17464 – REGRESSION: Crash in RenderBlock::findNextLineBreak reading r30444 commit email in GMail

Bug 17464 - REGRESSION: Crash in RenderBlock::findNextLineBreak reading r30444 commit email in GMail

Summary: REGRESSION: Crash in RenderBlock::findNextLineBreak reading r30444 commit ema...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	Layout and Rendering (show other bugs)
Version:	528+ (Nightly build)
Hardware:	All All

Importance:	P1 Normal
Assignee:	mitz

URL:
Keywords:	GoogleBug, NeedsReduction, Regression

Depends on:
Blocks:

Reported:	2008-02-20 18:57 PST by Matt Lilek
Modified:	2008-04-21 10:55 PDT (History)
CC List:	2 users (show)

See Also:

Attachments
Fix (31.63 KB, patch) 2008-02-20 20:49 PST, mitz	hyatt: review+	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Matt Lilek 2008-02-20 18:57:50 PST

Reading the webkit-changes email for r30444 in GMail crashes ToT:

Thread 0 Crashed:
0   com.apple.WebCore             	0x02108150 WebCore::RenderBlock::findNextLineBreak(WebCore::BidiIterator&, WebCore::BidiResolver<WebCore::BidiIterator, WebCore::BidiRun>&) + 6074 (bidi.cpp:1703)
1   com.apple.WebCore             	0x0210aa1f WebCore::RenderBlock::layoutInlineChildren(bool, int&, int&) + 3079 (bidi.cpp:969)
2   com.apple.WebCore             	0x01ef8e7f WebCore::RenderBlock::layoutBlock(bool) + 1319 (RenderBlock.cpp:581)
3   com.apple.WebCore             	0x01ee95f6 WebCore::RenderBlock::layout() + 54 (RenderBlock.cpp:494)
4   com.apple.WebCore             	0x01ef7e03 WebCore::RenderBlock::layoutBlockChildren(bool, int&) + 1515 (RenderBlock.cpp:1233)
5   com.apple.WebCore             	0x01ef8ea1 WebCore::RenderBlock::layoutBlock(bool) + 1353 (RenderBlock.cpp:586)
6   com.apple.WebCore             	0x01ee95f6 WebCore::RenderBlock::layout() + 54 (RenderBlock.cpp:494)
7   com.apple.WebCore             	0x01ef7e03 WebCore::RenderBlock::layoutBlockChildren(bool, int&) + 1515 (RenderBlock.cpp:1233)
8   com.apple.WebCore             	0x01ef8ea1 WebCore::RenderBlock::layoutBlock(bool) + 1353 (RenderBlock.cpp:586)
9   com.apple.WebCore             	0x01ee95f6 WebCore::RenderBlock::layout() + 54 (RenderBlock.cpp:494)
10  com.apple.WebCore             	0x01ef7e03 WebCore::RenderBlock::layoutBlockChildren(bool, int&) + 1515 (RenderBlock.cpp:1233)
11  com.apple.WebCore             	0x01ef8ea1 WebCore::RenderBlock::layoutBlock(bool) + 1353 (RenderBlock.cpp:586)
12  com.apple.WebCore             	0x01ee95f6 WebCore::RenderBlock::layout() + 54 (RenderBlock.cpp:494)
13  com.apple.WebCore             	0x01ef7e03 WebCore::RenderBlock::layoutBlockChildren(bool, int&) + 1515 (RenderBlock.cpp:1233)
14  com.apple.WebCore             	0x01ef8ea1 WebCore::RenderBlock::layoutBlock(bool) + 1353 (RenderBlock.cpp:586)
15  com.apple.WebCore             	0x01ee95f6 WebCore::RenderBlock::layout() + 54 (RenderBlock.cpp:494)
16  com.apple.WebCore             	0x01ef7e03 WebCore::RenderBlock::layoutBlockChildren(bool, int&) + 1515 (RenderBlock.cpp:1233)
17  com.apple.WebCore             	0x01ef8ea1 WebCore::RenderBlock::layoutBlock(bool) + 1353 (RenderBlock.cpp:586)
18  com.apple.WebCore             	0x01ee95f6 WebCore::RenderBlock::layout() + 54 (RenderBlock.cpp:494)
19  com.apple.WebCore             	0x01ef7e03 WebCore::RenderBlock::layoutBlockChildren(bool, int&) + 1515 (RenderBlock.cpp:1233)
20  com.apple.WebCore             	0x01ef8ea1 WebCore::RenderBlock::layoutBlock(bool) + 1353 (RenderBlock.cpp:586)
21  com.apple.WebCore             	0x01ee95f6 WebCore::RenderBlock::layout() + 54 (RenderBlock.cpp:494)
22  com.apple.WebCore             	0x01ef7e03 WebCore::RenderBlock::layoutBlockChildren(bool, int&) + 1515 (RenderBlock.cpp:1233)
23  com.apple.WebCore             	0x01ef8ea1 WebCore::RenderBlock::layoutBlock(bool) + 1353 (RenderBlock.cpp:586)
