WebKit Bugzilla
RESOLVED FIXED
9537
REGRESSION: Reproducible crash in WebCore::RenderTextField::textWithHardLineBreaks()
https://bugs.webkit.org/show_bug.cgi?id=9537
David Kilzer (:ddkilzer), Reported 2006-06-21 21:56:07 PDT

After clicking a submit button on a form on Spamcop (was reporting spam), Safari+WebKit crashed with the stack trace below. I'm using Mac OS X 10.4.6 (8I127/PowerPC) with Safari 2.0.3 (417.9.3) and WebKit r14968.

Date/Time:      2006-06-21 23:50:55.774 -0500
OS Version:     10.4.6 (Build 8I127)
Report Version: 4

Command: Safari
Path:    /Applications/Safari.app/Contents/MacOS/Safari
Parent:  bash [263]

Version:        2.0.3 (417.9.3)
Build Version:  2
Project Name:   WebBrowser
Source Version: 4170903

PID:    24555
Thread: 0

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00000000

Thread 0 Crashed:
0   com.apple.WebCore 0x012514c0 WebCore::RenderTextField::textWithHardLineBreaks() + 328 (RenderTextField.cpp:277)
1   com.apple.WebCore 0x0110b50c WebCore::HTMLTextAreaElement::appendFormData(WebCore::FormDataList&, bool) + 224 (HTMLTextAreaElement.cpp:176)
2   com.apple.WebCore 0x01106fd0 WebCore::HTMLFormElement::formData(WebCore::FormData&) const + 756 (HTMLFormElement.cpp:214)
3   com.apple.WebCore 0x01107c0c WebCore::HTMLFormElement::submit(bool) + 1008 (HTMLFormElement.cpp:375)
4   com.apple.WebCore 0x01107edc WebCore::HTMLFormElement::prepareSubmit() + 316 (HTMLFormElement.cpp:326)
5   com.apple.WebCore 0x01100c74 WebCore::HTMLInputElement::defaultEventHandler(WebCore::Event*) + 720 (HTMLInputElement.cpp:1216)
6   com.apple.WebCore 0x012f9db0 WebCore::EventTargetNode::dispatchGenericEvent(WTF::PassRefPtr<WebCore::Event>, int&, bool) + 2116 (EventTargetNode.cpp:254)
7   com.apple.WebCore 0x012fa7bc WebCore::EventTargetNode::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, int&, bool) + 348 (EventTargetNode.cpp:290)
8   com.apple.WebCore 0x012faec8 WebCore::EventTargetNode::dispatchUIEvent(WebCore::AtomicString const&, int) + 420 (EventTargetNode.cpp:343)
9   com.apple.WebCore 0x012fb3ec WebCore::EventTargetNode::dispatchMouseEvent(WebCore::AtomicString const&, int, int, int, int, int, int, bool, bool, bool, bool, bool, WebCore::Node*) + 1268 (EventTargetNode.cpp:441)
10  com.apple.WebCore 0x012fb674 WebCore::EventTargetNode::dispatchMouseEvent(WebCore::PlatformMouseEvent const&, WebCore::AtomicString const&, int, WebCore::Node*) + 392 (EventTargetNode.cpp:374)
11  com.apple.WebCore 0x01141c68 WebCore::FrameView::dispatchMouseEvent(WebCore::AtomicString const&, WebCore::Node*, bool, int, WebCore::PlatformMouseEvent const&, bool) + 736 (FrameView.cpp:1043)
12  com.apple.WebCore 0x01142184 WebCore::FrameView::handleMouseReleaseEvent(WebCore::PlatformMouseEvent const&) + 628 (FrameView.cpp:737)
13  com.apple.WebCore 0x0112c730 WebCore::FrameMac::mouseUp(NSEvent*) + 508 (FrameMac.mm:2015)
14  com.apple.WebCore 0x01161134 -[WebCoreFrameBridge mouseUp:] + 52 (WebCoreFrameBridge.mm:1034)
15  com.apple.WebKit  0x0037303c -[WebHTMLView mouseUp:] + 292 (WebHTMLView.m:3140)
16  com.apple.AppKit  0x9377bca0 -[NSWindow sendEvent:] + 4728
17  com.apple.Safari  0x00021ca4 0x1000 + 134308
18  com.apple.AppKit  0x93724c74 -[NSApplication sendEvent:] + 4172
19  com.apple.Safari  0x000217a8 0x1000 + 133032
20  com.apple.AppKit  0x9371c0b0 -[NSApplication run] + 508
21  com.apple.AppKit  0x9380cbfc NSApplicationMain + 452
22  com.apple.Safari  0x0005cb98 0x1000 + 375704
23  com.apple.Safari  0x0005ca40 0x1000 + 375360
Attachments
Test case (141 bytes, text/html), 2006-06-22 04:32 PDT, David Kilzer (:ddkilzer), no flags
Patch v1 (4.01 KB, patch), 2006-06-25 15:10 PDT, David Kilzer (:ddkilzer), no flags
Patch v2 (4.95 KB, patch), 2006-06-25 15:29 PDT, David Kilzer (:ddkilzer), darin: review+
David Kilzer (:ddkilzer), Comment 1, 2006-06-22 04:30:39 PDT
After reducing a page that crashed, it seems that defining a textarea with a name and a wrap attribute of either "physical" or "hard" will cause Safari to crash when the form is submitted. See attached test case.
David Kilzer (:ddkilzer), Comment 2, 2006-06-22 04:32:08 PDT
Created attachment 8962: Test case

Test case that crashes Safari. You must click the "Submit" button before it crashes, though.
Darin Adler, Comment 3, 2006-06-25 13:22:04 PDT
The code says this:

    m_div->firstChild()->renderer()->inlineBox(0, DOWNSTREAM)

I think that renderer might be 0.
Darin Adler, Comment 4, 2006-06-25 13:26:16 PDT
Definitely the problem == no text, no renderer, nil-deref when trying to make a call on the renderer. Just add a nil check.
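
The nil check suggested in comment 4, as an added example that is not part of the bug thread and not WebKit's code: a simplified model in which an empty text node has no renderer, with every link of the `m_div->firstChild()->renderer()->inlineBox(...)` chain checked before use. `InlineBox`, `Renderer`, `TextNode`, `InnerDiv` and the fixed-column wrapping are hypothetical stand-ins.

```cpp
// Added illustration: simplified stand-ins, not WebCore's real classes.
#include <iostream>
#include <memory>
#include <string>
#include <vector>
struct InlineBox { size_t end; };          // offset where one visual line ends
struct Renderer {
    std::vector<InlineBox> lines;
    const InlineBox* inlineBox(size_t i) const { return i < lines.size() ? &lines[i] : nullptr; }
};
struct TextNode {
    std::string data;
    std::unique_ptr<Renderer> renderer;    // stays null when there is no text
    TextNode(const std::string& s, size_t cols) : data(s) {
        if (data.empty() || cols == 0) return;   // "no text, no renderer"
        renderer.reset(new Renderer);
        for (size_t e = cols; ; e += cols) {     // soft-wrap every `cols` chars
            renderer->lines.push_back({e < data.size() ? e : data.size()});
            if (e >= data.size()) break;
        }
    }
};
struct InnerDiv {
    std::unique_ptr<TextNode> child;
    TextNode* firstChild() const { return child.get(); }
};

// Value submitted for wrap="hard": soft wraps become real newlines.
// Each link of the chain is checked before it is dereferenced.
std::string textWithHardLineBreaks(const InnerDiv* div) {
    TextNode* text = div ? div->firstChild() : nullptr;
    Renderer* r = text ? text->renderer.get() : nullptr;
    if (!r) return "";                     // empty textarea: nothing to walk
    std::string out;
    size_t start = 0;
    for (size_t i = 0; const InlineBox* box = r->inlineBox(i); ++i) {
        if (i) out += '\n';
        out.append(text->data, start, box->end - start);
        start = box->end;
    }
    return out;
}

int main() {
    InnerDiv empty, filled;
    empty.child.reset(new TextNode("", 3));
    filled.child.reset(new TextNode("abcdefgh", 3));
    std::cout << textWithHardLineBreaks(&empty).size() << '\n' << textWithHardLineBreaks(&filled) << '\n';
}
```
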
David Kilzer (:ddkilzer), Comment 5, 2006-06-25 15:10:59 PDT
Created attachment 9022: Patch v1

Patch and test case.
Darin Adler, Comment 6, 2006-06-25 15:20:15 PDT
Comment on attachment 9022: Patch v1

r=me -- even better if we can figure out some day how to do the test without a timeout
David Kilzer (:ddkilzer), Comment 7, 2006-06-25 15:29:54 PDT
Created attachment 9023: Patch v2

Changed test timeout from 200ms to 0ms. Also fixed LayoutTests/fast/forms/textarea-hard-linewrap.html the same way.
Darin Adler, Comment 8, 2006-06-25 16:38:25 PDT
Comment on attachment 9023: Patch v2

r=me
David Kilzer (:ddkilzer), Comment 9, 2006-06-25 16:50:32 PDT
Committed revision 15040.