| Field | Value |
|---|---|
| Summary | Reproducible crash in BidiContext::deref |
| Product | WebKit |
| Component | New Bugs |
| Status | RESOLVED FIXED |
| Severity | Normal |
| Priority | P1 |
| Version | 420+ |
| Hardware | All |
| OS | All |
| Reporter | Krzysztof Kowalczyk <kkowalczyk> |
| Assignee | Nobody <webkit-unassigned> |
| CC | gibbonsb, mitz, peterenevoldsen |
| Keywords | InRadar |
Description
Krzysztof Kowalczyk
2007-02-15 17:18:42 PST
Created attachment 13193 [details]
Fix the crash
Honestly, I don't see how this could crash, because template <typename T> inline RefPtr<T>& RefPtr<T>::operator=(T* optr) has a check for NULL, but it does happen.
Even if it's a gcc miscompilation, I believe it's worth putting in the work-around, since this was compiled with gcc 4.1.2, which ships on Ubuntu 6.10, one of the most popular distros.
Comment on attachment 13193 [details]
Fix the crash
Without any justification, just putting in a null check won't fly -- why can this crash gdk but not everything else?
If it can crash other platforms, we need a specific bug.
We'll also need a layout test before this gets landed.

Created attachment 13604 [details]
Crash log from Mac build
I've just seen this crash on a Mac build: nightly build r20136. Reproduction instructions in <rdar://problem/5058791>

(In reply to comment #5)
> Reproduction instructions in <rdar://problem/5058791>
Is there a reason why these steps can't be published in Bugzilla? Reproducible crashers are P1.

Created attachment 13610 [details]
Crashlog with line numbers
The reproduction instructions can't be posted here as they involve information that is under an NDA.
This crash log contains line number information. The crash only occurs with Release builds, not Debug builds.
*** Bug 13055 has been marked as a duplicate of this bug. ***

Created attachment 13615 [details]
Reduced test case (will crash)
Created attachment 13616 [details]
Add an assert to InlineBox::root()
The test case fails this assertion. The illegal case leads to the crash down the road. I think this assertion will be good to have in the code. For one, it can help make a reliable regression test for this bug.
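Added example, not WebKit's code and not from any commenter on this bug: a constructed miniature of the RefPtr<T>::operator=(T*) NULL check quoted in the description, showing why that check alone cannot prevent a deref on a pointer that is non-null but whose object has already lost its last owner, together with a use-site liveness assertion in the spirit of the InlineBox::root() assert proposed above. The RefCounted, RefPtr and Context types here are assumed simplifications (the real templates differ), and the dangling-pointer scenario illustrates the general failure mode rather than asserting this bug's actual root cause.

```cpp
// Constructed intrusive ref-counted base; a simplification, not WebKit's.
// Instead of deleting itself when the count hits zero, the object records
// that fact, so the scenarios below can observe a logical free without
// touching freed memory.
struct RefCounted {
    int refCount = 0;
    bool destroyed = false;
    void ref() { ++refCount; }
    void deref() {
        if (--refCount == 0)
            destroyed = true;   // a real implementation would delete here
    }
};

// Minimal RefPtr mirroring the shape of the operator=(T*) quoted in the
// report (assumed simplification, not the real template).
template <typename T>
class RefPtr {
public:
    RefPtr() : m_ptr(nullptr) {}
    explicit RefPtr(T* p) : m_ptr(p) { if (p) p->ref(); }
    RefPtr(const RefPtr& other) : m_ptr(other.m_ptr) { if (m_ptr) m_ptr->ref(); }
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    RefPtr& operator=(const RefPtr& other) { return *this = other.m_ptr; }
    RefPtr& operator=(T* optr) {
        if (optr)               // the NULL check the report refers to
            optr->ref();
        T* old = m_ptr;
        m_ptr = optr;
        if (old)
            old->deref();
        return *this;
    }
    T* get() const { return m_ptr; }
private:
    T* m_ptr;
};

struct Context : RefCounted {};

// The NULL check does its job: assigning NULL never calls through a null pointer.
bool nullAssignmentIsSafe() {
    Context c;
    RefPtr<Context> p(&c);
    p = nullptr;                // old pointer is deref'd, nothing is called on NULL
    return p.get() == nullptr && c.refCount == 0 && c.destroyed;
}

// What the NULL check cannot catch: a raw pointer that is non-null but whose
// object already lost its last owner. ref() runs on a logically dead object,
// which in a real build means touching freed memory.
bool danglingNonNullPassesNullCheck() {
    Context c;
    Context* unowned = &c;          // held by a second party without a reference
    {
        RefPtr<Context> owner(&c);  // sole owner
    }                               // owner gone: refCount 0, object "destroyed"
    RefPtr<Context> later;
    later = unowned;                // optr != NULL, so the check passes
    return c.destroyed && c.refCount == 1;
}

// Debug-build style invariant check at the point of use: report the illegal
// state where it first becomes visible rather than as a crash down the road.
bool checkedUse(const Context* ctx) {
    if (ctx == nullptr || ctx->destroyed)
        return false;               // an ASSERT would fire here in a debug build
    return true;
}

bool livenessCheckFlagsDangling() {
    Context c;
    Context* unowned = &c;
    {
        RefPtr<Context> owner(&c);
    }
    return checkedUse(unowned) == false;
}
```

The point the two scenarios make is that an operator= null check guards exactly one thing, assignment of NULL; a non-null pointer to a released object looks valid to it. The durable fix is ownership (keeping the object alive for as long as something points at it, which is what adopting the line boxes amounts to), and a liveness assertion of the kind proposed for InlineBox::root() is what turns the latent ownership bug into a deterministic debug failure usable as a regression test.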
Created attachment 13618 [details]
Reduction
This fails the ASSERT in InlineBox::root(), but doesn't crash.
Created attachment 13620 [details]
Patch without test and change log
Comment on attachment 13620 [details]
Patch without test and change log
Looks good to me, but this is clearly a Hyatt-review patch.
*** Bug 13063 has been marked as a duplicate of this bug. ***

Comment on attachment 13620 [details]
Patch without test and change log
r=me but get a changelog and test etc.
Created attachment 13628 [details]
Adopt line boxes of anonymous blocks being destroyed
Comment on attachment 13628 [details]
Adopt line boxes of anonymous blocks being destroyed
Nice test, nice change log, patch looks good and was reviewed by Hyatt. I give it thumbs up.
Landed in r20188.