WebKit Bugzilla
Bug 9432: REGRESSION: crash in capitalization code due to empty-string generated content
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=9432
David Smith
Reported 2006-06-14 01:41:55 PDT
Relevant section of backtrace:

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_INVALID_ADDRESS (0x0001) at 0xfffffffe

Thread 0 Crashed:
0 com.apple.WebCore 0x011be3c0 WebCore::RenderText::setText(WebCore::StringImpl*, bool) + 368
1 com.apple.WebCore 0x01195500 WebCore::RenderContainer::addChild(WebCore::RenderObject*, WebCore::RenderObject*) + 816
2 com.apple.WebCore 0x011a1620 WebCore::RenderInline::addChildToFlow(WebCore::RenderObject*, WebCore::RenderObject*) + 192
3 com.apple.WebCore 0x0125f7e8 WebCore::Node::createRendererIfNeeded() + 312
4 com.apple.WebCore 0x0122c698 WebCore::Text::attach() + 24
5 com.apple.WebCore 0x0102d1f8 WebCore::HTMLParser::insertNode(WebCore::Node*, bool) + 472
6 com.apple.WebCore 0x0102ecd0 WebCore::HTMLParser::parseToken(WebCore::Token*) + 800
7 com.apple.WebCore 0x01030350 WebCore::HTMLTokenizer::processToken() + 768
8 com.apple.WebCore 0x01035550 WebCore::HTMLTokenizer::write(WebCore::SegmentedString const&, bool) + 928
9 com.apple.WebCore 0x010ce8d8 WebCore::Frame::write(char const*, int) + 824
10 com.apple.WebKit 0x003348bc -[WebHTMLRepresentation receivedData:withDataSource:] + 156
11 com.apple.WebKit 0x003280ac -[WebDataSource(WebPrivate) _commitLoadWithData:] + 92
12 com.apple.WebKit 0x00349074 -[WebMainResourceLoader addData:] + 84
13 com.apple.WebKit 0x00325530 -[WebLoader didReceiveData:lengthReceived:] + 64
14 com.apple.WebKit 0x003499e8 -[WebMainResourceLoader didReceiveData:lengthReceived:] + 120
15 com.apple.WebKit 0x00325978 -[WebLoader connection:didReceiveData:lengthReceived:] + 56
16 com.apple.Foundation 0x929a85d4 -[NSURLConnection(NSURLConnectionInternal) _sendDidReceiveDataCallback] + 564
17 com.apple.Foundation 0x929a6a74 -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] + 488
Attachments
Test case reduction (321 bytes, text/html), 2006-06-14 05:01 PDT, jonathanjohnsson, no flags
Ignore empty-string renderers (38.35 KB, patch), 2006-06-15 13:17 PDT, mitz, hyatt: review+
Alexey Proskuryakov
Comment 1
2006-06-14 03:37:23 PDT
Confirmed with r14767.
David Kilzer (:ddkilzer)
Comment 2
2006-06-14 03:42:55 PDT
Crash on locally-built r14857 (first method is different):

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_INVALID_ADDRESS (0x0001) at 0xfffffffe

Thread 0 Crashed:
0 com.apple.WebCore 0x01b98a58 WebCore::StringImpl::operator[](int) const + 40 (HTMLParser.cpp:84)
1 com.apple.WebCore 0x0197cd4c WebCore::RenderText::setText(WebCore::StringImpl*, bool) + 696 (RenderText.cpp:895)
2 com.apple.WebCore 0x019419d4 WebCore::RenderContainer::addChild(WebCore::RenderObject*, WebCore::RenderObject*) + 1600 (RenderContainer.cpp:157)
3 com.apple.WebCore 0x0195026c WebCore::RenderInline::addChildToFlow(WebCore::RenderObject*, WebCore::RenderObject*) + 1000 (RenderInline.cpp:113)
4 com.apple.WebCore 0x01948128 WebCore::RenderFlow::addChild(WebCore::RenderObject*, WebCore::RenderObject*) + 156 (RenderFlow.cpp:120)
5 com.apple.WebCore 0x01a47d64 WebCore::Node::createRendererIfNeeded() + 748 (Node.cpp:920)
6 com.apple.WebCore 0x01a03f04 WebCore::Text::attach() + 36 (Text.cpp:158)
7 com.apple.WebCore 0x0188bfb0 WebCore::ContainerNode::attach() + 72 (ContainerNode.cpp:574)
8 com.apple.WebCore 0x01a4f968 WebCore::Element::attach() + 48 (Element.cpp:544)
9 com.apple.WebCore 0x0188bfb0 WebCore::ContainerNode::attach() + 72 (ContainerNode.cpp:574)
10 com.apple.WebCore 0x01a4f968 WebCore::Element::attach() + 48 (Element.cpp:544)
11 com.apple.WebCore 0x01ae4a78 WebCore::HTMLLIElement::attach() + 100 (HTMLLIElement.cpp:85)
12 com.apple.WebCore 0x0188bfb0 WebCore::ContainerNode::attach() + 72 (ContainerNode.cpp:574)
13 com.apple.WebCore 0x01a4f968 WebCore::Element::attach() + 48 (Element.cpp:544)
14 com.apple.WebCore 0x0188bfb0 WebCore::ContainerNode::attach() + 72 (ContainerNode.cpp:574)
15 com.apple.WebCore 0x01a4f968 WebCore::Element::attach() + 48 (Element.cpp:544)
16 com.apple.WebCore 0x0188bfb0 WebCore::ContainerNode::attach() + 72 (ContainerNode.cpp:574)
17 com.apple.WebCore 0x01a4f968 WebCore::Element::attach() + 48 (Element.cpp:544)
18 com.apple.WebCore 0x0188bfb0 WebCore::ContainerNode::attach() + 72 (ContainerNode.cpp:574)
19 com.apple.WebCore 0x01a4f968 WebCore::Element::attach() + 48 (Element.cpp:544)
20 com.apple.WebCore 0x0188bfb0 WebCore::ContainerNode::attach() + 72 (ContainerNode.cpp:574)
21 com.apple.WebCore 0x01a4f968 WebCore::Element::attach() + 48 (Element.cpp:544)
22 com.apple.WebCore 0x01a4fb50 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 468 (Element.cpp:561)
23 com.apple.WebCore 0x01a4fe10 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 1172 (Element.cpp:588)
24 com.apple.WebCore 0x01882e70 WebCore::Document::recalcStyle(WebCore::Node::StyleChange) + 1240 (Document.cpp:851)
25 com.apple.WebCore 0x01888dc0 WebCore::Document::updateStyleSelector() + 92 (Document.cpp:1752)
26 com.apple.WebCore 0x01888edc WebCore::Document::stylesheetLoaded() + 136 (Document.cpp:1731)
27 com.apple.WebCore 0x01ab7318 WebCore::HTMLLinkElement::setStyleSheet(WebCore::String const&, WebCore::String const&) + 536 (HTMLLinkElement.cpp:226)
28 com.apple.WebCore 0x018a4764 WebCore::CachedCSSStyleSheet::checkNotify() + 380 (CachedCSSStyleSheet.cpp:115)
29 com.apple.WebCore 0x018a48a4 WebCore::CachedCSSStyleSheet::data(WTF::Vector<char, (unsigned long)0>&, bool) + 216 (CachedCSSStyleSheet.cpp:101)
30 com.apple.WebCore 0x018a9570 WebCore::Loader::receivedAllData(WebCore::TransferJob*, NSData*) + 464 (loader.cpp:139)
31 com.apple.WebCore 0x01795afc -[KWQResourceLoader finishJobAndHandle:] + 180 (KWQResourceLoader.mm:98)
32 com.apple.WebCore 0x01795dac -[KWQResourceLoader finishWithData:] + 196 (KWQResourceLoader.mm:130)
33 com.apple.WebKit 0x0033d9f4 -[WebSubresourceLoader didFinishLoading] + 132 (WebSubresourceLoader.m:210)
34 com.apple.WebKit 0x00341798 -[WebLoader connectionDidFinishLoading:] + 184 (WebLoader.m:575)
35 com.apple.Foundation 0x929a884c -[NSURLConnection(NSURLConnectionInternal) _sendDidFinishLoadingCallback] + 188
36 com.apple.Foundation 0x929a6ab8 -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] + 556
37 com.apple.Foundation 0x929a6810 _sendCallbacks + 156
38 com.apple.CoreFoundation 0x907e44cc __CFRunLoopDoSources0 + 384
39 com.apple.CoreFoundation 0x907e39fc __CFRunLoopRun + 452
40 com.apple.CoreFoundation 0x907e347c CFRunLoopRunSpecific + 268
41 com.apple.HIToolbox 0x9321d980 RunCurrentEventLoopInMode + 264
42 com.apple.HIToolbox 0x9321d014 ReceiveNextEventCommon + 380
43 com.apple.HIToolbox 0x9321ce80 BlockUntilNextEventMatchingListInMode + 96
44 com.apple.AppKit 0x9371fe84 _DPSNextEvent + 384
45 com.apple.AppKit 0x9371fb48 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 116
46 com.apple.Safari 0x00006df4 0x1000 + 24052
47 com.apple.AppKit 0x9371c08c -[NSApplication run] + 472
48 com.apple.AppKit 0x9380cbfc NSApplicationMain + 452
49 com.apple.Safari 0x0005cb98 0x1000 + 375704
50 com.apple.Safari 0x0005ca40 0x1000 + 375360
jonathanjohnsson
Comment 3
2006-06-14 05:01:34 PDT
Created attachment 8844 [details]
Test case reduction
mitz
Comment 4
2006-06-14 13:24:29 PDT
This looks like an easy fix once you decide whether the empty generated-content string constitutes a word break or not.
Darin Adler
Comment 5
2006-06-15 07:55:47 PDT
(In reply to comment #4)
> This looks like an easy fix once you decide whether the empty generated-content
> string constitutes a word break or not.
Let's code this for now so that an empty string doesn't cause a word break.
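The word-break decision discussed in comments 4 and 5, modelled as an added C++ example. This is illustration written for this page, not WebKit's code and not the patch in attachment 8862; the `TextRun` type, the bounds-checked `charAt` helper and the sample runs are constructed stand-ins. It assumes the mechanism the two traces suggest: `RenderText::setText` fetches the last character of the preceding text run to decide whether the new run begins a word, and when that run is empty generated content (CSS `content: ""`) the index `length - 1` is -1, so `StringImpl::operator[]` reads before the buffer and faults just below address zero. The fixed lookup follows Darin's direction: an empty run is skipped rather than counted as a word break.

```cpp
#include <cctype>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

// Constructed stand-in for a sequence of inline text renderers (WebKit's RenderText
// siblings). An empty `text` models generated content such as CSS `content: ""`.
struct TextRun {
    std::string text;
};

// Bounds-checked stand-in for StringImpl::operator[](int). The real accessor had no
// check, so an index of -1 read before the buffer and faulted; here it throws instead.
static char charAt(const std::string& s, long index) {
    if (index < 0 || index >= static_cast<long>(s.size()))
        throw std::out_of_range("StringImpl index out of range");
    return s[static_cast<std::size_t>(index)];
}

// Buggy lookup: the last character of the immediately preceding run.
// For an empty previous run, size() - 1 is -1 and charAt() throws
// (where the original code read out of bounds).
static char previousCharacterBuggy(const std::vector<TextRun>& runs, std::size_t index) {
    if (index == 0)
        return ' ';
    const std::string& prev = runs[index - 1].text;
    return charAt(prev, static_cast<long>(prev.size()) - 1);
}

// Fixed lookup, following comment 5: an empty run is neither a letter nor a word
// break. Skip it and keep walking back; the start of the flow counts as a boundary.
static char previousCharacterFixed(const std::vector<TextRun>& runs, std::size_t index) {
    for (std::size_t i = index; i > 0; --i) {
        const std::string& prev = runs[i - 1].text;
        if (!prev.empty())
            return prev.back();
    }
    return ' ';
}

// text-transform: capitalize for one run. A letter that follows a non-alphanumeric
// character (including the one carried in from the previous run) is upper-cased.
static std::string capitalizeRun(const std::string& text, char previous) {
    std::string out = text;
    unsigned char prev = static_cast<unsigned char>(previous);
    for (char& c : out) {
        unsigned char uc = static_cast<unsigned char>(c);
        if (!std::isalnum(prev) && std::isalpha(uc))
            c = static_cast<char>(std::toupper(uc));
        prev = static_cast<unsigned char>(c);
    }
    return out;
}

// Renders all runs with capitalization applied. Returns "<crash>" where the buggy
// lookup would have read out of bounds, so the two behaviours can be compared.
static std::string render(const std::vector<TextRun>& runs, bool fixed) {
    std::string result;
    try {
        for (std::size_t i = 0; i < runs.size(); ++i) {
            char prev = fixed ? previousCharacterFixed(runs, i)
                              : previousCharacterBuggy(runs, i);
            result += capitalizeRun(runs[i].text, prev);
        }
    } catch (const std::out_of_range&) {
        return "<crash>";
    }
    return result;
}

int main() {
    // Constructed inputs: a text run, an empty generated-content run, another text run.
    const std::vector<TextRun> withSpace = {{"hello "}, {""}, {"world"}};
    const std::vector<TextRun> joined    = {{"foo"}, {""}, {"bar"}};

    std::cout << "buggy: " << render(withSpace, false) << '\n';  // <crash>
    std::cout << "fixed: " << render(withSpace, true) << '\n';   // Hello World
    std::cout << "fixed: " << render(joined, true) << '\n';      // Foobar
    return 0;
}
```

The third case is the one the thread's decision governs: with the empty run treated as transparent, "foo" followed by `content: ""` followed by "bar" renders as one word, "Foobar", rather than "FooBar".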
mitz
Comment 6
2006-06-15 13:17:02 PDT
Created attachment 8862 [details]
Ignore empty-string renderers
Dave Hyatt
Comment 7
2006-06-15 13:20:16 PDT
Comment on attachment 8862 [details]
Ignore empty-string renderers
r=me
David Kilzer (:ddkilzer)
Comment 8
2006-06-16 06:09:49 PDT
Committed revision 14887.