WebKit Bugzilla
You need to log in before you can comment on or make changes to this bug.
Created an attachment (id=92077) [details] Repro Chromium: http://code.google.com/p/chromium/issues/detail?id=74876 Two repros have been found that appear to trigger the same crash: Repro1: <canvas><ins><p></p></ins></canvas> Triggers a crash on linux in older versions of Chrome Repro2 (attached): <header style="-webkit-columns:5pc auto"><marquee><legend style="-webkit-column-span:all;"> id: chrome.dll!WebCore::RenderBlock::deleteLineBoxTree ReadAV@NULL (760cd30cf928f45d54f8689f33c505c8) description: Attempt to read from unallocated NULL pointer+0x8 in chrome.dll!WebCore::RenderBlock::deleteLineBoxTree stack: chrome.dll!WebCore::RenderBlock::deleteLineBoxTree chrome.dll!WebCore::RenderBlock::splitFlow chrome.dll!WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks chrome.dll!WebCore::RenderBlock::addChildIgnoringContinuation chrome.dll!WebCore::RenderBlock::addChild chrome.dll!WebCore::Node::createRendererIfNeeded chrome.dll!WebCore::Element::attach chrome.dll!WebCore::HTMLFormControlElement::attach chrome.dll!WebCore::HTMLConstructionSite::attach<...> chrome.dll!WebCore::HTMLConstructionSite::attachToCurrent chrome.dll!WebCore::HTMLConstructionSite::insertHTMLElement chrome.dll!WebCore::HTMLTreeBuilder::processStartTagForInBody chrome.dll!WebCore::HTMLTreeBuilder::processStartTag chrome.dll!WebCore::HTMLTreeBuilder::processToken chrome.dll!WebCore::HTMLTreeBuilder::constructTreeFromAtomicToken chrome.dll!WebCore::HTMLDocumentParser::pumpTokenizer chrome.dll!WebCore::HTMLDocumentParser::pumpTokenizerIfPossible chrome.dll!WebCore::HTMLDocumentParser::insert chrome.dll!WebCore::Document::write chrome.dll!WebCore::V8HTMLDocument::writeCallback chrome.dll!v8::internal::HandleApiCallHelper<...> chrome.dll!v8::internal::Builtin_HandleApiCall chrome.dll!v8::internal::Invoke chrome.dll!v8::internal::Execution::Call ...
Created an attachment (id=96496) [details] Patch
(From update of attachment 96496 [details]) r=me
(From update of attachment 96496 [details]) Rejecting attachment 96496 [details] from commit-queue. Failed to run "['./Tools/Scripts/webkit-patch', '--status-host=queues.webkit.org', '--bot-id=ec2-cq-03', '--port..." exit_code: 2 Last 500 characters of output: Tests to be fixed (1221): 6 DumpRenderTree crashes ( 0.5%) 4 tests timed out ( 0.3%) 55 text diff mismatch ( 4.5%) 325 skipped (26.6%) => Tests that will only be fixed if they crash (WONTFIX) (8107): 1 test timed out ( 0.0%) 109 text diff mismatch ( 1.3%) 7948 skipped (98.0%) Regressions: Unexpected text diff mismatch : (1) fast/multicol/span/span-as-nested-inline-block-child.html = TEXT Full output: http://queues.webkit.org/results/8825461
Created an attachment (id=96776) [details] Archive of layout-test-results from ec2-cq-03 The attached test failures were seen while running run-webkit-tests on the commit-queue. Bot: ec2-cq-03 Port: Chromium Platform: Linux-2.6.35-28-virtual-x86_64-with-Ubuntu-10.10-maverick
Created an attachment (id=96832) [details] Patch
(From update of attachment 96832 [details]) View in context: https://bugs.webkit.org/attachment.cgi?id=96832&action=review > LayoutTests/ChangeLog:5 > + WebCore::RenderBlock::deleteLineBoxTree ReadAV@NULL (760cd30cf928f45d54f8689f33c505c8) This summary line is meaningless. "ReadAV@NULL (760cd30cf928f45d54f8689f33c505c8)" is not understandable for everyone. > LayoutTests/ChangeLog:13 > + * fast/multicol/span/span-as-nested-inline-block-child.html: Added. > + * platform/chromium/test_expectations.txt: > + * platform/mac/fast/multicol/span/span-as-nested-inline-block-child-expected.png: Added. > + * platform/mac/fast/multicol/span/span-as-nested-inline-block-child-expected.txt: Added. This is a test for crash, right? So, dumpAsText() is enough. We don't need the render tree and the image.
