Bug 15091 - Crash in RenderBlock::skipWhitespace during layout
Summary: Crash in RenderBlock::skipWhitespace during layout
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering (show other bugs)
Version: 523.x (Safari 3)
Hardware: Macintosh OS X 10.5
: P1 Major
Assignee: Nobody
URL: http://www.wherethebloodyhellareyou.com/
Keywords: InRadar, NeedsReduction
Depends on:
Blocks:
 
Reported: 2007-08-27 05:48 PDT by Mark Rowe (bdash)
Modified: 2007-08-27 11:03 PDT (History)
2 users (show)

See Also:


Attachments
Reduction (will crash if Java is disabled) (103 bytes, text/html)
2007-08-27 07:04 PDT, mitz
no flags Details
Create the right renderer for fallback content (31.67 KB, patch)
2007-08-27 09:13 PDT, mitz
darin: review+
Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Mark Rowe (bdash) 2007-08-27 05:48:48 PDT
Steps to reproduce:
1) Visit http://www.wherethebloodyhellareyou.com/
2) Click "View the TV Ad"
3) *crash*

Backtrace is as follows:
Exception Type:  EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000090
Crashed Thread:  0

Thread 0 Crashed:
0   com.apple.WebCore             	0x017200b0 WebCore::RenderLayer::setStaticX(int) + 12 (RenderLayer.h:345)
1   com.apple.WebCore             	0x0171bba9 WebCore::RenderBox::setStaticX(int) + 147 (RenderBox.cpp:1516)
2   com.apple.WebCore             	0x016f36d7 WebCore::RenderBlock::skipWhitespace(WebCore::BidiIterator&, WebCore::BidiResolver<WebCore::BidiIterator, WebCore::BidiRun>&) + 549 (bidi.cpp:1297)
3   com.apple.WebCore             	0x016f3833 WebCore::RenderBlock::findNextLineBreak(WebCore::BidiIterator&, WebCore::BidiResolver<WebCore::BidiIterator, WebCore::BidiRun>&) + 43 (bidi.cpp:1317)
4   com.apple.WebCore             	0x016f76e8 WebCore::RenderBlock::layoutInlineChildren(bool, int&, int&) + 3010 (bidi.cpp:965)
5   com.apple.WebCore             	0x01711ff9 WebCore::RenderBlock::layoutBlock(bool) + 1307 (RenderBlock.cpp:579)
6   com.apple.WebCore             	0x01702770 WebCore::RenderBlock::layout() + 54 (RenderBlock.cpp:493)
7   com.apple.WebCore             	0x016f8751 WebCore::RenderObject::layoutIfNeeded() + 41 (RenderObject.h:476)
8   com.apple.WebCore             	0x01710800 WebCore::RenderBlock::layoutBlockChildren(bool) + 1466 (RenderBlock.cpp:1214)
9   com.apple.WebCore             	0x01712011 WebCore::RenderBlock::layoutBlock(bool) + 1331 (RenderBlock.cpp:584)
10  com.apple.WebCore             	0x01702770 WebCore::RenderBlock::layout() + 54 (RenderBlock.cpp:493)
11  com.apple.WebCore             	0x016f8751 WebCore::RenderObject::layoutIfNeeded() + 41 (RenderObject.h:476)
12  com.apple.WebCore             	0x01710800 WebCore::RenderBlock::layoutBlockChildren(bool) + 1466 (RenderBlock.cpp:1214)
13  com.apple.WebCore             	0x01712011 WebCore::RenderBlock::layoutBlock(bool) + 1331 (RenderBlock.cpp:584)
14  com.apple.WebCore             	0x01702770 WebCore::RenderBlock::layout() + 54 (RenderBlock.cpp:493)
15  com.apple.WebCore             	0x0172236e WebCore::RenderView::layout() + 310 (RenderView.cpp:114)
16  com.apple.WebCore             	0x0169dc4f WebCore::FrameView::layout(bool) + 1919 (FrameView.cpp:430)
17  com.apple.WebCore             	0x0169df21 WebCore::FrameView::layoutTimerFired(WebCore::Timer<WebCore::FrameView>*) + 25 (FrameView.cpp:646)
18  com.apple.WebCore             	0x0169f9ad WebCore::Timer<WebCore::FrameView>::fired() + 89 (Timer.h:98)
19  com.apple.WebCore             	0x017e5558 WebCore::TimerBase::fireTimers(double, WTF::Vector<WebCore::TimerBase*, 0ul> const&) + 198 (Timer.cpp:339)
20  com.apple.WebCore             	0x017e5600 WebCore::TimerBase::sharedTimerFired() + 110 (Timer.cpp:359)
21  com.apple.WebCore             	0x017e4b94 WebCore::timerFired(__CFRunLoopTimer*, void*) + 78 (SharedTimerMac.cpp:85)
22  com.apple.CoreFoundation      	0x95c70fee CFRunLoopRunSpecific + 4494
23  com.apple.CoreFoundation      	0x95c711a8 CFRunLoopRunInMode + 88
24  com.apple.HIToolbox           	0x95d70758 RunCurrentEventLoopInMode + 283
25  com.apple.HIToolbox           	0x95d70571 ReceiveNextEventCommon + 374
26  com.apple.HIToolbox           	0x95d703e5 BlockUntilNextEventMatchingListInMode + 106
27  com.apple.AppKit              	0x93aeb813 _DPSNextEvent + 657
28  com.apple.AppKit              	0x93aeb159 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
29  com.apple.Safari              	0x000231b1 -[BrowserApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 171
30  com.apple.AppKit              	0x93ae430b -[NSApplication run] + 795
31  com.apple.AppKit              	0x93ab1758 NSApplicationMain + 663
32  com.apple.Safari              	0x000aafe1 main + 90
33  com.apple.Safari              	0x000023f2 start + 54
Comment 1 Mark Rowe (bdash) 2007-08-27 05:49:48 PDT
<rdar://problem/5439631>
Comment 2 Mark Rowe (bdash) 2007-08-27 05:50:17 PDT
I should note that I'm seeing this with r25259.
Comment 3 Mark Rowe (bdash) 2007-08-27 06:56:30 PDT
Apparently the fact I have Java disabled is a factor in reproducing this crash.
Comment 4 mitz 2007-08-27 07:04:40 PDT
Created attachment 16131 [details]
Reduction (will crash if Java is disabled)

Reduction:
<applet code=""  style="position: absolute;"></applet>
Comment 5 mitz 2007-08-27 09:13:15 PDT
Created attachment 16133 [details]
Create the right renderer for fallback content
Comment 6 Darin Adler 2007-08-27 09:35:30 PDT
Comment on attachment 16133 [details]
Create the right renderer for fallback content

r=me
Comment 7 Mark Rowe (bdash) 2007-08-27 11:03:08 PDT
Fix landed in r25262.