Created attachment 92077 [details] Repro Chromium: http://code.google.com/p/chromium/issues/detail?id=74876 Two repros have been found that appear to trigger the same crash: Repro1: <canvas><ins><p></p></ins></canvas> Triggers a crash on linux in older versions of Chrome Repro2 (attached): <header style="-webkit-columns:5pc auto"><marquee><legend style="-webkit-column-span:all;"> id: chrome.dll!WebCore::RenderBlock::deleteLineBoxTree ReadAV@NULL (760cd30cf928f45d54f8689f33c505c8) description: Attempt to read from unallocated NULL pointer+0x8 in chrome.dll!WebCore::RenderBlock::deleteLineBoxTree stack: chrome.dll!WebCore::RenderBlock::deleteLineBoxTree chrome.dll!WebCore::RenderBlock::splitFlow chrome.dll!WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks chrome.dll!WebCore::RenderBlock::addChildIgnoringContinuation chrome.dll!WebCore::RenderBlock::addChild chrome.dll!WebCore::Node::createRendererIfNeeded chrome.dll!WebCore::Element::attach chrome.dll!WebCore::HTMLFormControlElement::attach chrome.dll!WebCore::HTMLConstructionSite::attach<...> chrome.dll!WebCore::HTMLConstructionSite::attachToCurrent chrome.dll!WebCore::HTMLConstructionSite::insertHTMLElement chrome.dll!WebCore::HTMLTreeBuilder::processStartTagForInBody chrome.dll!WebCore::HTMLTreeBuilder::processStartTag chrome.dll!WebCore::HTMLTreeBuilder::processToken chrome.dll!WebCore::HTMLTreeBuilder::constructTreeFromAtomicToken chrome.dll!WebCore::HTMLDocumentParser::pumpTokenizer chrome.dll!WebCore::HTMLDocumentParser::pumpTokenizerIfPossible chrome.dll!WebCore::HTMLDocumentParser::insert chrome.dll!WebCore::Document::write chrome.dll!WebCore::V8HTMLDocument::writeCallback chrome.dll!v8::internal::HandleApiCallHelper<...> chrome.dll!v8::internal::Builtin_HandleApiCall chrome.dll!v8::internal::Invoke chrome.dll!v8::internal::Execution::Call ...
Created attachment 96496 [details] Patch
Comment on attachment 96496 [details] Patch r=me
Comment on attachment 96496 [details] Patch Rejecting attachment 96496 [details] from commit-queue. Failed to run "['./Tools/Scripts/webkit-patch', '--status-host=queues.webkit.org', '--bot-id=ec2-cq-03', '--port..." exit_code: 2 Last 500 characters of output: Tests to be fixed (1221): 6 DumpRenderTree crashes ( 0.5%) 4 tests timed out ( 0.3%) 55 text diff mismatch ( 4.5%) 325 skipped (26.6%) => Tests that will only be fixed if they crash (WONTFIX) (8107): 1 test timed out ( 0.0%) 109 text diff mismatch ( 1.3%) 7948 skipped (98.0%) Regressions: Unexpected text diff mismatch : (1) fast/multicol/span/span-as-nested-inline-block-child.html = TEXT Full output: http://queues.webkit.org/results/8825461
Created attachment 96776 [details] Archive of layout-test-results from ec2-cq-03 The attached test failures were seen while running run-webkit-tests on the commit-queue. Bot: ec2-cq-03 Port: Chromium Platform: Linux-2.6.35-28-virtual-x86_64-with-Ubuntu-10.10-maverick
Created attachment 96832 [details] Patch
Comment on attachment 96832 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=96832&action=review > LayoutTests/ChangeLog:5 > + WebCore::RenderBlock::deleteLineBoxTree ReadAV@NULL (760cd30cf928f45d54f8689f33c505c8) This summary line is meaningless. "ReadAV@NULL (760cd30cf928f45d54f8689f33c505c8)" is not understandable for everyone. > LayoutTests/ChangeLog:13 > + * fast/multicol/span/span-as-nested-inline-block-child.html: Added. > + * platform/chromium/test_expectations.txt: > + * platform/mac/fast/multicol/span/span-as-nested-inline-block-child-expected.png: Added. > + * platform/mac/fast/multicol/span/span-as-nested-inline-block-child-expected.txt: Added. This is a test for crash, right? So, dumpAsText() is enough. We don't need the render tree and the image.
