VERIFIED FIXED 5777
REGRESSION: ToT crashes applying first-letter pseudo-property
https://bugs.webkit.org/show_bug.cgi?id=5777
Summary REGRESSION: ToT crashes applying first-letter pseudo-property
mitz
Reported 2005-11-19 16:18:52 PST
Safari and DumpRenderTree crash when opening the css1/pseudo/firstletter.html layout test. This is a very fresh regression (probably <48h).

Backtrace (from DRT):
0 com.apple.WebCore 0x013c4ae4 khtml::RenderStyle::isFloating() const + 20 (render_style.h: 1175)
1 com.apple.WebCore 0x0125e384 khtml::RenderBlock::updateFirstLetter() + 1096 (render_block.cpp:3339)
2 com.apple.WebCore 0x011c9398 khtml::RenderObject::recalcMinMaxWidths() + 260 (render_object.cpp:2286)
3 com.apple.WebCore 0x011c9494 khtml::RenderObject::recalcMinMaxWidths() + 512 (render_object.cpp:2298)
4 com.apple.WebCore 0x011c9494 khtml::RenderObject::recalcMinMaxWidths() + 512 (render_object.cpp:2298)
5 com.apple.WebCore 0x011c9494 khtml::RenderObject::recalcMinMaxWidths() + 512 (render_object.cpp:2298)
6 com.apple.WebCore 0x0126c464 khtml::RenderCanvas::layout() + 412 (render_canvas.cpp: 156)
7 com.apple.WebCore 0x010a8458 KHTMLView::layout() + 1660 (khtmlview.cpp:689)
8 com.apple.WebCore 0x011f7b50 DOM::DocumentImpl::implicitClose() + 1316 (dom_docimpl.cpp:1468)
9 com.apple.WebCore 0x010a30b4 KHTMLPart::checkEmitLoadEvent() + 916 (khtml_part.cpp: 2027)
10 com.apple.WebCore 0x010a32d0 KHTMLPart::checkCompleted() + 520 (khtml_part.cpp: 1950)
11 com.apple.WebCore 0x010a47dc KHTMLPart::slotLoaderRequestDone(khtml::DocLoader*, khtml::CachedObject*) + 60 (khtml_part.cpp:1864)
12 com.apple.WebCore 0x012342c0 KWQSlot::call(khtml::DocLoader*, khtml::CachedObject*) const + 128 (KWQSlot.mm:353)
13 com.apple.WebCore 0x0123354c KWQSignal::call(khtml::DocLoader*, khtml::CachedObject*) const + 232 (KWQSignal.mm:147)
14 com.apple.WebCore 0x010670e4 khtml::Loader::requestDone(khtml::DocLoader*, khtml::CachedObject*) + 60 (KWQSignalStubs.mm:45)
15 com.apple.WebCore 0x0118a390 khtml::Loader::slotFinished(KIO::Job*, NSData*) + 712 (loader.cpp:1674)
16 com.apple.WebCore 0x01234674 KWQSlot::callWithData(KIO::Job*, NSData*) const + 108 (KWQSlot.mm:323)
17 com.apple.WebCore 0x01233184 KWQSignal::callWithData(KIO::Job*, NSData*) const + 232 (KWQSignal.mm:183)
18 com.apple.WebCore 0x01038e60 KIO::TransferJob::emitResult(NSData*) + 72 (KWQKJobClasses.mm:243)
19 com.apple.WebCore 0x0123fff8 -[KWQResourceLoader finishJobAndHandle:] + 124 (KWQResourceLoader.mm:95)
20 com.apple.WebCore 0x01240294 -[KWQResourceLoader finishWithData:] + 196 (KWQResourceLoader.mm:126)
21 com.apple.WebKit 0x002425ec -[WebSubresourceLoader didFinishLoading] + 132 (WebSubresourceLoader.m:218)
22 com.apple.WebKit 0x00251124 -[WebLoader connectionDidFinishLoading:] + 184 (WebLoader.m:663)
23 com.apple.Foundation 0x92910cdc -[NSURLConnection(NSURLConnectionInternal) _sendDidFinishLoadingCallback] + 188
24 com.apple.Foundation 0x9290ef48 -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] + 556
25 com.apple.Foundation 0x9290eca0 _sendCallbacks + 156
26 com.apple.CoreFoundation 0x9075da5c __CFRunLoopDoSources0 + 384
27 com.apple.CoreFoundation 0x9075cf8c __CFRunLoopRun + 452
28 com.apple.CoreFoundation 0x9075ca0c CFRunLoopRunSpecific + 268
29 com.apple.Foundation 0x928ed664 -[NSRunLoop runMode:beforeDate:] + 172
30 DumpRenderTree 0x00006094 dumpRenderTree + 740 (DumpRenderTree.m:567)
31 DumpRenderTree 0x00003a60 main + 2244 (DumpRenderTree.m:171)
32 DumpRenderTree 0x000029f4 _start + 340 (crt.c:272)
33 DumpRenderTree 0x0000289c start + 60
Attachments
testcase for first-letter regression (333 bytes, text/html)
2005-11-19 16:35 PST, Daniel Udey
no flags
Hyatt's original patch. (13.72 KB, patch)
2005-11-20 13:42 PST, Eric Seidel (no email)
no flags
Daniel Udey
Comment 1 2005-11-19 16:35:19 PST
Created attachment 4737 [details]
testcase for first-letter regression

ToT crashes when applying styles to the first-letter pseudo-property of an element. This example uses a paragraph tag, but the result is the same with any tag tested.
mitz
Comment 2 2005-11-20 08:55:19 PST
*** Bug 5780 has been marked as a duplicate of this bug. ***
mitz
Comment 3 2005-11-20 09:16:48 PST
Looks like a regression from:

2005-11-17 David Hyatt <hyatt@apple.com>
Add support for getMatchedCSSRules, an API that can be used to inspect the set of rules that match on an element. From Obj-C you see all rules (user agent, author, user). From JS you just see author rules.

(Rolling out the patch eliminates this bug).
mitz
Comment 4 2005-11-20 10:00:09 PST
This is the culprit (from that patch): --- cssstyleselector.cpp 2 Nov 2005 08:52:40 -0000 1.220 +++ cssstyleselector.cpp 17 Nov 2005 21:28:10 -0000 1.221 @@ -377,8 +378,16 @@ sortMatchedRules(0, m_matchedRuleCount); // Now transfer the set of matched rules over to our list of decls. - for (unsigned i = 0; i < m_matchedRuleCount; i++) - addMatchedDeclaration(m_matchedRules[i]->rule()->declaration()); + if (style) { + for (unsigned i = 0; i < m_matchedRuleCount; i++) + addMatchedDeclaration(m_matchedRules[i]->rule()->declaration()); + } else { + for (unsigned i = 0; i < m_matchedRuleCount; i++) { + if (!m_ruleList) + m_ruleList = new CSSRuleListImpl(); + m_ruleList->append(m_matchedRules[i]->rule()); + } + } }
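Review bot: The hunk overloads the null-ness of `style` as a mode switch: whenever `style` is null the matched rules are diverted into `m_ruleList` and `addMatchedDeclaration` is never called, so any existing caller that passed a null `style` for another reason now gets no declarations applied at all. The backtrace in this bug (crash in `khtml::RenderStyle::isFloating()` called from `khtml::RenderBlock::updateFirstLetter()`) is consistent with the first-letter pseudo-style path being such a caller and receiving no style back. An explicit parameter or enum (for example, a "collect rules only" flag) that the getMatchedCSSRules entry point sets would keep the new API from changing the behaviour of existing callers; the `if (!m_ruleList) m_ruleList = new CSSRuleListImpl();` check could then also be hoisted out of the loop.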
Rosyna
Comment 5 2005-11-20 11:58:23 PST
*** Bug 5781 has been marked as a duplicate of this bug. ***
Eric Seidel (no email)
Comment 6 2005-11-20 13:42:16 PST
Created attachment 4750 [details]
Hyatt's original patch.
Eric Seidel (no email)
Comment 7 2005-11-20 13:42:38 PST
I rolled out hyatt's patch (which I have attached).
Joost de Valk (AlthA)
Comment 8 2006-01-22 04:51:56 PST
Removing keyword(s) because bug is fixed.
Joost de Valk (AlthA)
Comment 9 2006-01-22 04:54:30 PST
Removing keyword(s) since bug is fixed.
Joost de Valk (AlthA)
Comment 10 2006-01-22 05:00:00 PST
Removing keyword(s) since bug is fixed.
Eric Seidel (no email)
Comment 11 2006-01-31 21:20:51 PST
Removing Regression keyword from bugs already fixed.