Bug 15367

Summary: Assertion failure inspecting a document including soft hyphen code (0xad)
Product: WebKit
Reporter: Satoshi Ueyama <gyuque>
Component: Layout and Rendering
Assignee: mitz
Status: RESOLVED FIXED
Severity: Normal
CC: ap, gyuque, mitz
Priority: P2
Keywords: HasReduction
Version: 523.x (Safari 3)
Hardware: All
OS: All
URL: http://gyuque.googlepages.com/crash1.html
Attachments:
test case html (flags: none)
Patch, including layout test and change log (flags: zimmermann: review+)

Satoshi Ueyama
Reported 2007-10-04 04:13:28 PDT
Safari version: 3.0.4 for Windows
WebKit revision: r26024 (Debug build)
OS: Windows XP SP2 (Japanese)

Steps to reproduce:
1a. Open http://gyuque.googlepages.com/crash0.html with Safari
or
1b. Open http://gyuque.googlepages.com/crash1.html with Safari
2. Select an (any) element and select "Inspect Element" from its context menu.
3. Assert!

Assertion fails in "RenderText::calcPrefWidths()" due to an incorrect soft hyphen code.
( http://trac.webkit.org/projects/webkit/browser/trunk/WebCore/rendering/RenderText.cpp?rev=25754#L586 )

Although the author didn't tuck soft hyphens into the document, this bug also occurs in utf-8 encoded Japanese documents. (Step 1a)
Strings created by "addSourceToFrame()" include (wchar_t)0x00ad because the function forcibly uses Windows-1252 to decode utf-8 strings.
( http://trac.webkit.org/projects/webkit/browser/trunk/WebCore/page/InspectorController.cpp?rev=25769#L230 )
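The charset confusion the reporter describes (UTF-8 bytes decoded as Windows-1252, so every 0xAD continuation byte surfaces as U+00AD SOFT HYPHEN even though the document contains none) can be reproduced outside WebKit. The Python below is an added example, not code from this bug or from WebKit; the helper names and the sample Japanese string are constructed for illustration, and the pass-through for the five bytes Python's cp1252 codec rejects follows the WHATWG windows-1252 mapping, on the assumption that WebKit's decoder behaved the same way.

```python
# Added example (not from the bug report or from WebKit): reproduces the
# charset confusion described in the report, in which UTF-8 bytes are decoded
# as Windows-1252 and every 0xAD continuation byte surfaces as U+00AD
# (SOFT HYPHEN). Helper names and the sample text are constructed.

SOFT_HYPHEN = "\u00ad"


def decode_as_windows1252(raw: bytes) -> str:
    """Decode bytes as Windows-1252 the way a browser does.

    Python's cp1252 codec rejects the five unassigned bytes (0x81, 0x8D,
    0x8F, 0x90, 0x9D); the WHATWG windows-1252 mapping passes them through
    as U+0081 etc. Assumption: WebKit's decoder behaved like the latter.
    """
    out = []
    for b in raw:
        try:
            out.append(bytes([b]).decode("cp1252"))
        except UnicodeDecodeError:
            out.append(chr(b))
    return "".join(out)


def chars_with_ad_byte(text: str) -> list[str]:
    """Characters whose UTF-8 encoding contains the byte 0xAD.

    These are exactly the characters that a Windows-1252 misdecode turns
    into a spurious soft hyphen plus debris.
    """
    return [ch for ch in text if b"\xad" in ch.encode("utf-8")]


def soft_hyphen_positions(text: str) -> list[int]:
    """Indexes of U+00AD in an already-decoded string."""
    return [i for i, ch in enumerate(text) if ch == SOFT_HYPHEN]


def misdecode_report(text: str) -> dict:
    """Compare a correct UTF-8 round trip against the Windows-1252 misdecode."""
    raw = text.encode("utf-8")
    correct = raw.decode("utf-8")
    wrong = decode_as_windows1252(raw)
    return {
        "utf8_bytes": raw,
        "soft_hyphens_when_correct": soft_hyphen_positions(correct),
        "soft_hyphens_when_misdecoded": soft_hyphen_positions(wrong),
        "culprit_chars": chars_with_ad_byte(text),
    }


# Constructed sample: plain Japanese text that contains no soft hyphen at all.
# U+6B63 encodes as E6 AD A3, so the misdecode yields "æ\u00ad£".
SAMPLE_JAPANESE = "正しい"          # "correct" in Japanese
SAMPLE_ASCII = "soft hyphen"

if __name__ == "__main__":
    for sample in (SAMPLE_JAPANESE, SAMPLE_ASCII):
        r = misdecode_report(sample)
        print(sample, r["utf8_bytes"].hex(" "),
              "correct:", r["soft_hyphens_when_correct"],
              "misdecoded:", r["soft_hyphens_when_misdecoded"],
              "culprits:", r["culprit_chars"])
```

Running the script shows the Japanese sample acquiring a soft hyphen at index 1 only under the misdecode, while the ASCII sample is unaffected either way; `chars_with_ad_byte` is the check to run over a document's text when a soft hyphen shows up where the author never typed one.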
Attachments
test case html (197 bytes, text/html), 2007-10-05 01:13 PDT, Satoshi Ueyama: no flags
Patch, including layout test and change log (32.95 KB, patch), 2007-10-18 00:20 PDT, mitz: zimmermann: review+
Satoshi Ueyama
Comment 1 2007-10-05 01:13:39 PDT
Created attachment 16539 [details]
test case html

** This file may crash your browser.

Here's a simpler test case. This sample causes an assertion failure just by opening the file (without Inspector). Triggers are:
1. 0xad is inside a table cell.
2. has a style word-break:break-all;

# "(Step 1a)" in my comment #0 is a typo of "(Step 1b)". Sorry.
mitz
Comment 2 2007-10-05 08:30:02 PDT
This example shows that the computed width is in fact wrong:

<div style="position: absolute; word-break: break-all;">soft&shy;hyphen</div>
David Kilzer (:ddkilzer)
Comment 3 2007-10-05 08:36:10 PDT
(In reply to comment #1)
> ** This file may crash your browser.

Using a local debug build of WebKit r26042 with Safari 3 Public Beta v. 3.0.3 (522.12.1) on Mac OS X 10.4.10 (8R218), this does cause an assertion failure:

ASSERTION FAILED: lastWordBoundary == i
(/path/to/WebKit/WebCore/rendering/RenderText.cpp:586 virtual void WebCore::RenderText::calcPrefWidths(int))
Segmentation fault

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_INVALID_ADDRESS (0x0001) at 0xbbadbeef

Thread 0 Crashed:
0 com.apple.WebCore 0x011d8a0c WebCore::RenderText::calcPrefWidths(int) + 1408 (RenderText.cpp:586)
1 com.apple.WebCore 0x011d7c2c WebCore::RenderText::trimmedPrefWidths(int, int&, bool&, int&, bool&, bool&, bool&, int&, int&, int&, int&, bool&) + 224 (RenderText.cpp:432)
2 com.apple.WebCore 0x0116475c WebCore::RenderBlock::calcInlinePrefWidths() + 2136 (RenderBlock.cpp:3741)
3 com.apple.WebCore 0x01164da8 WebCore::RenderBlock::calcPrefWidths() + 540 (RenderBlock.cpp:3395)
4 com.apple.WebCore 0x011ec12c WebCore::RenderTableCell::calcPrefWidths() + 64 (RenderTableCell.cpp:109)
5 com.apple.WebCore 0x0131b4c4 WebCore::AutoTableLayout::recalcColumn(int) + 740 (AutoTableLayout.cpp:85)
6 com.apple.WebCore 0x0131bfd8 WebCore::AutoTableLayout::fullRecalc() + 1292 (AutoTableLayout.cpp:213)
7 com.apple.WebCore 0x0131d7bc WebCore::AutoTableLayout::calcPrefWidths(int&, int&) + 52 (AutoTableLayout.cpp:254)
8 com.apple.WebCore 0x011f2398 WebCore::RenderTable::calcPrefWidths() + 192 (RenderTable.cpp:540)
9 com.apple.WebCore 0x01177498 WebCore::RenderBox::maxPrefWidth() const + 80 (RenderBox.cpp:184)
10 com.apple.WebCore 0x011eeb08 WebCore::RenderTable::calcWidth() + 880 (RenderTable.cpp:244)
11 com.apple.WebCore 0x011f2614 WebCore::RenderTable::layout() + 492 (RenderTable.cpp:282)
12 com.apple.WebCore 0x016c07a8 WebCore::RenderObject::layoutIfNeeded() + 76 (RenderObject.h:477)
13 com.apple.WebCore 0x01174880 WebCore::RenderBlock::layoutBlockChildren(bool) + 1976 (RenderBlock.cpp:1215)
14 com.apple.WebCore 0x01175fdc WebCore::RenderBlock::layoutBlock(bool) + 1616 (RenderBlock.cpp:585)
15 com.apple.WebCore 0x0115f810 WebCore::RenderBlock::layout() + 92 (RenderBlock.cpp:494)
16 com.apple.WebCore 0x016c07a8 WebCore::RenderObject::layoutIfNeeded() + 76 (RenderObject.h:477)
17 com.apple.WebCore 0x01174880 WebCore::RenderBlock::layoutBlockChildren(bool) + 1976 (RenderBlock.cpp:1215)
18 com.apple.WebCore 0x01175fdc WebCore::RenderBlock::layoutBlock(bool) + 1616 (RenderBlock.cpp:585)
19 com.apple.WebCore 0x0115f810 WebCore::RenderBlock::layout() + 92 (RenderBlock.cpp:494)
20 com.apple.WebCore 0x016c07a8 WebCore::RenderObject::layoutIfNeeded() + 76 (RenderObject.h:477)
21 com.apple.WebCore 0x01174880 WebCore::RenderBlock::layoutBlockChildren(bool) + 1976 (RenderBlock.cpp:1215)
22 com.apple.WebCore 0x01175fdc WebCore::RenderBlock::layoutBlock(bool) + 1616 (RenderBlock.cpp:585)
23 com.apple.WebCore 0x0115f810 WebCore::RenderBlock::layout() + 92 (RenderBlock.cpp:494)
24 com.apple.WebCore 0x011861cc WebCore::RenderView::layout() + 392 (RenderView.cpp:114)
25 com.apple.WebCore 0x011040f0 WebCore::FrameView::layout(bool) + 2500 (FrameView.cpp:435)
26 com.apple.WebCore 0x0110f4cc WebCore::Document::implicitClose() + 1440 (Document.cpp:1460)
27 com.apple.WebCore 0x01483bd8 WebCore::FrameLoader::checkCallImplicitClose() + 592 (FrameLoader.cpp:1309)
28 com.apple.WebCore 0x0148f770 WebCore::FrameLoader::checkCompleted() + 404 (FrameLoader.cpp:1255)
29 com.apple.WebCore 0x01490b7c WebCore::FrameLoader::finishedParsing() + 116 (FrameLoader.cpp:1203)
30 com.apple.WebCore 0x011085c0 WebCore::Document::finishedParsing() + 84 (Document.cpp:3429)
31 com.apple.WebCore 0x01024928 WebCore::HTMLParser::finished() + 308 (HTMLParser.cpp:1427)
32 com.apple.WebCore 0x01028034 WebCore::HTMLTokenizer::end() + 336 (HTMLTokenizer.cpp:1555)
33 com.apple.WebCore 0x01028534 WebCore::HTMLTokenizer::finish() + 1212 (HTMLTokenizer.cpp:1596)
34 com.apple.WebCore 0x0110674c WebCore::Document::finishParsing() + 84 (Document.cpp:1560)
35 com.apple.WebCore 0x01492d9c WebCore::FrameLoader::endIfNotLoadingMainResource() + 160 (FrameLoader.cpp:1030)
36 com.apple.WebCore 0x01492e80 WebCore::FrameLoader::end() + 44 (FrameLoader.cpp:1015)
37 com.apple.WebCore 0x01497f00 WebCore::DocumentLoader::finishedLoading() + 92 (DocumentLoader.cpp:321)
38 com.apple.WebCore 0x014898c8 WebCore::FrameLoader::finishedLoading() + 96 (FrameLoader.cpp:2737)
39 com.apple.WebCore 0x0149856c WebCore::MainResourceLoader::didFinishLoading() + 272 (MainResourceLoader.cpp:305)
40 com.apple.WebCore 0x0149a88c WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle*) + 60
41 com.apple.WebCore 0x0146d7a0 -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] + 204 (ResourceHandleMac.mm:456)
42 com.apple.Foundation 0x92c1589c -[NSURLConnection(NSURLConnectionInternal) _sendDidFinishLoadingCallback] + 188
43 com.apple.Foundation 0x92c13b08 -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] + 556
44 com.apple.Foundation 0x92c13860 _sendCallbacks + 156
45 com.apple.CoreFoundation 0x907de4fc __CFRunLoopDoSources0 + 384
46 com.apple.CoreFoundation 0x907dda2c __CFRunLoopRun + 452
47 com.apple.CoreFoundation 0x907dd4ac CFRunLoopRunSpecific + 268
48 com.apple.HIToolbox 0x9329bb20 RunCurrentEventLoopInMode + 264
49 com.apple.HIToolbox 0x9329b1b4 ReceiveNextEventCommon + 380
50 com.apple.HIToolbox 0x9329b020 BlockUntilNextEventMatchingListInMode + 96
51 com.apple.AppKit 0x937a1ae4 _DPSNextEvent + 384
52 com.apple.AppKit 0x937a17a8 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 116
53 com.apple.Safari 0x00006770 0x1000 + 22384
54 com.apple.AppKit 0x9379dcec -[NSApplication run] + 472
55 com.apple.AppKit 0x9388e87c NSApplicationMain + 452
56 com.apple.Safari 0x0000244c 0x1000 + 5196
57 com.apple.Safari 0x0004f1b0 0x1000 + 319920
mitz
Comment 4 2007-10-18 00:20:49 PDT
Created attachment 16716 [details]
Patch, including layout test and change log
Nikolas Zimmermann
Comment 5 2007-10-18 07:00:56 PDT
Comment on attachment 16716 [details]
Patch, including layout test and change log

Patch looks good - though you left some tabs in it :-)
I also ran into this problem lately, and had a similar fix, so r=me.
mitz
Comment 6 2007-10-18 09:32:29 PDT