Bug 3359

Summary:

Crash on hover with certain styles on the text applied

Product:

WebKit

Reporter:

Jorge Salvador Caffarena <jorge>

Component:

JavaScriptCore

Assignee:

Justin Garcia <justin.garcia>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

alamaz, joost, mrowe

Priority:

Version:

412

Hardware:

Mac

OS:

OS X 10.4

Attachments:

Description	Flags
Test case. The crash occurs on mouse over of the link.	none
Patch	mjs: review-
New Patch	mjs: review+
layout test for patch	none

Jorge Salvador Caffarena

Reported 2005-06-08 10:57:16 PDT

If you load this URL http://trac.adiumx.com/search?q=settings&wiki=on&ticket=on and hover on the third link, named #471 Privacy // Invisibility Settings, instant crash with this log: Date/Time: 2005-06-08 19:47:52.582 +0200 OS Version: 10.4.1 (Build 8B15) Report Version: 3 Command: Safari Path: /Applications/Safari.app/Contents/MacOS/Safari Parent: launchd [1] Version: 2.0 (412) Build Version: 1 Project Name: WebBrowser Source Version: 4120000 PID: 5392 Thread: 0 Exception: EXC_BAD_ACCESS (0x0001) Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000000 Thread 0 Crashed: 0 <<00000000>> 0xffff8824 __memcpy + 132 (cpu_capabilities.h:189) 1 com.apple.WebCore 0x0103dc4c QString::insert(unsigned, QChar const*, unsigned) + 148 (icplusplus.c:28) 2 com.apple.WebCore 0x011851b0 khtml::plainText(DOM::RangeImpl const*) + 144 (icplusplus.c:28) 3 com.apple.WebCore 0x01050708 -[WebCoreBridge elementAtPoint:] + 644 (icplusplus.c:28) 4 com.apple.WebKit 0x00341e74 -[WebHTMLView elementAtPoint:] + 68 (WebHTMLView.m: 2903) 5 com.apple.WebKit 0x0034ad68 -[WebHTMLView(WebPrivate) _updateMouseoverWithEvent:] + 772 (WebHTMLView.m:1029) 6 com.apple.Foundation 0x9287bbf8 _nsnote_callback + 180 7 com.apple.CoreFoundation 0x90771840 __CFXNotificationPost + 368 8 com.apple.CoreFoundation 0x90769964 _CFXNotificationPostNotification + 684 9 com.apple.Foundation 0x92866000 -[NSNotificationCenter postNotificationName:object:userInfo:] + 92 10 com.apple.AppKit 0x936f9358 forwardMethod + 92 11 com.apple.AppKit 0x936f9358 forwardMethod + 92 12 com.apple.AppKit 0x936f9358 forwardMethod + 92 13 com.apple.AppKit 0x936f9358 forwardMethod + 92 14 com.apple.AppKit 0x936f9358 forwardMethod + 92 15 com.apple.AppKit 0x936f9358 forwardMethod + 92 16 com.apple.AppKit 0x936f9358 forwardMethod + 92 17 com.apple.AppKit 0x936f9358 forwardMethod + 92 18 com.apple.AppKit 0x936f9358 forwardMethod + 92 19 com.apple.AppKit 0x936f9358 forwardMethod + 92 20 com.apple.AppKit 0x93757ff0 -[NSTextView mouseMoved:] + 2228 21 com.apple.AppKit 0x93687438 -[NSWindow sendEvent:] + 6424 22 com.apple.Safari 0x0001d6bc 0x1000 + 116412 23 com.apple.AppKit 0x9362ff5c -[NSApplication sendEvent:] + 4172 24 com.apple.Safari 0x0001a6a4 0x1000 + 104100 25 com.apple.AppKit 0x936273f0 -[NSApplication run] + 508 26 com.apple.AppKit 0x93717c1c NSApplicationMain + 452 27 com.apple.Safari 0x00002700 0x1000 + 5888 28 com.apple.Safari 0x00057190 0x1000 + 352656 Thread 1: 0 libSystem.B.dylib 0x9000a778 