Bug 10213

Summary: REGRESSION: Crash in WebCore::RenderLayer::isTransparent involving <iframe> and <select>
Product: WebKit
Reporter: Jesse Ruderman <jruderman>
Component: Layout and Rendering
Assignee: Darin Adler <darin>
Status: RESOLVED FIXED
Severity: Critical
Keywords: HasReduction, Regression
Priority: P1
Version: 420+
Hardware: Mac
OS: OS X 10.4
Attachments:
  testcase (flags: none)
  patch, including change log and a layout test (flags: hyatt: review+)

Jesse Ruderman
Reported 2006-08-02 09:28:14 PDT
Yesterday's WebKit nightly crashes on this testcase. The stack trace is a little strange (Crash Reporter gives a bogus second frame) and I don't know why.

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00000004

Thread 0 Crashed:
0   com.apple.WebCore   0x011a4b6c WebCore::RenderLayer::isTransparent() const + 28
1   <<00000000>>        0xbfffc240 0 + -1073757632
2   com.apple.WebCore   0x01193858 WebCore::RenderView::paintBoxDecorations(WebCore::RenderObject::PaintInfo&, int, int) + 104
3   com.apple.WebCore   0x011aa418 WebCore::RenderLayer::paintLayer(WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::IntRect const&, bool, WebCore::PaintRestriction, WebCore::RenderObject*) + 584
4   com.apple.WebCore   0x010c81a4 WebCore::Frame::paint(WebCore::GraphicsContext*, WebCore::IntRect const&) + 196
5   com.apple.WebCore   0x01104518 -[WebCoreFrameBridge drawRect:] + 168
6   com.apple.WebKit    0x0033e260 -[WebHTMLView drawSingleRect:] + 288
7   com.apple.WebKit    0x0033e4b0 -[WebHTMLView drawRect:] + 288
8   com.apple.AppKit    0x93734858 -[NSView _drawRect:clip:] + 2128
9   com.apple.AppKit    0x93733e18 -[NSView _recursiveDisplayAllDirtyWithLockFocus:visRect:] + 404
Attachments
  testcase (664 bytes, application/xhtml+xml), 2006-08-02 09:28 PDT, Jesse Ruderman, no flags
  patch, including change log and a layout test (16.79 KB, patch), 2006-08-03 21:33 PDT, Darin Adler, hyatt: review+
Jesse Ruderman
Comment 1 2006-08-02 09:28:56 PDT
Created attachment 9822 [details] testcase
Alexey Proskuryakov
Comment 2 2006-08-02 21:43:38 PDT
Crash log from a debug build:

0 WebCore::RenderLayer::isTransparent() const + 36 (RenderLayer.cpp:354)
1 WebCore::RenderView::paintBoxDecorations(WebCore::RenderObject::PaintInfo&, int, int) + 188 (RenderView.cpp:190)
2 WebCore::RenderView::paint(WebCore::RenderObject::PaintInfo&, int, int) + 132 (RenderView.cpp:161)
...
Darin Adler
Comment 3 2006-08-03 20:29:43 PDT
This test case involves an <iframe> inside an <option>. In an HTML page, the parser would not allow that sort of nesting. But since this is XHTML, we allow anything to go anywhere. Because the <iframe> is inside an <option>, it ends up without a renderer. The code that crashes is code in RenderView::paintBoxDecorations that assumes that the owner element of a frame is going to have a renderer. A nil check would suffice to prevent the crash.
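A constructed C++ sketch of the failure mode comment 3 describes, added here as an example; it is not WebKit's code, the struct names are stand-ins for the WebKit classes in the crash log, and both check functions are hypothetical. The guarded form is the nil check on the owner element's renderer, shown beside the unguarded assumption that crashes on the testcase.

```cpp
// Constructed stand-ins for the WebKit classes named in the bug; not WebKit's code.
struct RenderLayer { bool transparent = false; };
struct RenderObject {
    RenderLayer* layer = nullptr;
    RenderLayer* enclosingLayer() const { return layer; }
};
struct Element {
    // An <iframe> the XHTML parser placed inside <option> gets no renderer,
    // so this stays nullptr for the testcase's owner element.
    RenderObject* renderer = nullptr;
};
struct Frame { Element* ownerElement = nullptr; };  // the <iframe> embedding this frame

// Hypothetical unguarded form of the check, mirroring the assumption comment 3
// describes: the owner element always has a renderer. Null renderer => crash.
bool ownerIsTransparentUnguarded(const Frame& frame) {
    Element* owner = frame.ownerElement;
    if (!owner)
        return false;
    return owner->renderer->enclosingLayer()->transparent;  // null deref for the testcase
}

// Hypothetical guarded form: the nil check comment 3 says suffices, plus a
// check that the renderer actually has an enclosing layer.
bool ownerIsTransparentGuarded(const Frame& frame) {
    Element* owner = frame.ownerElement;
    if (!owner || !owner->renderer)
        return false;
    RenderLayer* layer = owner->renderer->enclosingLayer();
    return layer && layer->transparent;
}

// The bug's scenario: the owner element exists but has no renderer.
bool guardedSurvivesOwnerWithoutRenderer() {
    Element iframeInOption;  // renderer == nullptr
    Frame frame{&iframeInOption};
    return ownerIsTransparentGuarded(frame) == false;
}

// The ordinary scenario: the owner's renderer sits in a transparent layer and
// both forms agree, so the guard changes nothing for well-formed trees.
bool guardedMatchesUnguardedOnNormalTree() {
    RenderLayer layer{true};
    RenderObject renderer{&layer};
    Element iframe{&renderer};
    Frame frame{&iframe};
    return ownerIsTransparentGuarded(frame) && ownerIsTransparentUnguarded(frame);
}
```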
Darin Adler
Comment 4 2006-08-03 21:33:20 PDT
Created attachment 9867 [details] patch, including change log and a layout test
Dave Hyatt
Comment 5 2006-08-04 14:44:23 PDT
Comment on attachment 9867 [details] patch, including change log and a layout test r=me
Darin Adler
Comment 6 2006-08-05 13:09:09 PDT
Committed revision 15808.