Bug 13336

Summary: REGRESSION (r20646): editing/execCommand/hilitecolor.html crashes under guardMalloc
Product: WebKit Reporter: mitz
Component: New BugsAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Major CC: andrew, hyatt, justin.garcia
Priority: P1 Keywords: Regression
Version: 523.x (Safari 3)   
Hardware: Mac   
OS: OS X 10.4   
Attachments:
Description Flags
Avoid calling selectionRect and selectionGapRects on dirty renderers darin: review+

mitz
Reported 2007-04-11 15:14:58 PDT
Backtrace: Thread 0 Crashed: 0 com.apple.WebCore 0x01522bf7 WebCore::TextRun::operator[](int) const + 19 (Font.h:61) 1 com.apple.WebCore 0x011f591d WebCore::Font::canUseGlyphCache(WebCore::TextRun const&) const + 89 (Font.cpp:527) 2 com.apple.WebCore 0x011f6db6 WebCore::Font::selectionRectForText(WebCore::TextRun const&, WebCore::TextStyle const&, WebCore::IntPoint const&, int, int, int) const + 58 (Font.cpp:660) 3 com.apple.WebCore 0x01123796 WebCore::InlineTextBox::selectionRect(int, int, int, int) + 540 (InlineTextBox.cpp:130) 4 com.apple.WebCore 0x0117b5a2 WebCore::RenderText::selectionRect() + 326 (RenderText.cpp:1050) 5 com.apple.WebCore 0x01501b45 WebCore::RenderObject::SelectionInfo::SelectionInfo[in-charge](WebCore::RenderObject*) + 45 (RenderObject.h:815) 6 com.apple.WebCore 0x01142f5c WebCore::RenderView::setSelection(WebCore::RenderObject*, int, WebCore::RenderObject*, int) + 398 (RenderView.cpp:295) 7 com.apple.WebCore 0x0114404f WebCore::RenderView::clearSelection() + 49 (RenderView.cpp:423) 8 com.apple.WebCore 0x011d6efd WebCore::SelectionController::nodeWillBeRemoved(WebCore::Node*) + 997 (SelectionController.cpp:196) 9 com.apple.WebCore 0x010cb064 WebCore::Document::notifyBeforeNodeRemoval(WebCore::Node*) + 54 (Document.cpp:2278) 10 com.apple.WebCore 0x010d4527 WebCore::dispatchChildRemovalEvents(WebCore::Node*, int&) + 95 (ContainerNode.cpp:923) 11 com.apple.WebCore 0x010d48d9 WebCore::willRemoveChild(WebCore::Node*) + 27 (ContainerNode.cpp:342) 12 com.apple.WebCore 0x010d4c98 WebCore::ContainerNode::removeChild(WebCore::Node*, int&) + 584 (ContainerNode.cpp:381) 13 com.apple.WebCore 0x010d510b WebCore::ContainerNode::appendChild(WTF::PassRefPtr<WebCore::Node>, int&) + 579 (ContainerNode.cpp:511) 14 com.apple.WebCore 0x011e5cc2 WebCore::WrapContentsInDummySpanCommand::doApply() + 304 (WrapContentsInDummySpanCommand.cpp:50) 15 com.apple.WebCore 0x011b8c6c WebCore::EditCommand::apply() + 384 (EditCommand.cpp:92) 16 com.apple.WebCore 0x011aff37 WebCore::CompositeEditCommand::applyCommandToComposite(WTF::PassRefPtr<WebCore::EditCommand>) + 53 (CompositeEditCommand.cpp:97) 17 com.apple.WebCore 0x011b142d WebCore::CompositeEditCommand::wrapContentsInDummySpan(WebCore::Element*) + 71 (CompositeEditCommand.cpp:243) 18 com.apple.WebCore 0x011d9d0f WebCore::SplitTextNodeContainingElementCommand::doApply() + 299 (SplitTextNodeContainingElementCommand.cpp:53) 19 com.apple.WebCore 0x011b8c6c WebCore::EditCommand::apply() + 384 (EditCommand.cpp:92) 20 com.apple.WebCore 0x011aff37 WebCore::CompositeEditCommand::applyCommandToComposite(WTF::PassRefPtr<WebCore::EditCommand>) + 53 (CompositeEditCommand.cpp:97) 21 com.apple.WebCore 0x011b12aa WebCore::CompositeEditCommand::splitTextNodeContainingElement(WebCore::Text*, int) + 78 (CompositeEditCommand.cpp:248) 22 com.apple.WebCore 0x011a8ce0 WebCore::ApplyStyleCommand::splitTextElementAtStartIfNeeded(WebCore::Position const&, WebCore::Position const&) + 252 (ApplyStyleCommand.cpp:1062) 23 com.apple.WebCore 