mach_msg_trap + 8 1 libSystem.B.dylib 0x9000a6bc mach_msg + 60 2 com.apple.CoreFoundation 0x9074a4d8 __CFRunLoopRun + 832 3 com.apple.CoreFoundation 0x90749ddc CFRunLoopRunSpecific + 268 4 com.apple.Foundation 0x9288b244 -[NSRunLoop runMode:beforeDate:] + 172 5 com.apple.Foundation 0x9288b17c -[NSRunLoop run] + 76 6 com.apple.WebKit 0x003667a4 +[WebFileDatabase _syncLoop:] + 176 (WebFileDatabase.m:295) 7 com.apple.Foundation 0x9287c2b4 forkThreadForFunction + 108 8 libSystem.B.dylib 0x9002c3d4 _pthread_body + 96 Thread 2: 0 libSystem.B.dylib 0x9000a778 mach_msg_trap + 8 1 libSystem.B.dylib 0x9000a6bc mach_msg + 60 2 com.apple.CoreFoundation 0x9074a4d8 __CFRunLoopRun + 832 3 com.apple.CoreFoundation 0x90749ddc CFRunLoopRunSpecific + 268 4 com.apple.Foundation 0x928a3760 +[NSURLConnection(NSURLConnectionInternal) _resourceLoadLoop:] + 264 5 com.apple.Foundation 0x9287c2b4 forkThreadForFunction + 108 6 libSystem.B.dylib 0x9002c3d4 _pthread_body + 96 Thread 3: 0 libSystem.B.dylib 0x9000a778 mach_msg_trap + 8 1 libSystem.B.dylib 0x9000a6bc mach_msg + 60 2 com.apple.CoreFoundation 0x9074a4d8 __CFRunLoopRun + 832 3 com.apple.CoreFoundation 0x90749ddc CFRunLoopRunSpecific + 268 4 com.apple.Foundation 0x928a48a0 +[NSURLCache _diskCacheSyncLoop:] + 152 5 com.apple.Foundation 0x9287c2b4 forkThreadForFunction + 108 6 libSystem.B.dylib 0x9002c3d4 _pthread_body + 96 Thread 4: 0 libSystem.B.dylib 0x9002ca98 semaphore_wait_signal_trap + 8 1 libSystem.B.dylib 0x9003127c pthread_cond_wait + 508 2 com.apple.Foundation 0x92883420 -[NSConditionLock lockWhenCondition:] + 68 3 com.apple.Syndication 0x9b029af0 -[AsyncDB _run:] + 192 4 com.apple.Foundation 0x9287c2b4 forkThreadForFunction + 108 5 libSystem.B.dylib 0x9002c3d4 _pthread_body + 96 Thread 5: 0 libSystem.B.dylib 0x9001efec select + 12 1 com.apple.CoreFoundation 0x9075cd6c __CFSocketManager + 472 2 libSystem.B.dylib 0x9002c3d4 _pthread_body + 96 Thread 0 crashed with PPC Thread State: srr0: 0xffff8824 srr1: 0x0200f030 vrsave: 0x00000000 cr: 0x24000222 xer: 0x20000004 lr: 0x0103dc4c ctr: 0x901241e0 r0: 0x00000000 r1: 0xbfffdd50 r2: 0x001ffe00 r3: 0x0361069c r4: 0x00000000 r5: 0x00000002 r6: 0x0361069c r7: 0x00740074 r8: 0x0069006e r9: 0x00000002 r10: 0x954f3f94 r11: 0x0121737c r12: 0x0361069c r13: 0x00000000 r14: 0xbfffec20 r15: 0xbfffec70 r16: 0x05aa91e0 r17: 0x055c3eb0 r18: 0x05581220 r19: 0x03496920 r20: 0xa3629800 r21: 0x0039aa6c r22: 0x055ef780 r23: 0x01456550 r24: 0x05ad3040 r25: 0x00000000 r26: 0x00000002 r27: 0xbfffdf80 r28: 0x00000026 r29: 0x00000001 r30: 0x0361069c r31: 0x0118512c Binary Images Description: 0x1000 - 0xd7fff com.apple.Safari 2.0 (412) /Applications/Safari.app/Contents/MacOS/Safari 0x305000 - 0x39cfff com.apple.WebKit 412+ /Users/eevyl/_builds/WebKit.framework/Versions/ A/WebKit 0x5f8000 - 0x6bafff com.apple.JavaScriptCore 412.1 /Users/eevyl/_builds/ JavaScriptCore.framework/Versions/A/JavaScriptCore 0x1008000 - 0x1204fff com.apple.WebCore 413.1 /Users/eevyl/_builds/WebCore.framework/ Versions/A/WebCore 0x536a000 - 