After clicking a submit button on a form on Spamcop (was reporting spam), Safari+WebKit crashed with the stack trace below. I'm using Mac OS X 10.4.6 (8I127/PowerPC) with Safari 2.0.3 (417.9.3) and WebKit r14968.

Date/Time: 2006-06-21 23:50:55.774 -0500
OS Version: 10.4.6 (Build 8I127)
Report Version: 4

Command: Safari
Path: /Applications/Safari.app/Contents/MacOS/Safari
Parent: bash [263]

Version: 2.0.3 (417.9.3)
Build Version: 2
Project Name: WebBrowser
Source Version: 4170903

PID: 24555
Thread: 0

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000000

Thread 0 Crashed:
0 com.apple.WebCore 0x012514c0 WebCore::RenderTextField::textWithHardLineBreaks() + 328 (RenderTextField.cpp:277)
1 com.apple.WebCore 0x0110b50c WebCore::HTMLTextAreaElement::appendFormData(WebCore::FormDataList&, bool) + 224 (HTMLTextAreaElement.cpp:176)
2 com.apple.WebCore 0x01106fd0 WebCore::HTMLFormElement::formData(WebCore::FormData&) const + 756 (HTMLFormElement.cpp:214)
3 com.apple.WebCore 0x01107c0c WebCore::HTMLFormElement::submit(bool) + 1008 (HTMLFormElement.cpp:375)
4 com.apple.WebCore 0x01107edc WebCore::HTMLFormElement::prepareSubmit() + 316 (HTMLFormElement.cpp:326)
5 com.apple.WebCore 0x01100c74 WebCore::HTMLInputElement::defaultEventHandler(WebCore::Event*) + 720 (HTMLInputElement.cpp:1216)
6 com.apple.WebCore 0x012f9db0 WebCore::EventTargetNode::dispatchGenericEvent(WTF::PassRefPtr<WebCore::Event>, int&, bool) + 2116 (EventTargetNode.cpp:254)
7 com.apple.WebCore 0x012fa7bc WebCore::EventTargetNode::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, int&, bool) + 348 (EventTargetNode.cpp:290)
8 com.apple.WebCore 0x012faec8 WebCore::EventTargetNode::dispatchUIEvent(WebCore::AtomicString const&, int) + 420 (EventTargetNode.cpp:343)
9 com.apple.WebCore 0x012fb3ec WebCore::EventTargetNode::dispatchMouseEvent(WebCore::AtomicString const&, int, int, int, int, int, int, bool, bool, bool, bool, bool, WebCore::Node*) + 1268 (EventTargetNode.cpp:441)
10 com.apple.WebCore 0x012fb674 WebCore::EventTargetNode::dispatchMouseEvent(WebCore::PlatformMouseEvent const&, WebCore::AtomicString const&, int, WebCore::Node*) + 392 (EventTargetNode.cpp:374)
11 com.apple.WebCore 0x01141c68 WebCore::FrameView::dispatchMouseEvent(WebCore::AtomicString const&, WebCore::Node*, bool, int, WebCore::PlatformMouseEvent const&, bool) + 736 (FrameView.cpp:1043)
12 com.apple.WebCore 0x01142184 WebCore::FrameView::handleMouseReleaseEvent(WebCore::PlatformMouseEvent const&) + 628 (FrameView.cpp:737)
13 com.apple.WebCore 0x0112c730 WebCore::FrameMac::mouseUp(NSEvent*) + 508 (FrameMac.mm:2015)
14 com.apple.WebCore 0x01161134 -[WebCoreFrameBridge mouseUp:] + 52 (WebCoreFrameBridge.mm:1034)
15 com.apple.WebKit 0x0037303c -[WebHTMLView mouseUp:] + 292 (WebHTMLView.m:3140)
16 com.apple.AppKit 0x9377bca0 -[NSWindow sendEvent:] + 4728
17 com.apple.Safari 0x00021ca4 0x1000 + 134308
18 com.apple.AppKit 0x93724c74 -[NSApplication sendEvent:] + 4172
19 com.apple.Safari 0x000217a8 0x1000 + 133032
20 com.apple.AppKit 0x9371c0b0 -[NSApplication run] + 508
21 com.apple.AppKit 0x9380cbfc NSApplicationMain + 452
22 com.apple.Safari 0x0005cb98 0x1000 + 375704
23 com.apple.Safari 0x0005ca40 0x1000 + 375360
After reducing a page that crashed, it seems that defining a textarea with a name and a wrap attribute of either "physical" or "hard" will cause Safari to crash when the form is submitted. See attached test case.
Created attachment 8962 [details]
Test case

Test case that crashes Safari. You must click the "Submit" button before it crashes, though.
The code says this:

m_div->firstChild()->renderer()->inlineBox(0, DOWNSTREAM)

I think that renderer might be 0.
Definitely the problem == no text, no renderer, nil-deref when trying to make a call on the renderer. Just add a nil check.
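To make the nil-deref and the fix concrete, here is an added illustration (not WebCore's code, and not the patch in this bug): a minimal model of the render-tree walk behind textWithHardLineBreaks() with the nil check in place. Every type and member name in it is an assumption; the only things taken from the report are that an empty textarea's text node has no renderer and that wrap="hard" submission inserts a newline at each visual wrap.

```cpp
// Added illustration, not WebCore's code: a minimal model of the render-tree
// walk behind RenderTextField::textWithHardLineBreaks(), with the nil check
// the fix adds. All type and member names are assumptions.
#include <string>
#include <vector>

// One laid-out line: the value's characters [start, start + length).
struct InlineBox { unsigned start; unsigned length; };

// A text node gets a renderer only when it has characters to lay out, so the
// lone child of an empty <textarea>'s inner div has none (the bug's case).
struct RenderObject { std::vector<InlineBox> boxes; };  // one box per line

struct Node { Node* firstChild = nullptr; RenderObject* renderer = nullptr; };

struct RenderTextField {
    Node* m_div = nullptr;  // inner block that holds the text node
    std::string m_value;    // textarea value without hard breaks

    // wrap="hard": submit the value with a newline at every visual wrap.
    // Before the fix the renderer was dereferenced unconditionally, which is
    // the nil-deref in the crash log when the textarea is empty.
    std::string textWithHardLineBreaks() const {
        Node* text = m_div ? m_div->firstChild : nullptr;
        if (!text || !text->renderer)
            return m_value;  // no text, no renderer: nothing to break
        std::string out;
        for (const InlineBox& box : text->renderer->boxes) {
            if (!out.empty())
                out += '\n';
            out += m_value.substr(box.start, box.length);
        }
        return out;
    }
};

// Assembles the tree for a value and its line boxes and returns what a
// wrap="hard" submission would send; an empty value gets no renderer.
std::string submittedText(const std::string& value,
                          const std::vector<InlineBox>& boxes) {
    Node textNode;
    RenderObject renderer{boxes};
    if (!value.empty())
        textNode.renderer = &renderer;
    Node div{&textNode};
    RenderTextField field{&div, value};
    return field.textWithHardLineBreaks();
}
```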
Created attachment 9022 [details]
Patch v1

Patch and test case.
Comment on attachment 9022 [details]
Patch v1

r=me -- even better if we can figure out some day how to do the test without a timeout
Created attachment 9023 [details]
Patch v2

Changed test timeout from 200ms to 0ms. Also fixed LayoutTests/fast/forms/textarea-hard-linewrap.html the same way.
Comment on attachment 9023 [details]
Patch v2

r=me
Committed revision 15040.