7363 2006-02-19 09:16:35 -0800 REGRESSION (r12872): Repro crash when clicking the Quick Reply box in Gmail 2006-03-01 09:21:06 -0800 1 1 1 Unclassified WebKit New Bugs 420+ Mac OS X 10.4 RESOLVED FIXED http://mail.google.com HasReduction, InRadar, Regression P1 Normal --- 1 mustiman vicki adele alice.barraclough darin Graham.Dennis mitz vicki oldest_to_newest 33375 0 mustiman 2006-02-19 09:16:35 -0800 Steps: Logon to GMail Click on any message in Inbox Click on the Quick Reply box to enter a reply You see the input box with Check Spelling, then WebKit crashes. Crash Report below: Exception: EXC_BAD_ACCESS (0x0001) Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000000 Thread 0 Crashed: 0 com.apple.WebCore 0x01180b20 WebCore::DocumentImpl::setFocusNode(KXMLCore::PassRefPtr<WebCore::NodeImpl>) + 400 1 com.apple.WebCore 0x010b0cd4 WebCore::ElementImpl::focus() + 116 2 com.apple.WebCore 0x01064b10 KJS::HTMLElementFunction::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 1136 3 com.apple.JavaScriptCore 0x00139ec4 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 100 4 com.apple.JavaScriptCore 0x0012badc KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 524 5 com.apple.JavaScriptCore 0x00130468 KJS::ExprStatementNode::execute(KJS::ExecState*) + 104 6 com.apple.JavaScriptCore 0x001337d8 KJS::SourceElementsNode::execute(KJS::ExecState*) + 488 7 com.apple.JavaScriptCore 0x00130398 KJS::BlockNode::execute(KJS::ExecState*) + 152 8 com.apple.JavaScriptCore 0x0013330c KJS::TryNode::execute(KJS::ExecState*) + 108 9 com.apple.JavaScriptCore 0x001336ec KJS::SourceElementsNode::execute(KJS::ExecState*) + 252 10 com.apple.JavaScriptCore 0x00130398 KJS::BlockNode::execute(KJS::ExecState*) + 152 11 com.apple.JavaScriptCore 0x001183f8 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 56 12 com.apple.JavaScriptCore 0x00117d30 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 464 13 com.apple.JavaScriptCore 0x00139ec4 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 100 14 com.apple.JavaScriptCore 0x0012c27c KJS::FunctionCallResolveNode::evaluate(KJS::ExecState*) + 524 15 com.apple.JavaScriptCore 0x00130468 KJS::ExprStatementNode::execute(KJS::ExecState*) + 104 16 com.apple.JavaScriptCore 0x001336ec KJS::SourceElementsNode::execute(KJS::ExecState*) + 252 17 com.apple.JavaScriptCore 0x00130398 KJS::BlockNode::execute(KJS::ExecState*) + 152 18 com.apple.JavaScriptCore 0x001183f8 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 56 19 com.apple.JavaScriptCore 0x00117d30 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 464 20 com.apple.JavaScriptCore 0x00139ec4 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 100 21 com.apple.JavaScriptCore 0x0012c27c KJS::FunctionCallResolveNode::evaluate(KJS::ExecState*) + 524 22 com.apple.JavaScriptCore 0x00130468 KJS::ExprStatementNode::execute(KJS::ExecState*) + 104 23 com.apple.JavaScriptCore 0x001336ec KJS::SourceElementsNode::execute(KJS::ExecState*) + 252 24 com.apple.JavaScriptCore 0x00130398 KJS::BlockNode::execute(KJS::ExecState*) + 152 25 com.apple.JavaScriptCore 0x00130744 KJS::IfNode::execute(KJS::ExecState*) + 484 26 com.apple.JavaScriptCore 0x001336ec KJS::SourceElementsNode::execute(KJS::ExecState*) + 252 27 com.apple.JavaScriptCore 0x00130398 KJS::BlockNode::execute(KJS::ExecState*) + 152 28 com.apple.JavaScriptCore 0x00130744 KJS::IfNode::execute(KJS::ExecState*) + 484 29 com.apple.JavaScriptCore 0x001337d8 KJS::SourceElementsNode::execute(KJS::ExecState*) + 488 30 com.apple.JavaScriptCore 0x00130398 KJS::BlockNode::execute(KJS::ExecState*) + 152 31 