0x536cfff com.apple.textencoding.unicode 2.0 /System/Library/TextEncodings/Unicode Encodings.bundle/Contents/MacOS/Unicode Encodings 0x5491000 - 0x5497fff com.apple.DictionaryServiceComponent 1.0.0 /System/Library/Components/DictionaryService.component/Contents/MacOS/DictionaryService 0x54cb000 - 0x54cefff libMPAEncode0.1.dylib /Library/Application Support/DivXNetworks/ libMPAEncode0.1.dylib 0x54d2000 - 0x54e4fff libdpv10.dylib /Library/Application Support/DivXNetworks/libdpv10.dylib 0x5605000 - 0x56cffff com.divxnetworks.DivXCodec 5.2.1 /Library/QuickTime/DivX 5.component/ Contents/MacOS/DivX 5 0x571d000 - 0x574efff liblame3.92.dylib /Library/Application Support/DivXNetworks/ liblame3.92.dylib 0x578b000 - 0x57ebfff libdpus10.dylib /Library/Application Support/DivXNetworks/ libdpus10.dylib 0x8fe00000 - 0x8fe50fff dyld 43 /usr/lib/dyld 0x90000000 - 0x901a6fff libSystem.B.dylib /usr/lib/libSystem.B.dylib 0x901fe000 - 0x90202fff libmathCommon.A.dylib /usr/lib/system/libmathCommon.A.dylib 0x90204000 - 0x90257fff com.apple.CoreText 1.0.0 (???) /System/Library/Frameworks/ ApplicationServices.framework/Versions/A/Frameworks/CoreText.framework/Versions/A/CoreText 0x90284000 - 0x90335fff ATS /System/Library/Frameworks/ApplicationServices.framework/ Versions/A/Frameworks/ATS.framework/Versions/A/ATS 0x90364000 - 0x9069cfff com.apple.CoreGraphics 1.256.4 (???) /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ CoreGraphics.framework/Versions/A/CoreGraphics 0x90727000 - 0x90800fff com.apple.CoreFoundation 6.4.1 (368.1) /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation 0x90849000 - 0x90849fff com.apple.CoreServices 10.4 (???) /System/Library/Frameworks/ CoreServices.framework/Versions/A/CoreServices 0x9084b000 - 0x9094dfff libicucore.A.dylib /usr/lib/libicucore.A.dylib 0x909a7000 - 0x90a2bfff libobjc.A.dylib /usr/lib/libobjc.A.dylib 0x90a55000 - 0x90ac9fff com.apple.framework.IOKit 1.4 (???) /System/Library/Frameworks/ IOKit.framework/Versions/A/IOKit 0x90ae3000 - 0x90af5fff libauto.dylib /usr/lib/libauto.dylib 0x90afc000 - 0x90dc1fff com.apple.CoreServices.CarbonCore 10.4 (611.1) /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/ CarbonCore.framework/Versions/A/CarbonCore 0x90e24000 - 0x90ea4fff com.apple.CoreServices.OSServices 4.0 (4.0.0) /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/ OSServices.framework/Versions/A/OSServices 0x90eee000 - 0x90f2efff com.apple.CFNetwork 4.0 (80) /System/Library/Frameworks/ CoreServices.framework/Versions/A/Frameworks/CFNetwork.framework/Versions/A/CFNetwork 0x90f43000 - 0x90f5bfff com.apple.WebServices 1.1.2 (1.1.0) /System/Library/Frameworks/ CoreServices.framework/Versions/A/Frameworks/WebServicesCore.framework/Versions/A/ WebServicesCore 0x90f6b000 - 0x90fe9fff com.apple.SearchKit 1.0.3 /System/Library/Frameworks/ CoreServices.framework/Versions/A/Frameworks/SearchKit.framework/Versions/A/SearchKit 0x9102e000 - 0x91055fff com.apple.Metadata 0.1 (121) /System/Library/Frameworks/ CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Metadata 