Bug 15362

Summary: Safari Crashes when opening a JS TreeGrid widget
Product: WebKit Reporter: Sjoerd Mulder <sjoerdmulder>
Component: Layout and RenderingAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Major CC: mitz
Priority: P1 Keywords: HasReduction, InRadar
Version: 523.x (Safari 3)   
Hardware: PC   
OS: All   
URL: http://demo.backbase.com/current/Backbase_4_1/examples/www.backbase.com.2007.debugger/debugger/index.html
Bug Depends on:    
Bug Blocks: 6628    
Attachments:
Description Flags
Reduction for the assertion failure
none
Reduction (will crash)
none
Fix insertion before a child nested in anonymous table parts hyatt: review+

Description Sjoerd Mulder 2007-10-03 09:49:48 PDT 
Reproducable: always

Howto reproduce: 1. Goto http://demo.backbase.com/current/Backbase_4_1/examples/www.backbase.com.2007.debugger/debugger/index.html
2. After the page is loaded press ESC to open the Backbase Debugger
3. Click on some Treenode on the left of the window to select it.
4. Now at the right side you see the 'DOM Node' properties.
5. Try to Expand the Properties => tagName property => CRASH

This happens ALWAYS, the code behind the Treegrid is quite simple, it's generates some TR's and does insertBefore on the TBODY with the current TR as reference. This doesnt happen when the Grid is in some other container (e.g. for example in the Console Tab)
Comment 1 mitz 2007-10-03 13:36:29 PDT 
ASSERTION FAILED: !beforeChild || beforeChild->parent()->isRenderBlock() || beforeChild->parent()->isRenderInline()
(WebKit/WebCore/rendering/RenderFlow.cpp:90 void WebCore::RenderFlow::addChildWithContinuation(WebCore::RenderObject*, WebCore::RenderObject*))
Comment 2 mitz 2007-10-03 14:10:08 PDT 
Created attachment 16525 [details]
Reduction for the assertion failure

This reduction does not crash the release build, but triggers the assertion failure.
Comment 3 mitz 2007-10-03 14:13:43 PDT 
Created attachment 16526 [details]
Reduction (will crash)

This also reproduces the crash.
Comment 4 Mark Rowe (bdash) 2007-10-24 17:33:26 PDT 
<rdar://problem/5558715>
Comment 5 mitz 2007-10-24 20:00:13 PDT 
Created attachment 16848 [details]
Fix insertion before a child nested in anonymous table parts

Includes change log and a regression test.
Comment 6 Dave Hyatt 2007-10-25 11:12:07 PDT 
Comment on attachment 16848 [details]
Fix insertion before a child nested in anonymous table parts

r=me
Comment 7 mitz 2007-10-25 11:34:18 PDT 
Fixed in <http://trac.webkit.org/projects/webkit/changeset/27051>.