com.apple.JavaScriptCore 0x0013330c KJS::TryNode::execute(KJS::ExecState*) + 108 32 com.apple.JavaScriptCore 0x001336ec KJS::SourceElementsNode::execute(KJS::ExecState*) + 252 33 com.apple.JavaScriptCore 0x00130398 KJS::BlockNode::execute(KJS::ExecState*) + 152 34 com.apple.JavaScriptCore 0x001183f8 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 56 35 com.apple.JavaScriptCore 0x00117d30 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 464 36 com.apple.JavaScriptCore 0x00139ec4 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 100 37 com.apple.WebCore 0x010766dc KJS::ScheduledAction::execute(KJS::Window*) + 236 38 com.apple.WebCore 0x010769d4 KJS::WindowQObject::timerFired(KJS::DOMWindowTimer*) + 148 39 com.apple.WebCore 0x012d2164 WebCore::TimerBase::fireTimers(double, KXMLCore::Vector<WebCore::TimerBase*, (unsigned long)0> const&) + 324 40 com.apple.WebCore 0x012d2210 WebCore::TimerBase::sharedTimerFired() + 112 41 com.apple.CoreFoundation 0x90770aec __CFRunLoopDoTimer + 184 42 com.apple.CoreFoundation 0x9075d464 __CFRunLoopRun + 1680 43 com.apple.CoreFoundation 0x9075ca18 CFRunLoopRunSpecific + 268 44 com.apple.HIToolbox 0x9318f1e0 RunCurrentEventLoopInMode + 264 45 com.apple.HIToolbox 0x9318e874 ReceiveNextEventCommon + 380 46 com.apple.HIToolbox 0x9318e6e0 BlockUntilNextEventMatchingListInMode + 96 47 com.apple.AppKit 0x9366c104 _DPSNextEvent + 384 48 com.apple.AppKit 0x9366bdc8 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 116 49 com.apple.Safari 0x000072d4 0x1000 + 25300 50 com.apple.AppKit 0x9366830c -[NSApplication run] + 472 51 com.apple.AppKit 0x93758e68 NSApplicationMain + 452 52 com.apple.Safari 0x0005cfdc 0x1000 + 376796 53 com.apple.Safari 0x0005ce80 0x1000 + 376448 33390 1 6612 mitz 2006-02-19 10:51:32 -0800 Created attachment 6612 Test case (crasher) To see the problem, open the test case and click where indicated. The second time you click, Safari will crash. 33391 2 mitz 2006-02-19 10:56:05 -0800 This is a regression from r12872 (the fix for <rdar://problem/4315673> and <rdar://problem/4447009>). The crash happens when the element losing focus no longer has a renderer. The fix may be as simple as adding a null check for r right here in DocumentImpl::setFocusNode: // Dispatch a change event for text fields or textareas that have been edited RenderObject *r = static_cast<RenderObject*>(oldFocusNode.get()->renderer()); if ((r->isTextArea() || r->isTextField()) && r->isEdited()) { oldFocusNode->dispatchHTMLEvent(changeEvent, true, false); r->setEdited(false); } However I'm not sure about the implications of not dispatching the changeEvent in this case. 33414 3 darin 2006-02-19 15:04:39 -0800 The code quoted here has another problem, too. After calling dispatchHTMLEvent, the renderer may be gone, so we can't just call r->setEdited(false) without first re-getting that renderer from the DOM node. 33582 4 Graham.Dennis 2006-02-20 23:59:30 -0800 *** Bug 7398 has been marked as a duplicate of this bug. *** 33583 5 6641 Graham.Dennis 2006-02-21 00:47:46 -0800 Created attachment 6641 automatic testcase (caused by detached node) This is a second testcase where the lack of a renderer is caused by a detached node instead of 'display: none' styling. 