28012 2009-08-05 00:44:43 -0700 WML causes crash on Slashdot.org main page 2009-08-15 17:17:19 -0700 1 1 1 Unclassified WebKit Layout and Rendering 528+ (Nightly build) PC All RESOLVED FIXED P2 Normal --- 1 red47514f7 staikos jmalonzo red47514f7 staikos zimmermann oldest_to_newest 137267 0 red47514f7 2009-08-05 00:44:43 -0700 If I wget http://slashdot.org/ and just open it in a WebKit-based browser, everything is OK; of course, JavaScript loaded by relative URLs is not working. If I open http://slashdot.org/ in a webkit browser built against latest nightly (I tried two different browsers - uzbl and midori, both have the same regression when the same browser code is linked against too fresh WebKit instead of slightly older one), I see the Slashdot scripts composing a page, for a brief moment I even see nearly-complete rendering and then browser crashes. 137301 1 red47514f7 2009-08-05 06:27:05 -0700 Maybe I misclassified the bug because disabling one CSS file ( http://c.fsdn.com/sd/idlecore-tidied.css?T_2_5_0_266b ) fixes the problem. Bug was first filed when r46770 was fresh nightly. It appeared a few days earlier. gdb reports WebCore::RenderFieldset::findLegend Full backtrace minus paths and application part: #0 0xb7a0b9bf in WebCore::RenderFieldset::findLegend () #1 0xb7a0c83d in WebCore::RenderFieldset::calcPrefWidths () #2 0xb79f6d9b in WebCore::RenderBox::minPrefWidth () #3 0xb7a003d3 in WebCore::RenderBox::calcWidth () #4 0xb79e8cba in WebCore::RenderBlock::layoutBlock () #5 0xb79d6b18 in WebCore::RenderBlock::layout () #6 0xb79e865b in WebCore::RenderBlock::layoutBlockChildren () #7 0xb79e9311 in WebCore::RenderBlock::layoutBlock () #8 0xb79d6b18 in WebCore::RenderBlock::layout () #9 0xb79e865b in WebCore::RenderBlock::layoutBlockChildren () #10 0xb79e9311 in WebCore::RenderBlock::layoutBlock () #11 0xb79d6b18 in WebCore::RenderBlock::layout () #12 0xb79e865b in WebCore::RenderBlock::layoutBlockChildren () #13 0xb79e9311 in WebCore::RenderBlock::layoutBlock () #14 0xb79d6b18 in WebCore::RenderBlock::layout () #15 0xb79e865b in WebCore::RenderBlock::layoutBlockChildren () #16 0xb79e9311 in WebCore::RenderBlock::layoutBlock () #17 0xb79d6b18 in WebCore::RenderBlock::layout () #18 0xb79d896c in WebCore::RenderBlock::insertFloatingObject () #19 0xb79e3377 in WebCore::RenderBlock::handleFloatingChild () #20 0xb79e6313 in WebCore::RenderBlock::handleSpecialChild () #21 0xb79e84b9 in WebCore::RenderBlock::layoutBlockChildren () #22 0xb79e9311 in WebCore::RenderBlock::layoutBlock () #23 0xb79d6b18 in WebCore::RenderBlock::layout () #24 0xb79e865b in WebCore::RenderBlock::layoutBlockChildren () #25 0xb79e9311 in WebCore::RenderBlock::layoutBlock () #26 0xb79d6b18 in WebCore::RenderBlock::layout () #27 0xb79e865b in WebCore::RenderBlock::layoutBlockChildren () #28 0xb79e9311 in WebCore::RenderBlock::layoutBlock () #29 0xb79d6b18 in WebCore::RenderBlock::layout () #30 0xb79e865b in WebCore::RenderBlock::layoutBlockChildren () #31 0xb79e9311 in