0x011acff2 WebCore::ApplyStyleCommand::applyInlineStyle(WebCore::CSSMutableStyleDeclaration*) + 238 (ApplyStyleCommand.cpp:595) 24 com.apple.WebCore 0x011aedc5 WebCore::ApplyStyleCommand::doApply() + 425 (ApplyStyleCommand.cpp:349) 25 com.apple.WebCore 0x011b8c6c WebCore::EditCommand::apply() + 384 (EditCommand.cpp:92) 26 com.apple.WebCore 0x011b8da0 WebCore::applyCommand(WTF::PassRefPtr<WebCore::EditCommand>) + 82 (EditCommand.cpp:227) 27 com.apple.WebCore 0x01361ce3 WebCore::Editor::applyStyle(WebCore::CSSStyleDeclaration*, WebCore::EditAction) + 213 (Editor.cpp:616) 28 com.apple.WebCore 0x011c2ba1 WebCore::(anonymous namespace)::execStyleChange(WebCore::Frame*, int, WebCore::String const&) + 139 (JSEditor.cpp:156) 29 com.apple.WebCore 0x011c2c64 WebCore::(anonymous namespace)::execBackColor(WebCore::Frame*, bool, WebCore::String const&) + 38 (JSEditor.cpp:198) 30 com.apple.WebCore 0x011c3d25 WebCore::JSEditor::execCommand(WebCore::String const&, bool, WebCore::String const&) + 133 (JSEditor.cpp:87) 31 com.apple.WebCore 0x010c5812 WebCore::Document::execCommand(WebCore::String const&, bool, WebCore::String const&) + 56 (Document.cpp:2742) 32 com.apple.WebCore 0x0122ba1b WebCore::JSDocumentPrototypeFunction::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 7693 (JSDocument.cpp:580) 33 com.apple.JavaScriptCore 0x00403a4a KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 210 (object.cpp:97) 34 com.apple.JavaScriptCore 0x003fa998 KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 944 (nodes.cpp:781) 35 com.apple.JavaScriptCore 0x003f7b50 KJS::ExprStatementNode::execute(KJS::ExecState*) + 148 (nodes.cpp:1681) 36 com.apple.JavaScriptCore 0x003f587e KJS::SourceElementsNode::execute(KJS::ExecState*) + 566 (nodes.cpp:2464) 37 com.apple.JavaScriptCore 0x003f4080 KJS::BlockNode::execute(KJS::ExecState*) + 140 (nodes.cpp:1657) 38 com.apple.JavaScriptCore 0x003ee939 KJS::Interpreter::evaluate(KJS::UString const&, int, KJS::UChar const*, int, KJS::JSValue*) + 989 (interpreter.cpp:365) 39 com.apple.WebCore 0x012465ff WebCore::KJSProxy::evaluate(WebCore::String const&, int, WebCore::String const&, WebCore::Node*) + 319 (kjs_proxy.cpp:78) 40 com.apple.WebCore 0x01384405 WebCore::FrameLoader::executeScript(WebCore::String const&, int, WebCore::Node*, WebCore::String const&) + 99 (FrameLoader.cpp:686) 41 com.apple.WebCore 0x0101ddda WebCore::HTMLTokenizer::scriptExecution(WebCore::DeprecatedString const&, WebCore::HTMLTokenizer::State, WebCore::DeprecatedString, int) + 316 (HTMLTokenizer.cpp:502) 42 com.apple.WebCore 0x01020595 WebCore::HTMLTokenizer::scriptHandler(WebCore::HTMLTokenizer::State) + 1449 (HTMLTokenizer.cpp:452) 43 com.apple.WebCore 0x01020a8e WebCore::HTMLTokenizer::parseSpecial(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 918 (HTMLTokenizer.cpp:310) 44 com.apple.WebCore 0x01022440 WebCore::HTMLTokenizer::parseTag(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 5274 (HTMLTokenizer.cpp:1176) 45 com.apple.WebCore 0x01022bf7 WebCore::HTMLTokenizer::write(WebCore::SegmentedString const&, bool) + 1173 (HTMLTokenizer.cpp:1389) 46 com.apple.WebCore 0x01378e95 WebCore::FrameLoader::write(char const*, int, bool) + 923 (FrameLoader.cpp:884) 47 com.apple.WebCore 0x01378fc7 WebCore::FrameLoader::addData(char const*, int) + 275 (FrameLoader.cpp:1543) 48 com.apple.WebCore 0x010d72f5 -[WebCoreFrameBridge addData:] + 163 (WebCoreFrameBridge.mm:291) 49 com.apple.WebCore 0x010da6ac -[WebCoreFrameBridge receivedData:textEncodingName:] + 