RESOLVED FIXED 73116
Crash in BidiRunList<Run>::replaceRunWithRuns with an empty bdi element
https://bugs.webkit.org/show_bug.cgi?id=73116
Ryosuke Niwa
Reported 2011-11-25 00:02:51 PST
Open:
<!DOCTYPE html> <html> <body> <keygen> <bdi></bdi> </body> </html>

then we hit:

ASSERTION FAILED: newRuns.runCount()
/Users/rniwa/webkit/Source/WebCore/platform/text/BidiRunList.h(146) : void WebCore::BidiRunList<Run>::replaceRunWithRuns(Run*, WebCore::BidiRunList<Run>&) [with Run = WebCore::BidiRun]
1 0x1034d0df7 WebCore::BidiRunList<WebCore::BidiRun>::replaceRunWithRuns(WebCore::BidiRun*, WebCore::BidiRunList<WebCore::BidiRun>&)
2 0x1034bfb43 WebCore::constructBidiRuns(WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>&, WebCore::BidiRunList<WebCore::BidiRun>&, WebCore::InlineIterator const&, WebCore::VisualDirectionOverride, bool)
3 0x1034c4832 WebCore::RenderBlock::layoutRunsAndFloatsInRange(WebCore::LineLayoutState&, WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>&, WebCore::InlineIterator const&, WebCore::BidiStatus const&, unsigned int)
4 0x1034c5459 WebCore::RenderBlock::layoutRunsAndFloats(WebCore::LineLayoutState&, bool)
5 0x1034c5999 WebCore::RenderBlock::layoutInlineChildren(bool, int&, int&)
6 0x10349a3ae WebCore::RenderBlock::layoutBlock(bool, int, WebCore::RenderBlock::BlockLayoutPass)
7 0x10348e45d WebCore::RenderBlock::layout()
8 0x103497e62 WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, int&, int&)
9 0x103498e12 WebCore::RenderBlock::layoutBlockChildren(bool, int&)
10 0x10349a3c7 WebCore::RenderBlock::layoutBlock(bool, int, WebCore::RenderBlock::BlockLayoutPass)
11 0x10348e45d WebCore::RenderBlock::layout()
12 0x103497e62 WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, int&, int&)
13 0x103498e12 WebCore::RenderBlock::layoutBlockChildren(bool, int&)
14 0x10349a3c7 WebCore::RenderBlock::layoutBlock(bool, int, WebCore::RenderBlock::BlockLayoutPass)
15 0x10348e45d WebCore::RenderBlock::layout()
16 0x10363b4a0 WebCore::RenderView::layout()
17 0x102d4b6e2 WebCore::FrameView::layout(bool)
18 0x102b52ff3 WebCore::Document::implicitClose()
19 0x102d28549 WebCore::FrameLoader::checkCallImplicitClose()
20 0x102d2bde8 WebCore::FrameLoader::checkCompleted()
21 0x102d2c664 WebCore::FrameLoader::finishedParsing()
22 0x102b54b6c WebCore::Document::finishedParsing()
23 0x102e6afaa WebCore::HTMLTreeBuilder::finished()
24 0x102de9798 WebCore::HTMLDocumentParser::end()
25 0x102de988d WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd()
26 0x102deb399 WebCore::HTMLDocumentParser::prepareToStopParsing()
27 0x102de9454 WebCore::HTMLDocumentParser::attemptToEnd()
28 0x102de96ec WebCore::HTMLDocumentParser::finish()
29 0x102b923fe WebCore::DocumentWriter::endIfNotLoadingMainResource()
30 0x102b92445 WebCore::DocumentWriter::end()
31 0x102b7bd1b WebCore::DocumentLoader::finishedLoading()
Attachments
demo (67 bytes, text/html)
2011-11-25 00:03 PST, Ryosuke Niwa
fixes the failure (3.15 KB, patch)
2011-11-25 01:59 PST, Ryosuke Niwa
Ryosuke Niwa
Comment 1 2011-11-25 00:03:06 PST
Ryosuke Niwa
Comment 2 2011-11-25 00:04:19 PST
Also see the bug 71737.
Ryosuke Niwa
Comment 3 2011-11-25 00:56:30 PST
Apparently this has nothing to do with keygen. We just need some text rendered on the page and an empty bdi element.
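The failure mode described above, as an added model that is not WebKit's code: a line's text becomes a list of runs, an inline isolate such as an empty bdi first gets one placeholder run, and replacing that placeholder with an empty run list trips the same kind of precondition as the reported assertion. The guard in spliceIsolate (drop the placeholder when the isolate produced no runs) is an assumption for this model, not the change landed in r101180.

```cpp
// Simplified stand-in for the report's BidiRunList (constructed, not WebKit code).
#include <cassert>
#include <iterator>
#include <list>
#include <string>
#include <vector>

class RunList {
public:
    using Iterator = std::list<std::string>::iterator;
    Iterator addRun(const std::string& text) {
        runs_.push_back(text);
        return std::prev(runs_.end());
    }
    size_t runCount() const { return runs_.size(); }
    // Splice newRuns into this list in place of run. As in the report's
    // BidiRunList, a non-empty replacement list is a precondition.
    void replaceRunWithRuns(Iterator run, RunList& newRuns) {
        assert(newRuns.runCount()); // the assertion that fired in the bug
        runs_.splice(run, newRuns.runs_); // moves every run of newRuns before run
        runs_.erase(run);
    }
    void deleteRun(Iterator run) { runs_.erase(run); }
    std::vector<std::string> texts() const {
        return std::vector<std::string>(runs_.begin(), runs_.end());
    }
private:
    std::list<std::string> runs_;
};

// Caller-side guard (assumed handling for this model, not the r101180 patch):
// an empty isolate yields no runs, so drop the placeholder instead of passing
// an empty list to replaceRunWithRuns. Returns true if a replacement happened.
bool spliceIsolate(RunList& line, RunList::Iterator placeholder, RunList& isolateRuns) {
    if (!isolateRuns.runCount()) { line.deleteRun(placeholder); return false; }
    line.replaceRunWithRuns(placeholder, isolateRuns);
    return true;
}

// Lays out "Hello <bdi>...</bdi> World" (constructed input) with the given
// isolate contents and returns the run texts that remain on the line.
std::vector<std::string> layoutLine(const std::vector<std::string>& isolateContents) {
    RunList line;
    line.addRun("Hello ");
    RunList::Iterator placeholder = line.addRun("<isolate>");
    line.addRun(" World");
    RunList isolate;
    for (const std::string& s : isolateContents) isolate.addRun(s);
    spliceIsolate(line, placeholder, isolate);
    return line.texts();
}
```

Calling spliceIsolate without the runCount check on an empty isolate reproduces the assertion; with it, the empty bdi simply contributes no runs.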
Ryosuke Niwa
Comment 4 2011-11-25 01:48:56 PST
Just realized that this actually crashes WebKit :(
Ryosuke Niwa
Comment 5 2011-11-25 01:59:00 PST
Created attachment 116583 [details] fixes the failure
Eric Seidel (no email)
Comment 6 2011-11-25 11:09:44 PST
Comment on attachment 116583 [details] fixes the failure
Thanks!
WebKit Review Bot
Comment 7 2011-11-25 12:21:23 PST
Comment on attachment 116583 [details] fixes the failure
Clearing flags on attachment: 116583
Committed r101180: <http://trac.webkit.org/changeset/101180>
WebKit Review Bot
Comment 8 2011-11-25 12:21:29 PST
All reviewed patches have been landed. Closing bug.
Ryosuke Niwa
Comment 9 2011-11-25 12:21:45 PST
*** Bug 71737 has been marked as a duplicate of this bug. ***