Bug 6693 - offsetHeight returns 0, where IE does not.
Summary: offsetHeight returns 0, where IE does not.
Status: RESOLVED CONFIGURATION CHANGED
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM
Version: 420+
Hardware: Mac OS X 10.4
Importance: P2 Major
Assignee: Nobody
URL: http://cnx.rice.edu/content/m11268/la...
Keywords: HasReduction, InRadar
Depends on: 7080
Blocks:
Reported: 2006-01-20 18:35 PST by Alice Liu
Modified: 2022-08-02 09:00 PDT

Attachments
OffsetHeight test (253 bytes, text/html)
2006-01-21 14:13 PST, mitz
Prepares an alert message showing the offset discrepancy between the same anchor tag vertical offset when inline and when set with display:block (2.14 KB, text/html)
2011-11-16 09:35 PST, ksev

Description Alice Liu 2006-01-20 18:35:48 PST
This bug is also in Radar as <rdar://4415273>

Summary: 
Safari hangs when visiting http://cnx.rice.edu/content/m11268/latest/

Steps to Reproduce: 
0. MacOS 10.4.4 (8G32)
1. Launch Safari
2. Type "http://cnx.rice.edu/content/m11268/latest/" into address bar and press return

Expected Results: 
Safari should show the page (or at least make an effort)

Actual Results: 
Safari hangs -- must force quit.

Regression: 
Didn't regress.

Notes: 
Firefox 1.5 does not hang on this page, though it does report some missing fonts.



'pwp-pb15.spx' was successfully uploaded

-------------------------------------------

<GMT19-Jan-2006 21:54:53GMT> Paul Placeway:
Please assign to Developer ADCBugs for further communications with the developer.

<GMT21-Jan-2006 02:20:07GMT> Alice Liu:
Denver and Glendale hang for long periods.  TOT hangs (see attached sample) with 

KJS::Collector::markStackObjectsConservatively(void*, void*) 
KJS::SimpleNumber::is(KJS::JSValue const*)

at the top when viewed with HotSpotFinder, and then after a while crashes with this trace: 

Thread 0 Crashed:
0   <<00000000>> 	0xffff87c4 __memcpy + 36 (cpu_capabilities.h:189)
1   com.apple.JavaScriptCore 	0x015f6dc4 KJS::UString::UString[in-charge](KJS::UString const&, KJS::UString const&) + 948 (ustring.cpp:474)
2   com.apple.JavaScriptCore 	0x0163e7ac KJS::operator+(KJS::UString const&, KJS::UString const&) + 52 (ustring.h:500)
3   com.apple.JavaScriptCore 	0x015e8fdc KJS::add(KJS::ExecState*, KJS::JSValue*, KJS::JSValue*, char) + 292 (operations.cpp:225)
4   com.apple.JavaScriptCore 	0x015d7b28 KJS::AddNode::evaluate(KJS::ExecState*) + 356 (nodes.cpp:1056)
5   com.apple.JavaScriptCore 	0x015e10e0 KJS::AssignResolveNode::evaluate(KJS::ExecState*) + 640 (nodes.cpp:1317)
6   com.apple.JavaScriptCore 	0x015d6b3c KJS::ExprStatementNode::execute(KJS::ExecState*) + 220 (nodes.cpp:1605)
7   com.apple.JavaScriptCore 	0x015dbd14 KJS::ForNode::execute(KJS::ExecState*) + 1036 (nodes.cpp:1745)
8   com.apple.JavaScriptCore 	0x015d59f4 KJS::SourceElementsNode::execute(KJS::ExecState*) + 616 (nodes.cpp:2335)
9   com.apple.JavaScriptCore 	0x015d424c KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1582)
10  com.apple.JavaScriptCore 	0x015dcd8c KJS::IfNode::execute(KJS::ExecState*) + 500 (nodes.cpp:1624)
11  com.apple.JavaScriptCore 	0x015d59f4 KJS::SourceElementsNode::execute(KJS::ExecState*) + 616 (nodes.cpp:2335)
12  com.apple.JavaScriptCore 	0x015d424c KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1582)
13  com.apple.JavaScriptCore 	0x015bc218 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 92 (function.cpp:339)
14  com.apple.JavaScriptCore 	0x015bb914 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 700 (function.cpp:110)
15  com.apple.JavaScriptCore 	0x015e7df0 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 288 (object.cpp:96)
16  com.apple.JavaScriptCore 	0x015df7c4 KJS::FunctionCallResolveNode::evaluate(KJS::ExecState*) + 820 (nodes.cpp:570)
17  com.apple.JavaScriptCore 	0x015d6b3c KJS::ExprStatementNode::execute(KJS::ExecState*) + 220 (nodes.cpp:1605)
18  com.apple.JavaScriptCore 	0x015d59f4 KJS::SourceElementsNode::execute(KJS::ExecState*) + 616 (nodes.cpp:2335)
19  com.apple.JavaScriptCore 	0x015d424c KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1582)
20  com.apple.JavaScriptCore 	0x015cbd68 KJS::InterpreterImp::evaluate(KJS::UChar const*, int, KJS::JSValue*, KJS::UString const&, int) + 1028 (internal.cpp:682)
21  com.apple.JavaScriptCore 	0x015cc5ec KJS::Interpreter::evaluate(KJS::UString const&, int, KJS::UChar const*, int, KJS::JSValue*) + 100 (interpreter.cpp:121)
22  com.apple.WebCore        	0x01ca2aac KJSProxyImpl::evaluate(WebCore::DOMString const&, int, WebCore::DOMString const&, WebCore::NodeImpl*) + 296 (kjs_proxy.cpp:63)
23  com.apple.WebCore        	0x01e381fc Frame::executeScript(QString, int, WebCore::NodeImpl*, QString const&) + 160 (Frame.cpp:2521)
24  com.apple.WebCore        	0x01cecd94 WebCore::HTMLTokenizer::scriptExecution(QString const&, WebCore::HTMLTokenizer::State, QString, int) + 496 (htmltokenizer.cpp:485)
25  com.apple.WebCore        	0x01cefc2c WebCore::HTMLTokenizer::scriptHandler(WebCore::HTMLTokenizer::State) + 1568 (htmltokenizer.cpp:425)
26  com.apple.WebCore        	0x01cf030c WebCore::HTMLTokenizer::parseSpecial(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 1292 (htmltokenizer.cpp:292)
27  com.apple.WebCore        	0x01cf2810 WebCore::HTMLTokenizer::parseTag(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 7732 (htmltokenizer.cpp:1262)
28  com.apple.WebCore        	0x01cf3220 WebCore::HTMLTokenizer::write(WebCore::SegmentedString const&, bool) + 1776 (htmltokenizer.cpp:1467)
29  com.apple.WebCore        	0x01ced2b0 WebCore::HTMLTokenizer::notifyFinished(WebCore::CachedObject*) + 816 (htmltokenizer.cpp:1784)
30  com.apple.WebCore        	0x01e944e0 WebCore::CachedScript::checkNotify() + 140 (CachedScript.cpp:111)
31  com.apple.WebCore        	0x01e94670 WebCore::CachedScript::data(QBuffer&, bool) + 276 (CachedScript.cpp:103)
32  com.apple.WebCore        	0x01e97368 WebCore::Loader::slotFinished(KIO::Job*, NSData*) + 804 (loader.cpp:168)
33  com.apple.WebCore        	0x01d1d368 KWQSlot::callWithData(KIO::Job*, NSData*) const + 108 (KWQSlot.cpp:320)
34  com.apple.WebCore        	0x01d1be74 KWQSignal::callWithData(KIO::Job*, NSData*) const + 232 (KWQSignal.cpp:183)
35  com.apple.WebCore        	0x01c14898 KIO::TransferJob::emitResult(NSData*) + 72 (KWQKJobClasses.mm:242)
36  com.apple.WebCore        	0x01d20440 -[KWQResourceLoader finishJobAndHandle:] + 128 (KWQResourceLoader.mm:95)
37  com.apple.WebCore        	0x01d206ec -[KWQResourceLoader finishWithData:] + 200 (KWQResourceLoader.mm:126)
38  com.apple.WebKit         	0x01242444 -[WebSubresourceLoader didFinishLoading] + 132 (WebSubresourceLoader.m:218)
39  com.apple.WebKit         	0x01251304 -[WebLoader connectionDidFinishLoading:] + 184 (WebLoader.m:663)
40  com.apple.Foundation     	0x90b4acdc -[NSURLConnection(NSURLConnectionInternal) _sendDidFinishLoadingCallback] + 188
41  com.apple.Foundation     	0x90b48f48 -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] + 556
42  com.apple.Foundation     	0x90b48ca0 _sendCallbacks + 156
43  com.apple.CoreFoundation 	0x902b0a68 __CFRunLoopDoSources0 + 384
44  com.apple.CoreFoundation 	0x902aff98 __CFRunLoopRun + 452
45  com.apple.CoreFoundation 	0x902afa18 CFRunLoopRunSpecific + 268
46  com.apple.HIToolbox      	0x920531e0 RunCurrentEventLoopInMode + 264
47  com.apple.HIToolbox      	0x92052874 ReceiveNextEventCommon + 380
48  com.apple.HIToolbox      	0x920526e0 BlockUntilNextEventMatchingListInMode + 96
49  com.apple.AppKit         	0x9253f104 _DPSNextEvent + 384
50  com.apple.AppKit         	0x9253edc8 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 116
51  com.apple.Safari         	0x00030ec4 -[BrowserApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 292 (BrowserApplication.m:152)
52  com.apple.AppKit         	0x9253b30c -[NSApplication run] + 472
53  com.apple.AppKit         	0x9262be68 NSApplicationMain + 452
54  com.apple.Safari         	0x000f7d90 main + 156 (main.m:23)
55  com.apple.Safari         	0x00002814 _start + 344 (crt.c:272)
56  com.apple.Safari         	0x000026b8 start + 60
Comment 1 mitz 2006-01-21 14:13:44 PST
Created attachment 5819
OffsetHeight test

The given page enters an infinite for loop at http://cnx.rice.edu/pmathmlcss.js:35
    for ( i = 3; i <= mrowH / (2*opH) ; i += 1)
since opH is zero.
opH comes from taking the offsetHeight of an empty <span>.

Firefox also gives zero for the height of an empty <span>, but doesn't reach that code at all since it doesn't support accessing DOM nodes as JS variables by id.

WinIE gives a positive height even for the empty span.
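
The loop condition discussed in comment 1, as an added example that is not part of the bug report or of pmathmlcss.js: in JavaScript a positive number divided by zero is Infinity, so `i <= mrowH / (2*opH)` never becomes false when `opH` is 0. The function names, the step cap and the sample measurements are assumptions made for the demonstration; the guarded form validates the measured value before it is used as a divisor.

```javascript
// Added example. Names other than mrowH and opH are hypothetical.
// Constructed measurements: opH = 0 models an empty <span> whose offsetHeight is 0.

// Bound used by the quoted loop condition: i <= mrowH / (2*opH).
function loopBound(mrowH, opH) {
  return mrowH / (2 * opH); // 40 / 0 is Infinity, 0 / 0 is NaN
}

// Same loop shape as the quoted line, with a step cap added only so that
// this demonstration terminates. hitCap tells the caller the loop was unbounded.
function runUnguarded(mrowH, opH, maxSteps) {
  let steps = 0;
  for (let i = 3; i <= mrowH / (2 * opH); i += 1) {
    steps += 1;
    if (steps >= maxSteps) return { steps, hitCap: true };
  }
  return { steps, hitCap: false };
}

// Guarded form: refuse a zero, negative or non-finite measurement before
// looping, and compute the bound once so it cannot change mid-loop.
function runGuarded(mrowH, opH) {
  if (!Number.isFinite(mrowH) || !Number.isFinite(opH) || opH <= 0) {
    return { steps: 0, skipped: true };
  }
  const bound = Math.floor(mrowH / (2 * opH));
  let steps = 0;
  for (let i = 3; i <= bound; i += 1) steps += 1;
  return { steps, skipped: false };
}

console.log(loopBound(40, 0));          // bound when the span height is 0
console.log(runUnguarded(40, 0, 1000)); // reaches the cap
console.log(runUnguarded(40, 4, 1000)); // normal case: i = 3, 4, 5
console.log(runGuarded(40, 0));         // skipped instead of spinning
```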
Comment 2 Darin Adler 2006-02-04 09:36:25 PST
I know this is a hang, but we don't need separate P1 bugs for each page where there's an infinite JavaScript loop.

There are two ways to look at this:

    1) we need to "finesse" this difference from WinIE so we don't hang on this page
    2) we need to make sure that infinite JavaScript loops don't hang the entire browser

Item (2) is something we're planning to do as part of the "tree code" project. It's not clear how to do (1) at all. I think I'd like to bump this down to P2 soon.
Comment 3 Joost de Valk (AlthA) 2006-02-05 01:20:23 PST
Bug 7080 has been filed for the infinite loop part, renaming this one to track how we handle offsetHeight. Lowering to P2 in the process.
Comment 4 ksev 2011-11-16 09:35:20 PST
Created attachment 115394
Prepares an alert message showing the offset discrepancy between the same anchor tag vertical offset when inline and when set with display:block
Comment 5 ksev 2011-11-16 09:40:37 PST
I'd like to see this one fixed. It also impacts empty anchor elements. Positioning elements programmatically in relation to empty anchor elements is basic and necessary functionality. I'm including a related thread here which may shed additional light on the issue:

http://stackoverflow.com/questions/8126648/how-to-get-the-correct-offset-top-value-from-webkit-chrome-safari-with-jquery/8126822#8126822

Thanks for your help!
Comment 6 Darin Adler 2011-11-16 09:47:52 PST
The bug is about offsetHeight, but that last comment seems to be about offsetTop. Are you sure this is the same issue?
Comment 7 ksev 2011-11-16 10:24:48 PST
(In reply to comment #6)
> The bug is about offsetHeight, but that last comment seems to be about offsetTop. Are you sure this is the same issue?

Thanks for the heads up! Sorry, I should have seen that. I'll search for the correct place for this update or log a new bug.
Comment 8 ksev 2011-11-16 14:16:57 PST
(In reply to comment #6)
> The bug is about offsetHeight, but that last comment seems to be about offsetTop. Are you sure this is the same issue?

Okay, I did another search and didn't find this exact issue. I logged the following bug: https://bugs.webkit.org/show_bug.cgi?id=72524
Comment 9 Ahmad Saleem 2022-08-02 06:52:42 PDT
On "OffsetHeight test" - all browsers:

*** Safari 15.6 on macOS 12.5 ***

Empty span offsetHeight: 18
Non-empty span offsetHeight: 18

*** Chrome Canary 106 ***

Empty span offsetHeight: 19
Non-empty span offsetHeight: 19

*** Firefox Nightly 105 ***

Empty span offsetHeight: 0
Non-empty span offsetHeight: 16 

_____

On "Prepares..." - all browsers:

*** Safari 15.6 on macOS 12.5 ***

displayCss=[inline]
alteredOffset.top=[427.8125]
offsetAlert(calledBy=[jQuery.ready])
	anchor.offset().top=[427.8125]

subheading.offset().top=[427.8125]

displayCss=[inline]
alteredOffset.top=[427.8125]
offsetAlert(calledBy=[body.onload])
	anchor.offset().top=[427.8125]

subheading.offset().top=[427.8125]

*** Chrome Canary 106 ***

displayCss=[inline]
alteredOffset.top=[437.328125]
offsetAlert(calledBy=[jQuery.ready])
	anchor.offset().top=[437.328125]

subheading.offset().top=[437.328125]

displayCss=[inline]
alteredOffset.top=[437.328125]
offsetAlert(calledBy=[body.onload])
	anchor.offset().top=[437.328125]

subheading.offset().top=[437.328125]

*** Firefox Nightly 105 ***

displayCss=[inline]
alteredOffset.top=[452.6333312988281]
offsetAlert(calledBy=[jQuery.ready])
	anchor.offset().top=[454.23333740234375]

subheading.offset().top=[454.23333740234375]

displayCss=[inline]
alteredOffset.top=[452.6333312988281]
offsetAlert(calledBy=[body.onload])
	anchor.offset().top=[454.23333740234375]

subheading.offset().top=[454.23333740234375]

_________

Just wanted to share updated test results. Thanks!
Comment 10 Ryosuke Niwa 2022-08-02 09:00:41 PDT
Looks like it's working now.