Bug 24003 - WebKit crashes on certain rtl pages
Summary: WebKit crashes on certain rtl pages
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: 528+ (Nightly build)
Hardware: PC Windows XP
Importance: P2 Major
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
Reported: 2009-02-18 10:04 PST by Rahul Kuchhal
Modified: 2009-02-26 11:11 PST
See Also:

Attachments
a small test case to reproduce the crash. (154 bytes, text/html) - 2009-02-18 10:05 PST, Rahul Kuchhal - no flags
Patch (1.33 KB, patch) - 2009-02-18 10:06 PST, Rahul Kuchhal - zwarich: review-
New patch (this time with a layout test) (3.04 KB, patch) - 2009-02-19 10:54 PST, Rahul Kuchhal - hyatt: review+

Description Rahul Kuchhal 2009-02-18 10:04:39 PST
Some rtl pages are causing WebKit to crash when it converts an object to RenderInline. The stack trace (from Chromium builds, but I can reproduce the same crash in Safari with latest WebKit):

0x0143e367 [chrome.dll - inlineflowbox.h:107] WebCore::InlineFlowBox::borderLeft()
0x01442067 [chrome.dll - renderbox.cpp:2037] WebCore::RenderBox::calcAbsoluteHorizontalValues(WebCore::Length, WebCore::RenderBoxModelObject const*, WebCore::TextDirection, int, int, WebCore::Length, WebCore::Length, WebCore::Length, WebCore::Length, int&, int&, int&, int&)
0x01441c6a [chrome.dll - renderbox.cpp:1816] WebCore::RenderBox::calcAbsoluteHorizontal()
0x014408c0 [chrome.dll - renderbox.cpp:1205] WebCore::RenderBox::calcWidth()
0x01471787 [chrome.dll - renderblock.cpp:732] WebCore::RenderBlock::layoutBlock(bool)
0x014716bc [chrome.dll - renderblock.cpp:704] WebCore::RenderBlock::layout()
0x01472d57 [chrome.dll - renderblock.cpp:1521] WebCore::RenderBlock::layoutPositionedObjects(bool)
0x014aa3c8 [chrome.dll - renderflexiblebox.cpp:249] WebCore::RenderFlexibleBox::layoutBlock(bool)
0x014716bc [chrome.dll - renderblock.cpp:704] WebCore::RenderBlock::layout()
0x014eed98 [chrome.dll - bidi.cpp:819] WebCore::RenderBlock::layoutInlineChildren(bool, int&, int&)
0x0147189c [chrome.dll - renderblock.cpp:785] WebCore::RenderBlock::layoutBlock(bool)
0x014716bc [chrome.dll - renderblock.cpp:704] WebCore::RenderBlock::layout()
0x01474a50 [chrome.dll - renderblock.cpp:2354] WebCore::RenderBlock::insertFloatingObject(WebCore::RenderBox*)
Comment 1 Rahul Kuchhal 2009-02-18 10:05:42 PST
Created attachment 27752 [details]
a small test case to reproduce the crash.
Comment 2 Rahul Kuchhal 2009-02-18 10:06:21 PST
Created attachment 27753 [details]
Patch
Comment 3 Cameron Zwarich (cpst) 2009-02-19 08:31:58 PST
Comment on attachment 27753 [details]
Patch

This patch should be accompanied by a layout test.
Comment 4 Rahul Kuchhal 2009-02-19 10:54:28 PST
Created attachment 27796 [details]
New patch (this time with a layout test)
Comment 5 Dave Hyatt 2009-02-24 09:54:24 PST
Comment on attachment 27796 [details]
New patch (this time with a layout test)

r=me
Comment 6 Dimitri Glazkov (Google) 2009-02-26 11:11:50 PST
Landed as http://trac.webkit.org/changeset/41259.