250 (WebCoreFrameBridge.mm:1477) 50 com.apple.WebKit 0x002324d5 -[WebHTMLRepresentation receivedData:withDataSource:] + 199 (WebHTMLRepresentation.mm:175) 51 com.apple.WebKit 0x0022dbdb -[WebDataSource(WebInternal) _receivedData:] + 89 (WebDataSource.mm:178) 52 com.apple.WebKit 0x00294e93 WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, char const*, int) + 127 (WebFrameLoaderClient.mm:645) 53 com.apple.WebCore 0x01375d21 WebCore::FrameLoader::committedLoad(WebCore::DocumentLoader*, char const*, int) + 53 (FrameLoader.cpp:2956) 54 com.apple.WebCore 0x013869e5 WebCore::DocumentLoader::commitLoad(char const*, int) + 87 (DocumentLoader.cpp:347) 55 com.apple.WebCore 0x01386a3e WebCore::DocumentLoader::receivedData(char const*, int) + 76 (DocumentLoader.cpp:360) 56 com.apple.WebCore 0x01375351 WebCore::FrameLoader::receivedData(char const*, int) + 41 (FrameLoader.cpp:1979) 57 com.apple.WebCore 0x01388308 WebCore::MainResourceLoader::addData(char const*, int, bool) + 80 (MainResourceLoader.cpp:134) 58 com.apple.WebCore 0x0138a43f WebCore::ResourceLoader::didReceiveData(char const*, int, long long, bool) + 83 59 com.apple.WebCore 0x0138863d WebCore::MainResourceLoader::didReceiveData(char const*, int, long long, bool) + 281 (MainResourceLoader.cpp:289) 60 com.apple.WebCore 0x0138a046 WebCore::ResourceLoader::didReceiveData(WebCore::ResourceHandle*, char const*, int, int) + 58 61 com.apple.WebCore 0x01368d8c -[WebCoreResourceHandleAsDelegate connection:didReceiveData:lengthReceived:] + 172 (ResourceHandleMac.mm:352) 62 com.apple.Foundation 0x92856afa -[NSURLConnection(NSURLConnectionInternal) _sendDidReceiveDataCallback] + 641 63 com.apple.Foundation 0x92854ddb -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] + 686 64 com.apple.Foundation 0x92854ab5 _sendCallbacks + 201 65 com.apple.CoreFoundation 0x9082df92 CFRunLoopRunSpecific + 1213 66 com.apple.CoreFoundation 0x9082dace CFRunLoopRunInMode + 61 67 com.apple.Foundation 0x92825d3a -[NSRunLoop runMode:beforeDate:] + 182 68 DumpRenderTree 0x0000a450 runTest + 1109 (DumpRenderTree.m:1400) 69 DumpRenderTree 0x000065f5 dumpRenderTree + 2209 (DumpRenderTree.m:503) 70 DumpRenderTree 0x0000685d main + 70 (DumpRenderTree.m:558) 71 DumpRenderTree 0x00002482 _start + 216 72 DumpRenderTree 0x000023a9 start + 41
Attachments
Avoid calling selectionRect and selectionGapRects on dirty renderers (3.86 KB, patch)
2007-04-19 07:50 PDT, mitz 		darin: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Andrew Wellington
Comment 1 2007-04-15 04:08:52 PDT
This happens because WebCore::InlineTextBox assumes that its textObject() will not change the length of its text. SplitTextNodeContainingElementCommand violates this by calling splitTextNode() which eventually will hit CharacterData::deleteData, chopping some data off the textObject()'s text as it does the split. We need to watch for this change and update the m_len value as appropriate.
mitz
Comment 2 2007-04-16 01:24:08 PDT
I think the problem is calling selectionRect() on a renderer that needs layout (and has dirty line boxes). I don't like the idea of requiring setTextWithOffset to clean up dirty boxes. That's what layout is for.
mitz
Comment 3 2007-04-19 07:50:30 PDT
Created attachment 14089 [details] Avoid calling selectionRect and selectionGapRects on dirty renderers No layout test regressions.
Andrew Wellington
Comment 4 2007-04-19 15:54:24 PDT
Landed in 20959
Note You need to log in before you can comment on or make changes to this bug.