(In reply to comment #6) > (From update of attachment 96832 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=96832&action=review > > > LayoutTests/ChangeLog:5 > > + WebCore::RenderBlock::deleteLineBoxTree ReadAV@NULL (760cd30cf928f45d54f8689f33c505c8) > > This summary line is meaningless. "ReadAV@NULL (760cd30cf928f45d54f8689f33c505c8)" is not understandable for everyone. I changed the title of the bug to something more descriptive, I'll change the summary line with the next iteration of the patch. > > LayoutTests/ChangeLog:13 > > + * fast/multicol/span/span-as-nested-inline-block-child.html: Added. > > + * platform/chromium/test_expectations.txt: > > + * platform/mac/fast/multicol/span/span-as-nested-inline-block-child-expected.png: Added. > > + * platform/mac/fast/multicol/span/span-as-nested-inline-block-child-expected.txt: Added. > > This is a test for crash, right? > So, dumpAsText() is enough. We don't need the render tree and the image. It prevents a crash, but it also tests a specific behavior for how spanning elements should behave in specific cases. The case is not defined in the W3C standard. Given a discussion I had with I believe Dave Hyatt, it seemed like the case was well defined in WebKit, and this test also tests the specified behavior. This might be more appropriate for another test case, however, and I can simplify the test to just be a crashing test.
<rdar://problem/9030928>
This isn't just about a crash. It's testing the behavior of a spanning element inside an inline-block. I want a pixel test for this (like we have with other column spanning tests). I agree the ChangeLog should make it more clear what the patch is about (that it's not just fixing a crash but is making sure our behavior is correct as well).
Created attachment 97151 [details] Patch
Comment on attachment 97151 [details] Patch Rejecting attachment 97151 [details] from commit-queue. Failed to run "['./Tools/Scripts/webkit-patch', '--status-host=queues.webkit.org', '--bot-id=ec2-cq-01', '--port..." exit_code: 1 Last 500 characters of output: f6acd52cadfb5acdddff4ce589229df2e78c11a2 r88841 = ebf7685ad816b854d59abe81da5acf6eb7a15e51 Done rebuilding .git/svn/refs/remotes/origin/master/.rev_map.268f45cc-cd09-0410-ab3c-d52691b4dbfc First, rewinding head to replay your work on top of it... Fast-forwarded master to refs/remotes/origin/master. Updating chromium port dependencies using gclient... ________ running '/usr/bin/python gyp_webkit' in '/mnt/git/webkit-commit-queue/Source/WebKit/chromium' Updating webkit projects from gyp files... Full output: http://queues.webkit.org/results/8843272
Comment on attachment 97151 [details] Patch r=me
Comment on attachment 97151 [details] Patch Rejecting attachment 97151 [details] from commit-queue. Failed to run "['./Tools/Scripts/webkit-patch', '--status-host=queues.webkit.org', '--bot-id=ec2-cq-03', '--port..." exit_code: 1 Last 500 characters of output: 127714e485617c54f40567829327a2b27d46365b r88844 = 5a589ccf5f21d1b83d2d5023a101500e1d149ae7 Done rebuilding .git/svn/refs/remotes/origin/master/.rev_map.268f45cc-cd09-0410-ab3c-d52691b4dbfc First, rewinding head to replay your work on top of it... Fast-forwarded master to refs/remotes/origin/master. Updating chromium port dependencies using gclient... ________ running '/usr/bin/python gyp_webkit' in '/mnt/git/webkit-commit-queue/Source/WebKit/chromium' Updating webkit projects from gyp files... Full output: http://queues.webkit.org/results/8787117
Created attachment 97165 [details] Patch
Comment on attachment 97165 [details] Patch r=me
Comment on attachment 97165 [details] Patch Clearing flags on attachment: 97165 Committed r88854: <http://trac.webkit.org/changeset/88854>
All reviewed patches have been landed. Closing bug.
It seems like we just need a rebaseline? http://test-results.appspot.com/dashboards/flakiness_dashboard.html#tests=fast%2Fmulticol%2Fspan%2Fspan-as-nested-inline-block-child.html&showExpectations=true