0x91066000 - 0x91073fff libz.1.dylib /usr/lib/libz.1.dylib 0x91076000 - 0x91238fff com.apple.security 4.0 (221) /System/Library/Frameworks/ Security.framework/Versions/A/Security 0x9133a000 - 0x91343fff com.apple.DiskArbitration 2.1 /System/Library/Frameworks/ DiskArbitration.framework/Versions/A/DiskArbitration 0x9134a000 - 0x91371fff com.apple.SystemConfiguration 1.8.0 /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration 0x91384000 - 0x9138cfff libbsm.dylib /usr/lib/libbsm.dylib 0x91390000 - 0x9140efff com.apple.audio.CoreAudio 3.0.0 (3.0) /System/Library/Frameworks/CoreAudio.framework/Versions/A/CoreAudio 0x9144c000 - 0x9144cfff com.apple.ApplicationServices 10.4 (???) /System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices 0x9144e000 - 0x91486fff com.apple.AE 1.5 (297) /System/Library/Frameworks/ ApplicationServices.framework/Versions/A/Frameworks/AE.framework/Versions/A/AE 0x914a1000 - 0x9156cfff com.apple.ColorSync 4.4 /System/Library/Frameworks/ ApplicationServices.framework/Versions/A/Frameworks/ColorSync.framework/Versions/A/ColorSync 0x915c1000 - 0x91654fff com.apple.print.framework.PrintCore 4.0 (172) /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ PrintCore.framework/Versions/A/PrintCore 0x9169a000 - 0x91757fff com.apple.QD 3.8.5 (???) /System/Library/Frameworks/ ApplicationServices.framework/Versions/A/Frameworks/QD.framework/Versions/A/QD 0x91795000 - 0x917f3fff com.apple.HIServices 1.5.0 (???) /System/Library/Frameworks/ ApplicationServices.framework/Versions/A/Frameworks/HIServices.framework/Versions/A/HIServices 0x91821000 - 0x91844fff com.apple.LangAnalysis 1.6 /System/Library/Frameworks/ ApplicationServices.framework/Versions/A/Frameworks/LangAnalysis.framework/Versions/A/ LangAnalysis 0x91858000 - 0x9187dfff com.apple.FindByContent 1.5 /System/Library/Frameworks/ ApplicationServices.framework/Versions/A/Frameworks/FindByContent.framework/Versions/A/ FindByContent 0x91890000 - 0x918d0fff com.apple.LaunchServices 10.4.1 (118) /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ LaunchServices.framework/Versions/A/LaunchServices 0x918eb000 - 0x918fffff com.apple.speech.synthesis.framework 3.3 /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ SpeechSynthesis.framework/Versions/A/SpeechSynthesis 0x9190d000 - 0x91943fff com.apple.ImageIO.framework 1.0 /System/Library/Frameworks/ ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/ImageIO 0x91957000 - 0x91a19fff libcrypto.0.9.7.dylib /usr/lib/libcrypto.0.9.7.dylib 0x91a65000 - 0x91a7afff libcups.2.dylib /usr/lib/libcups.2.dylib 0x91a7f000 - 0x91a9bfff libJPEG.dylib /System/Library/Frameworks/ApplicationServices.framework/ Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libJPEG.dylib 0x91aa0000 - 0x91b0ffff libJP2.dylib /System/Library/Frameworks/ApplicationServices.framework/ Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libJP2.dylib 0x91b26000 - 0x91b2afff libGIF.dylib /System/Library/Frameworks/ApplicationServices.framework/ Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libGIF.dylib 