Bug 46770 - crash at lineBreakExistsAtPosition
Summary: crash at lineBreakExistsAtPosition
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: HTML Editing (show other bugs)
Version: 528+ (Nightly build)
Hardware: All OS X 10.5
: P2 Normal
Assignee: Enrica Casucci
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2010-09-28 17:23 PDT by Enrica Casucci
Modified: 2010-09-29 17:13 PDT (History)
2 users (show)

See Also:

Attachments
Patch (1.62 KB, patch)
2010-09-28 17:27 PDT, Enrica Casucci 		darin: review+
Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Enrica Casucci 2010-09-28 17:23:28 PDT 
This bug has been reported by several people.
We don't have a repro case, but it seems related to typing in form controls.
Here is the stacktrace:


Exception Type:  EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000004
Crashed Thread:  0

Thread 0 Crashed:
0   com.apple.WebCore             	0x9282476d WebCore::lineBreakExistsAtPosition(WebCore::Position const&) + 125
1   com.apple.WebCore             	0x928236c6 WebCore::InsertTextCommand::input(WebCore::String const&, bool) + 294
2   com.apple.WebCore             	0x92822e8c WebCore::TypingCommand::insertTextRunWithoutNewlines(WebCore::String const&, bool) + 140
3   com.apple.WebCore             	0x92822ddf WebCore::TypingCommand::insertText(WebCore::String const&, bool) + 351
4   com.apple.WebCore             	0x928215c3 WebCore::TypingCommand::insertText(WebCore::Document*, WebCore::String const&, WebCore::VisibleSelection const&, bool, bool) + 659
5   com.apple.WebCore             	0x92820c78 WebCore::Editor::insertTextWithoutSendingTextEvent(WebCore::String const&, bool, WebCore::Event*) + 1048
6   com.apple.WebCore             	0x92820835 WebCore::EventHandler::defaultTextInputEventHandler(WebCore::TextEvent*) + 197
7   com.apple.WebCore             	0x9263ddbb WebCore::Node::defaultEventHandler(WebCore::Event*) + 379
8   com.apple.WebCore             	0x927026b8 WebCore::HTMLInputElement::defaultEventHandler(WebCore::Event*) + 600
9   com.apple.WebCore             	0x9263d8f1 WebCore::Node::dispatchGenericEvent(WTF::PassRefPtr<WebCore::Event>) + 1297
10  com.apple.WebCore             	0x9263d2a1 WebCore::Node::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, int&) + 225
11  com.apple.WebCore             	0x928205ce WebCore::EventHandler::handleTextInputEvent(WebCore::String const&, WebCore::Event*, bool, bool) + 238
12  com.apple.WebCore             	0x928204d9 WebCore::Editor::insertText(WebCore::String const&, WebCore::Event*) + 57
13  com.apple.WebKit              	0x932588bd -[WebHTMLView(WebNSTextInputSupport) insertText:] + 1229
14  com.apple.WebKit              	0x9325830a -[WebHTMLView(WebInternal) _interceptEditingKeyEvent:shouldSaveCommand:] + 682
15  com.apple.WebKit              	0x93258b4c WebEditorClient::handleKeyboardEvent(WebCore::KeyboardEvent*) + 108
16  com.apple.WebCore             	0x9281fc99 WebCore::EventHandler::defaultKeyboardEventHandler(WebCore::KeyboardEvent*) + 217
17  com.apple.WebCore             	0x9263dcaa WebCore::Node::defaultEventHandler(WebCore::Event*) + 106
18  com.apple.WebCore             	0x927025f6 WebCore::HTMLInputElement::defaultEventHandler(WebCore::Event*) + 406
19  com.apple.WebCore             	0x9263d8f1 WebCore::Node::dispatchGenericEvent(WTF::PassRefPtr<WebCore::Event>) + 1297
20  com.apple.WebCore             	0x9263d2a1 WebCore::Node::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, int&) + 225
21  com.apple.WebCore             	0x9281f3f3 WebCore::EventHandler::keyEvent(WebCore::PlatformKeyboardEvent const&) + 1827
22  com.apple.WebCore             	0x9281d068 WebCore::EventHandler::keyEvent(NSEvent*) + 296
23  com.apple.WebKit              	0x93257ebd -[WebHTMLView keyDown:] + 269
Comment 1 Enrica Casucci 2010-09-28 17:27:17 PDT 
Created attachment 69141 [details]
Patch
Comment 2 Darin Adler 2010-09-28 17:29:55 PDT 
Comment on attachment 69141 [details]
Patch

Normally we require a test for any bug fix. I am saying review+ on this even without a test, but it seems that given you understanding of the cause you could construct a test.
Comment 3 Enrica Casucci 2010-09-29 11:48:39 PDT 
(In reply to comment #2)
> (From update of attachment 69141 [details])
> Normally we require a test for any bug fix. I am saying review+ on this even without a test, but it seems that given you understanding of the cause you could construct a test.

I still want to spend some more time trying to create a test. What makes me feel comfortable landing this patch without a test, is the fact that this is the only case of dereferencing of a render object that is performed without checking for null that I could find in Webcore.
Comment 4 Tony Chang 2010-09-29 12:00:23 PDT 
If it helps, many of the crash dumps in Chromium have http://www.netflix.com/WiHome as the crashing URL.

The chromium crash report is here: http://code.google.com/p/chromium/issues/detail?id=29253

Ryosuke also suspects that this null check is all that we need to do, but a repro would still be nice.
Comment 5 Ryosuke Niwa 2010-09-29 12:06:42 PDT 
(In reply to comment #4)
> If it helps, many of the crash dumps in Chromium have http://www.netflix.com/WiHome as the crashing URL.
> 
> The chromium crash report is here: http://code.google.com/p/chromium/issues/detail?id=29253
> 
> Ryosuke also suspects that this null check is all that we need to do, but a repro would still be nice.

Oh yeah, I spent sometime investigating that bug and it's to do with input element.  I remembre it was hard to reproduce.  But every time I could reproduce, it was right after the page load.  I had to move back & forth between pages to reproduce it.
Comment 6 Enrica Casucci 2010-09-29 12:08:46 PDT 
This is the only place I could find where we dereference the renderer without checking for null.
Comment 7 Enrica Casucci 2010-09-29 17:13:12 PDT 
Committed revision 68727.