WebKit Bugzilla
RESOLVED FIXED
Bug 3855
Table with Form Field and Hidden DIV crashes Safari
https://bugs.webkit.org/show_bug.cgi?id=3855
Bryan
Reported
2005-07-04 17:18:22 PDT
The following code is from a test page that always will cause Safari to crash. More discussion on this can be found here:
http://www.pmachine.com/forums/viewthread/24217/P0/
<html>
<head>
<title>test</title>
</head>
<body>
<form>
<textarea cols='30' rows='10'></textarea>
<div style="display:none;">
<table>
<tr>
<td>test</td>
</tr>
</table>
</div>
<div><input type='text' name='bla' value='' size="33" /></div>
</form>
</body>
</html>
Attachments
minimal testcase (217 bytes, text/html), 2005-07-04 23:02 PDT, Joost de Valk (AlthA), no flags
minimal testcase (268 bytes, text/html), 2005-07-04 23:06 PDT, Joost de Valk (AlthA), no flags
Proposed fix (2.48 KB, patch), 2005-07-07 21:34 PDT, Carsten Guenther, hyatt: review-
Merging patch (2.42 KB, patch), 2005-07-09 15:50 PDT, Carsten Guenther, hyatt: review+
Mark Rowe (bdash)
Comment 1
2005-07-04 21:40:24 PDT
The report is missing a key step to reproduce: the crash only occurs after you begin typing in the bottom text entry field. This occurs with both WebKit 412 and ToT CVS. Crash log from ToT included below:

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x0000000c
Thread 0 Crashed:
0 com.apple.WebCore 0x011dfed4 khtml::RenderTableCell::table() const + 0 (icplusplus.c:28)
1 <<00000000>> 0xbfffe324 0 + -1073749212
2 com.apple.WebCore 0x010204b8 KWQKHTMLPart::searchForLabelsBeforeElement(NSArray*, DOM::ElementImpl*) + 204 (icplusplus.c:28)
3 com.apple.Safari 0x0009956c 0x1000 + 623980
4 com.apple.Safari 0x00098edc 0x1000 + 622300
5 com.apple.Safari 0x000958f8 0x1000 + 608504
6 com.apple.Safari 0x00095b50 0x1000 + 609104
7 com.apple.Safari 0x0004402c 0x1000 + 274476
8 com.apple.Foundation 0x92886d18 __NSFireDelayedPerform + 304
9 com.apple.CoreFoundation 0x9075deb0 __CFRunLoopDoTimer + 184
10 com.apple.CoreFoundation 0x9074a828 __CFRunLoopRun + 1680
11 com.apple.CoreFoundation 0x90749ddc CFRunLoopRunSpecific + 268
12 com.apple.HIToolbox 0x93122ca0 RunCurrentEventLoopInMode + 264
13 com.apple.HIToolbox 0x93122334 ReceiveNextEventCommon + 380
14 com.apple.HIToolbox 0x931221a0 BlockUntilNextEventMatchingListInMode + 96
15 com.apple.AppKit 0x9362b1a4 _DPSNextEvent + 384
16 com.apple.AppKit 0x9362ae68 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 116
17 com.apple.Safari 0x00007058 0x1000 + 24664
18 com.apple.AppKit 0x936273cc -[NSApplication run] + 472
19 com.apple.AppKit 0x93717c1c NSApplicationMain + 452
20 com.apple.Safari 0x00002700 0x1000 + 5888
21 com.apple.Safari 0x00057190 0x1000 + 352656
Mark Rowe (bdash)
Comment 2
2005-07-04 21:42:18 PDT
An easily accessible case for this bug is at
http://pmachine.com/misc/safari_crash.html
It consists of the HTML included in the initial bug report.
Joost de Valk (AlthA)
Comment 3
2005-07-04 23:02:22 PDT
Created attachment 2799
minimal testcase
Removing either the table or the display:none prevents the crash.
Joost de Valk (AlthA)
Comment 4
2005-07-04 23:06:20 PDT
Created attachment 2800
minimal testcase
This time the testcase tells how to recreate the problem.
Carsten Guenther
Comment 5
2005-07-07 21:34:54 PDT
Created attachment 2858
Proposed fix
This patch checks for the existence of the cell renderer.
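An added illustration, not part of the thread and not WebKit's code: a simplified C++ model of the pattern the crash log and the fix comment point to, a backward walk from a form field that reaches a table cell inside display:none, which has no renderer. Every type and function name below is hypothetical, and the sample page is constructed from the reported testcase.

```cpp
#include <cstddef>
#include <memory>
#include <string>
#include <vector>

// Simplified model; every name here is hypothetical, none is WebKit's.
struct CellRenderer { int row; };                 // layout data for a visible <td>

struct Node {
    std::string tag, text;
    std::shared_ptr<CellRenderer> renderer;       // null inside display:none
};

// Constructed sample: the reported page in document order. The <td> sits in
// the display:none <div>, so it exists in the DOM but has no renderer.
std::vector<Node> reportedPage() {
    return {{"textarea", "", nullptr}, {"td", "test", nullptr}, {"input", "", nullptr}};
}

// "Before" shape: trusts that every cell has a renderer. Calling this on the
// hidden cell dereferences a null pointer.
int rowUnchecked(const Node& cell) { return cell.renderer->row; }

// "After" shape: check that the renderer exists before using it.
bool rowChecked(const Node& cell, int& row) {
    if (!cell.renderer) return false;
    row = cell.renderer->row;
    return true;
}

// Walks backwards from the field at fieldIndex and returns the text of the
// nearest rendered cell, skipping cells that have no renderer.
std::string labelBefore(const std::vector<Node>& doc, std::size_t fieldIndex) {
    for (std::size_t i = fieldIndex; i-- > 0;) {
        int row = 0;
        if (doc[i].tag == "td" && rowChecked(doc[i], row))
            return doc[i].text;
    }
    return "";
}

int main() {
    std::vector<Node> visible = reportedPage();
    visible[1].renderer = std::make_shared<CellRenderer>(CellRenderer{0});
    // Hidden cell is skipped; the same cell with a renderer is used.
    return labelBefore(reportedPage(), 2).empty() && labelBefore(visible, 2) == "test" ? 0 : 1;
}
```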
Dave Hyatt
Comment 6
2005-07-09 14:01:36 PDT
Comment on attachment 2858
Proposed fix
The fix looks good, but this patch isn't going to merge any more after the changes from 3405. Can you make the fix again and attach a new patch? Thanks.
Carsten Guenther
Comment 7
2005-07-09 15:50:06 PDT
Created attachment 2888
Merging patch
Here you go.
Joost de Valk (AlthA)
Comment 8
2005-07-11 06:09:04 PDT
Comment on attachment 2888
Merging patch
Changed name of patch, since it could seem now as if you just attached the patch again...
Dave Hyatt
Comment 9
2005-07-12 14:35:08 PDT
Comment on attachment 2888
Merging patch
r=me
Vicki Murley
Comment 10
2005-07-14 11:53:16 PDT
I'll commit this
Carsten Guenther
Comment 11
2005-07-18 19:38:27 PDT
Closing since this has been committed.
John Sullivan
Comment 12
2005-09-05 12:07:42 PDT
This is also in Radar as <rdar://problem/4146880>