Bug 14545 - REGRESSION (r21854-r21869): Repro crash in RenderBlock::updateFirstLetter @ nola.com/rose/
Status: RESOLVED FIXED
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: 523.x (Safari 3)
Hardware: Mac OS X 10.4
Importance: P1 Major
Assignee: Nobody
URL: http://www.nola.com/rose/
Keywords: InRadar
 
Reported: 2007-07-06 14:09 PDT by Gibbons Burke
Modified: 2007-07-06 19:39 PDT

Attachments
Crash report (36.17 KB, text/plain), 2007-07-06 14:10 PDT, Gibbons Burke
Reduction (will crash) (195 bytes, text/html), 2007-07-06 15:00 PDT, mitz
Allow :first-letter and text-transform:capitalize to coexist (41.70 KB, patch), 2007-07-06 16:47 PDT, mitz, darin: review+

Description Gibbons Burke 2007-07-06 14:09:53 PDT
Steps to reproduce:

1) Start WebKit.app nightly build (r24064)
2) Type "Chris Rose" in Google search text area
3) Select first hit in google results page

CRASH!

Full crash report attached.

This crash does not occur in Safari 3.0.2.

Partial crash report:

Date/Time:      2007-07-06 16:02:06.631 -0500
OS Version:     10.4.10 (Build 8R218)
Report Version: 4

Command: Safari
Path:    /Applications/Safari.app/Contents/MacOS/Safari
Parent:  WindowServer [101]

Version: r24064 (24064)

PID:    6767
Thread: 0

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x0000006c

Thread 0 Crashed:
0   com.apple.WebCore         	0x0116c5ac WebCore::RenderBlock::updateFirstLetter() + 1276
1   com.apple.WebCore         	0x0116d140 WebCore::RenderBlock::calcPrefWidths() + 48
2   com.apple.WebCore         	0x0117a4ac WebCore::RenderBox::minPrefWidth() const + 60
3   com.apple.WebCore         	0x0116b114 WebCore::RenderBlock::calcBlockPrefWidths() + 420
4   com.apple.WebCore         	0x0116d1c4 WebCore::RenderBlock::calcPrefWidths() + 180
5   com.apple.WebCore         	0x0117a4ac WebCore::RenderBox::minPrefWidth() const + 60
6   com.apple.WebCore         	0x0116b114 WebCore::RenderBlock::calcBlockPrefWidths() + 420
7   com.apple.WebCore         	0x0116d1c4 WebCore::RenderBlock::calcPrefWidths() + 180
8   com.apple.WebCore         	0x0117a4ac WebCore::RenderBox::minPrefWidth() const + 60
9   com.apple.WebCore         	0x0116b114 WebCore::RenderBlock::calcBlockPrefWidths() + 420
10  com.apple.WebCore         	0x0116d1c4 WebCore::RenderBlock::calcPrefWidths() + 180
11  com.apple.WebCore         	0x0117a4ac WebCore::RenderBox::minPrefWidth() const + 60
12  com.apple.WebCore         	0x0116b114 WebCore::RenderBlock::calcBlockPrefWidths() + 420
13  com.apple.WebCore         	0x0116d1c4 WebCore::RenderBlock::calcPrefWidths() + 180
14  com.apple.WebCore         	0x011d1488 WebCore::RenderTableCell::calcPrefWidths() + 72
15  com.apple.WebCore         	0x012ed10c WebCore::AutoTableLayout::recalcColumn(int) + 604
16  com.apple.WebCore         	0x012ed6f0 WebCore::AutoTableLayout::fullRecalc() + 688
17  com.apple.WebCore         	0x012ee2e8 WebCore::AutoTableLayout::calcPrefWidths(int&, int&) + 40
18  com.apple.WebCore         	0x011d4c4c WebCore::RenderTable::calcPrefWidths() + 92
19  com.apple.WebCore         	0x0117a4ac WebCore::RenderBox::minPrefWidth() const + 60
20  com.apple.WebCore         	0x0116b114 WebCore::RenderBlock::calcBlockPrefWidths() + 420
21  com.apple.WebCore         	0x0116d1c4 WebCore::RenderBlock::calcPrefWidths() + 180
22  com.apple.WebCore         	0x011d1488 WebCore::RenderTableCell::calcPrefWidths() + 72
23  com.apple.WebCore         	0x012ed10c WebCore::AutoTableLayout::recalcColumn(int) + 604
24  com.apple.WebCore         	0x012ed6f0 WebCore::AutoTableLayout::fullRecalc() + 688
25  com.apple.WebCore         	0x012ee2e8 WebCore::AutoTableLayout::calcPrefWidths(int&, int&) + 40
26  com.apple.WebCore         	0x011d4c4c WebCore::RenderTable::calcPrefWidths() + 92
27  com.apple.WebCore         	0x0117a4ac WebCore::RenderBox::minPrefWidth() const + 60
28  com.apple.WebCore         	0x011d51d0 WebCore::RenderTable::calcWidth() + 288
29  com.apple.WebCore         	0x011d5784 WebCore::RenderTable::layout() + 692
30  com.apple.WebCore         	0x01177008 WebCore::RenderBlock::layoutBlockChildren(bool) + 1416
31  com.apple.WebCore         	0x0117796c WebCore::RenderBlock::layoutBlock(bool) + 1324
32  com.apple.WebCore         	0x011678fc WebCore::RenderBlock::layout() + 76
33  com.apple.WebCore         	0x01177008 WebCore::RenderBlock::layoutBlockChildren(bool) + 1416
34  com.apple.WebCore         	0x0117796c WebCore::RenderBlock::layoutBlock(bool) + 1324
35  com.apple.WebCore         	0x011678fc WebCore::RenderBlock::layout() + 76
36  com.apple.WebCore         	0x01177008 WebCore::RenderBlock::layoutBlockChildren(bool) + 1416
37  com.apple.WebCore         	0x0117796c WebCore::RenderBlock::layoutBlock(bool) + 1324
38  com.apple.WebCore         	0x011678fc WebCore::RenderBlock::layout() + 76
39  com.apple.WebCore         	0x01185a98 WebCore::RenderView::layout() + 216
40  com.apple.WebCore         	0x010e74d4 WebCore::FrameView::layout(bool) + 1364
41  com.apple.WebCore         	0x01243ac4 WebCore::TimerBase::fireTimers(double, WTF::Vector<WebCore::TimerBase*, (unsigned long)0> const&) + 180
42  com.apple.WebCore         	0x01243b60 WebCore::TimerBase::sharedTimerFired() + 112
43  com.apple.WebCore         	0x012432bc WebCore::timerFired(__CFRunLoopTimer*, void*) + 76
44  com.apple.CoreFoundation  	0x902c5578 __CFRunLoopDoTimer + 184
45  com.apple.CoreFoundation  	0x902b1ef8 __CFRunLoopRun + 1680
46  com.apple.CoreFoundation  	0x902b14ac CFRunLoopRunSpecific + 268
47  com.apple.HIToolbox       	0x92020b20 RunCurrentEventLoopInMode + 264
48  com.apple.HIToolbox       	0x920201b4 ReceiveNextEventCommon + 380
49  com.apple.HIToolbox       	0x92020020 BlockUntilNextEventMatchingListInMode + 96
50  com.apple.AppKit          	0x92509ae4 _DPSNextEvent + 384
51  com.apple.AppKit          	0x925097a8 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 116
52  com.apple.Safari          	0x00006770 0x1000 + 22384
53  com.apple.AppKit          	0x92505cec -[NSApplication run] + 472
54  com.apple.AppKit          	0x925f687c NSApplicationMain + 452
55  com.apple.Safari          	0x0000244c 0x1000 + 5196
56  com.apple.Safari          	0x0004f1b0 0x1000 + 319920
Comment 1 Gibbons Burke 2007-07-06 14:10:27 PDT
Created attachment 15422
Crash report
Comment 2 Geoffrey Garen 2007-07-06 14:25:17 PDT
To repro, all you need is to navigate to http://www.nola.com/rose/.
Comment 3 Geoffrey Garen 2007-07-06 14:27:02 PDT
<rdar://problem/5317892>
Comment 4 Beth Dakin 2007-07-06 14:46:30 PDT
This is a recent regression. The site loads fine with the version of Safari that is part of the WWDC Leopard seed.
Comment 5 mitz 2007-07-06 15:00:59 PDT
Created attachment 15423
Reduction (will crash)

I suspect this regressed in <http://trac.webkit.org/projects/webkit/changeset/21742>. Note that on the beta, while WebKit doesn't crash, it doesn't render correctly either (it capitalizes the second letter).
Comment 6 mitz 2007-07-06 15:16:20 PDT
(In reply to comment #5)
> I suspect this regressed in
> <http://trac.webkit.org/projects/webkit/changeset/21742>.

False suspicion.
Comment 7 mitz 2007-07-06 15:32:33 PDT
Regressed between r21854 and r21869. The change most likely to have caused the regression is <http://trac.webkit.org/projects/webkit/changeset/21861>.
Comment 8 mitz 2007-07-06 16:47:22 PDT
Created attachment 15424
Allow :first-letter and text-transform:capitalize to coexist

No layout test regressions, and a new test. Finding the real previous character in the remaining text fragment case may be overkill (i.e. maybe ' ' will do) but I'm taking the conservative approach since I don't know for a fact that every character that is not fit to serve as a first letter (meaning: punctuation and spaces) is also a word separator.
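The behaviour described in comments 5 and 8 (the beta capitalizing the second letter, and the fix having to find the real previous character for the remaining text fragment) can be modelled outside the engine. The block below is an added illustration written for this page; it is not WebKit code, not the attached reduction and not the patch. The split rule for the first-letter fragment, the separator predicate and all function names are assumptions of this model.

```javascript
// Added model of the :first-letter / text-transform: capitalize interaction
// reported in this bug. NOT WebKit code; the split rule and predicates below
// are assumptions made for illustration.
//
// :first-letter splits one text run into two fragments: the first letter
// (with any leading punctuation) and the remainder. text-transform: capitalize
// uppercases a character only when the character before it is a word
// separator. For the remainder fragment the engine has to know what really
// precedes it; if it assumes the fragment starts a word, the second letter of
// the original word gets capitalized.

// Assumption: "not fit to be a first letter" (whitespace, punctuation) and
// "word separator" are the same set. Comment 8 deliberately does NOT rely on
// that equivalence; the model uses it only to keep the illustration short.
const isWordSeparator = (ch) => ch === undefined || /[\s\p{P}]/u.test(ch);

// Capitalize one fragment given the character that actually precedes it
// (undefined means "start of run").
function capitalizeFragment(text, previousChar) {
  let out = "";
  let prev = previousChar;
  for (const ch of text) {
    out += isWordSeparator(prev) ? ch.toUpperCase() : ch;
    prev = ch;
  }
  return out;
}

// Split the run the way a :first-letter renderer would: leading punctuation
// plus the first letter form the first fragment, everything else the remainder.
function splitFirstLetter(text) {
  const m = /^(\p{P}*\p{L})([\s\S]*)$/u.exec(text);
  if (!m) return { firstLetter: "", remainder: text };
  return { firstLetter: m[1], remainder: m[2] };
}

// Render the whole run. With useRealPreviousChar=false the remainder is
// treated as if it started a new word (the beta's behaviour from comment 5);
// with true the remainder is told the real previous character, which is the
// last character of the first-letter fragment (the approach in comment 8).
function renderCapitalized(text, { useRealPreviousChar }) {
  const { firstLetter, remainder } = splitFirstLetter(text);
  const firstOut = capitalizeFragment(firstLetter, undefined);
  const prevForRemainder = useRealPreviousChar
    ? firstLetter[firstLetter.length - 1]
    : undefined;
  return firstOut + capitalizeFragment(remainder, prevForRemainder);
}

// Constructed sample input (not from the site in the bug).
const sample = "chris rose";
console.log(renderCapitalized(sample, { useRealPreviousChar: false })); // CHris Rose
console.log(renderCapitalized(sample, { useRealPreviousChar: true }));  // Chris Rose
```

Passing a plain space as the previous character (the "maybe ' ' will do" option from comment 8) would give the same result as passing the real letter only if every non-first-letter character is also a word separator; the real-character variant stays correct even if those two sets differ, which is why it is the conservative choice.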
Comment 9 Darin Adler 2007-07-06 18:38:50 PDT
Comment on attachment 15424
Allow :first-letter and text-transform:capitalize to coexist

r=me
Comment 10 Mark Rowe (bdash) 2007-07-06 19:39:05 PDT
Landed in r24084.