Bug 3855

Summary: Table with Form Field and Hidden DIV crashes Safari
Product: WebKit
Reporter: Bryan <bschwegler>
Component: Forms
Assignee: Carsten Guenther <carsten>
Status: RESOLVED FIXED
Severity: Critical
CC: kabendroth
Priority: P1
Version: 420+
Hardware: Mac
OS: OS X 10.4
URL: http://www.pmachine.com/forums/viewthread/24217/P0/
Attachments (description: flags):
minimal testcase: none
minimal testcase: none
Proposed fix: hyatt: review-
Merging patch: hyatt: review+

Bryan
Reported 2005-07-04 17:18:22 PDT
The following code is from a test page that always will cause Safari to crash. More discussion on this can be found here: http://www.pmachine.com/forums/viewthread/24217/P0/

    <html>
    <head>
    <title>test</title>
    </head>
    <body>
    <form>
    <textarea cols='30' rows='10'></textarea>
    <div style="display:none;">
    <table>
    <tr>
    <td>test</td>
    </tr>
    </table>
    </div>
    <div><input type='text' name='bla' value='' size="33" /></div>
    </form>
    </body>
    </html>
Attachments
minimal testcase (217 bytes, text/html); 2005-07-04 23:02 PDT, Joost de Valk (AlthA); no flags
minimal testcase (268 bytes, text/html); 2005-07-04 23:06 PDT, Joost de Valk (AlthA); no flags
Proposed fix (2.48 KB, patch); 2005-07-07 21:34 PDT, Carsten Guenther; hyatt: review-
Merging patch (2.42 KB, patch); 2005-07-09 15:50 PDT, Carsten Guenther; hyatt: review+
Mark Rowe (bdash)
Comment 1 2005-07-04 21:40:24 PDT
The report is missing a key step to reproduce: the crash only occurs after you begin typing in the bottom text entry field. This occurs with both WebKit 412 and ToT CVS. Crash log from ToT included below:

    Exception: EXC_BAD_ACCESS (0x0001)
    Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x0000000c

    Thread 0 Crashed:
    0  com.apple.WebCore         0x011dfed4 khtml::RenderTableCell::table() const + 0 (icplusplus.c:28)
    1  <<00000000>>              0xbfffe324 0 + -1073749212
    2  com.apple.WebCore         0x010204b8 KWQKHTMLPart::searchForLabelsBeforeElement(NSArray*, DOM::ElementImpl*) + 204 (icplusplus.c:28)
    3  com.apple.Safari          0x0009956c 0x1000 + 623980
    4  com.apple.Safari          0x00098edc 0x1000 + 622300
    5  com.apple.Safari          0x000958f8 0x1000 + 608504
    6  com.apple.Safari          0x00095b50 0x1000 + 609104
    7  com.apple.Safari          0x0004402c 0x1000 + 274476
    8  com.apple.Foundation      0x92886d18 __NSFireDelayedPerform + 304
    9  com.apple.CoreFoundation  0x9075deb0 __CFRunLoopDoTimer + 184
    10 com.apple.CoreFoundation  0x9074a828 __CFRunLoopRun + 1680
    11 com.apple.CoreFoundation  0x90749ddc CFRunLoopRunSpecific + 268
    12 com.apple.HIToolbox       0x93122ca0 RunCurrentEventLoopInMode + 264
    13 com.apple.HIToolbox       0x93122334 ReceiveNextEventCommon + 380
    14 com.apple.HIToolbox       0x931221a0 BlockUntilNextEventMatchingListInMode + 96
    15 com.apple.AppKit          0x9362b1a4 _DPSNextEvent + 384
    16 com.apple.AppKit          0x9362ae68 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 116
    17 com.apple.Safari          0x00007058 0x1000 + 24664
    18 com.apple.AppKit          0x936273cc -[NSApplication run] + 472
    19 com.apple.AppKit          0x93717c1c NSApplicationMain + 452
    20 com.apple.Safari          0x00002700 0x1000 + 5888
    21 com.apple.Safari          0x00057190 0x1000 + 352656
Mark Rowe (bdash)
Comment 2 2005-07-04 21:42:18 PDT
An easily accessible case for this bug is at http://pmachine.com/misc/safari_crash.html It consists of the HTML included in the initial bug report.
Joost de Valk (AlthA)
Comment 3 2005-07-04 23:02:22 PDT
Created attachment 2799 [details] minimal testcase Removing either the table or the display:none prevents the crash.
Joost de Valk (AlthA)
Comment 4 2005-07-04 23:06:20 PDT
Created attachment 2800 [details] minimal testcase This time the testcase tells how to recreate the problem.
Carsten Guenther
Comment 5 2005-07-07 21:34:54 PDT
Created attachment 2858 [details] Proposed fix This patch checks for the existence of the cell renderer.
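The pattern behind comment 5's fix, as an added illustration rather than WebKit's own code: the crash log in comment 1 faults at address 0x0000000c inside RenderTableCell::table(), which is consistent with a member read through a null object pointer, and the testcase puts the table inside a display:none subtree, where elements get no render object. The model below (all class and function names are simplified assumptions, not WebCore's) walks backwards from the field being typed into, as the label search does, and checks that a cell's renderer exists before calling table() on it; the counter records how many unrendered cells the unguarded code would have dereferenced.

```cpp
#include <memory>
#include <string>
#include <vector>

// Simplified model (assumption: not WebCore's real classes). Render objects
// mirror the DOM, except that nodes inside a display:none subtree get no
// renderer at all, so a <td> there has a null RenderTableCell.
struct RenderTable {};
struct RenderTableCell {
    RenderTable* owningTable = nullptr;
    RenderTable* table() const { return owningTable; }  // reads a member of *this
};

struct Element {
    std::string tag;
    std::string text;                               // text content, e.g. a cell's label text
    Element* parent = nullptr;
    std::vector<std::unique_ptr<Element>> children;
    std::unique_ptr<RenderTableCell> cellRenderer;  // null when the cell is not rendered

    Element* appendChild(const std::string& childTag, const std::string& childText = "") {
        children.push_back(std::unique_ptr<Element>(new Element()));
        Element* c = children.back().get();
        c->tag = childTag;
        c->text = childText;
        c->parent = this;
        return c;
    }
};

static void preorder(Element* e, std::vector<Element*>& out) {
    out.push_back(e);
    for (auto& c : e->children) preorder(c.get(), out);
}

struct SearchResult {
    std::string label;            // first text found before the field, "" if none
    int unrenderedCellsVisited;   // cells with a null renderer: the unguarded code dereferenced these
};

// Model of the label search that runs when typing starts in a form field:
// walk backwards through document order looking for label-like text.
// The guard on `cell` is the point of the fix described in comment 5;
// without it the walk reaches the hidden <td> and calls table() through null.
SearchResult searchForLabelsBeforeElement(Element* root, Element* field) {
    std::vector<Element*> all;
    preorder(root, all);
    SearchResult r{"", 0};
    bool before = false;
    for (auto it = all.rbegin(); it != all.rend(); ++it) {
        Element* e = *it;
        if (e == field) { before = true; continue; }
        if (!before) continue;                      // still after the field in document order
        if (e->tag == "td") {
            RenderTableCell* cell = e->cellRenderer.get();
            if (!cell) { ++r.unrenderedCellsVisited; continue; }  // the fix: skip unrendered cells
            (void)cell->table();                    // safe only because the check above passed
        }
        if (!e->text.empty() && r.label.empty()) r.label = e->text;
    }
    return r;
}

// Builds the DOM of the minimal testcase from the report: a <div> holding a
// one-cell table between the <textarea> and the <input> that gets typed into.
// hideTable=true models display:none on that <div> (the cell gets no renderer).
struct Page {
    std::unique_ptr<Element> root;
    Element* input = nullptr;
};
static RenderTable g_renderTable;
Page buildTestcase(bool hideTable) {
    Page p;
    p.root.reset(new Element());
    p.root->tag = "form";
    p.root->appendChild("textarea");
    Element* td = p.root->appendChild("div")->appendChild("table")->appendChild("tr")->appendChild("td", "test");
    if (!hideTable) {
        td->cellRenderer.reset(new RenderTableCell());
        td->cellRenderer->owningTable = &g_renderTable;
    }
    p.input = p.root->appendChild("div")->appendChild("input");
    return p;
}

int main() {
    Page hidden = buildTestcase(true);
    SearchResult r = searchForLabelsBeforeElement(hidden.root.get(), hidden.input);
    // Hidden table: one unrendered cell is encountered (where the unguarded code
    // crashed), no label is found, and the walk completes without touching null.
    return (r.unrenderedCellsVisited == 1 && r.label.empty()) ? 0 : 1;
}
```

Running the same search with the table visible (buildTestcase(false)) finds the cell's text and visits no unrendered cells, which is the behaviour the report's "removing either the table or the display:none prevents the crash" observation describes: the defect is only reachable when a cell exists in the DOM without a render object.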
Dave Hyatt
Comment 6 2005-07-09 14:01:36 PDT
Comment on attachment 2858 [details] Proposed fix The fix looks good, but this patch isn't going to merge any more after the changes from 3405. Can you make the fix again and attach a new patch? Thanks.
Carsten Guenther
Comment 7 2005-07-09 15:50:06 PDT
Created attachment 2888 [details] Merging patch Here you go.
Joost de Valk (AlthA)
Comment 8 2005-07-11 06:09:04 PDT
Comment on attachment 2888 [details] Merging patch Changed name of patch, since it could seem now as if you just attached the patch again...
Dave Hyatt
Comment 9 2005-07-12 14:35:08 PDT
Comment on attachment 2888 [details] Merging patch r=me
Vicki Murley
Comment 10 2005-07-14 11:53:16 PDT
I'll commit this
Carsten Guenther
Comment 11 2005-07-18 19:38:27 PDT
Closing since this has been committed.
John Sullivan
Comment 12 2005-09-05 12:07:42 PDT
This is also in Radar as <rdar://problem/4146880>