Bug 18134

Summary: Crash setting -webkit-transform on a table row
Product: WebKit Reporter: David Smith <catfish.man>
Component: Layout and RenderingAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: bdakin, mitz
Priority: P1 Keywords: HasReduction, InRadar
Version: 528+ (Nightly build)   
Hardware: Mac   
OS: OS X 10.5   
URL: http://arstechnica.com
Attachments:
Description Flags
Backtrace
none
Reduction (will crash) none

Description David Smith 2008-03-26 23:07:50 PDT 
Steps to reproduce:
1) put the following rules in a user stylesheet
h1, h2, h3, h4, h5, h6 { -webkit-transform: rotate(10deg); }
p { -webkit-transform: rotate(-10deg); }
tr { -webkit-transform: skew(50deg); }

2) go to arstechnica.com

r31356/10.5.2/Intel
Comment 1 David Smith 2008-03-26 23:11:46 PDT 
Created attachment 20115 [details]
Backtrace

First few frames:
Thread 0 Crashed:
0   com.apple.WebCore             	0x00e273ef WebCore::RenderBlock::insertPositionedObject(WebCore::RenderObject*) + 15
1   com.apple.WebCore             	0x00ffa524 WebCore::RenderBlock::layoutInlineChildren(bool, int&, int&) + 2884
2   com.apple.WebCore             	0x00e305ea WebCore::RenderBlock::layoutBlock(bool) + 714
3   com.apple.WebCore             	0x00e8d8c2 WebCore::RenderTableCell::layout() + 34
4   com.apple.WebCore             	0x00e91676 WebCore::RenderTableRow::layout() + 214
Comment 2 mitz 2008-03-30 17:06:23 PDT 
Created attachment 20226 [details]
Reduction (will crash)

Having a transform turns the table row into a containing block, but only RenderBlocks can be containing blocks.
Comment 3 mitz 2008-03-30 17:07:52 PDT 
<rdar://problem/5830746>
Comment 4 Simon Fraser (smfr) 2008-09-30 18:07:38 PDT 
No longer crashes on TOT. I think this was fixed in r32861.
Comment 5 Simon Fraser (smfr) 2008-10-24 14:39:20 PDT 
Fixed in r32861, <rdar://problem/5840475>
Comment 6 Simon Fraser (smfr) 2009-01-27 21:00:21 PST 
http://trac.webkit.org/changeset/32861