0x91b2c000 - 0x91b44fff libRaw.dylib /System/Library/Frameworks/ApplicationServices.framework/ Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libRaw.dylib 0x91b47000 - 0x91b8afff libTIFF.dylib /System/Library/Frameworks/ApplicationServices.framework/ Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libTIFF.dylib 0x91b91000 - 0x91baafff libPng.dylib /System/Library/Frameworks/ApplicationServices.framework/ Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libPng.dylib 0x91baf000 - 0x91bb2fff libRadiance.dylib /System/Library/Frameworks/ ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/ libRadiance.dylib 0x91bb4000 - 0x91bb4fff com.apple.Accelerate 1.1.1 (Accelerate 1.1.1) /System/Library/Frameworks/Accelerate.framework/Versions/A/Accelerate 0x91bb6000 - 0x91ca0fff com.apple.vImage 2.0 /System/Library/Frameworks/ Accelerate.framework/Versions/A/Frameworks/vImage.framework/Versions/A/vImage 0x91ca8000 - 0x91cc7fff com.apple.Accelerate.vecLib 3.1.1 (vecLib 3.1.1) /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/ Versions/A/vecLib 0x91d33000 - 0x91d53fff libmx.A.dylib /usr/lib/libmx.A.dylib 0x91d59000 - 0x91dbefff libvMisc.dylib /System/Library/Frameworks/Accelerate.framework/ Versions/A/Frameworks/vecLib.framework/Versions/A/libvMisc.dylib 0x91dc8000 - 0x91e5afff libvDSP.dylib /System/Library/Frameworks/Accelerate.framework/ Versions/A/Frameworks/vecLib.framework/Versions/A/libvDSP.dylib 0x91e74000 - 0x92404fff libBLAS.dylib /System/Library/Frameworks/Accelerate.framework/ Versions/A/Frameworks/vecLib.framework/Versions/A/libBLAS.dylib 0x9244c000 - 0x9275cfff libLAPACK.dylib /System/Library/Frameworks/Accelerate.framework/ Versions/A/Frameworks/vecLib.framework/Versions/A/libLAPACK.dylib 0x92789000 - 0x92814fff com.apple.DesktopServices 1.3 /System/Library/PrivateFrameworks/ DesktopServicesPriv.framework/Versions/A/DesktopServicesPriv 0x92856000 - 0x92a7ffff com.apple.Foundation 6.4 (567) /System/Library/Frameworks/ Foundation.framework/Versions/C/Foundation 0x92b9d000 - 0x92c7bfff libxml2.2.dylib /usr/lib/libxml2.2.dylib 0x92c9b000 - 0x92d89fff libiconv.2.dylib /usr/lib/libiconv.2.dylib 0x92d9b000 - 0x92db9fff libGL.dylib /System/Library/Frameworks/OpenGL.framework/Versions/ A/Libraries/libGL.dylib 0x92dc4000 - 0x92e1efff libGLU.dylib /System/Library/Frameworks/OpenGL.framework/Versions/ A/Libraries/libGLU.dylib 0x92e3c000 - 0x92e3cfff com.apple.Carbon 10.4 (???) /System/Library/Frameworks/ Carbon.framework/Versions/A/Carbon 0x92e3e000 - 0x92e52fff com.apple.ImageCapture 3.0 /System/Library/Frameworks/ Carbon.framework/Versions/A/Frameworks/ImageCapture.framework/Versions/A/ImageCapture 0x92e6a000 - 0x92e7afff com.apple.speech.recognition.framework 3.4 /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/ SpeechRecognition.framework/Versions/A/SpeechRecognition 0x92e86000 - 0x92e9bfff com.apple.securityhi 2.0 (203) /System/Library/Frameworks/ Carbon.framework/Versions/A/Frameworks/SecurityHI.framework/Versions/A/SecurityHI 