WebCore::RenderBlock::layoutBlock () #32 0xb79d6b18 in WebCore::RenderBlock::layout () #33 0xb79e865b in WebCore::RenderBlock::layoutBlockChildren () #34 0xb79e9311 in WebCore::RenderBlock::layoutBlock () #35 0xb79d6b18 in WebCore::RenderBlock::layout () #36 0xb7a6ff17 in WebCore::RenderView::layout () #37 0xb7932682 in WebCore::FrameView::layout () #38 0xb773c250 in WebCore::Document::updateLayout () #39 0xb774f5d9 in WebCore::Document::updateLayoutIgnorePendingStylesheets () #40 0xb76b684b in WebCore::CSSComputedStyleDeclaration::getPropertyCSSValue () #41 0xb76bcf98 in WebCore::CSSComputedStyleDeclaration::getPropertyCSSValue () #42 0xb76b5446 in WebCore::CSSComputedStyleDeclaration::getPropertyValue () #43 0xb76f6353 in WebCore::CSSStyleDeclaration::getPropertyValue () #44 0xb7cb66c4 in WebCore::jsCSSStyleDeclarationPrototypeFunctionGetPropertyValue () 137526 2 red47514f7 2009-08-05 23:09:33 -0700 Still crashes in r46809 nightly (just in case..) 137832 3 red47514f7 2009-08-07 02:01:59 -0700 Simple reduction (derived from slashdot.org). <form> tag can be added if you wish so. <html> <head> <style> label{display:block;} </style> </head> <body> <fieldset> <label></label> a </fieldset> </body> </html> 137833 4 34261 red47514f7 2009-08-07 02:04:22 -0700 Created attachment 34261 Reduction for slashdot.org crash <form> tag around <fieldset> is omitted for brevity. It would make no difference. 137843 5 red47514f7 2009-08-07 03:32:36 -0700 Further investigating: it only ocurs when WML support was enabled during the build. 140481 6 jmalonzo 2009-08-15 14:10:42 -0700 CC'ing Nikolas as he knows more about WML. 140484 7 staikos 2009-08-15 14:42:46 -0700 I believe this is a regression of a bug that was fixed before. It's platform independent. 140498 8 34908 staikos 2009-08-15 16:47:03 -0700 Created attachment 34908 Patch and testcase to fix the bug 140499 9 staikos 2009-08-15 16:59:32 -0700 Bug # can be added when landing. It's in my local tree. 140501 10 jmalonzo 2009-08-15 17:05:17 -0700 (In reply to comment #9) > Bug # can be added when landing. It's in my local tree. Looks ok. r=me. 140503 11 staikos 2009-08-15 17:17:19 -0700 Checked in r47329 34261 2009-08-07 02:04:22 -0700 2009-08-07 02:04:22 -0700 Reduction for slashdot.org crash reduction-slashdot.html text/html 261 red47514f7 PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9XM0MvL0RURCBIVE1MIDQuMDEvL0VOIiAiaHR0cDov L3d3dy53My5vcmcvVFIvaHRtbDQvc3RyaWN0LmR0ZCI+CjxodG1sPiAKICA8aGVhZD4gCiAgICA8 c3R5bGU+CiAgICAgIGxhYmVse2Rpc3BsYXk6YmxvY2s7fQogICAgPC9zdHlsZT4KICA8L2hlYWQ+ CiAgPGJvZHk+CiAgICAgICAgPGZpZWxkc2V0PgoJPGxhYmVsPjwvbGFiZWw+CgkgIGEKICAgICAg ICA8L2ZpZWxkc2V0PiAKICA8L2JvZHk+CjwvaHRtbD4K 34908 2009-08-15 16:47:03 -0700 2009-08-15 17:05:41 -0700 Patch and testcase to fix the bug wml-legend-crash.patch text/plain 2462 staikos SW5kZXg6IFdlYkNvcmUvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvQ2hhbmdlTG9n CShyZXZpc2lvbiA0NzMyOCkKKysrIFdlYkNvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBA