Bug 15309

Summary: Crash due to infinite recursion in RenderTable::addChild
Product: WebKit
Reporter: Sam Weinig <sam>
Component: Tables
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: mitz
Priority: P1
Keywords: HasReduction, InRadar
Version: 523.x (Safari 3)
Hardware: Mac
OS: OS X 10.4
URL: http://dev.opera.com/articles/view/can-kestrels-do-math-mathml-support-in/stress.xhtml
Attachments (description, flags):
Reduction (will ASSERT), none
Fix adding a child before a table caption, hyatt: review+

Sam Weinig
Reported 2007-09-28 10:56:03 PDT
Attachments
Reduction (will ASSERT) (202 bytes, text/html)
2007-09-28 12:56 PDT, mitz
no flags
Fix adding a child before a table caption (34.58 KB, patch)
2007-09-29 12:05 PDT, mitz
hyatt: review+
Sam Weinig
Comment 1 2007-09-28 10:58:03 PDT
mitz
Comment 2 2007-09-28 12:23:50 PDT
On a debug build I get
ASSERTION FAILED: beforeChild->parent()->isAnonymousBlock()
(WebKit/WebCore/rendering/RenderBlock.cpp:166 virtual void WebCore::RenderBlock::addChildToFlow(WebCore::RenderObject*, WebCore::RenderObject*))
with this backtrace:
#0 0x01b502c8 in WebCore::RenderBlock::addChildToFlow (this=0x8a1005c, newChild=0x8a1026c, beforeChild=0x8a1005c) at WebKit/WebCore/rendering/RenderBlock.cpp:166
#1 0x01b97950 in WebCore::RenderFlow::addChild (this=0x8a1005c, newChild=0x8a1026c, beforeChild=0x8a1005c) at WebKit/WebCore/rendering/RenderFlow.cpp:121
#2 0x01c0ce08 in WebCore::RenderTable::addChild (this=0x8a0ea2c, child=0x8a1026c, beforeChild=0x8a1005c) at WebKit/WebCore/rendering/RenderTable.cpp:200
#3 0x01d07f04 in WebCore::Node::createRendererIfNeeded (this=0x861a330) at WebKit/WebCore/dom/Node.cpp:1028
#4 0x01d158d4 in WebCore::Element::attach (this=0x861a330) at WebKit/WebCore/dom/Element.cpp:661
#5 0x01af02a0 in WebCore::ContainerNode::attach (this=0x861a1f0) at WebKit/WebCore/dom/ContainerNode.cpp:595
#6 0x01d158e0 in WebCore::Element::attach (this=0x861a1f0) at WebKit/WebCore/dom/Element.cpp:662
#7 0x01af02a0 in WebCore::ContainerNode::attach (this=0x861a170) at WebKit/WebCore/dom/ContainerNode.cpp:595
#8 0x01d158e0 in WebCore::Element::attach (this=0x861a170) at WebKit/WebCore/dom/Element.cpp:662
#9 0x01af02a0 in WebCore::ContainerNode::attach (this=0x861a0b0) at WebKit/WebCore/dom/ContainerNode.cpp:595
#10 0x01d158e0 in WebCore::Element::attach (this=0x861a0b0) at WebKit/WebCore/dom/Element.cpp:662
#11 0x01af02a0 in WebCore::ContainerNode::attach (this=0x80650a0) at WebKit/WebCore/dom/ContainerNode.cpp:595
#12 0x01d158e0 in WebCore::Element::attach (this=0x80650a0) at WebKit/WebCore/dom/Element.cpp:662
#13 0x01af02a0 in WebCore::ContainerNode::attach (this=0x83589d0) at WebKit/WebCore/dom/ContainerNode.cpp:595
#14 0x01d158e0 in WebCore::Element::attach (this=0x83589d0) at WebKit/WebCore/dom/Element.cpp:662
#15 0x01d15500 in WebCore::Element::recalcStyle (this=0x83589d0, change=WebCore::Node::Force) at WebKit/WebCore/dom/Element.cpp:702
