Bug 20765

Summary: Website crashes on load due to messy HTML in search form
Product: WebKit Reporter: Alexis Deveria <adeveria>
Component: DOMAssignee: Beth Dakin <bdakin>
Status: RESOLVED FIXED    
Severity: Critical CC: bdakin, mitz, sky, webkit, zwarich
Priority: P1 Keywords: HasReduction, InRadar
Version: 528+ (Nightly build)   
Hardware: Mac   
OS: OS X 10.5   
URL: http://outpost10f.com
Attachments:
Description Flags
Minimum HTML needed to cause crash
none
Patch
hyatt: review+
patch to clean up some loose ends
none
better version of "loose ends" patch hyatt: review+

Alexis Deveria
Reported 2008-09-10 08:14:54 PDT
Crashes in latest nightly Webkit, as well as Safari 3.1 and Chrome 0.2 on OSX 10.5, Windows XP and presumably other OSes. This is the minimal HTML I've found required to replicate the crash: <table><tr><b><form style="display:inline"></b><td>a</td><td><p> I have contacted the website and suggested they remove the <b> tags, since they don't serve any purpose in this case anyway.
Attachments
Minimum HTML needed to cause crash (64 bytes, text/html)
2008-09-10 08:22 PDT, Alexis Deveria 		no flags
Details
Patch (39.74 KB, patch)
2009-04-16 13:40 PDT, Beth Dakin 		hyatt: review+
DetailsFormatted DiffDiff
patch to clean up some loose ends (6.85 KB, patch)
2009-04-17 06:24 PDT, Darin Adler 		no flags
DetailsFormatted DiffDiff
better version of "loose ends" patch (6.38 KB, patch)
2009-04-17 06:48 PDT, Darin Adler 		hyatt: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Alexis Deveria
Comment 1 2008-09-10 08:22:36 PDT
Created attachment 23319 [details] Minimum HTML needed to cause crash
Mark Rowe (bdash)
Comment 2 2008-09-10 12:51:43 PDT
Program received signal EXC_BAD_ACCESS, Could not access memory. Reason: KERN_INVALID_ADDRESS at address: 0xbbadbeef 0x03559cdd in WebCore::RenderContainer::appendChildNode (this=0x1d00b97c, newChild=0x1cb66e9c, fullAppend=true) at WebCore/rendering/RenderContainer.cpp:417 417 ASSERT(!isBlockFlow() || (!newChild->isTableSection() && !newChild->isTableRow() && !newChild->isTableCell())); (gdb) bt #0 0x03559cdd in WebCore::RenderContainer::appendChildNode (this=0x1d00b97c, newChild=0x1cb66e9c, fullAppend=true) at WebCore/rendering/RenderContainer.cpp:417 #1 0x035752bc in WebCore::RenderInline::splitFlow (this=0x1d00b34c, beforeChild=0x0, newBlockBox=0x1d00b88c, newChild=0x1d00b7ec, oldCont=0x0) at WebCore/rendering/RenderInline.cpp:255 #2 0x035755a2 in WebCore::RenderInline::addChildToFlow (this=0x1d00b34c, newChild=0x1d00b7ec, beforeChild=0x0) at WebCore/rendering/RenderInline.cpp:122
Mark Rowe (bdash)
Comment 3 2008-09-10 12:58:39 PDT
<rdar://problem/6210633>
Alexis Deveria
Comment 4 2008-09-11 06:02:20 PDT
The website ( http://outpost10f.com/ ) has now removed the buggy HTML, so it won't crash any more.
Beth Dakin
Comment 5 2009-04-16 13:22:10 PDT
*** Bug 24247 has been marked as a duplicate of this bug. ***
Beth Dakin
Comment 6 2009-04-16 13:40:30 PDT
Created attachment 29547 [details] Patch
Dave Hyatt
Comment 7 2009-04-16 13:45:14 PDT
Comment on attachment 29547 [details] Patch r=me
Beth Dakin
Comment 8 2009-04-16 13:48:53 PDT
Fixed with r42586.
Scott Violet
Comment 9 2009-04-16 13:51:53 PDT
Thanks Beth!
Darin Adler
Comment 10 2009-04-17 06:24:29 PDT
Created attachment 29575 [details] patch to clean up some loose ends
Darin Adler
Comment 11 2009-04-17 06:48:21 PDT
Created attachment 29576 [details] better version of "loose ends" patch
Dave Hyatt
Comment 12 2009-04-17 10:21:42 PDT
Comment on attachment 29576 [details] better version of "loose ends" patch I don't understand why it's ok to remove this line: bool wrapInAnonymousSection = !child->isPositioned(); and replace it with false.
Darin Adler
Comment 13 2009-04-17 11:01:15 PDT
(In reply to comment #12) > (From update of attachment 29576 [details] [review]) > I don't understand why it's ok to remove this line: > > bool wrapInAnonymousSection = !child->isPositioned(); > > and replace it with false. Because every single code path after that sets wrapInAnonymousSection to either true or false; that value is ignored and my patch doesn't change behavior at all. If we need correct handling of positioned elements we need to fix the code to not do that any more. And write test cases so it doesn't break again. Also, the other tables renderers that do wrapping similarly don't check isPositioned.
Dave Hyatt
Comment 14 2009-04-17 11:09:55 PDT
Comment on attachment 29576 [details] better version of "loose ends" patch r=me
Note You need to log in before you can comment on or make changes to this bug.