(In reply to comment #6) > (From update of attachment 96832 [details] [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=96832&action=review > > > LayoutTests/ChangeLog:5 > > + WebCore::RenderBlock::deleteLineBoxTree ReadAV@NULL (760cd30cf928f45d54f8689f33c505c8) > > This summary line is meaningless. "ReadAV@NULL (760cd30cf928f45d54f8689f33c505c8)" is not understandable for everyone. I changed the title of the bug to something more descriptive, I'll change the summary line with the next iteration of the patch. > > LayoutTests/ChangeLog:13 > > + * fast/multicol/span/span-as-nested-inline-block-child.html: Added. > > + * platform/chromium/test_expectations.txt: > > + * platform/mac/fast/multicol/span/span-as-nested-inline-block-child-expected.png: Added. > > + * platform/mac/fast/multicol/span/span-as-nested-inline-block-child-expected.txt: Added. > > This is a test for crash, right? > So, dumpAsText() is enough. We don't need the render tree and the image. It prevents a crash, but it also tests a specific behavior for how spanning elements should behave in specific cases. The case is not defined in the W3C standard. Given a discussion I had with I believe Dave Hyatt, it seemed like the case was well defined in WebKit, and this test also tests the specified behavior. This might be more appropriate for another test case, however, and I can simplify the test to just be a crashing test.
<rdar://problem/9030928>
This isn't just about a crash. It's testing the behavior of a spanning element inside an inline-block. I want a pixel test for this (like we have with other column spanning tests). I agree the ChangeLog should make it more clear what the patch is about (that it's not just fixing a crash but is making sure our behavior is correct as well).
Created an attachment (id=97151) [details] Patch
(From update of attachment 97151 [details]) Rejecting attachment 97151 [details] from commit-queue. Failed to run "['./Tools/Scripts/webkit-patch', '--status-host=queues.webkit.org', '--bot-id=ec2-cq-01', '--port..." exit_code: 1 Last 500 characters of output: f6acd52cadfb5acdddff4ce589229df2e78c11a2 r88841 = ebf7685ad816b854d59abe81da5acf6eb7a15e51 Done rebuilding .git/svn/refs/remotes/origin/master/.rev_map.268f45cc-cd09-0410-ab3c-d52691b4dbfc First, rewinding head to replay your work on top of it... Fast-forwarded master to refs/remotes/origin/master. Updating chromium port dependencies using gclient... ________ running '/usr/bin/python gyp_webkit' in '/mnt/git/webkit-commit-queue/Source/WebKit/chromium' Updating webkit projects from gyp files... Full output: http://queues.webkit.org/results/8843272
(From update of attachment 97151 [details]) r=me
(From update of attachment 97151 [details]) Rejecting attachment 97151 [details] from commit-queue. Failed to run "['./Tools/Scripts/webkit-patch', '--status-host=queues.webkit.org', '--bot-id=ec2-cq-03', '--port..." exit_code: 1 Last 500 characters of output: 127714e485617c54f40567829327a2b27d46365b r88844 = 5a589ccf5f21d1b83d2d5023a101500e1d149ae7 Done rebuilding .git/svn/refs/remotes/origin/master/.rev_map.268f45cc-cd09-0410-ab3c-d52691b4dbfc First, rewinding head to replay your work on top of it... Fast-forwarded master to refs/remotes/origin/master. Updating chromium port dependencies using gclient... ________ running '/usr/bin/python gyp_webkit' in '/mnt/git/webkit-commit-queue/Source/WebKit/chromium' Updating webkit projects from gyp files... Full output: http://queues.webkit.org/results/8787117
Created an attachment (id=97165) [details] Patch
(From update of attachment 97165 [details]) r=me
(From update of attachment 97165 [details]) Clearing flags on attachment: 97165 Committed r88854: <http://trac.webkit.org/changeset/88854>
All reviewed patches have been landed. Closing bug.
It seems like we just need a rebaseline? http://test-results.appspot.com/dashboards/flakiness_dashboard.html#tests=fast%2Fmulticol%2Fspan%2Fspan-as-nested-inline-block-child.html&showExpectations=true