Bug 12625 - REGRESSION: Crash when closing the web inspector with text selected
Summary: REGRESSION: Crash when closing the web inspector with text selected
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: 420+
Hardware: Mac OS X 10.4
Importance: P1 Normal
Assignee: Nobody
URL:
Keywords: InRadar, Regression
Depends on:
Blocks:
 
Reported: 2007-02-05 18:44 PST by Matt Lilek
Modified: 2007-02-15 14:16 PST

See Also:


Attachments
Update the render tree at the beginning of RenderView::selectionRect() (1.85 KB, patch)
2007-02-15 02:14 PST, mitz
darin: review+

Description Matt Lilek 2007-02-05 18:44:37 PST
1. Open the web inspector on a site
2. Make a selection within the inspector - some CSS from the style pane, an attribute, etc.
3. Close the inspector
4. WebKit crashes:

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_INVALID_ADDRESS (0x0001) at 0x72656664

Thread 0 Crashed:
0   <<00000000>> 	0x72656664 0 + 1919247972
1   com.apple.WebCore              	0x011d88bc WebCore::RenderView::selectionRect() const + 456 (RenderView.cpp:249)
2   com.apple.WebCore              	0x0111f7e8 WebCore::Frame::selectionRect() const + 84 (Frame.cpp:918)
3   com.apple.WebCore              	0x0111f888 WebCore::Frame::visibleSelectionRect() const + 88 (Frame.cpp:927)
4   com.apple.WebCore              	0x011210a8 WebCore::Frame::setIsActive(bool) + 208 (Frame.cpp:1233)
5   com.apple.WebKit               	0x0034b2e4 -[WebHTMLView(WebPrivate) _updateActiveState] + 492 (WebHTMLView.mm:1767)
6   com.apple.WebKit               	0x003513d0 -[WebHTMLView windowDidResignKey:] + 336 (WebHTMLView.mm:2771)
7   com.apple.Foundation           	0x9295ead8 _nsnote_callback + 180
8   com.apple.CoreFoundation       	0x90804010 __CFXNotificationPost + 368
9   com.apple.CoreFoundation       	0x907fc0ec _CFXNotificationPostNotification + 684
10  com.apple.Foundation           	0x92948ee0 -[NSNotificationCenter postNotificationName:object:userInfo:] + 92
11  com.apple.AppKit               	0x937ab1f4 -[NSWindow resignKeyWindow] + 340
12  com.apple.AppKit               	0x937ab080 -[NSPanel resignKeyWindow] + 100
13  com.apple.AppKit               	0x937aabcc -[NSWindow _orderOutAndCalcKeyWithCounter:] + 248
14  com.apple.AppKit               	0x93747c7c -[NSWindow _reallyDoOrderWindow:relativeTo:findKey:forCounter:force:isModal:] + 2632
15  com.apple.AppKit               	0x937aa530 -[NSWindow _close] + 280
16  com.apple.AppKit               	0x937aa3e0 -[NSWindow close] + 36
17  com.apple.WebKit               	0x00393adc -[WebDefaultUIDelegate webViewClose:] + 100 (WebDefaultUIDelegate.m:72)
18  libobjc.A.dylib                	0x90a441f4 objc_msgSendv + 180
19  com.apple.Foundation           	0x9295ac88 -[NSInvocation invoke] + 944
20  com.apple.Foundation           	0x9295b238 -[NSInvocation invokeWithTarget:] + 64
21  com.apple.WebKit               	0x00381e18 -[_WebSafeForwarder forwardInvocation:] + 768 (WebView.mm:1432)
22  com.apple.Foundation           	0x92953034 -[NSObject(NSForwardInvocation) forward::] + 408
23  libobjc.A.dylib                	0x90a440b0 _objc_msgForward + 176
24  com.apple.WebKit               	0x0037ef88 -[WebView(WebPrivate) _closeWindow] + 96 (WebView.mm:943)
25  com.apple.Foundation           	0x92969bf8 __NSFireDelayedPerform + 304
26  com.apple.CoreFoundation       	0x907f0550 __CFRunLoopDoTimer + 184
27  com.apple.CoreFoundation       	0x907dcec8 __CFRunLoopRun + 1680
28  com.apple.CoreFoundation       	0x907dc47c CFRunLoopRunSpecific + 268
29  com.apple.HIToolbox            	0x93205740 RunCurrentEventLoopInMode + 264
30  com.apple.HIToolbox            	0x93204dd4 ReceiveNextEventCommon + 380
31  com.apple.HIToolbox            	0x93204c40 BlockUntilNextEventMatchingListInMode + 96
32  com.apple.AppKit               	0x93708ae4 _DPSNextEvent + 384
33  com.apple.AppKit               	0x937087a8 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 116
34  com.apple.Safari               	0x00006740 0x1000 + 22336
35  com.apple.AppKit               	0x93704cec -[NSApplication run] + 472
36  com.apple.AppKit               	0x937f587c NSApplicationMain + 452
37  com.apple.Safari               	0x0005c77c 0x1000 + 374652
38  com.apple.Safari               	0x0005c624 0x1000 + 374308
Comment 1 Maciej Stachowiak 2007-02-06 23:25:48 PST
<rdar://problem/4980997>
Comment 2 mitz 2007-02-15 02:14:44 PST
Created attachment 13180 [details]
Update the render tree at the beginning of RenderView::selectionRect()

Includes a change log that also explains why a test isn't included.
Comment 3 Darin Adler 2007-02-15 09:49:00 PST
Comment on attachment 13180 [details]
Update the render tree at the beginning of RenderView::selectionRect()

r=me

Why updateRendering and not updateLayout or updateLayoutIgnorePendingStylesheets?
Comment 4 Darin Adler 2007-02-15 09:52:34 PST
Comment on attachment 13180 [details]
Update the render tree at the beginning of RenderView::selectionRect()

The normal design here is that the code that makes changes is responsible for calling updateRendering -- that's the reason for the various updateDocumentsRendering calls. Maybe we need a better solution for cases like the one in the inspector code where it's not going through JavaScript.
Comment 5 mitz 2007-02-15 09:58:46 PST
(In reply to comment #3)
> Why updateRendering and not updateLayout or
> updateLayoutIgnorePendingStylesheets?

It's the least you can do. I didn't see a reason to do more at that point, but I could be wrong.

(In reply to comment #4)
> (From update of attachment 13180 [details] [edit])
> The normal design here is that the code that makes changes is responsible for
> calling updateRendering -- that's the reason for the various
> updateDocumentsRendering calls. Maybe we need a better solution for cases like
> the one in the inspector code where it's not going through JavaScript.

The inspector is going through JavaScript, as a matter of fact: the Obj-C method that receives the notification executes a bit of JavaScript that updates the style. I'm not sure I understand the "normal design" comment. There are several instances where the code that needs up-to-date layout information calls updateLayoutIgnorePendingStylesheets().
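Added example (not WebKit's code and not part of attachment 13180): a toy C++ model of the contract argued over in comments 3 to 5. The mutation path, standing in for the inspector's JavaScript that updates the style, only marks nodes dirty; a query that reads the render tree without synchronising first sees whatever the last update left behind. The toy models updateRendering() as a style recalc that re-attaches renderers of dirty nodes and drops the selection when a selected renderer is destroyed, and updateLayout() as that plus layout; it does not model pending stylesheets, so updateLayoutIgnorePendingStylesheets() is absent. The walk is over a node list rather than over raw renderer pointers, so a stale read here returns stale geometry instead of crashing the way the trace above does. All names, the layout rule, the selection-clearing behaviour and the sample document are assumptions made for this example.

```cpp
// Added example, not WebCore's code: a toy document modelling two of the synchronisation
// calls named in the review (updateRendering, updateLayout) and a selectionRect() that
// reads stale data unless it synchronises first. Every name and behaviour here is assumed.
#include <algorithm>
#include <cstdio>
#include <memory>
#include <stdexcept>
#include <string>
#include <vector>

struct Rect {
    int x = 0, y = 0, w = 0, h = 0;
    bool operator==(const Rect& o) const { return x == o.x && y == o.y && w == o.w && h == o.h; }
};
struct Renderer { Rect frame; bool selected = false; };   // frame is valid only after layout
// display is "block" or "none"; height is the one style property layout reads
struct Node { std::string id, display; int height = 0; bool styleDirty = false; std::unique_ptr<Renderer> renderer; };

class ToyDocument {
public:
    enum Sync { None, Rendering, Layout };   // what selectionRect() runs before reading the tree
    void appendNode(const std::string& id, int height) {
        m_nodes.push_back(std::make_unique<Node>());
        Node& n = *m_nodes.back(); n.id = id; n.display = "block"; n.height = height;
        n.styleDirty = m_needsStyleRecalc = true;
    }
    // Mutation path (the inspector's JavaScript in this model): restyle and mark dirty only.
    void setStyle(const std::string& id, const std::string& display, int height) {
        Node& n = find(id); n.display = display; n.height = height;
        n.styleDirty = m_needsStyleRecalc = true;
    }
    void setSelection(const std::string& startId, const std::string& endId) {
        updateLayout();                      // the code creating the selection synchronises first
        Renderer* start = find(startId).renderer.get(); Renderer* end = find(endId).renderer.get();
        bool inside = false;
        for (auto& n : m_nodes) {
            Renderer* r = n->renderer.get(); if (!r) continue;
            if (r == start) inside = true; r->selected = inside; if (r == end) inside = false;
        }
    }
    // Style recalc only: re-attach renderers of dirty nodes; destroying a selected
    // renderer clears the selection, so nothing selected is stale afterwards.
    void updateRendering() {
        if (!m_needsStyleRecalc) return;
        for (auto& n : m_nodes) {
            if (!n->styleDirty) continue;
            n->styleDirty = false;
            if (n->renderer && n->renderer->selected) clearSelection();
            n->renderer.reset();
            if (n->display != "none") n->renderer = std::make_unique<Renderer>();
        }
        m_needsStyleRecalc = false; m_needsLayout = true;
    }
    // Style recalc plus layout: blocks stacked vertically, 100 units wide.
    void updateLayout() {
        updateRendering();
        if (!m_needsLayout) return;
        int y = 0;
        for (auto& n : m_nodes) if (n->renderer) { n->renderer->frame = Rect{0, y, 100, n->height}; y += n->height; }
        m_needsLayout = false;
    }
    // Union of the selected renderers' frames. With None this has the shape of the bug:
    // it trusts whatever render tree exists, pending style changes or not.
    Rect selectionRect(Sync sync) {
        if (sync == Rendering) updateRendering();
        if (sync == Layout) updateLayout();
        Rect u; bool first = true;
        for (auto& n : m_nodes) {
            Renderer* r = n->renderer.get();
            if (!r || !r->selected) continue;
            if (first) { u = r->frame; first = false; continue; }
            int right = std::max(u.x + u.w, r->frame.x + r->frame.w), bottom = std::max(u.y + u.h, r->frame.y + r->frame.h);
            u.x = std::min(u.x, r->frame.x); u.y = std::min(u.y, r->frame.y); u.w = right - u.x; u.h = bottom - u.y;
        }
        return u;
    }

private:
    Node& find(const std::string& id) {
        for (auto& n : m_nodes) if (n->id == id) return *n;
        throw std::runtime_error("no node " + id);
    }
    void clearSelection() { for (auto& n : m_nodes) if (n->renderer) n->renderer->selected = false; }
    std::vector<std::unique_ptr<Node>> m_nodes;
    bool m_needsStyleRecalc = false, m_needsLayout = true;
};

// Constructed scenario: three stacked blocks a, b, c with b..c selected and laid out.
static ToyDocument makeDocument() {
    ToyDocument doc; doc.appendNode("a", 10); doc.appendNode("b", 20); doc.appendNode("c", 30);
    doc.setSelection("b", "c");
    return doc;
}

int main() {
    ToyDocument doc = makeDocument();
    doc.setStyle("a", "block", 50);          // pending change, as the inspector's script would leave it
    Rect stale = doc.selectionRect(ToyDocument::None), fresh = doc.selectionRect(ToyDocument::Layout);
    std::printf("stale top=%d fresh top=%d\n", stale.y, fresh.y);
}
```

In this model, updateRendering() at the top of selectionRect() is enough to make the walk consistent with the DOM (a node restyled to display:none no longer contributes a dead renderer, and the selection is dropped rather than read through it), but the rectangle is only current after updateLayout(); that difference is the one behind the question in comment 3, and which level a real query needs depends on whether it reads tree structure or geometry.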
Comment 6 Sam Weinig 2007-02-15 14:16:40 PST
Landed in r19644.