RESOLVED FIXED Bug 17988
REGRESSION (r31114-31132): Crash in InlineBox::isDirty() opening chowhound.com
https://bugs.webkit.org/show_bug.cgi?id=17988
Jonathan Kurtzman
Reported 2008-03-21 12:50:44 PDT
chowhound.com crashes on opening only in webkit, not in shipping Safari. Using build r31201. Report shows:
Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000040
Crashed Thread: 0
Thread 0 Crashed:
0 com.apple.WebCore 0x00fbb9c3 WebCore::RenderBlock::layoutInlineChildren(bool, int&, int&) + 1827
Attachments
Reduction (will crash) (101 bytes, text/html)
2008-03-21 20:28 PDT, mitz
no flags
Add null check to cover the case of "childrenInline" blocks that have no in-flow content (3.42 KB, patch)
2008-03-21 20:53 PDT, mitz
oliver: review+
Mark Rowe (bdash)
Comment 1 2008-03-21 12:54:59 PDT
Can you please attach the complete crash log?
Matt Lilek
Comment 2 2008-03-21 13:01:48 PDT
Confirmed with r31213:
Thread 0 Crashed:
0 com.apple.WebCore 0x01d242fb WebCore::InlineBox::isDirty() const + 9 (InlineBox.h:217)
1 com.apple.WebCore 0x0209f3a8 WebCore::RootInlineBox::floats() + 24 (RootInlineBox.h:124)
2 com.apple.WebCore 0x0209d638 WebCore::RenderBlock::layoutInlineChildren(bool, int&, int&) + 4060 (bidi.cpp:950)
3 com.apple.WebCore 0x01e97839 WebCore::RenderBlock::layoutBlock(bool) + 1305 (RenderBlock.cpp:580)
4 com.apple.WebCore 0x01e869ee WebCore::RenderBlock::layout() + 54 (RenderBlock.cpp:494)
5 com.apple.WebCore 0x01ed199e WebCore::RenderListItem::layout() + 106 (RenderListItem.cpp:234)
6 com.apple.WebCore 0x0209e24d WebCore::RenderObject::layoutIfNeeded() + 41 (RenderObject.h:496)
7 com.apple.WebCore 0x0209cabd WebCore::RenderBlock::layoutInlineChildren(bool, int&, int&) + 1121 (bidi.cpp:806)
8 com.apple.WebCore 0x01e97839 WebCore::RenderBlock::layoutBlock(bool) + 1305 (RenderBlock.cpp:580)
9 com.apple.WebCore 0x01e869ee WebCore::RenderBlock::layout() + 54 (RenderBlock.cpp:494)
10 com.apple.WebCore 0x01e96135 WebCore::RenderBlock::layoutBlockChildren(bool, int&) + 1515 (RenderBlock.cpp:1233)
11 com.apple.WebCore 0x01e9785b WebCore::RenderBlock::layoutBlock(bool) + 1339 (RenderBlock.cpp:585)
12 com.apple.WebCore 0x01e869ee WebCore::RenderBlock::layout() + 54 (RenderBlock.cpp:494)
13 com.apple.WebCore 0x01e96135 WebCore::RenderBlock::layoutBlockChildren(bool, int&) + 1515 (RenderBlock.cpp:1233)
14 com.apple.WebCore 0x01e9785b WebCore::RenderBlock::layoutBlock(bool) + 1339 (RenderBlock.cpp:585)
15 com.apple.WebCore 0x01e869ee WebCore::RenderBlock::layout() + 54 (RenderBlock.cpp:494)
16 com.apple.WebCore 0x01e96135 WebCore::RenderBlock::layoutBlockChildren(bool, int&) + 1515 (RenderBlock.cpp:1233)
17 com.apple.WebCore 0x01e9785b WebCore::RenderBlock::layoutBlock(bool) + 1339 (RenderBlock.cpp:585)