24  com.apple.WebCore             	0x01ee95f6 WebCore::RenderBlock::layout() + 54 (RenderBlock.cpp:494)
25  com.apple.WebCore             	0x01ef7e03 WebCore::RenderBlock::layoutBlockChildren(bool, int&) + 1515 (RenderBlock.cpp:1233)
26  com.apple.WebCore             	0x01ef8ea1 WebCore::RenderBlock::layoutBlock(bool) + 1353 (RenderBlock.cpp:586)
27  com.apple.WebCore             	0x01ee95f6 WebCore::RenderBlock::layout() + 54 (RenderBlock.cpp:494)
28  com.apple.WebCore             	0x01ef9d1f WebCore::RenderObject::layoutIfNeeded() + 41 (RenderObject.h:487)
29  com.apple.WebCore             	0x0210a219 WebCore::RenderBlock::layoutInlineChildren(bool, int&, int&) + 1025 (bidi.cpp:876)
30  com.apple.WebCore             	0x01ef8e7f WebCore::RenderBlock::layoutBlock(bool) + 1319 (RenderBlock.cpp:581)
31  com.apple.WebCore             	0x01f6d145 WebCore::RenderTableCell::layout() + 45 (RenderTableCell.cpp:137)
32  com.apple.WebCore             	0x01f71aaf WebCore::RenderTableRow::layout() + 239 (RenderTableRow.cpp:129)
33  com.apple.WebCore             	0x01ef9d1f WebCore::RenderObject::layoutIfNeeded() + 41 (RenderObject.h:487)
34  com.apple.WebCore             	0x01f0ae32 WebCore::RenderContainer::layout() + 176 (RenderContainer.cpp:497)
35  com.apple.WebCore             	0x01f6a4ce WebCore::RenderTable::layout() + 874 (RenderTable.cpp:298)
36  com.apple.WebCore             	0x01ef7e03 WebCore::RenderBlock::layoutBlockChildren(bool, int&) + 1515 (RenderBlock.cpp:1233)
37  com.apple.WebCore             	0x01ef8ea1 WebCore::RenderBlock::layoutBlock(bool) + 1353 (RenderBlock.cpp:586)
38  com.apple.WebCore             	0x01ee95f6 WebCore::RenderBlock::layout() + 54 (RenderBlock.cpp:494)
39  com.apple.WebCore             	0x01ef7e03 WebCore::RenderBlock::layoutBlockChildren(bool, int&) + 1515 (RenderBlock.cpp:1233)
40  com.apple.WebCore             	0x01ef8ea1 WebCore::RenderBlock::layoutBlock(bool) + 1353 (RenderBlock.cpp:586)
41  com.apple.WebCore             	0x01ee95f6 WebCore::RenderBlock::layout() + 54 (RenderBlock.cpp:494)
42  com.apple.WebCore             	0x01ef7e03 WebCore::RenderBlock::layoutBlockChildren(bool, int&) + 1515 (RenderBlock.cpp:1233)
43  com.apple.WebCore             	0x01ef8ea1 WebCore::RenderBlock::layoutBlock(bool) + 1353 (RenderBlock.cpp:586)
44  com.apple.WebCore             	0x01ee95f6 WebCore::RenderBlock::layout() + 54 (RenderBlock.cpp:494)
45  com.apple.WebCore             	0x01ef7e03 WebCore::RenderBlock::layoutBlockChildren(bool, int&) + 1515 (RenderBlock.cpp:1233)
46  com.apple.WebCore             	0x01ef8ea1 WebCore::RenderBlock::layoutBlock(bool) + 1353 (RenderBlock.cpp:586)
47  com.apple.WebCore             	0x01ee95f6 WebCore::RenderBlock::layout() + 54 (RenderBlock.cpp:494)
48  com.apple.WebCore             	0x01ef7e03 WebCore::RenderBlock::layoutBlockChildren(bool, int&) + 1515 (RenderBlock.cpp:1233)
49  com.apple.WebCore             	0x01ef8ea1 WebCore::RenderBlock::layoutBlock(bool) + 1353 (RenderBlock.cpp:586)
50  com.apple.WebCore             	0x01ee95f6 WebCore::RenderBlock::layout() + 54 (RenderBlock.cpp:494)
51  com.apple.WebCore             	0x01ef7e03 WebCore::RenderBlock::layoutBlockChildren(bool, int&) + 1515 (RenderBlock.cpp:1233)
52  com.apple.WebCore             	0x01ef8ea1 WebCore::RenderBlock::layoutBlock(bool) + 1353 (RenderBlock.cpp:586)
53  com.apple.WebCore             	0x01ee95f6 WebCore::RenderBlock::layout() + 54 (RenderBlock.cpp:494)
54  com.apple.WebCore             	0x01f92b7e WebCore::RenderView::layout() + 310 (RenderView.cpp:114)
55  com.apple.WebCore             	0x01cf087a WebCore::FrameView::layout(bool) + 2160 (FrameView.cpp:471)
56  com.apple.WebCore             	0x01f49c87 WebCore::RenderPart::updateWidgetPosition() + 727 (RenderPart.cpp:115)
