46770 2010-09-28 17:23:28 -0700 crash at lineBreakExistsAtPosition 2010-09-29 17:13:12 -0700 1 1 1 Unclassified WebKit HTML Editing 528+ (Nightly build) All OS X 10.5 RESOLVED FIXED InRadar P2 Normal --- 1 enrica enrica rniwa tony oldest_to_newest 286656 0 enrica 2010-09-28 17:23:28 -0700 This bug has been reported by several people. We don't have a repro case, but it seems related to typing in form controls. Here is the stacktrace: Exception Type: EXC_BAD_ACCESS (SIGBUS) Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000004 Crashed Thread: 0 Thread 0 Crashed: 0 com.apple.WebCore 0x9282476d WebCore::lineBreakExistsAtPosition(WebCore::Position const&) + 125 1 com.apple.WebCore 0x928236c6 WebCore::InsertTextCommand::input(WebCore::String const&, bool) + 294 2 com.apple.WebCore 0x92822e8c WebCore::TypingCommand::insertTextRunWithoutNewlines(WebCore::String const&, bool) + 140 3 com.apple.WebCore 0x92822ddf WebCore::TypingCommand::insertText(WebCore::String const&, bool) + 351 4 com.apple.WebCore 0x928215c3 WebCore::TypingCommand::insertText(WebCore::Document*, WebCore::String const&, WebCore::VisibleSelection const&, bool, bool) + 659 5 com.apple.WebCore 0x92820c78 WebCore::Editor::insertTextWithoutSendingTextEvent(WebCore::String const&, bool, WebCore::Event*) + 1048 6 com.apple.WebCore 0x92820835 WebCore::EventHandler::defaultTextInputEventHandler(WebCore::TextEvent*) + 197 7 com.apple.WebCore 0x9263ddbb WebCore::Node::defaultEventHandler(WebCore::Event*) + 379 8 com.apple.WebCore 0x927026b8 WebCore::HTMLInputElement::defaultEventHandler(WebCore::Event*) + 600 9 com.apple.WebCore 0x9263d8f1 WebCore::Node::dispatchGenericEvent(WTF::PassRefPtr<WebCore::Event>) + 1297 10 com.apple.WebCore 0x9263d2a1 WebCore::Node::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, int&) + 225 11 com.apple.WebCore 0x928205ce WebCore::EventHandler::handleTextInputEvent(WebCore::String const&, WebCore::Event*, bool, bool) + 238 12 com.apple.WebCore 0x928204d9 WebCore::Editor::insertText(WebCore::String const&, WebCore::Event*) + 57 13 com.apple.WebKit 0x932588bd -[WebHTMLView(WebNSTextInputSupport) insertText:] + 1229 14 com.apple.WebKit 0x9325830a -[WebHTMLView(WebInternal) _interceptEditingKeyEvent:shouldSaveCommand:] + 682 15 com.apple.WebKit 0x93258b4c WebEditorClient::handleKeyboardEvent(WebCore::KeyboardEvent*) + 108 16 com.apple.WebCore 0x9281fc99 WebCore::EventHandler::defaultKeyboardEventHandler(WebCore::KeyboardEvent*) + 217 17 com.apple.WebCore 0x9263dcaa WebCore::Node::defaultEventHandler(WebCore::Event*) + 106 18 com.apple.WebCore 0x927025f6 WebCore::HTMLInputElement::defaultEventHandler(WebCore::Event*) + 406 19 com.apple.WebCore 0x9263d8f1 WebCore::Node::dispatchGenericEvent(WTF::PassRefPtr<WebCore::Event>) + 1297 20 com.apple.WebCore 0x9263d2a1 WebCore::Node::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, int&) + 225 21 com.apple.WebCore 0x9281f3f3 WebCore::EventHandler::keyEvent(WebCore::PlatformKeyboardEvent const&) + 1827 22 com.apple.WebCore 0x9281d068 WebCore::EventHandler::keyEvent(NSEvent*) + 296 23 com.apple.WebKit 0x93257ebd -[WebHTMLView keyDown:] + 269 286659 1 69141 enrica 2010-09-28 17:27:17 -0700 Created attachment 69141 Patch 286662 2 69141 darin 2010-09-28 17:29:55 -0700 Comment on attachment 69141 Patch Normally we require a test for any bug fix. I am saying review+ on this even without a test, but it seems that given you understanding of the cause you could construct a test. 287032 3 enrica 2010-09-29 11:48:39 -0700 (In reply to comment #2) > (From update of attachment 69141 [details]) > Normally we require a test for any bug fix. I am saying review+ on this even without a test, but it seems that given you understanding of the cause you could construct a test. I still want to spend some more time trying to create a test. What makes me feel comfortable landing this patch without a test, is the fact that this is the only case of dereferencing of a render object that is performed without checking for null that I could find in Webcore. 