18 com.apple.WebCore 0x01e869ee WebCore::RenderBlock::layout() + 54 (RenderBlock.cpp:494)
19 com.apple.WebCore 0x01e96135 WebCore::RenderBlock::layoutBlockChildren(bool, int&) + 1515 (RenderBlock.cpp:1233)
20 com.apple.WebCore 0x01e9785b WebCore::RenderBlock::layoutBlock(bool) + 1339 (RenderBlock.cpp:585)
21 com.apple.WebCore 0x01e869ee WebCore::RenderBlock::layout() + 54 (RenderBlock.cpp:494)
22 com.apple.WebCore 0x01e96135 WebCore::RenderBlock::layoutBlockChildren(bool, int&) + 1515 (RenderBlock.cpp:1233)
23 com.apple.WebCore 0x01e9785b WebCore::RenderBlock::layoutBlock(bool) + 1339 (RenderBlock.cpp:585)
24 com.apple.WebCore 0x01e869ee WebCore::RenderBlock::layout() + 54 (RenderBlock.cpp:494)
25 com.apple.WebCore 0x01e96135 WebCore::RenderBlock::layoutBlockChildren(bool, int&) + 1515 (RenderBlock.cpp:1233)
26 com.apple.WebCore 0x01e9785b WebCore::RenderBlock::layoutBlock(bool) + 1339 (RenderBlock.cpp:585)
27 com.apple.WebCore 0x01e869ee WebCore::RenderBlock::layout() + 54 (RenderBlock.cpp:494)
28 com.apple.WebCore 0x01f36da0 WebCore::RenderView::layout() + 298 (RenderView.cpp:116)
29 com.apple.WebCore 0x01c841f0 WebCore::FrameView::layout(bool) + 2194 (FrameView.cpp:479)
30 com.apple.WebCore 0x01c846ed WebCore::FrameView::layoutTimerFired(WebCore::Timer<WebCore::FrameView>*) + 25 (FrameView.cpp:723)
31 com.apple.WebCore 0x01c86733 WebCore::Timer<WebCore::FrameView>::fired() + 89 (Timer.h:99)
32 com.apple.WebCore 0x0205c47c WebCore::TimerBase::fireTimers(double, WTF::Vector<WebCore::TimerBase*, 0ul> const&) + 198 (Timer.cpp:350)
33 com.apple.WebCore 0x0205c524 WebCore::TimerBase::sharedTimerFired() + 110 (Timer.cpp:370)
34 com.apple.WebCore 0x0203711c WebCore::timerFired(__CFRunLoopTimer*, void*) + 78 (SharedTimerMac.mm:85)
35 com.apple.CoreFoundation 0x96cf9b5e CFRunLoopRunSpecific + 4494
36 com.apple.CoreFoundation 0x96cf9d18 CFRunLoopRunInMode + 88
37 com.apple.HIToolbox 0x903b66a0 RunCurrentEventLoopInMode + 283
38 com.apple.HIToolbox 0x903b64b9 ReceiveNextEventCommon + 374
39 com.apple.HIToolbox 0x903b632d BlockUntilNextEventMatchingListInMode + 106
40 com.apple.AppKit 0x9329f7d9 _DPSNextEvent + 657
41 com.apple.AppKit 0x9329f08e -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
42 com.apple.Safari 0x0000806e 0x1000 + 28782
43 com.apple.AppKit 0x932980c5 -[NSApplication run] + 795
44 com.apple.AppKit 0x9326530a NSApplicationMain + 574
45 com.apple.Safari 0x000b9a76 0x1000 + 756342
mitz
Comment 3 2008-03-21 20:28:31 PDT
Created attachment 19949: Reduction (will crash)
mitz
Comment 4 2008-03-21 20:53:07 PDT
Created attachment 19951: Add null check to cover the case of "childrenInline" blocks that have no in-flow content
mitz
Comment 5 2008-03-21 23:58:53 PDT
mitz
Comment 6 2008-03-24 21:40:08 PDT