Bug 9537 - REGRESSION: Reproducible crash in WebCore::RenderTextField::textWithHardLineBreaks()
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Forms
Version: 420+
Hardware: Mac OS X 10.4
Importance: P1 Normal
Assignee: Nobody
URL:
Keywords: EasyFix, Regression
Depends on:
Blocks:
Reported: 2006-06-21 21:56 PDT by David Kilzer (:ddkilzer)
Modified: 2006-06-25 16:50 PDT

See Also:


Attachments
Test case (141 bytes, text/html), 2006-06-22 04:32 PDT, David Kilzer (:ddkilzer), no flags
Patch v1 (4.01 KB, patch), 2006-06-25 15:10 PDT, David Kilzer (:ddkilzer), no flags
Patch v2 (4.95 KB, patch), 2006-06-25 15:29 PDT, David Kilzer (:ddkilzer), darin: review+

Description David Kilzer (:ddkilzer) 2006-06-21 21:56:07 PDT
After clicking a submit button on a form on Spamcop (was reporting spam), Safari+WebKit crashed with the stack trace below.  I'm using Mac OS X 10.4.6 (8I127/PowerPC) with Safari 2.0.3 (417.9.3) and WebKit r14968.

Date/Time:      2006-06-21 23:50:55.774 -0500
OS Version:     10.4.6 (Build 8I127)
Report Version: 4

Command: Safari
Path:    /Applications/Safari.app/Contents/MacOS/Safari
Parent:  bash [263]

Version:        2.0.3 (417.9.3)
Build Version:  2
Project Name:   WebBrowser
Source Version: 4170903

PID:    24555
Thread: 0

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00000000

Thread 0 Crashed:
0   com.apple.WebCore        	0x012514c0 WebCore::RenderTextField::textWithHardLineBreaks() + 328 (RenderTextField.cpp:277)
1   com.apple.WebCore        	0x0110b50c WebCore::HTMLTextAreaElement::appendFormData(WebCore::FormDataList&, bool) + 224 (HTMLTextAreaElement.cpp:176)
2   com.apple.WebCore        	0x01106fd0 WebCore::HTMLFormElement::formData(WebCore::FormData&) const + 756 (HTMLFormElement.cpp:214)
3   com.apple.WebCore        	0x01107c0c WebCore::HTMLFormElement::submit(bool) + 1008 (HTMLFormElement.cpp:375)
4   com.apple.WebCore        	0x01107edc WebCore::HTMLFormElement::prepareSubmit() + 316 (HTMLFormElement.cpp:326)
5   com.apple.WebCore        	0x01100c74 WebCore::HTMLInputElement::defaultEventHandler(WebCore::Event*) + 720 (HTMLInputElement.cpp:1216)
6   com.apple.WebCore        	0x012f9db0 WebCore::EventTargetNode::dispatchGenericEvent(WTF::PassRefPtr<WebCore::Event>, int&, bool) + 2116 (EventTargetNode.cpp:254)
7   com.apple.WebCore        	0x012fa7bc WebCore::EventTargetNode::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, int&, bool) + 348 (EventTargetNode.cpp:290)
8   com.apple.WebCore        	0x012faec8 WebCore::EventTargetNode::dispatchUIEvent(WebCore::AtomicString const&, int) + 420 (EventTargetNode.cpp:343)
9   com.apple.WebCore        	0x012fb3ec WebCore::EventTargetNode::dispatchMouseEvent(WebCore::AtomicString const&, int, int, int, int, int, int, bool, bool, bool, bool, bool, WebCore::Node*) + 1268 (EventTargetNode.cpp:441)
10  com.apple.WebCore        	0x012fb674 WebCore::EventTargetNode::dispatchMouseEvent(WebCore::PlatformMouseEvent const&, WebCore::AtomicString const&, int, WebCore::Node*) + 392 (EventTargetNode.cpp:374)
11  com.apple.WebCore        	0x01141c68 WebCore::FrameView::dispatchMouseEvent(WebCore::AtomicString const&, WebCore::Node*, bool, int, WebCore::PlatformMouseEvent const&, bool) + 736 (FrameView.cpp:1043)
12  com.apple.WebCore        	0x01142184 WebCore::FrameView::handleMouseReleaseEvent(WebCore::PlatformMouseEvent const&) + 628 (FrameView.cpp:737)
13  com.apple.WebCore        	0x0112c730 WebCore::FrameMac::mouseUp(NSEvent*) + 508 (FrameMac.mm:2015)
14  com.apple.WebCore        	0x01161134 -[WebCoreFrameBridge mouseUp:] + 52 (WebCoreFrameBridge.mm:1034)
15  com.apple.WebKit         	0x0037303c -[WebHTMLView mouseUp:] + 292 (WebHTMLView.m:3140)
16  com.apple.AppKit         	0x9377bca0 -[NSWindow sendEvent:] + 4728
17  com.apple.Safari         	0x00021ca4 0x1000 + 134308
18  com.apple.AppKit         	0x93724c74 -[NSApplication sendEvent:] + 4172
19  com.apple.Safari         	0x000217a8 0x1000 + 133032
20  com.apple.AppKit         	0x9371c0b0 -[NSApplication run] + 508
21  com.apple.AppKit         	0x9380cbfc NSApplicationMain + 452
22  com.apple.Safari         	0x0005cb98 0x1000 + 375704
23  com.apple.Safari         	0x0005ca40 0x1000 + 375360
Comment 1 David Kilzer (:ddkilzer) 2006-06-22 04:30:39 PDT
After reducing a page that crashed, it seems that defining a textarea with a name and a wrap attribute of either "physical" or "hard" will cause Safari to crash when the form is submitted.  See attached test case.

Comment 2 David Kilzer (:ddkilzer) 2006-06-22 04:32:08 PDT
Created attachment 8962 [details]
Test case

Test case that crashes Safari.  You must click the "Submit" button before it crashes, though.
Comment 3 Darin Adler 2006-06-25 13:22:04 PDT
The code says this:

    m_div->firstChild()->renderer()->inlineBox(0, DOWNSTREAM)

I think that renderer might be 0.
Comment 4 Darin Adler 2006-06-25 13:26:16 PDT
Definitely the problem == no text, no renderer, nil-deref when trying to make a call on the renderer. Just add a nil check.
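An added illustration, not WebKit's code or the committed patch, of the null dereference described in comments 3 and 4: the stand-in types (Renderer, TextNode, TextFieldDiv and makeTextField are hypothetical) model a textarea whose empty value gets no renderer, and the checked version shows the nil check Darin asks for. Falling back to the plain value when there is no renderer is an assumption, since the patch body is not shown on this page.

```cpp
#include <memory>
#include <string>
#include <vector>
// Hypothetical stand-ins for the WebCore objects in the trace (not WebKit code).
struct Renderer {
    std::vector<std::string> lineBoxes;  // text per laid-out line (what inlineBox() walks)
};
struct TextNode {
    std::string data;
    std::unique_ptr<Renderer> renderer;  // empty text gets no renderer, so this stays null
};
struct TextFieldDiv {
    std::unique_ptr<TextNode> child;     // m_div's single text child
    TextNode* firstChild() const { return child.get(); }
};
// Model of the field after layout: the value is wrapped at `columns` into line boxes,
// except that an empty value leaves the text node with no renderer at all.
TextFieldDiv makeTextField(const std::string& value, size_t columns) {
    TextFieldDiv div;
    div.child = std::make_unique<TextNode>();
    div.child->data = value;
    if (!value.empty()) {
        div.child->renderer = std::make_unique<Renderer>();
        for (size_t pos = 0; pos < value.size(); pos += columns)
            div.child->renderer->lineBoxes.push_back(value.substr(pos, columns));
    }
    return div;
}
// Hard-wrap submission value: the line boxes joined with newlines.
static std::string joinLineBoxes(const Renderer& r) {
    std::string out;
    for (size_t i = 0; i < r.lineBoxes.size(); ++i)
        out += (i ? "\n" : "") + r.lineBoxes[i];
    return out;
}
// Shape of the crashing code: the renderer is used unconditionally, so submitting an
// empty wrap="hard" textarea dereferences null (the EXC_BAD_ACCESS at 0x0 in the report).
std::string textWithHardLineBreaksUnchecked(const TextFieldDiv& div) {
    return joinLineBoxes(*div.firstChild()->renderer);
}

// Fixed shape: null-check the renderer (and the child) and fall back to the plain value
// (the fallback is an assumption; the page does not show the patch body).
std::string textWithHardLineBreaks(const TextFieldDiv& div) {
    TextNode* node = div.firstChild();
    if (!node || !node->renderer)
        return node ? node->data : std::string();
    return joinLineBoxes(*node->renderer);
}
```

The unchecked variant is kept only for contrast and must not be called on an empty field.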
Comment 5 David Kilzer (:ddkilzer) 2006-06-25 15:10:59 PDT
Created attachment 9022 [details]
Patch v1

Patch and test case.
Comment 6 Darin Adler 2006-06-25 15:20:15 PDT
Comment on attachment 9022 [details]
Patch v1

r=me -- even better if we can figure out some day how to do the test without a timeout
Comment 7 David Kilzer (:ddkilzer) 2006-06-25 15:29:54 PDT
Created attachment 9023 [details]
Patch v2

Changed test timeout from 200ms to 0ms.  Also fixed LayoutTests/fast/forms/textarea-hard-linewrap.html the same way.
Comment 8 Darin Adler 2006-06-25 16:38:25 PDT
Comment on attachment 9023 [details]
Patch v2

r=me
Comment 9 David Kilzer (:ddkilzer) 2006-06-25 16:50:32 PDT
Committed revision 15040.