0x92ead000 - 0x92f34fff com.apple.ink.framework 101.2 (69) /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/Ink.framework/ Versions/A/Ink 0x92f48000 - 0x92f53fff com.apple.help 1.0.3 (32) /System/Library/Frameworks/Carbon.framework/ Versions/A/Frameworks/Help.framework/Versions/A/Help 0x92f5d000 - 0x92f8afff com.apple.openscripting 1.2.2 (???) /System/Library/Frameworks/ Carbon.framework/Versions/A/Frameworks/OpenScripting.framework/Versions/A/OpenScripting 0x92fa4000 - 0x92fb4fff com.apple.print.framework.Print 4.0 (187) /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/Print.framework/ Versions/A/Print 0x92fc0000 - 0x93026fff com.apple.htmlrendering 1.1.2 /System/Library/Frameworks/ Carbon.framework/Versions/A/Frameworks/HTMLRendering.framework/Versions/A/HTMLRendering 0x93057000 - 0x930a9fff com.apple.NavigationServices 3.4 /System/Library/Frameworks/ Carbon.framework/Versions/A/Frameworks/NavigationServices.framework/Versions/A/ NavigationServices 0x930d5000 - 0x930f2fff com.apple.audio.SoundManager 3.9 /System/Library/Frameworks/ Carbon.framework/Versions/A/Frameworks/CarbonSound.framework/Versions/A/CarbonSound 0x93104000 - 0x93111fff com.apple.CommonPanels 1.2.2 (73) /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/ CommonPanels.framework/Versions/A/CommonPanels 0x9311a000 - 0x9342afff com.apple.HIToolbox 1.4.1 (???) /System/Library/Frameworks/ Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox 0x93575000 - 0x93581fff com.apple.opengl 1.4.0 /System/Library/Frameworks/OpenGL.framework/ Versions/A/OpenGL 0x93586000 - 0x935a8fff com.apple.DirectoryService.Framework 2.0 /System/Library/Frameworks/DirectoryService.framework/Versions/A/DirectoryService 0x93614000 - 0x9361cfff libgcc_s.1.dylib /usr/lib/libgcc_s.1.dylib 0x93621000 - 0x93621fff com.apple.Cocoa 6.4 (???) /System/Library/Frameworks/ Cocoa.framework/Versions/A/Cocoa 0x93623000 - 0x93c54fff com.apple.AppKit 6.4.1 (824.1) /System/Library/Frameworks/ AppKit.framework/Versions/C/AppKit 0x93fe0000 - 0x9404afff com.apple.CoreData 1.0 (46) /System/Library/Frameworks/ CoreData.framework/Versions/A/CoreData 0x94082000 - 0x9414cfff com.apple.audio.toolbox.AudioToolbox 1.4 /System/Library/Frameworks/AudioToolbox.framework/Versions/A/AudioToolbox 0x941a0000 - 0x941a0fff com.apple.audio.units.AudioUnit 1.4 /System/Library/Frameworks/AudioUnit.framework/Versions/A/AudioUnit 0x941a2000 - 0x94301fff com.apple.QuartzCore 1.4.1 /System/Library/Frameworks/ QuartzCore.framework/Versions/A/QuartzCore 0x94349000 - 0x94386fff libsqlite3.0.dylib /usr/lib/libsqlite3.0.dylib 0x9438e000 - 0x943d9fff libGLImage.dylib /System/Library/Frameworks/OpenGL.framework/ Versions/A/Libraries/libGLImage.dylib 0x94467000 - 0x9449ffff com.apple.vmutils 4.0.0 (85) /System/Library/PrivateFrameworks/ vmutils.framework/Versions/A/vmutils 0x944e2000 - 0x944fefff com.apple.securityfoundation 2.0 (262) /System/Library/Frameworks/SecurityFoundation.framework/Versions/A/SecurityFoundation 0x94512000 - 0x94555fff com.apple.securityinterface 2.0 (256) /System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface 0x94579000 - 0x94588fff libCGATS.A.dylib /System/Library/Frameworks/ ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/ Resources/libCGATS.A.dylib 0x94590000 - 0x9459cfff libCSync.A.dylib /System/Library/Frameworks/ ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/ Resources/libCSync.A.dylib 0x945e1000 - 0x945f5fff libRIP.A.dylib /System/Library/Frameworks/ApplicationServices.framework/ Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/libRIP.A.dylib 0x945fb000 - 0x9485dfff com.apple.QuickTime 7.0.1 /System/Library/Frameworks/ QuickTime.framework/Versions/A/QuickTime 0x94930000 - 0x9494ffff com.apple.vecLib 3.1.1 (vecLib 3.1.1) /System/Library/Frameworks/vecLib.framework/Versions/A/vecLib 0x94abc000 - 0x94be9fff com.apple.AddressBook.framework 4.0.1 (472) /System/Library/Frameworks/AddressBook.framework/Versions/A/AddressBook 0x94c7a000 - 0x94c89fff com.apple.DSObjCWrappers.Framework 1.1 /System/Library/PrivateFrameworks/DSObjCWrappers.framework/Versions/A/DSObjCWrappers 0x94c91000 - 0x94cb8fff com.apple.LDAPFramework 1.4 (68) /System/Library/Frameworks/ LDAP.framework/Versions/A/LDAP 0x94cbe000 - 0x94ccefff libsasl2.2.dylib /usr/lib/libsasl2.2.dylib 0x94cd2000 - 0x94d00fff libssl.0.9.7.dylib /usr/lib/libssl.0.9.7.dylib 0x94d10000 - 0x94d2dfff libresolv.9.dylib /usr/lib/libresolv.9.dylib 0x95491000 - 0x95514fff libstdc++.6.dylib /usr/lib/libstdc++.6.dylib 0x96038000 - 0x96061fff libxslt.1.dylib /usr/lib/libxslt.1.dylib 0x96dd0000 - 0x96e73fff libcrypto.0.9.dylib /usr/lib/libcrypto.0.9.dylib 0x96ea7000 - 0x96ed4fff libssl.0.9.dylib /usr/lib/libssl.0.9.dylib 0x97ad6000 - 0x97ae3fff com.apple.agl 2.5.6 (AGL-2.5.6) /System/Library/Frameworks/ AGL.framework/Versions/A/AGL 0x99534000 - 0x99cc6fff com.apple.QuickTimeComponents.component 7.0.1 /System/Library/QuickTime/QuickTimeComponents.component/Contents/MacOS/ QuickTimeComponents 0x9b027000 - 0x9b05afff com.apple.Syndication 1.0.0 (38) /System/Library/PrivateFrameworks/ Syndication.framework/Versions/A/Syndication 0x9b075000 - 0x9b085fff com.apple.SyndicationUI 1.0.0 (38) /System/Library/PrivateFrameworks/ SyndicationUI.framework/Versions/A/SyndicationUI 0xefbef000 - 0xefcd1fff libPSIKey.dylib /Library/Application Support/DivXNetworks/libPSIKey.dylib Model: PowerBook6,1, BootROM 4.5.5f4, 1 processors, PowerPC G4 (3.3), 867 MHz, 640 MB Graphics: NVIDIA GeForce4 MX, GeForce4 MX, AGP, 32 MB Memory Module: DIMM0/BUILT-IN, 128 MB, built-in, built-in Memory Module: DIMM1/J31, 512 MB, DDR SDRAM, PC2100U-25330 AirPort: AirPort Extreme, 3.5f1 (3.50.37.p6) Modem: MicroDash, Euro, V.92, 1.0F, APPLE VERSION 2.6.4 Bluetooth: Version 1.6.0f2, 2 service, 1 devices, 1 incoming serial ports Network Service: Ethernet incorporada, Ethernet, en0 Parallel ATA Device: MATSHITACD-RW CW-8122, Parallel ATA Device: FUJITSU MHS2040AT D, 37.26 GB USB Device: Bluetooth HCI, , Up to 12 Mb/sec, 500 mA USB Device: Kensington PocketMouse Pro, Kensington, Up to 1.5 Mb/sec, 500 mA