#16 0x01acf178 in WebCore::Document::recalcStyle (this=0x3a34600, change=WebCore::Node::Force) at WebKit/WebCore/dom/Document.cpp:1034
#17 0x01ad2c68 in WebCore::Document::updateStyleSelector (this=0x3a34600) at WebKit/WebCore/dom/Document.cpp:1980
#18 0x01ad2d78 in WebCore::Document::removePendingSheet (this=0x3a34600) at WebKit/WebCore/dom/Document.cpp:1952
#19 0x01dd7b18 in WebCore::ProcessingInstruction::sheetLoaded (this=0x835d2d0) at WebKit/WebCore/dom/ProcessingInstruction.cpp:194
#20 0x01dda71c in WebCore::CSSStyleSheet::checkLoaded (this=0x839e330) at WebKit/WebCore/css/CSSStyleSheet.cpp:179
#21 0x01dd7c18 in WebCore::ProcessingInstruction::parseStyleSheet (this=0x835d2d0, sheet=@0x8385790) at WebKit/WebCore/dom/ProcessingInstruction.cpp:226
#22 0x01dd8850 in WebCore::ProcessingInstruction::setCSSStyleSheet (this=0x835d2d0, url=@0xbfffdb60, charset=@0xbfffdb2c, sheet=@0x8385790) at WebKit/WebCore/dom/ProcessingInstruction.cpp:206
#23 0x01b06420 in WebCore::CachedCSSStyleSheet::checkNotify (this=0x8385670) at WebKit/WebCore/loader/CachedCSSStyleSheet.cpp:90
#24 0x01b06994 in WebCore::CachedCSSStyleSheet::data (this=0x8385670, data=@0xbfffdc48, allDataReceived=true) at WebKit/WebCore/loader/CachedCSSStyleSheet.cpp:80
#25 0x01b0e1d4 in WebCore::Loader::didFinishLoading (this=0x7bb2c8, loader=0x3a3e200) at WebKit/WebCore/loader/loader.cpp:116
#26 0x0200a028 in WebCore::SubresourceLoader::didFinishLoading (this=0x3a3e200) at WebKit/WebCore/loader/SubresourceLoader.cpp:193
#27 0x02007ba0 in WebCore::ResourceLoader::didFinishLoading (this=0x3a3e200) at WebKit/WebCore/loader/ResourceLoader.cpp:361
#28 0x01fcee50 in -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] (self=0x83cd100, _cmd=0x90b6a340, con=0x838e780) at WebKit/WebCore/platform/network/mac/ResourceHandleMac.mm:455
#29 0x91241a88 in _NSURLConnectionDidFinishLoading ()
#30 0x91b1a758 in sendDidFinishLoadingCallback ()
#31 0x91b17654 in _CFURLConnectionSendCallbacks ()
#32 0x91b16f0c in muxerSourcePerform ()
#33 0x94dbf008 in CFRunLoopRunSpecific ()
#34 0x907eed50 in RunCurrentEventLoopInMode ()
#35 0x907eeb74 in ReceiveNextEventCommon ()
#36 0x907ee9b4 in BlockUntilNextEventMatchingListInMode ()
#37 0x953c40b8 in _DPSNextEvent ()
#38 0x953c3b08 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#39 0x00009e90 in ?? ()
#40 0x953bd814 in -[NSApplication run] ()
#41 0x9538e35c in NSApplicationMain ()
#42 0x00002724 in ?? ()
mitz
Comment 3 2007-09-28 12:56:07 PDT
Created attachment 16433: Reduction (will ASSERT)
Reduction for the assertion failure
mitz
Comment 4 2007-09-29 12:05:43 PDT
Created attachment 16457: Fix adding a child before a table caption
No layout test regressions. Includes change logs and a layout test.
Dave Hyatt
Comment 5 2007-09-30 01:20:46 PDT
Comment on attachment 16457: Fix adding a child before a table caption
r=me
Mark Rowe (bdash)
Comment 6 2007-10-14 04:43:42 PDT
Landed in r26583.