Bug 8452

Summary: mangleme(0x58c22e11): Random crashes
Product: WebKit Reporter: Alexey Proskuryakov <ap>
Component: New BugsAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: mitz
Priority: P1 Keywords: NeedsReduction
Version: 420+   
Hardware: Mac   
OS: OS X 10.4   
Attachments:
Description Flags
test case
none
Reduced test case
none
One way to fix this
none
Patch, including layout test and change log darin: review+

Alexey Proskuryakov
Reported 2006-04-17 22:07:27 PDT
run-mangleme-tests 0x58c22e11 or download and open the attached file (if uses a refresh, so opening form Bugzilla won't work). Crashes reliably, but in a different place each time. Using run-mangleme-tests with --guard-malloc could perhaps help to isolate the problem.
Attachments
test case (55.75 KB, application/octet-stream)
2006-04-17 22:34 PDT, Alexey Proskuryakov 		no flags
Details
Reduced test case (18 bytes, text/html)
2006-04-18 09:32 PDT, mitz 		no flags
Details
One way to fix this (1.03 KB, patch)
2006-04-18 10:03 PDT, mitz 		no flags
DetailsFormatted DiffDiff
Patch, including layout test and change log (4.97 KB, patch)
2006-04-24 10:08 PDT, mitz 		darin: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Alexey Proskuryakov
Comment 1 2006-04-17 22:34:42 PDT
Created attachment 7793 [details] test case
mitz
Comment 2 2006-04-18 09:32:52 PDT
Created attachment 7802 [details] Reduced test case Memory smashing happens at render_frames.cpp:303 when the column- (or row-)length array is empty: gridLayout[gridLen - 1] += remainingLen[k];
mitz
Comment 3 2006-04-18 10:03:54 PDT
Created attachment 7804 [details] One way to fix this
Darin Adler
Comment 4 2006-04-21 22:14:46 PDT
Comment on attachment 7804 [details] One way to fix this Seems to me that for an empty length array we should return len of 0, not 1. But returning 0 from toLengthArray does seem like a good idea when the string is empty. On the other hand, we could just change if (grid) to if (grid && gridLen) and leave toLengthArray alone, I think.
mitz
Comment 5 2006-04-23 11:07:36 PDT
(In reply to comment #4) > Seems to me that for an empty length array we should return len of 0, not 1. Returning 1 makes WebKit match Firefox and WinIE's behavior when the cols (rows) attribute is an empty string, which is to make one column (row), and leaves everything in the state it would be if the attribute wasn't specified at all. > On the other hand, we could just change if (grid) to if (grid && gridLen) and > leave toLengthArray alone, I think. That alone would not fix the compatibility issue.
mitz
Comment 6 2006-04-24 10:08:59 PDT
Created attachment 7942 [details] Patch, including layout test and change log Please see also my previous comment. I don't think you can test for the memory smasher.
Darin Adler
Comment 7 2006-04-24 20:37:50 PDT
Comment on attachment 7942 [details] Patch, including layout test and change log OK. I'm convinced. r=me
Note You need to log in before you can comment on or make changes to this bug.