RESOLVED FIXED 14545
REGRESSION (r21854-r21869): Repro crash in RenderBlock::updateFirstLetter @ nola.com/rose/
https://bugs.webkit.org/show_bug.cgi?id=14545
Gibbons Burke
Reported 2007-07-06 14:09:53 PDT
Steps to reproduce:
1) Start Webkit.app nightly build (r24064)
2) Type "Chris Rose" in Google search text area
3) Select first hit in google results page
CRASH!

Full crash report attached. This crash does not occur in Safari 3.0.2.

Partial crash report:

Date/Time:      2007-07-06 16:02:06.631 -0500
OS Version:     10.4.10 (Build 8R218)
Report Version: 4

Command: Safari
Path:    /Applications/Safari.app/Contents/MacOS/Safari
Parent:  WindowServer [101]

Version: r24064 (24064)

PID:    6767
Thread: 0

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x0000006c

Thread 0 Crashed:
0   com.apple.WebCore          0x0116c5ac WebCore::RenderBlock::updateFirstLetter() + 1276
1   com.apple.WebCore          0x0116d140 WebCore::RenderBlock::calcPrefWidths() + 48
2   com.apple.WebCore          0x0117a4ac WebCore::RenderBox::minPrefWidth() const + 60
3   com.apple.WebCore          0x0116b114 WebCore::RenderBlock::calcBlockPrefWidths() + 420
4   com.apple.WebCore          0x0116d1c4 WebCore::RenderBlock::calcPrefWidths() + 180
5   com.apple.WebCore          0x0117a4ac WebCore::RenderBox::minPrefWidth() const + 60
6   com.apple.WebCore          0x0116b114 WebCore::RenderBlock::calcBlockPrefWidths() + 420
7   com.apple.WebCore          0x0116d1c4 WebCore::RenderBlock::calcPrefWidths() + 180
8   com.apple.WebCore          0x0117a4ac WebCore::RenderBox::minPrefWidth() const + 60
9   com.apple.WebCore          0x0116b114 WebCore::RenderBlock::calcBlockPrefWidths() + 420
10  com.apple.WebCore          0x0116d1c4 WebCore::RenderBlock::calcPrefWidths() + 180
11  com.apple.WebCore          0x0117a4ac WebCore::RenderBox::minPrefWidth() const + 60
12  com.apple.WebCore          0x0116b114 WebCore::RenderBlock::calcBlockPrefWidths() + 420
13  com.apple.WebCore          0x0116d1c4 WebCore::RenderBlock::calcPrefWidths() + 180
14  com.apple.WebCore          0x011d1488 WebCore::RenderTableCell::calcPrefWidths() + 72
15  com.apple.WebCore          0x012ed10c WebCore::AutoTableLayout::recalcColumn(int) + 604
16  com.apple.WebCore          0x012ed6f0 WebCore::AutoTableLayout::fullRecalc() + 688
17  com.apple.WebCore          0x012ee2e8 WebCore::AutoTableLayout::calcPrefWidths(int&, int&) + 40
18  com.apple.WebCore          0x011d4c4c WebCore::RenderTable::calcPrefWidths() + 92
19  com.apple.WebCore          0x0117a4ac WebCore::RenderBox::minPrefWidth() const + 60
20  com.apple.WebCore          0x0116b114 WebCore::RenderBlock::calcBlockPrefWidths() + 420
21  com.apple.WebCore          0x0116d1c4 WebCore::RenderBlock::calcPrefWidths() + 180
22  com.apple.WebCore          0x011d1488 WebCore::RenderTableCell::calcPrefWidths() + 72
23  com.apple.WebCore          0x012ed10c WebCore::AutoTableLayout::recalcColumn(int) + 604
24  com.apple.WebCore          0x012ed6f0 WebCore::AutoTableLayout::fullRecalc() + 688
25  com.apple.WebCore          0x012ee2e8 WebCore::AutoTableLayout::calcPrefWidths(int&, int&) + 40
26  com.apple.WebCore          0x011d4c4c WebCore::RenderTable::calcPrefWidths() + 92
27  com.apple.WebCore          0x0117a4ac WebCore::RenderBox::minPrefWidth() const + 60
28  com.apple.WebCore          0x011d51d0 WebCore::RenderTable::calcWidth() + 288
29  com.apple.WebCore          0x011d5784 WebCore::RenderTable::layout() + 692
30  com.apple.WebCore          0x01177008 WebCore::RenderBlock::layoutBlockChildren(bool) + 1416
31  com.apple.WebCore          0x0117796c WebCore::RenderBlock::layoutBlock(bool) + 1324
32  com.apple.WebCore          0x011678fc WebCore::RenderBlock::layout() + 76
33  com.apple.WebCore          0x01177008 WebCore::RenderBlock::layoutBlockChildren(bool) + 1416
34  com.apple.WebCore          0x0117796c WebCore::RenderBlock::layoutBlock(bool) + 1324
35  com.apple.WebCore          0x011678fc WebCore::RenderBlock::layout() + 76
36  com.apple.WebCore          0x01177008 WebCore::RenderBlock::layoutBlockChildren(bool) + 1416
37  com.apple.WebCore          0x0117796c WebCore::RenderBlock::layoutBlock(bool) + 1324
38  com.apple.WebCore          0x011678fc WebCore::RenderBlock::layout() + 76
39  com.apple.WebCore          0x01185a98 WebCore::RenderView::layout() + 216
40  com.apple.WebCore          0x010e74d4 WebCore::FrameView::layout(bool) + 1364
41  com.apple.WebCore          0x01243ac4 WebCore::TimerBase::fireTimers(double, WTF::Vector<WebCore::TimerBase*, (unsigned long)0> const&) + 180
42  com.apple.WebCore          0x01243b60 WebCore::TimerBase::sharedTimerFired() + 112
43  com.apple.WebCore          0x012432bc WebCore::timerFired(__CFRunLoopTimer*, void*) + 76
44  com.apple.CoreFoundation   0x902c5578 __CFRunLoopDoTimer + 184
45  com.apple.CoreFoundation   0x902b1ef8 __CFRunLoopRun + 1680
46  com.apple.CoreFoundation   0x902b14ac CFRunLoopRunSpecific + 268
47  com.apple.HIToolbox        0x92020b20 RunCurrentEventLoopInMode + 264
48  com.apple.HIToolbox        0x920201b4 ReceiveNextEventCommon + 380
49  com.apple.HIToolbox        0x92020020 BlockUntilNextEventMatchingListInMode + 96
50  com.apple.AppKit           0x92509ae4 _DPSNextEvent + 384
51  com.apple.AppKit           0x925097a8 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 116
52  com.apple.Safari           0x00006770 0x1000 + 22384
53  com.apple.AppKit           0x92505cec -[NSApplication run] + 472
54  com.apple.AppKit           0x925f687c NSApplicationMain + 452
55  com.apple.Safari           0x0000244c 0x1000 + 5196
56  com.apple.Safari           0x0004f1b0 0x1000 + 319920
Attachments
Crash report (36.17 KB, text/plain)
2007-07-06 14:10 PDT, Gibbons Burke
no flags
Reduction (will crash) (195 bytes, text/html)
2007-07-06 15:00 PDT, mitz
no flags
Allow :first-letter and text-transform:capitalize to coexist (41.70 KB, patch)
2007-07-06 16:47 PDT, mitz
darin: review+
Gibbons Burke
Comment 1 2007-07-06 14:10:27 PDT
Created attachment 15422 [details] Crash report
Geoffrey Garen
Comment 2 2007-07-06 14:25:17 PDT
To repro, all you need is to navigate to http://www.nola.com/rose/.
Geoffrey Garen
Comment 3 2007-07-06 14:27:02 PDT
Beth Dakin
Comment 4 2007-07-06 14:46:30 PDT
This is a recent regression. The site loads fine with the version of Safari that is part of the WWDC Leopard seed.
mitz
Comment 5 2007-07-06 15:00:59 PDT
Created attachment 15423 [details]
Reduction (will crash)

I suspect this regressed in <http://trac.webkit.org/projects/webkit/changeset/21742>. Note that on the beta, while WebKit doesn't crash, it doesn't render correctly either (it capitalizes the second letter).
mitz
Comment 6 2007-07-06 15:16:20 PDT
(In reply to comment #5)
> I suspect this regressed in
> <http://trac.webkit.org/projects/webkit/changeset/21742>.

False suspicion.
mitz
Comment 7 2007-07-06 15:32:33 PDT
Regressed between r21854 and r21869. The change most likely to have caused the regression is <http://trac.webkit.org/projects/webkit/changeset/21861>.
mitz
Comment 8 2007-07-06 16:47:22 PDT
Created attachment 15424 [details]
Allow :first-letter and text-transform:capitalize to coexist

No layout test regressions, and a new test. Finding the real previous character in the remaining text fragment case may be an overkill (i.e. maybe ' ' will do) but I'm taking the conservative approach since I don't know for a fact that every character that is not fit to serve as a first letter (meaning: punctuation and spaces) is also a word separator.
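As an added illustration of the interaction discussed in comments 5 and 8 (example code written for this page, not WebCore's code and not the patch that landed on this bug), the model below applies text-transform: capitalize to a text run that :first-letter has split into a first-letter fragment and a remaining fragment. The character classes, the function names and the rule that "word separator" means "not alphanumeric" are assumptions of the model. Capitalizing the remaining fragment on its own, with ' ' as its previous character, upper-cases the second letter of the run, which is the mis-rendering comment 5 describes; carrying the real previous character across the split, as comment 8 chooses to do, keeps it lower-case.

```cpp
#include <cctype>
#include <iostream>
#include <string>
#include <utility>

// Constructed model of text-transform: capitalize meeting :first-letter.
// Not WebCore's RenderBlock::updateFirstLetter and not the landed patch.

// Model assumption: a character is a word separator iff it is not
// alphanumeric. That is also the set of characters that cannot serve as a
// first letter (spaces and punctuation). Comment 8 does not rely on the two
// sets coinciding, which is why it looks up the real previous character
// instead of substituting ' '.
static bool isWordSeparator(char c)
{
    return !std::isalnum(static_cast<unsigned char>(c));
}

// Apply text-transform: capitalize to one text fragment. The character that
// precedes the fragment in the rendered text decides whether its first
// character starts a word; inside the fragment every letter that follows a
// separator is upper-cased.
std::string capitalize(const std::string& text, char previousCharacter)
{
    std::string out;
    out.reserve(text.size());
    char previous = previousCharacter;
    for (char c : text) {
        if (isWordSeparator(previous))
            out.push_back(static_cast<char>(std::toupper(static_cast<unsigned char>(c))));
        else
            out.push_back(c);
        previous = c;
    }
    return out;
}

// Split a text run the way :first-letter does in this model: any leading
// separators plus the first letter form the first-letter fragment, the rest
// is the remaining fragment. A run with no letter at all is entirely
// first-letter and leaves nothing remaining.
std::pair<std::string, std::string> splitFirstLetter(const std::string& text)
{
    std::string::size_type i = 0;
    while (i < text.size() && isWordSeparator(text[i]))
        ++i;
    if (i == text.size())
        return { text, std::string() };
    return { text.substr(0, i + 1), text.substr(i + 1) };
}

// Broken approach: each fragment is capitalized in isolation, so the
// remaining fragment is treated as if it started a new word and its first
// character, the second letter of the run, is upper-cased.
std::string renderFragmentsIndependently(const std::string& text)
{
    auto parts = splitFirstLetter(text);
    return capitalize(parts.first, ' ') + capitalize(parts.second, ' ');
}

// Conservative approach: the remaining fragment is capitalized with the real
// character that precedes it, the last character of the first-letter
// fragment, so the second letter keeps its case.
std::string renderWithRealPreviousCharacter(const std::string& text)
{
    auto parts = splitFirstLetter(text);
    std::string firstLetter = capitalize(parts.first, ' ');
    char previous = parts.first.empty() ? ' ' : parts.first.back();
    return firstLetter + capitalize(parts.second, previous);
}

int main()
{
    // Constructed sample runs; the second one carries leading punctuation,
    // which :first-letter absorbs into the first-letter fragment.
    const char* samples[] = { "hello world", "\"quoted text\"", "..." };
    for (const char* sample : samples) {
        std::cout << "independent: " << renderFragmentsIndependently(sample) << '\n'
                  << "real prev:   " << renderWithRealPreviousCharacter(sample) << '\n';
    }
    return 0;
}
```

Running the block prints "HEllo World" for the isolated rendering of "hello world" and "Hello World" once the remaining fragment is given 'h' as its previous character; a run consisting only of punctuation is left untouched by both paths.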
Darin Adler
Comment 9 2007-07-06 18:38:50 PDT
Comment on attachment 15424 [details]
Allow :first-letter and text-transform:capitalize to coexist

r=me
Mark Rowe (bdash)
Comment 10 2007-07-06 19:39:05 PDT
Landed in r24084.