IC0xLDMgKzEsMTQgQEAKKzIwMDktMDgtMTUgIEdlb3JnZSBTdGFpa29zICA8Z2VvcmdlLnN0YWlr b3NAdG9yY2htb2JpbGUuY29tPgorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEp LgorCisgICAgICAgIERvbid0IGNyYXNoIGluIGZpZWxkc2V0IGNvZGUgd2hlbiBXTUwgaXMgZW5h YmxlZC4KKworICAgICAgICBUZXN0OiBmYXN0L3dtbC9odG1sLWZpZWxkc2V0LWNyYXNoLmh0bWwK KworICAgICAgICAqIHJlbmRlcmluZy9SZW5kZXJGaWVsZHNldC5jcHA6CisgICAgICAgIChXZWJD b3JlOjpSZW5kZXJGaWVsZHNldDo6ZmluZExlZ2VuZCk6ICsrYnJhY2tldHMKKwogMjAwOS0wOC0x NSAgU2FtIFdlaW5pZyAgPHNhbUB3ZWJraXQub3JnPgogCiAgICAgICAgIFRyeSBhbmQgZW5hYmxl IEV2ZW50U291cmNlIG9uIFdpbmRvd3MuCkluZGV4OiBXZWJDb3JlL3JlbmRlcmluZy9SZW5kZXJG aWVsZHNldC5jcHAKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PQotLS0gV2ViQ29yZS9yZW5kZXJpbmcvUmVuZGVyRmllbGRz ZXQuY3BwCShyZXZpc2lvbiA0NzMyNikKKysrIFdlYkNvcmUvcmVuZGVyaW5nL1JlbmRlckZpZWxk c2V0LmNwcAkod29ya2luZyBjb3B5KQpAQCAtMTA4LDEwICsxMDgsMTEgQEAgUmVuZGVyQm94KiBS ZW5kZXJGaWVsZHNldDo6ZmluZExlZ2VuZCgpIAogewogICAgIGZvciAoUmVuZGVyT2JqZWN0KiBs ZWdlbmQgPSBmaXJzdENoaWxkKCk7IGxlZ2VuZDsgbGVnZW5kID0gbGVnZW5kLT5uZXh0U2libGlu ZygpKSB7CiAgICAgICAgIGlmICghbGVnZW5kLT5pc0Zsb2F0aW5nT3JQb3NpdGlvbmVkKCkgJiYg bGVnZW5kLT5ub2RlKCkgJiYKLSAgICAgICAgICAgIGxlZ2VuZC0+bm9kZSgpLT5oYXNUYWdOYW1l KGxlZ2VuZFRhZykKKyAgICAgICAgICAgIChsZWdlbmQtPm5vZGUoKS0+aGFzVGFnTmFtZShsZWdl bmRUYWcpCiAjaWYgRU5BQkxFKFdNTCkKICAgICAgICAgICAgIHx8IGxlZ2VuZC0+bm9kZSgpLT5o YXNUYWdOYW1lKFdNTE5hbWVzOjppbnNlcnRlZExlZ2VuZFRhZykKICNlbmRpZgorICAgICAgICAg ICAgKQogICAgICAgICAgICApCiAgICAgICAgICAgICByZXR1cm4gdG9SZW5kZXJCb3gobGVnZW5k KTsKICAgICB9CkluZGV4OiBMYXlvdXRUZXN0cy9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gTGF5 b3V0VGVzdHMvQ2hhbmdlTG9nCShyZXZpc2lvbiA0NzMyOCkKKysrIExheW91dFRlc3RzL0NoYW5n ZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDEyIEBACisyMDA5LTA4LTE1ICBHZW9yZ2Ug U3RhaWtvcyAgPGdlb3JnZS5zdGFpa29zQHRvcmNobW9iaWxlLmNvbT4KKworICAgICAgICBSZXZp ZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBUZXN0IHRvIGRlbW9uc3RyYXRlIGNy YXNoIGluIGZpZWxkc2V0IGNvZGUgd2hlbiBXTUwgaXMgZW5hYmxlZC4KKyAgICAgICAgVGVzdCBw cm92aWRlZCBieSByZWQ0NzUxNGY3QHlhbmRleC5ydQorCisgICAgICAgICogZmFzdC93bWwvaHRt bC1maWVsZHNldC1jcmFzaC5odG1sOiBBZGRlZC4KKwogMjAwOS0wOC0xNSAgU2FtIFdlaW5pZyAg PHNhbUB3ZWJraXQub3JnPgogCiAgICAgICAgIFJlbW92ZSBubyBsb25nZXIgY29ycmVjdCBhbmQg bm93IGZhaWxpbmcgdGVzdC4gIGRvY3VtZW50LmJvZHkub251bmxvYWQKSW5kZXg6IExheW91dFRl c3RzL2Zhc3Qvd21sL2h0bWwtZmllbGRzZXQtY3Jhc2guaHRtbAo9PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBMYXlv dXRUZXN0cy9mYXN0L3dtbC9odG1sLWZpZWxkc2V0LWNyYXNoLmh0bWwJKHJldmlzaW9uIDApCisr KyBMYXlvdXRUZXN0cy9mYXN0L3dtbC9odG1sLWZpZWxkc2V0LWNyYXNoLmh0bWwJKHJldmlzaW9u IDApCkBAIC0wLDAgKzEsMTQgQEAKKzwhRE9DVFlQRSBIVE1MIFBVQkxJQyAiLS8vVzNDLy9EVEQg SFRNTCA0LjAxLy9FTiIgImh0dHA6Ly93d3cudzMub3JnL1RSL2h0bWw0L3N0cmljdC5kdGQiPgor PGh0bWw+IAorICA8aGVhZD4gCisgICAgPHN0eWxlPgorICAgICAgbGFiZWx7ZGlzcGxheTpibG9j azt9CisgICAgPC9zdHlsZT4KKyAgPC9oZWFkPgorICA8Ym9keT4KKyAgICAgICAgPGZpZWxkc2V0 PgorCTxsYWJlbD48L2xhYmVsPgorCSAgYQorICAgICAgICA8L2ZpZWxkc2V0PiAKKyAgPC9ib2R5 PgorPC9odG1sPgo=