Bug 9357 - Rendering snafu in production Safari when viewing Bugzilla bugs
Summary: Rendering snafu in production Safari when viewing Bugzilla bugs
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs (show other bugs)
Version: 417.x
Hardware: Mac OS X 10.4
: P2 Normal
Assignee: Nobody
URL: http://bugzilla.opendarwin.org/show_b...
Keywords: InRadar, NeedsReduction
Depends on:
Blocks:
 
Reported: 2006-06-08 05:00 PDT by David Kilzer (:ddkilzer)
Modified: 2006-06-10 12:50 PDT (History)
1 user (show)

See Also:


Attachments
Screenshot of rendering issue (131.65 KB, image/png)
2006-06-08 05:03 PDT, David Kilzer (:ddkilzer)
no flags Details
Source of bugzilla page with rendering issues (30.99 KB, text/html)
2006-06-08 05:10 PDT, David Kilzer (:ddkilzer)
no flags Details
Source of DOM when page renders incorrectly (via "Show DOM Tree") (32.49 KB, text/html)
2006-06-09 20:38 PDT, David Kilzer (:ddkilzer)
no flags Details
Ethereal packet capture in libpcap format of five requests (last one renders incorrectly) (42.67 KB, application/octet-stream)
2006-06-10 05:30 PDT, David Kilzer (:ddkilzer)
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description David Kilzer (:ddkilzer) 2006-06-08 05:00:55 PDT
Steps to Reproduce:

1. Open Safari.
2. Navigate to webkit-unassigned archives.
3. Command-click on mail message.
4. Click on the Bugzilla bug URL near the top of the bug mail.

Expected Results:

The page renders normally.

Actual Results:

The page renders incorrectly (see screenshot that I'll attach in a bit).

Regression:

This occurred in the production release of Safari 2.0.3 (417.9.3) on Mac OS X 10.4.6 (8I127/PowerPC).

Notes:

This is NOT always reproducible.  This is only the second time I've seen this happen.  This bug is probably VERY timing-dependent.
Comment 1 David Kilzer (:ddkilzer) 2006-06-08 05:03:13 PDT
Created attachment 8769 [details]
Screenshot of rendering issue
Comment 2 David Kilzer (:ddkilzer) 2006-06-08 05:09:33 PDT
Here is the bug I was looking at:

http://bugzilla.opendarwin.org/show_bug.cgi?id=9342

After further testing, reloading the same page over and over will recreate the bug approximately 1 in 10 times.
Comment 3 David Kilzer (:ddkilzer) 2006-06-08 05:10:15 PDT
Created attachment 8770 [details]
Source of bugzilla page with rendering issues
Comment 4 David Kilzer (:ddkilzer) 2006-06-08 05:26:30 PDT
After further testing, this probably only happens if there are TWO copies of Safari running.  The second copy of Safari (which was a locally-built WebKit r14767 plus Attachment 8721 [details] on Bug 9217) was started after test failures from run-webkit-tests.

Even then, the bug shows up much less than 1 in 10 times.
Comment 5 David Kilzer (:ddkilzer) 2006-06-08 05:32:17 PDT
This could be a duplicate of Bug 9356.
Comment 6 David Kilzer (:ddkilzer) 2006-06-08 05:34:40 PDT
(In reply to comment #4)
> After further testing, this probably only happens if there are TWO copies of
> Safari running.  The second copy of Safari (which was a locally-built WebKit
> r14767 plus Attachment 8721 [details] [edit] on Bug 9217) was started after test failures from
> run-webkit-tests.

Belay that order.  This bug does NOT require a second copy of Safari running.  I just saw it again without a second Safari running.
Comment 7 mitz 2006-06-08 14:49:30 PDT
Based on the screenshot, I don't think this bug belongs in the Layout and Rendering component. It looks like the loader, tokenizer or parser screwed up (script contents ended up outside a script element).
Comment 8 David Kilzer (:ddkilzer) 2006-06-09 20:38:01 PDT
Created attachment 8791 [details]
Source of DOM when page renders incorrectly (via "Show DOM Tree")

This is the source of the DOM via the HTML element using the old "Show DOM Tree" menu item from the Debug menu.

