Bug 15362

Summary: Safari Crashes when opening a JS TreeGrid widget
Product: WebKit Reporter: Sjoerd Mulder <sjoerdmulder>
Component: Layout and RenderingAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Major CC: mitz
Priority: P1 Keywords: HasReduction, InRadar
Version: 523.x (Safari 3)   
Hardware: PC   
OS: All   
URL: http://demo.backbase.com/current/Backbase_4_1/examples/www.backbase.com.2007.debugger/debugger/index.html
Bug Depends on:    
Bug Blocks: 6628    
Attachments:
Description Flags
Reduction for the assertion failure
none
Reduction (will crash)
none
Fix insertion before a child nested in anonymous table parts hyatt: review+

Sjoerd Mulder
Reported 2007-10-03 09:49:48 PDT
Reproducable: always Howto reproduce: 1. Goto http://demo.backbase.com/current/Backbase_4_1/examples/www.backbase.com.2007.debugger/debugger/index.html 2. After the page is loaded press ESC to open the Backbase Debugger 3. Click on some Treenode on the left of the window to select it. 4. Now at the right side you see the 'DOM Node' properties. 5. Try to Expand the Properties => tagName property => CRASH This happens ALWAYS, the code behind the Treegrid is quite simple, it's generates some TR's and does insertBefore on the TBODY with the current TR as reference. This doesnt happen when the Grid is in some other container (e.g. for example in the Console Tab)
Attachments
Reduction for the assertion failure (318 bytes, text/html)
2007-10-03 14:10 PDT, mitz 		no flags
Details
Reduction (will crash) (404 bytes, text/html)
2007-10-03 14:13 PDT, mitz 		no flags
Details
Fix insertion before a child nested in anonymous table parts (125.88 KB, patch)
2007-10-24 20:00 PDT, mitz 		hyatt: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
mitz
Comment 1 2007-10-03 13:36:29 PDT
ASSERTION FAILED: !beforeChild || beforeChild->parent()->isRenderBlock() || beforeChild->parent()->isRenderInline() (WebKit/WebCore/rendering/RenderFlow.cpp:90 void WebCore::RenderFlow::addChildWithContinuation(WebCore::RenderObject*, WebCore::RenderObject*))
mitz
Comment 2 2007-10-03 14:10:08 PDT
Created attachment 16525 [details] Reduction for the assertion failure This reduction does not crash the release build, but triggers the assertion failure.
mitz
Comment 3 2007-10-03 14:13:43 PDT
Created attachment 16526 [details] Reduction (will crash) This also reproduces the crash.
Mark Rowe (bdash)
Comment 4 2007-10-24 17:33:26 PDT
<rdar://problem/5558715>
mitz
Comment 5 2007-10-24 20:00:13 PDT
Created attachment 16848 [details] Fix insertion before a child nested in anonymous table parts Includes change log and a regression test.
Dave Hyatt
Comment 6 2007-10-25 11:12:07 PDT
Comment on attachment 16848 [details] Fix insertion before a child nested in anonymous table parts r=me
mitz
Comment 7 2007-10-25 11:34:18 PDT
Fixed in <http://trac.webkit.org/projects/webkit/changeset/27051>.
Note You need to log in before you can comment on or make changes to this bug.