Bug 19525

Summary: -webkit-box-reflect in hyperlink causes webkit to crash
Product: WebKit
Component: CSS
Reporter: Trevor Downs <cyberskull>
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
Priority: P1
CC: mitz
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: Mac (PowerPC)
OS: OS X 10.5
Attachments (description / flags):
- Attachment 21666: A FAQ I am performing stylistic cleaning up on. / none
- Attachment 21667: Log for one of the crashes. / none
- Attachment 21668: Another crash log for this incident / none
- Attachment 22291: Suppress reflections of inline flows / hyatt: review+

Description Trevor Downs 2008-06-12 15:52:00 PDT
I'm using Mac OS X 10.5.3 PPC and today's build of WebKit. In the attached document I tried to put a reflection effect on a link. It did not render and when I tried to select the text it caused the browser to crash. I've tried 3 times.

To recreate:
1. open the attached HTML file.
2. On the second line try to highlight "CyberSkull"
3. Spinning marble of doom, then crash.
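The following is an added reduced test case for the setup the description and stack trace point at; it is not the reporter's attachment 21666 (which is not on this page) and not part of the WebKit tree. It assumes the attachment placed -webkit-box-reflect on an inline <a> (an inline flow), and that selecting the link text through the DOM Selection API reaches the same RenderView::setSelection / RenderText::selectionRect path as dragging with the mouse in step 2. It also includes, as a comparison, the same reflection on an inline-block link, on the assumption that an inline-block gets a box renderer rather than an inline flow and so is outside the case the fix suppresses.

```html
<!DOCTYPE html>
<!-- Added reduced test case for bug 19525. Not the reporter's attachment.
     Assumption: the attachment styled an inline <a> with -webkit-box-reflect. -->
<html>
<head>
<meta charset="utf-8">
<title>Bug 19525 reduction: -webkit-box-reflect on an inline link</title>
<style>
  /* Case 1: reflection on an inline flow (RenderInline). This is the
     configuration the report says did not render and crashed on selection
     in nightlies before the fix in changeset 35186. */
  #inline-link {
    -webkit-box-reflect: below 2px;
  }
  /* Case 2: same reflection on an inline-block. Assumption: the element gets
     a box renderer, not an inline flow, so it is not the crashing case. */
  #block-link {
    display: inline-block;
    -webkit-box-reflect: below 2px;
  }
</style>
</head>
<body>
<p>First line of the FAQ.</p>
<p>Maintained by <a id="inline-link" href="#">CyberSkull</a> (inline flow).</p>
<p>Maintained by <a id="block-link" href="#">CyberSkull</a> (inline-block).</p>
<p id="status">not run</p>

<script>
  // Select a link's text node programmatically. Assumption: this drives the
  // same selection machinery as the mouse (SelectionController::setSelection
  // -> RenderView::setSelection -> RenderText::selectionRect), which is where
  // the debug trace in comment 4 shows RenderLayer::reflection() crashing.
  function selectLinkText(id) {
    var link = document.getElementById(id);
    var range = document.createRange();
    range.selectNodeContents(link);
    var sel = window.getSelection();
    sel.removeAllRanges();
    sel.addRange(range);
    return sel.toString();
  }

  // Run the inline-block case first so the status line records progress;
  // an unfixed build is not expected to get past the inline-flow case.
  var out = [];
  out.push("inline-block selected: " + selectLinkText("block-link"));
  document.getElementById("status").textContent = out.join("; ");
  out.push("inline selected: " + selectLinkText("inline-link"));
  document.getElementById("status").textContent = out.join("; ") + "; no crash";
</script>
</body>
</html>
```

Load the file in a WebKit build. Before changeset 35186 the expectation, going by the report, is a crash when the inline-flow link is selected; after it, both selections should complete and the inline link should render without a reflection, since the patch suppresses reflections on inline flows rather than making them render.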
Comment 1 Trevor Downs 2008-06-12 15:53:37 PDT
Created attachment 21666 [details]
A FAQ I am performing stylistic cleaning up on.
Comment 2 Trevor Downs 2008-06-12 15:54:46 PDT
Created attachment 21667 [details]
Log for one of the crashes.
Comment 3 Trevor Downs 2008-06-12 15:55:20 PDT
Created attachment 21668 [details]
Another crash log for this incident
Comment 4 Matt Lilek 2008-06-12 18:21:45 PDT
Confirmed with ToT. Debug stack trace:

Thread 0 Crashed:
0   com.apple.WebCore             	0x0286ad73 WebCore::RenderLayer::reflection() const + 9 (RenderLayer.h:220)
1   com.apple.WebCore             	0x02873cff WebCore::RenderBox::computeAbsoluteRepaintRect(WebCore::IntRect&, bool) + 245 (RenderBox.cpp:1104)
2   com.apple.WebCore             	0x028bd09a WebCore::RenderObject::computeAbsoluteRepaintRect(WebCore::IntRect&, bool) + 448 (RenderObject.cpp:2013)
3   com.apple.WebCore             	0x028edcfd WebCore::RenderText::selectionRect(bool) + 519 (RenderText.cpp:1080)
4   com.apple.WebCore             	0x0290b87c WebCore::RenderObject::SelectionInfo::SelectionInfo(WebCore::RenderObject*, bool) + 92
5   com.apple.WebCore             	0x0290aabd WebCore::RenderView::setSelection(WebCore::RenderObject*, int, WebCore::RenderObject*, int) + 1467 (RenderView.cpp:357)
6   com.apple.WebCore             	0x026062c7 WebCore::Frame::selectionLayoutChanged() + 999 (Frame.cpp:631)
7   com.apple.WebCore             	0x02a3d368 WebCore::SelectionController::setSelection(WebCore::Selection const&, bool, bool, bool) + 648 (SelectionController.cpp:143)
Comment 5 mitz 2008-06-12 22:11:51 PDT
<rdar://problem/5961768> is essentially the same issue.
Comment 6 mitz 2008-07-15 15:00:15 PDT
Created attachment 22291 [details]
Suppress reflections of inline flows

This proved to be hard to do in adjustRenderStyle() because there is no easy way to tell that the element is going to be an inline flow, so instead this patch just overrides the flag on the renderer.
Comment 7 Dave Hyatt 2008-07-15 15:00:59 PDT
Comment on attachment 22291 [details]
Suppress reflections of inline flows

r=me
Comment 8 mitz 2008-07-15 15:53:54 PDT
Fixed in <http://trac.webkit.org/changeset/35186>.