There is simply a chunk of the page missing between these two lines in the file:

      <P id="banner-name">
reply&lt;' + '/a&gt;]');
Comment 9 David Kilzer (:ddkilzer) 2006-06-09 20:51:11 PDT
New Steps to Reproduce (works 1 in 5 times):

1. Open this exact bug:  http://bugzilla.opendarwin.org/show_bug.cgi?id=9342
2. Command-Shift-Click on the linked "9342" after "Bug#:" to open up a new tab and change focus to it.
3. Repeat Step 2 for each "good" rendered page until you hit a "bad" one.
Comment 10 David Kilzer (:ddkilzer) 2006-06-09 20:54:05 PDT
(In reply to comment #9)
> New Steps to Reproduce (works 1 in 5 times):
> 
> 1. Open this exact bug:  http://bugzilla.opendarwin.org/show_bug.cgi?id=9342
> 2. Command-Shift-Click on the linked "9342" after "Bug#:" to open up a new tab
> and change focus to it.
> 3. Repeat Step 2 for each "good" rendered page until you hit a "bad" one.

Of course, as soon as I say this, it stops reproducing.

I was rebuilding WebKit and checking out a new copy of WebKit from SVN at the same time (CPU was pegged at 100%).  Try doing the above steps with the CPU pegged (compile WebKit or be creative).
Comment 11 David Kilzer (:ddkilzer) 2006-06-09 21:18:50 PDT
<rdar://problem/4581377>
Comment 12 David Kilzer (:ddkilzer) 2006-06-10 05:30:21 PDT
Created attachment 8795 [details]
Ethereal packet capture in libpcap format of five requests (last one renders incorrectly)

Attaching a packet trace of five HTTP requests for this URL:

http://bugzilla.opendarwin.org/show_bug.cgi?id=9342

The last request renders incorrectly per this bug.

The only thing that stands out to me is that chunked encoding is used for all of the requests, and the second chunk starts on a new TCP/IP packet in all but the last request.   (It looks like an interesting boundary condition without knowing anything else.)

I need to test this bug on a WebKit nightly (since if it's a network-layer issue, it should be reproducible) and then try to reproduce it 100% using some kind of packet-replay software or writing a daemon (in Perl?) that always sends this web page the same way (with the second chunk starting in the middle of a packet).
Comment 13 David Kilzer (:ddkilzer) 2006-06-10 05:41:07 PDT
Comment on attachment 8795 [details]
Ethereal packet capture in libpcap format of five requests (last one renders incorrectly)

(In reply to comment #12)
> Created an attachment (id=8795) [edit]
> The only thing that stands out to me is that chunked encoding is used for all
> of the requests, and the second chunk starts on a new TCP/IP packet in all but
> the last request.   (It looks like an interesting boundary condition without
> knowing anything else.)

The network layer has been eliminated as the problem.  I just captured a trace where the second chunked encoding fell on a packet boundary (started in a new packet), but the page rendered incorrectly.

> I need to test this bug on a WebKit nightly (since if it's a network-layer
> issue, it should be reproducible) and then try to reproduce it 100% using some
> kind of packet-replay software or writing a daemon (in Perl?) that always sends
> this web page the same way (with the second chunk starting in the middle of a
> packet).

I could not reproduce this on a nightly, but easily reproduced it on production Safari (the same version listed in Comment #0).

The bug must lie somewhere in the parser/tokenizer, but it looks like it's been fixed in WebKit ToT.
Comment 14 David Kilzer (:ddkilzer) 2006-06-10 05:43:17 PDT
(In reply to comment #13)
> I could not reproduce this on a nightly, but easily reproduced it on production
> Safari (the same version listed in Comment #0).

Another way to reproduce this problem:

1. Open this exact bug:  http://bugzilla.opendarwin.org/show_bug.cgi?id=9342
2. Command-Click on the linked "9342" after "Bug#:" as fast as possible for a few seconds to open tens of new tabs.  One or a few of them should have the rendering bug displayed.
Comment 15 David Kilzer (:ddkilzer) 2006-06-10 11:44:57 PDT
(In reply to comment #10)
> I was rebuilding WebKit and checking out a new copy of WebKit from SVN at the
> same time (CPU was pegged at 100%).  Try doing the above steps with the CPU
> pegged (compile WebKit or be creative).

CPU load has nothing to do with this bug.  It will reproduce without loading the CPU.
Comment 16 David Kilzer (:ddkilzer) 2006-06-10 12:50:36 PDT
A binary search of WebKit nightlies shows:

 Fixed: r14121
Broken: r14095

Looking at the changelog entries between r14095 and r14121, revision r14106 (Bug 5855) looks like it may have fixed this.

I'm marking this as RESOLVED/FIXED for WebKit ToT, but I'm guessing Apple may want to consider fixing this for the production Safari 2.0.x releases if they're not going to pull WebKit from ToT anytime soon.