Bug 12082 - REGRESSION (r18333): Crash in RenderFrameSet::layOutAxis()
Summary: REGRESSION (r18333): Crash in RenderFrameSet::layOutAxis()
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering
Version: 420+
Hardware: Macintosh Intel OS X 10.4
Importance: P1 Normal
Assignee: Nobody
URL:
Keywords: HasReduction, PlatformOnly, Regression
 
Reported: 2007-01-02 14:00 PST by Jesse Costello-Good
Modified: 2007-01-03 21:36 PST



Attachments
zipped crash log (52.80 KB, application/zip)
2007-01-02 14:03 PST, Jesse Costello-Good
jsunit-testRunner.webarchive (crashes Intel) (76.55 KB, application/x-webarchive)
2007-01-02 20:55 PST, David Kilzer (:ddkilzer)
Reduction (will crash) (199 bytes, text/html)
2007-01-03 12:51 PST, mitz
Patch (3.23 KB, patch)
2007-01-03 13:41 PST, mitz
Treat negative availableLength as zero (3.12 KB, patch)
2007-01-03 13:59 PST, mitz
darin: review+

Description Jesse Costello-Good 2007-01-02 14:00:48 PST
Starting with WebKit-SVN-r18333.dmg, JsUnit's testRunner.html (v 2.1) page causes WebKit to crash.

1. Download JsUnit: http://downloads.sourceforge.net/jsunit/jsunit2_1.zip?modtime=1091836800&big_mirror=0
2. Open testRunner.html
3. Observe crash
Comment 1 Jesse Costello-Good 2007-01-02 14:03:04 PST
Created attachment 12174 [details]
zipped crash log
Comment 2 Matt Lilek 2007-01-02 15:09:19 PST
I can't reproduce this with the r18333 nightly or my locally built copy of r18517 - perhaps this is an Intel-only bug? (I'm on a G4)
Comment 3 David Kilzer (:ddkilzer) 2007-01-02 15:28:57 PST
Thanks for the bug report, Jesse!  A couple of items:

1. Could you attach the testRunner.html file to this bug (if it's not too big and there's no license restriction against doing that)?  That would speed up the bug resolution process.

2. When attaching a crash log, please note that you only need to include the "last" crash log in Safari.crash.log.  Crash logs are separated by "**********", so just make a copy of the file and delete everything above the last "**********" line.
Comment 4 David Kilzer (:ddkilzer) 2007-01-02 15:31:53 PST
(In reply to comment #2)
> I can't reproduce this with the r18333 nightly or my locally built copy of
> r18517 - perhaps this is an Intel-only bug? (I'm on a G4)

The last stack trace indicates a division-by-zero error, which (as I recall) is "more fatal" on x86 than it is on PPC, so that jibes with your findings, Matt!  Here's the top of the stack trace:

Exception:  EXC_ARITHMETIC (0x0003)
Codes:      EXC_I386_DIV (divide by zero)

Thread 0 Crashed:
0   com.apple.WebCore              	0x01263488 WebCore::RenderFrameSet::layOutAxis(WebCore::RenderFrameSet::GridAxis&, WebCore::Length const*, int) + 1028
1   com.apple.WebCore              	0x0126385a WebCore::RenderFrameSet::layout() + 156
2   com.apple.WebCore              	0x0114973f WebCore::RenderBlock::layoutBlockChildren(bool) + 701
3   com.apple.WebCore              	0x01149f25 WebCore::RenderBlock::layoutBlock(bool) + 1141
4   com.apple.WebCore              	0x0113f912 WebCore::RenderBlock::layout() + 28
5   com.apple.WebCore              	0x0114973f WebCore::RenderBlock::layoutBlockChildren(bool) + 701
6   com.apple.WebCore              	0x01149f25 WebCore::RenderBlock::layoutBlock(bool) + 1141
7   com.apple.WebCore              	0x0113f912 WebCore::RenderBlock::layout() + 28
8   com.apple.WebCore              	0x01153ac8 WebCore::RenderView::layout() + 60
9   com.apple.WebCore              	0x010d6915 WebCore::FrameView::layout(bool) + 327
10  com.apple.WebCore              	0x012627c9 WebCore::RenderPart::updateWidgetPosition() + 533
11  com.apple.WebCore              	0x0115429a WebCore::RenderView::updateWidgetPositions() + 94
12  com.apple.WebCore              	0x010d6d4d WebCore::FrameView::layout(bool) + 1407
13  com.apple.WebCore              	0x010d8645 WebCore::Document::updateLayout() + 81
14  com.apple.WebCore              	0x010cf4fe WebCore::Frame::setIsActive(bool) + 558
15  com.apple.WebKit               	0x00332f94 -[WebHTMLView resignFirstResponder] + 156
16  com.apple.AppKit               	0x932b9406 -[NSWindow makeFirstResponder:] + 107
17  com.apple.Safari               	0x00013d4d 0x1000 + 77133
18  com.apple.Safari               	0x0002e346 0x1000 + 185158
19  libobjc.A.dylib                	0x90a57c56 objc_msgSendv + 54
[...]
Comment 5 David Kilzer (:ddkilzer) 2007-01-02 20:51:32 PST
Confirmed.  This crashes on Intel 10.4.8 (8N1037), but not on PowerPC 10.4.8 (8L127).

Comment 6 David Kilzer (:ddkilzer) 2007-01-02 20:55:36 PST
Created attachment 12177 [details]
jsunit-testRunner.webarchive (crashes Intel)

Test case saved as webarchive on PowerPC Mac.  Will crash Intel Mac.
Comment 7 mitz 2007-01-03 12:51:11 PST
Created attachment 12196 [details]
Reduction (will crash)

RenderFrameSet::layOutAxis() gets called with negative availableLength since the very little width that there is gets eaten up by borders.
Comment 8 mitz 2007-01-03 13:41:22 PST
Created attachment 12199 [details]
Patch

Before r18333, RenderFrameSet had logic to change a negative available width to zero before laying out the grid. The end result in that case was just a vector of zeros.
Comment 9 Geoffrey Garen 2007-01-03 13:58:02 PST
Comment on attachment 12199 [details]
Patch

Mitz is going to submit a new patch.
Comment 10 mitz 2007-01-03 13:59:20 PST
Created attachment 12201 [details]
Treat negative availableLength as zero

This just restores the old behavior.
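A constructed, simplified C++ model of the axis distribution mitz describes in comments 7, 8 and 10, added here as an illustration (it is not WebKit's RenderFrameSet code). The Track and AxisResult types and the two-pass fixed-then-percent logic are assumptions; the model records a zero divisor instead of executing it, and the clampNegative flag stands in for treating a negative availableLength as zero.

```cpp
#include <algorithm>
#include <vector>

// Constructed, simplified model of a frameset axis (not WebKit's code):
// tracks are either fixed pixels or a percentage of availableLen.
struct Track {
    enum Kind { Fixed, Percent };
    Kind kind;
    int value; // pixels for Fixed, percent of availableLen for Percent
};
struct AxisResult {
    bool divideByZero = false; // recorded instead of executing the fatal division
    std::vector<int> sizes;
};

// clampNegative == false models the r18333 behaviour; true models the fix
// from attachment 12201 (negative availableLen treated as zero).
AxisResult layOutAxis(const std::vector<Track>& grid, int availableLen, bool clampNegative)
{
    AxisResult r;
    if (clampNegative)
        availableLen = std::max(availableLen, 0);
    r.sizes.assign(grid.size(), 0);
    int total[2] = {0, 0}; // indexed by Track::Kind
    for (size_t i = 0; i < grid.size(); ++i) {
        int px = grid[i].kind == Track::Fixed ? grid[i].value : grid[i].value * availableLen / 100;
        r.sizes[i] = std::max(px, 0);
        total[grid[i].kind] += r.sizes[i];
    }
    int remaining = availableLen;
    // Fixed tracks are served first, then percent tracks share what is left; each
    // pass scales its tracks proportionally when they do not fit. With a negative
    // availableLen every percent track clamps to 0, so total == 0 while
    // 0 > remaining still holds, and the division below has a zero divisor (EXC_I386_DIV).
    for (int kind = Track::Fixed; kind <= Track::Percent; ++kind) {
        if (total[kind] <= remaining) {
            remaining -= total[kind];
            continue;
        }
        int share = remaining;
        for (size_t i = 0; i < grid.size(); ++i) {
            if (grid[i].kind != kind)
                continue;
            if (total[kind] == 0) { r.divideByZero = true; return r; }
            r.sizes[i] = r.sizes[i] * share / total[kind];
            remaining -= r.sizes[i];
        }
    }
    return r;
}
```

With two 50% columns and a negative length the unclamped pass reaches the zero divisor; the clamped pass returns a vector of zeros, matching the pre-r18333 behaviour described in comment 8.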
Comment 11 Darin Adler 2007-01-03 14:00:16 PST
Comment on attachment 12201 [details]
Treat negative availableLength as zero

r=me (my bad, thanks for the fix)
Comment 12 David Kilzer (:ddkilzer) 2007-01-03 21:36:34 PST
Committed revision 18571.