Summary: | Website crashes on load due to messy HTML in search form
---|---
Product: | WebKit
Component: | DOM
Status: | RESOLVED FIXED
Severity: | Critical
Priority: | P1
Version: | 528+ (Nightly build)
Hardware: | Mac
OS: | OS X 10.5
URL: | http://outpost10f.com
Reporter: | Alexis Deveria <adeveria>
Assignee: | Beth Dakin <bdakin>
CC: | bdakin, mitz, sky, webkit, zwarich
Keywords: | HasReduction, InRadar
Attachments: | 23319 (Minimum HTML needed to cause crash); 29547 (Patch); 29575 (patch to clean up some loose ends); 29576 (better version of "loose ends" patch)
Description

Alexis Deveria
2008-09-10 08:14:54 PDT

Created attachment 23319 [details]
Minimum HTML needed to cause crash

```
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xbbadbeef
0x03559cdd in WebCore::RenderContainer::appendChildNode (this=0x1d00b97c, newChild=0x1cb66e9c, fullAppend=true) at WebCore/rendering/RenderContainer.cpp:417
417         ASSERT(!isBlockFlow() || (!newChild->isTableSection() && !newChild->isTableRow() && !newChild->isTableCell()));
(gdb) bt
#0  0x03559cdd in WebCore::RenderContainer::appendChildNode (this=0x1d00b97c, newChild=0x1cb66e9c, fullAppend=true) at WebCore/rendering/RenderContainer.cpp:417
#1  0x035752bc in WebCore::RenderInline::splitFlow (this=0x1d00b34c, beforeChild=0x0, newBlockBox=0x1d00b88c, newChild=0x1d00b7ec, oldCont=0x0) at WebCore/rendering/RenderInline.cpp:255
#2  0x035755a2 in WebCore::RenderInline::addChildToFlow (this=0x1d00b34c, newChild=0x1d00b7ec, beforeChild=0x0) at WebCore/rendering/RenderInline.cpp:122
```

The website ( http://outpost10f.com/ ) has now removed the buggy HTML, so it won't crash any more.

*** Bug 24247 has been marked as a duplicate of this bug. ***

Created attachment 29547 [details]
Patch
Comment on attachment 29547 [details]
Patch
r=me
Thanks Beth!

Created attachment 29575 [details]
patch to clean up some loose ends
Created attachment 29576 [details]
better version of "loose ends" patch
Comment on attachment 29576 [details]
better version of "loose ends" patch
I don't understand why it's ok to remove this line:
bool wrapInAnonymousSection = !child->isPositioned();
and replace it with false.
(In reply to comment #12)
> (From update of attachment 29576 [details] [review])
> I don't understand why it's ok to remove this line:
>
> bool wrapInAnonymousSection = !child->isPositioned();
>
> and replace it with false.

Because every single code path after that sets wrapInAnonymousSection to either true or false; that value is ignored and my patch doesn't change behavior at all. If we need correct handling of positioned elements, we need to fix the code to not do that any more, and write test cases so it doesn't break again. Also, the other table renderers that do wrapping similarly don't check isPositioned.

Comment on attachment 29576 [details]
better version of "loose ends" patch
r=me