287041 4 tony 2010-09-29 12:00:23 -0700 If it helps, many of the crash dumps in Chromium have http://www.netflix.com/WiHome as the crashing URL. The chromium crash report is here: http://code.google.com/p/chromium/issues/detail?id=29253 Ryosuke also suspects that this null check is all that we need to do, but a repro would still be nice. 287045 5 rniwa 2010-09-29 12:06:42 -0700 (In reply to comment #4) > If it helps, many of the crash dumps in Chromium have http://www.netflix.com/WiHome as the crashing URL. > > The chromium crash report is here: http://code.google.com/p/chromium/issues/detail?id=29253 > > Ryosuke also suspects that this null check is all that we need to do, but a repro would still be nice. Oh yeah, I spent sometime investigating that bug and it's to do with input element. I remembre it was hard to reproduce. But every time I could reproduce, it was right after the page load. I had to move back & forth between pages to reproduce it. 287049 6 enrica 2010-09-29 12:08:46 -0700 This is the only place I could find where we dereference the renderer without checking for null. 287233 7 enrica 2010-09-29 17:13:12 -0700 Committed revision 68727. 69141 2010-09-28 17:27:17 -0700 2010-09-28 17:29:55 -0700 Patch bug7028809.txt text/plain 1659 enrica SW5kZXg6IFdlYkNvcmUvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvQ2hhbmdlTG9n CShyZXZpc2lvbiA2ODYxMSkKKysrIFdlYkNvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBA IC0xLDMgKzEsMjIgQEAKKzIwMTAtMDktMjggIEVucmljYSBDYXN1Y2NpICA8ZW5yaWNhQGFwcGxl LmNvbT4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBD cmFzaCBhdCBsaW5lQnJlYWtFeGlzdHNBdFBvc2l0aW9uICsgMTI1CisgICAgICAgIDxyZGFyOi8v cHJvYmxlbS83MDI4ODA5PiAKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19i dWcuY2dpP2lkPTQ2NzcwCisgICAgICAgIAorICAgICAgICBsaW5lQnJlYWtFeGlzdHNBdFBvc2l0 aW9uIGlzIGNhbGxlZCBmcm9tIEluc2VydFRleHRDb21tYW5kOjppbnB1dCwKKyAgICAgICAgd2hl cmUgd2UgY29tcHV0ZSB0aGUgZG93bnN0cmVhbSBwb3NpdGlvbiBvZiB0aGUgZW5kaW5nU2VsZWN0 aW9uKCkuCisgICAgICAgIERvd25zdHJlYW0gY2FuIHJldHVybiB0aGUgb3JpZ2luYWwgcG9zaXRp b24sIHRoYXQgY29tZXMgZnJvbSBhIFZpc2libGVTZWxlY3Rpb24KKyAgICAgICAgYnV0IHRoZXJl IGlzIG5vIGd1YXJhbnRlZSB0aGF0IGl0cyByZW5kZXJlciBpcyBzdGlsbCB0aGVyZS4KKyAgICAg ICAgCisgICAgICAgIFRoZXJlIGlzIG5vIHJlZ3Jlc3Npb24gdGVzdC4KKyAgICAgICAgCisgICAg ICAgICogZWRpdGluZy9odG1sZWRpdGluZy5jcHA6CisgICAgICAgIChXZWJDb3JlOjpsaW5lQnJl YWtFeGlzdHNBdFBvc2l0aW9uKTogQWRkZWQgY2hlY2sgdGhhdCB0aGUgcmVuZGVyZXIgaXMgbm90 IG51bGwKKyAgICAgICAgYmVmb3JlIGRlcmVmZXJlbmNpbmcgaXQuCisKIDIwMTAtMDktMjggIE1p aGFpIFBhcnBhcml0YSAgPG1paGFpcEBjaHJvbWl1bS5vcmc+CiAKICAgICAgICAgUmV2aWV3ZWQg YnkgRGltaXRyaSBHbGF6a292LgpJbmRleDogV2ViQ29yZS9lZGl0aW5nL2h0bWxlZGl0aW5nLmNw cAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09Ci0tLSBXZWJDb3JlL2VkaXRpbmcvaHRtbGVkaXRpbmcuY3BwCShyZXZpc2lv biA2ODU0NykKKysrIFdlYkNvcmUvZWRpdGluZy9odG1sZWRpdGluZy5jcHAJKHdvcmtpbmcgY29w eSkKQEAgLTEwNjksNiArMTA2OSw5IEBAIGJvb2wgbGluZUJyZWFrRXhpc3RzQXRQb3NpdGlvbihj b25zdCBQb3MKICAgICBpZiAocG9zaXRpb24uYW5jaG9yTm9kZSgpLT5oYXNUYWdOYW1lKGJyVGFn KSAmJiBwb3NpdGlvbi5hdEZpcnN0RWRpdGluZ1Bvc2l0aW9uRm9yTm9kZSgpKQogICAgICAgICBy ZXR1cm4gdHJ1ZTsKICAgICAKKyAgICBpZiAoIXBvc2l0aW9uLmFuY2hvck5vZGUoKS0+cmVuZGVy ZXIoKSkKKyAgICAgICAgcmV0dXJuIGZhbHNlOworICAgIAogICAgIGlmICghcG9zaXRpb24uYW5j aG9yTm9kZSgpLT5pc1RleHROb2RlKCkgfHwgIXBvc2l0aW9uLmFuY2hvck5vZGUoKS0+cmVuZGVy ZXIoKS0+c3R5bGUoKS0+cHJlc2VydmVOZXdsaW5lKCkpCiAgICAgICAgIHJldHVybiBmYWxzZTsK ICAgICAK