash) 2007-03-05 01:36:32 PST
Comment on attachment 13477 [details]
Patch

I didn't include a layout test in this patch as I didn't see any way to test popups via DRT.
Comment 10 Mark Rowe (bdash) 2007-03-05 01:56:58 PST
Landed in r19961.
Comment 11 David Kilzer (:ddkilzer) 2007-03-05 04:01:52 PST
(In reply to comment #9)
> I didn't include a layout test in this patch as I didn't see any way to test
> popups via DRT.

Do we need a separate bug to implement this feature in DRT?  Should DRT be dumping the list of pop-up menu items in each pop-up?  What should happen in text mode versus layout mode?

Comment 12 Mark Rowe (bdash) 2007-03-05 05:18:24 PST
I meant popups in the sense of popup windows created via window.open.
Comment 13 David Kilzer (:ddkilzer) 2007-06-24 12:04:49 PDT
Mass removal of NeedsRadar keyword from my bugs that have already been RESOLVED.

Comment 14 Frances Cornwall 2024-05-07 21:28:16 PDT
*** Bug 12540 has been marked as a duplicate of this bug. ***