57  com.apple.WebCore             	0x01f93817 WebCore::RenderView::updateWidgetPositions() + 87 (RenderView.cpp:446)
58  com.apple.WebCore             	0x01cefe1f WebCore::FrameView::performPostLayoutTasks() + 51 (FrameView.cpp:887)
59  com.apple.WebCore             	0x01cf0b19 WebCore::FrameView::layout(bool) + 2831 (FrameView.cpp:516)
60  com.apple.WebCore             	0x01ccbc8f WebCore::Frame::forceLayout(bool) + 57 (Frame.cpp:1376)
61  com.apple.WebCore             	0x020cb252 -[WebCoreFrameBridge forceLayoutAdjustingViewSize:] + 40 (WebCoreFrameBridge.mm:403)
62  com.apple.WebKit              	0x001c8cd0 -[WebHTMLView layoutToMinimumPageWidth:maximumPageWidth:adjustingViewSize:] + 234 (WebHTMLView.mm:2664)
63  com.apple.WebKit              	0x001c8de0 -[WebHTMLView layout] + 68 (WebHTMLView.mm:2678)
64  com.apple.WebKit              	0x001cfc0b -[WebHTMLView(WebInternal) _layoutIfNeeded] + 195 (WebHTMLView.mm:4811)
65  com.apple.WebKit              	0x001cfcec -[WebHTMLView(WebInternal) _web_layoutIfNeededRecursive] + 218 (WebHTMLView.mm:4826)
66  com.apple.WebKit              	0x001c3d7c -[WebHTMLView(WebPrivate) viewWillDraw] + 94 (WebHTMLView.mm:1063)
67  com.apple.AppKit              	0x917c5516 -[NSView viewWillDraw] + 579
68  com.apple.AppKit              	0x917c5516 -[NSView viewWillDraw] + 579
69  com.apple.AppKit              	0x917c5516 -[NSView viewWillDraw] + 579
70  com.apple.AppKit              	0x917c5516 -[NSView viewWillDraw] + 579
71  com.apple.AppKit              	0x917c5516 -[NSView viewWillDraw] + 579
72  com.apple.AppKit              	0x917c5516 -[NSView viewWillDraw] + 579
73  com.apple.AppKit              	0x917c5516 -[NSView viewWillDraw] + 579
74  com.apple.AppKit              	0x917c5516 -[NSView viewWillDraw] + 579
75  com.apple.AppKit              	0x917c4bf8 -[NSView _sendViewWillDrawInRect:] + 1015
76  com.apple.AppKit              	0x91706ec9 -[NSView displayIfNeeded] + 869
77  com.apple.AppKit              	0x91706ab9 -[NSWindow displayIfNeeded] + 189
78  com.apple.Safari              	0x000233a9 0x1000 + 140201
79  com.apple.AppKit              	0x917068e0 _handleWindowNeedsDisplay + 436
80  com.apple.CoreFoundation      	0x943ad9c2 __CFRunLoopDoObservers + 466
81  com.apple.CoreFoundation      	0x943aed25 CFRunLoopRunSpecific + 853
82  com.apple.CoreFoundation      	0x943afd18 CFRunLoopRunInMode + 88
83  com.apple.HIToolbox           	0x910986a0 RunCurrentEventLoopInMode + 283
84  com.apple.HIToolbox           	0x910984b9 ReceiveNextEventCommon + 374
85  com.apple.HIToolbox           	0x9109832d BlockUntilNextEventMatchingListInMode + 106
86  com.apple.AppKit              	0x917047d9 _DPSNextEvent + 657
87  com.apple.AppKit              	0x9170408e -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
88  com.apple.Safari              	0x0000965e 0x1000 + 34398
89  com.apple.AppKit              	0x916fd0c5 -[NSApplication run] + 795
90  com.apple.AppKit              	0x916ca30a NSApplicationMain + 574
91  com.apple.Safari              	0x00002a76 0x1000 + 6774

Comment 1 mitz 2008-02-20 20:49:54 PST

Created attachment 19248 [details]
Fix

Comment 2 Dave Hyatt 2008-02-20 20:54:24 PST

Comment on attachment 19248 [details]
Fix

r=me

Comment 3 mitz 2008-02-20 21:01:29 PST

Fixed in <http://trac.webkit.org/projects/webkit/changeset/30454>.

Comment 4 Eric Seidel (no email) 2008-04-21 10:41:35 PDT

Looks like this never made it into 3.1.  :sigh:  I just saw a crash in GMail which I think was this bug.

Comment 5 mitz 2008-04-21 10:55:51 PDT

(In reply to comment #4)
> Looks like this never made it into 3.1.  :sigh:  I just saw a crash in GMail
> which I think was this bug.

This bug was introduced in <http://trac.webkit.org/projects/webkit/changeset/30412> which is not in 3.1 either.