Bug 12886

Summary: Crash with Scriptalicious javascript library
Product: WebKit Reporter: Steven Bredenberg <datasink>
Component: Layout and RenderingAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Major CC: mitz
Priority: P1 Keywords: HasReduction
Version: 419.x   
Hardware: Mac (PowerPC)   
OS: OS X 10.4   
URL: http://www.killsaw.com/safari-crash/
Attachments:
Description Flags
Reduction (will crash when the instructions are followed)
none
Slightly more general reduction (ditto)
none
Possible fix
none
Detect withdrawn floats hyatt: review+

Steven Bredenberg
Reported 2007-02-25 05:36:17 PST
Reliably crashes the version of Safari that ships with Tiger in addition to the most recent nightly build. I'm running OSX 10.4.8.
Attachments
Reduction (will crash when the instructions are followed) (641 bytes, text/html)
2007-02-25 10:38 PST, mitz 		no flags
Details
Slightly more general reduction (ditto) (691 bytes, text/html)
2007-02-25 11:15 PST, mitz 		no flags
Details
Possible fix (35.09 KB, patch)
2007-02-25 14:08 PST, mitz 		no flags
DetailsFormatted DiffDiff
Detect withdrawn floats (33.25 KB, patch)
2007-02-25 14:50 PST, mitz 		hyatt: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
mitz
Comment 1 2007-02-25 10:38:11 PST
Created attachment 13369 [details] Reduction (will crash when the instructions are followed) Click "Ready" (notice the incorrect layout), then click "Crash".
mitz
Comment 2 2007-02-25 11:15:25 PST
Created attachment 13370 [details] Slightly more general reduction (ditto) The "foo" div doesn't get marked for layout. The check in layoutBlockChildren() is // If an element might be affected by the presence of floats, then always mark it for // layout. which doesn't cover an object being affected by floats no longer intruding into it.
mitz
Comment 3 2007-02-25 14:08:03 PST
Created attachment 13371 [details] Possible fix This patch fixes the problem, but I'm afraid it adds too many unnecessary layouts. I am going to explore an alternative approach based on detecting the changes to overhang.
mitz
Comment 4 2007-02-25 14:50:03 PST
Created attachment 13372 [details] Detect withdrawn floats
Dave Hyatt
Comment 5 2007-02-25 18:02:33 PST
Comment on attachment 13372 [details] Detect withdrawn floats r=me
Mark Rowe (bdash)
Comment 6 2007-02-25 21:43:07 PST
Landed in r19852.
Note You need to log in before you can comment on or make changes to this bug.