33638 6 vicki 2006-02-21 14:20:12 -0800 I've attached the patch that fixes this bug, which Adele reviewed and I'll commit shortly. The second test case here ("automatic testcase"), exhibits a second bug. Focusing a text field from an onload handler fails, b/c the node doesn't have a renderer when onload fires. "Automatic testcase" no longer crashes, but the text field isn't focused as it should be. This issue has already been reported in another bug (http://bugzilla.opendarwin.org/show_bug.cgi?id=7405). The attached patch doesn't aim to fix this second bug. 33640 7 6650 vicki 2006-02-21 14:23:50 -0800 Created attachment 6650 patch 33642 8 vicki 2006-02-21 14:33:29 -0800 I haven't committed a test case for this yet b/c tests that use eventSender are hanging from time to time (see Justin's comment in the Changelog). I'm seeing this hang in the test case I'm working on. 34646 9 alice.barraclough 2006-03-01 09:21:06 -0800 <rdar://problem/4462712> 6612 2006-02-19 10:51:32 -0800 2006-02-19 10:51:32 -0800 Test case (crasher) gmail crash reduction.html text/html 211 mitz PHNjcmlwdD4KICAgIGZ1bmN0aW9uIHRlc3QoKQogICAgewogICAgICAgIGIuc3R5bGUuZGlzcGxh eSA9ICdub25lJzsKICAgICAgICBhLnZhbHVlID0gJ25vdyBjbGljayBoZXJlJzsKICAgIH0KPC9z Y3JpcHQ+CjxpbnB1dCBpZD0iYiIgdHlwZT0idGV4dCIgdmFsdWU9ImNsaWNrIGhlcmUiIG9uZm9j dXM9InRlc3QoKSI+CjxpbnB1dCBpZD0iYSIgdHlwZT0idGV4dCI+Cg== 6641 2006-02-21 00:47:46 -0800 2006-02-21 00:47:46 -0800 automatic testcase (caused by detached node) setFocusNode.html text/html 245 Graham.Dennis PGh0bWw+CjxzY3JpcHQ+CiAgICBmdW5jdGlvbiB0ZXN0KCkKICAgIHsKICAgICAgICBiLnBhcmVu dE5vZGUucmVtb3ZlQ2hpbGQoYik7CiAgICAgICAgYS5mb2N1cygpOwogICAgfQo8L3NjcmlwdD4K PGJvZHkgb25Mb2FkPSJiLmZvY3VzKCkiPgo8aW5wdXQgaWQ9ImIiIHR5cGU9InRleHQiIHZhbHVl PSJjbGljayBoZXJlIiBvbmZvY3VzPSJ0ZXN0KCkiPgo8aW5wdXQgaWQ9ImEiIHR5cGU9InRleHQi Pgo8L2JvZHk+CjwvaHRtbD4= 6650 2006-02-21 14:23:50 -0800 2006-02-21 14:23:50 -0800 patch 7363.txt text/plain 1538 vicki SW5kZXg6IGRvbS9Eb2N1bWVudEltcGwuY3BwCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIGRvbS9Eb2N1bWVudElt cGwuY3BwCShyZXZpc2lvbiAxMjkwMSkKKysrIGRvbS9Eb2N1bWVudEltcGwuY3BwCSh3b3JraW5n IGNvcHkpCkBAIC0yMDU1LDkgKzIwNTUsMTAgQEAKICAgICAgICAgICAgICAgICAKICAgICAgICAg Ly8gRGlzcGF0Y2ggYSBjaGFuZ2UgZXZlbnQgZm9yIHRleHQgZmllbGRzIG9yIHRleHRhcmVhcyB0 aGF0IGhhdmUgYmVlbiBlZGl0ZWQKICAgICAgICAgUmVuZGVyT2JqZWN0ICpyID0gc3RhdGljX2Nh c3Q8UmVuZGVyT2JqZWN0Kj4ob2xkRm9jdXNOb2RlLmdldCgpLT5yZW5kZXJlcigpKTsKLSAgICAg ICAgaWYgKChyLT5pc1RleHRBcmVhKCkgfHwgci0+aXNUZXh0RmllbGQoKSkgJiYgci0+aXNFZGl0 ZWQoKSkgeworICAgICAgICBpZiAociAmJiAoci0+aXNUZXh0QXJlYSgpIHx8IHItPmlzVGV4dEZp ZWxkKCkpICYmIHItPmlzRWRpdGVkKCkpIHsKICAgICAgICAgICAgIG9sZEZvY3VzTm9kZS0+ZGlz cGF0Y2hIVE1MRXZlbnQoY2hhbmdlRXZlbnQsIHRydWUsIGZhbHNlKTsKLSAgICAgICAgICAgIHIt PnNldEVkaXRlZChmYWxzZSk7CisgICAgICAgICAgICBpZiAoKHIgPSBzdGF0aWNfY2FzdDxSZW5k ZXJPYmplY3QqPihvbGRGb2N1c05vZGUuZ2V0KCktPnJlbmRlcmVyKCkpKSkKKyAgICAgICAgICAg ICAgICByLT5zZXRFZGl0ZWQoZmFsc2UpOwogICAgICAgICB9CiAKICAgICAgICAgb2xkRm9jdXNO b2RlLT5kaXNwYXRjaEhUTUxFdmVudChibHVyRXZlbnQsIGZhbHNlLCBmYWxzZSk7CkluZGV4OiBD aGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PQotLS0gQ2hhbmdlTG9nCShyZXZpc2lvbiAxMjkyNikKKysrIENo YW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE2IEBACisyMDA2LTAyLTIxICBWaWNr aSBNdXJsZXkgPHZpY2tpQGFwcGxlLmNvbT4KKworICAgICAgICBSZXZpZXdlZCBieSBBZGVsZS4K KworICAgICAgICAtIGZpeCBodHRwOi8vYnVnemlsbGEub3BlbmRhcndpbi5vcmcvc2hvd19idWcu Y2dpP2lkPTczNjMKKyAgICAgICAgUkVHUkVTU0lPTiAocjEyODcyKTogUmVwcm8gY3Jhc2ggd2hl biBjbGlja2luZyB0aGUgUXVpY2sgUmVwbHkgYm94IGluIEdtYWlsCisKKyAgICAgICAgQWRkIGEg bmlsIGNoZWNrIGZvciB0aGUgcmVuZGVyZXIsIGFuZCByZWZldGNoIHRoZSByZW5kZXJlciBmb3Ig dGhlIG9sZCBmb2N1cyBub2RlCisgICAgICAgIGFmdGVyIGRpc3BhdGNoaW5nIHRoZSBldmVudC4g CisKKyAgICAgICAgKiBkb20vRG9jdW1lbnRJbXBsLmNwcDoKKyAgICAgICAgKFdlYkNvcmU6OkRv Y3VtZW50SW1wbDo6c2V0Rm9jdXNOb2RlKToKKwogMjAwNi0wMi0yMSAgTWFjaWVqIFN0YWNob3dp YWsgIDxtanNAYXBwbGUuY29tPgogCiAgICAgICAgIFJ1YmJlciBTdGFtcGVkIGJ5IEh5YXR0Lgo=