Attachments
Test case. The crash occurs on mouse over of the link. (596 bytes, text/html) 2005-06-09 01:42 PDT, Mark Rowe (bdash)	no flags	Details
Patch (817 bytes, patch) 2005-07-18 19:06 PDT, Justin Garcia	mjs: review-	Details Formatted Diff Diff
New Patch (1.96 KB, patch) 2005-07-26 21:06 PDT, Justin Garcia	mjs: review+	Details Formatted Diff Diff
layout test for patch (1.07 KB, text/plain) 2005-07-26 21:08 PDT, Justin Garcia	no flags	Details
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.

Joost de Valk (AlthA)

Comment 1 2005-06-09 00:06:59 PDT

i can't reproduce this bug, not in Webkit 412 nor in the current Safari shipped with Tiger.

Mark Rowe (bdash)

Comment 2 2005-06-09 01:42:55 PDT

Created attachment 2172 [details] Test case. The crash occurs on mouse over of the link. The attached test case causes 100% reproducable crash. Verified with ToT WebKit.

Mark Rowe (bdash)

Comment 3 2005-06-09 16:11:20 PDT

*** Bug 3389 has been marked as a duplicate of this bug. ***

Joost de Valk (AlthA)

Comment 4 2005-06-14 12:42:21 PDT

K, can reproduce with this testcase. Changing it to javascript since the crash seems to be in there, and changed it to p1 since it's a reproducable crash.

Vicki Murley

Comment 5 2005-06-17 11:44:03 PDT

I've been looking into this, so I went ahead and assigned it to myself. Is that the proper Bugzilla etiquette?

Joost de Valk (AlthA)

Comment 6 2005-07-05 12:27:17 PDT

It is proper etiquette :) It's not yet fixed tho? why not? :P

Justin Garcia

Comment 7 2005-07-18 12:13:56 PDT

The crash occurs when a TextIterator returns a length 1 item with no characters. But the fault lies with Bidi, which constructs an InlineTextBox of length 1 for the node whose nodeValue was set to "" (TextIterators iterate over InlineTextBoxes)

Justin Garcia

Comment 8 2005-07-18 19:06:19 PDT

Created attachment 3014 [details] Patch In the test case, bidi adds a run of length 1 for an empty text node. It's length 1 because it's at the end of a line, and bidi creates the last run in a line using "appendRunsForObject(start, bidi.eor.pos+1, obj, bidi);" But Bidi probably shouldn't even encounter zero length RenderObjects (from empty text nodes) anyway, so one fix is to kill a text node's RenderObject if its nodeValue is set to "". This fix detaches a node if its nodeValue is set to "", and reattaches it if nodeValue becomes non-empty. Any suggestions?

Maciej Stachowiak

Comment 9 2005-07-24 16:22:53 PDT

Comment on attachment 3014 [details] Patch I don't think this patch is quite right. When the document as a whole is attached, individual nodes should not be detached, even if they do not need a renderer. If a node changes to a state where it should no longer have a renderer, then the right thing to do is to detach and reattach it, if it is already attached. Then createRendererIfNeeded will do the right thing and make a new renderer or not. Note that CharacterDataImpl::rendererIsNeeded will already refuse to create a renderer if the string is empty. Conversely, you can't just unconditionally attach a text node if its text is getting changed to non-empty. If style hasn't been resolved yet, it wouldn't have been attached in the first place. And finally, note that the EditingTextImpl subclass of TextImpl can validly have a renderer even if empty. This is the type of text node that gets inserted in preparation for user typing in a space where there is no text already present. So in addition to straightening out whether empty text nodes have a renderer, you may also have to address the specific circumastances that cause a crash in this case.

Justin Garcia

Comment 10 2005-07-26 21:06:52 PDT

Created attachment 3103 [details] New Patch Maciej's right, it seems OK for zero length render objects to exist. This patch just prevents runs associated with a zero length render object from being larger than they should be.

Justin Garcia

Comment 11 2005-07-26 21:08:37 PDT

Created attachment 3104 [details] layout test for patch

Justin Garcia

Comment 12 2005-07-26 21:11:16 PDT

You'll have to save and view the layout test in a text editor, since it crashes Safari without the patch applied.

Maciej Stachowiak

Comment 13 2005-07-27 23:19:28 PDT

Comment on attachment 3103 [details] New Patch This looks like a good fix, r=me, but since zero-length text nromally doesn't get a renderer, it independently seems like a good idea to maintain this property dynamically. Maybe talk to hyatt about it.

Justin Garcia

Comment 14 2005-07-31 20:36:34 PDT

Landing this ...

Note You need to log in before you can comment on or make changes to this bug.