Bug 3855 - Table with Form Field and Hidden DIV crashes Safari
Summary: Table with Form Field and Hidden DIV crashes Safari
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Forms
Version: 420+
Hardware: Mac OS X 10.4
Importance: P1 Critical
Assignee: Carsten Guenther
URL: http://www.pmachine.com/forums/viewth...
Keywords:
Depends on:
Blocks:
 
Reported: 2005-07-04 17:18 PDT by Bryan
Modified: 2007-02-06 03:45 PST
CC List: 1 user

See Also:


Attachments
minimal testcase (217 bytes, text/html)
2005-07-04 23:02 PDT, Joost de Valk (AlthA)
no flags
minimal testcase (268 bytes, text/html)
2005-07-04 23:06 PDT, Joost de Valk (AlthA)
no flags
Proposed fix (2.48 KB, patch)
2005-07-07 21:34 PDT, Carsten Guenther
hyatt: review-
Merging patch (2.42 KB, patch)
2005-07-09 15:50 PDT, Carsten Guenther
hyatt: review+

Description Bryan 2005-07-04 17:18:22 PDT
The following code is from a test page that always will cause Safari to crash.  More discussion on this 
can be found here:

http://www.pmachine.com/forums/viewthread/24217/P0/

<html>
<head>
<title>test</title>
</head>

<body>

<form>

<textarea cols='30' rows='10'></textarea>

<div style="display:none;">
<table>
  <tr>
    <td>test</td>
  </tr>
</table>
</div>


<div><input type='text' name='bla' value='' size="33" /></div>

</form>


</body>
</html>
Comment 1 Mark Rowe (bdash) 2005-07-04 21:40:24 PDT
The report is missing a key step to reproduce:  the crash only occurs after you begin typing in the 
bottom text entry field.  This occurs with both WebKit 412 and ToT CVS.  Crash log from ToT included 
below:

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x0000000c

Thread 0 Crashed:
0   com.apple.WebCore        	0x011dfed4 khtml::RenderTableCell::table() const + 0 (icplusplus.c:28)
1   <<00000000>> 	0xbfffe324 0 + -1073749212
2   com.apple.WebCore        	0x010204b8 KWQKHTMLPart::searchForLabelsBeforeElement(NSArray*, DOM::ElementImpl*) + 204 (icplusplus.c:28)
3   com.apple.Safari         	0x0009956c 0x1000 + 623980
4   com.apple.Safari         	0x00098edc 0x1000 + 622300
5   com.apple.Safari         	0x000958f8 0x1000 + 608504
6   com.apple.Safari         	0x00095b50 0x1000 + 609104
7   com.apple.Safari         	0x0004402c 0x1000 + 274476
8   com.apple.Foundation     	0x92886d18 __NSFireDelayedPerform + 304
9   com.apple.CoreFoundation 	0x9075deb0 __CFRunLoopDoTimer + 184
10  com.apple.CoreFoundation 	0x9074a828 __CFRunLoopRun + 1680
11  com.apple.CoreFoundation 	0x90749ddc CFRunLoopRunSpecific + 268
12  com.apple.HIToolbox      	0x93122ca0 RunCurrentEventLoopInMode + 264
13  com.apple.HIToolbox      	0x93122334 ReceiveNextEventCommon + 380
14  com.apple.HIToolbox      	0x931221a0 BlockUntilNextEventMatchingListInMode + 96
15  com.apple.AppKit         	0x9362b1a4 _DPSNextEvent + 384
16  com.apple.AppKit         	0x9362ae68 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 116
17  com.apple.Safari         	0x00007058 0x1000 + 24664
18  com.apple.AppKit         	0x936273cc -[NSApplication run] + 472
19  com.apple.AppKit         	0x93717c1c NSApplicationMain + 452
20  com.apple.Safari         	0x00002700 0x1000 + 5888
21  com.apple.Safari         	0x00057190 0x1000 + 352656
Comment 2 Mark Rowe (bdash) 2005-07-04 21:42:18 PDT
An easily accessible case for this bug is at http://pmachine.com/misc/safari_crash.html. It consists of the 
HTML included in the initial bug report.
Comment 3 Joost de Valk (AlthA) 2005-07-04 23:02:22 PDT
Created attachment 2799 [details]
minimal testcase

Removing either the table or the display:none prevents the crash.
Comment 4 Joost de Valk (AlthA) 2005-07-04 23:06:20 PDT
Created attachment 2800 [details]
minimal testcase

This time the testcase tells how to recreate the problem.
Comment 5 Carsten Guenther 2005-07-07 21:34:54 PDT
Created attachment 2858 [details]
Proposed fix

This patch checks for the existence of the cell renderer.
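The following is an added example, not WebKit's code or the patch attached here. It models the failure mode the crash log and Comment 3 point at: a `<td>` inside a `display:none` subtree has no render object, so a DOM walk that unconditionally asks the cell renderer for its table reads through a null pointer (the log shows the fault at address 0x0000000c, a small offset from null). The `Node`, `RenderStore`, `RenderTableCell`, `searchForLabelsBefore` and `labelsForReproducer` names are hypothetical stand-ins for KHTML's classes, and the guard in the search loop is the kind of existence check the patch description refers to.

```cpp
// Added example (not WebKit code). Hypothetical, simplified model of a DOM
// whose render tree omits everything under display:none, and of a label
// search that must tolerate a <td> without a renderer.
#include <algorithm>
#include <memory>
#include <string>
#include <utility>
#include <vector>

struct RenderTable {};                      // hypothetical stand-in
struct RenderTableCell {                    // hypothetical stand-in
    RenderTable* parentTable = nullptr;
    RenderTable* table() const { return parentTable; }
};

// Minimal DOM node. cellRenderer stays null for a <td> that is not rendered.
struct Node {
    std::string tag;
    std::string text;
    bool displayNone = false;
    RenderTableCell* cellRenderer = nullptr;
    std::vector<std::unique_ptr<Node>> children;
    Node* add(std::unique_ptr<Node> child) {
        children.push_back(std::move(child));
        return children.back().get();
    }
};

std::unique_ptr<Node> makeNode(const std::string& tag, const std::string& text = "",
                               bool hidden = false) {
    auto n = std::make_unique<Node>();
    n->tag = tag;
    n->text = text;
    n->displayNone = hidden;
    return n;
}

// Owns the render objects so Node can hold plain pointers to them.
struct RenderStore {
    std::vector<std::unique_ptr<RenderTable>> tables;
    std::vector<std::unique_ptr<RenderTableCell>> cells;
};

// Render-tree construction: nothing under a display:none node gets a renderer.
void attachRenderers(Node& n, RenderStore& store, bool hidden, RenderTable* table) {
    hidden = hidden || n.displayNone;
    if (!hidden && n.tag == "table") {
        store.tables.push_back(std::make_unique<RenderTable>());
        table = store.tables.back().get();
    }
    if (!hidden && n.tag == "td") {
        store.cells.push_back(std::make_unique<RenderTableCell>());
        store.cells.back()->parentTable = table;
        n.cellRenderer = store.cells.back().get();
    }
    for (auto& c : n.children) attachRenderers(*c, store, hidden, table);
}

// Pre-order walk, i.e. document order.
void flatten(Node& n, std::vector<Node*>& out) {
    out.push_back(&n);
    for (auto& c : n.children) flatten(*c, out);
}

// Hypothetical label search: walk backwards from `element` over the nodes that
// precede it in document order and collect table-cell text that could label it.
// The unsafe form of this loop calls node->cellRenderer->table() for every <td>;
// for the hidden cell in the report that pointer is null and the call crashes.
std::vector<std::string> searchForLabelsBefore(Node& root, Node* element) {
    std::vector<Node*> order;
    flatten(root, order);
    std::vector<std::string> labels;
    auto it = std::find(order.begin(), order.end(), element);
    if (it == order.end()) return labels;
    while (it != order.begin()) {
        Node* node = *--it;
        if (node->tag != "td") continue;
        RenderTableCell* cell = node->cellRenderer;
        if (!cell || !cell->table()) continue;  // the guard: unrendered cell, skip it
        labels.push_back(node->text);
    }
    return labels;
}

// Counts <td> nodes that a renderer-based walk has to skip.
int unrenderedCells(Node& root) {
    std::vector<Node*> order;
    flatten(root, order);
    return static_cast<int>(std::count_if(order.begin(), order.end(),
        [](Node* n) { return n->tag == "td" && !n->cellRenderer; }));
}

// The reporter's markup: form > textarea, (hidden) div > table > tr > td, div > input.
struct Reproducer {
    std::unique_ptr<Node> root;
    Node* input = nullptr;
    RenderStore store;
};

Reproducer buildReproducer(bool hideTable) {
    Reproducer r;
    r.root = makeNode("form");
    r.root->add(makeNode("textarea"));
    Node* div = r.root->add(makeNode("div", "", hideTable));
    div->add(makeNode("table"))->add(makeNode("tr"))->add(makeNode("td", "test"));
    r.input = r.root->add(makeNode("div"))->add(makeNode("input"));
    attachRenderers(*r.root, r.store, false, nullptr);
    return r;
}

std::vector<std::string> labelsForReproducer(bool hideTable) {
    Reproducer r = buildReproducer(hideTable);
    return searchForLabelsBefore(*r.root, r.input);
}
```

With the table hidden, `labelsForReproducer(true)` skips the unrendered cell and returns no labels instead of faulting; with the `display:none` removed (the variant Comment 3 says does not crash), the same walk finds the rendered cell and returns its text. The point for any layout-driven code is that "has no renderer" is a normal state for a DOM node, not an error, and every renderer lookup needs this check.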
Comment 6 Dave Hyatt 2005-07-09 14:01:36 PDT
Comment on attachment 2858 [details]
Proposed fix

The fix looks good, but this patch isn't going to merge any more after the
changes from 3405.  Can you make the fix again and attach a new patch? Thanks.
Comment 7 Carsten Guenther 2005-07-09 15:50:06 PDT
Created attachment 2888 [details]
Merging patch

Here you go.
Comment 8 Joost de Valk (AlthA) 2005-07-11 06:09:04 PDT
Comment on attachment 2888 [details]
Merging patch

Changed name of patch, since it could seem now as if you just attached the
patch again...
Comment 9 Dave Hyatt 2005-07-12 14:35:08 PDT
Comment on attachment 2888 [details]
Merging patch

r=me
Comment 10 Vicki Murley 2005-07-14 11:53:16 PDT
I'll commit this
Comment 11 Carsten Guenther 2005-07-18 19:38:27 PDT
Closing since this has been committed.
Comment 12 John Sullivan 2005-09-05 12:07:42 PDT
This is also in Radar as <rdar://problem/4146880>