Bug 70546

Summary:	[test case] css related crash: combination of first-letter, :before and span
Product:	[Applications] konqueror	Reporter:	Magnus Kessler <magnus.kessler>
Component:	khtml renderer	Assignee:	Konqueror Developers <konq-bugs>
Status:	RESOLVED FIXED
Severity:	crash	CC:	arne.schmitz
Priority:	NOR
Version:	unspecified
Target Milestone:	---
Platform:	Compiled Sources
OS:	Linux
Latest Commit:		Version Fixed In:
Sentry Crash Report:
Attachments:	testcase

Description Magnus Kessler 2003-12-16 00:03:06 UTC

Version:            (using KDE Devel)
Installed from:    Compiled sources
OS:          Linux

The attached test case is distilled down from http://www.csszengarden.com/?cssfile=/030/030.css

Konqueror (cvs 20031214) crashes due to a combination of first-letter, :before and a span element. Take out any one of these and the page displays.

Comment 1 Magnus Kessler 2003-12-16 00:04:16 UTC

Created attachment 3722 [details]
testcase

Comment 2 Stephan Kulow 2004-01-15 14:30:27 UTC

Incomplete safari merge I'm afraid

#0  0x42670db0 in RenderObject (this=0x863c908, node=0x0)
    at /coolo/prod/kdelibs/khtml/rendering/render_object.cpp:161
#1  0x42681a51 in RenderText (this=0x863c908, node=0x0, _str=0x863abc0)
    at /coolo/prod/kdelibs/khtml/rendering/render_text.cpp:560
#2  0x42662601 in khtml::RenderBlock::addChildToFlow(khtml::RenderObject*, khtml::RenderObject*) (
    this=0x863c618, newChild=0x863c688, beforeChild=0x0)
    at /coolo/prod/kdelibs/khtml/rendering/render_block.cpp:144
#3  0x4267f5e1 in khtml::RenderFlow::addChild(khtml::RenderObject*, khtml::RenderObject*) (
    this=0x863c618, newChild=0x863c688, beforeChild=0x0)
    at /coolo/prod/kdelibs/khtml/rendering/render_flow.cpp:130
#4  0x4261b965 in DOM::ElementImpl::attach() (this=0x865cb90)
    at /coolo/prod/kdelibs/khtml/xml/dom_elementimpl.cpp:449
#5  0x4262e05e in khtml::KHTMLParser::insertNode(DOM::NodeImpl*, bool) (this=0x86463e0, n=0x865cb90,
    flat=false) at /coolo/prod/kdelibs/khtml/html/htmlparser.cpp:318
#6  0x4262df5d in khtml::KHTMLParser::parseToken(khtml::Token*) (this=0x86463e0, t=0x86462dc)
    at /coolo/prod/kdelibs/khtml/html/htmlparser.cpp:276
#7  0x426362c8 in khtml::HTMLTokenizer::processToken() (this=0x86462a8)
    at /coolo/prod/kdelibs/khtml/html/htmltokenizer.cpp:1576
#8  0x42634ca1 in khtml::HTMLTokenizer::parseTag(khtml::DOMStringIt&) (this=0x86462a8, src=@0x86463bc)
    at /coolo/prod/kdelibs/khtml/html/htmltokenizer.cpp:1090
#9  0x42635670 in khtml::HTMLTokenizer::write(QString const&, bool) (this=0x86462a8, str=@0xbfffe0c0,
    appendData=true) at /coolo/prod/kdelibs/khtml/html/htmltokenizer.cpp:1344
#10 0x425cd02b in KHTMLPart::write(char const*, int) (this=0x85115c8,

Comment 3 Arne Schmitz 2004-02-11 12:50:35 UTC

KHTML crashes on http://www.w3.org/Status.html with my KDE 3.2.0 whenever I move the mouse over the CSS menu on that site. Does this have anything to do with this? If not, I would file another bug report.

Comment 4 Stephan Kulow 2004-02-17 11:37:52 UTC

Latest CVS the crash changed and I'm puzzled as the end is before the start.

#0  0x401b4767 in QChar::latin1() const (this=0x0) at qstring.h:194
#1  0x401c88f8 in QChar::operator char() const (this=0x0) at qstring.h:199
#2  0x401fab92 in khtml::RenderBlock::bidiReorderLine(khtml::BidiIterator const&, khtml::BidiIterator const&) (
    this=0x82171e0, start=@0xbfffd540, end=@0xbfffd530) at /coolo/prod/kdelibs/khtml/rendering/bidi.cpp:969
#3  0x401fb40d in khtml::RenderBlock::layoutInlineChildren(bool) (this=0x82171e0, relayoutChildren=true)
    at /coolo/prod/kdelibs/khtml/rendering/bidi.cpp:1197
#4  0x401ff6e3 in khtml::RenderBlock::layoutBlock(bool) (this=0x82171e0, relayoutChildren=true)
    at /coolo/prod/kdelibs/khtml/rendering/render_block.cpp:500
#5  0x401ff2ca in khtml::RenderBlock::layout() (this=0x82171e0)
    at /coolo/prod/kdelibs/khtml/rendering/render_block.cpp:421
#6  0x40200a79 in khtml::RenderBlock::layoutBlockChildren(bool) (this=0x821716c, relayoutChildren=true)
    at /coolo/prod/kdelibs/khtml/rendering/render_block.cpp:824
#7  0x401ff6fc in khtml::RenderBlock::layoutBlock(bool) (this=0x821716c, relayoutChildren=true)
    at /coolo/prod/kdelibs/khtml/rendering/render_block.cpp:502
#8  0x401ff2ca in khtml::RenderBlock::layout() (this=0x821716c)
    at /coolo/prod/kdelibs/khtml/rendering/render_block.cpp:421
#9  0x4024e93c in khtml::RenderBody::layout() (this=0x821716c)
    at /coolo/prod/kdelibs/khtml/rendering/render_body.cpp:92
#10 0x40200a79 in khtml::RenderBlock::layoutBlockChildren(bool) (this=0x82170b4, relayoutChildren=true)
    at /coolo/prod/kdelibs/khtml/rendering/render_block.cpp:824
#11 0x401ff6fc in khtml::RenderBlock::layoutBlock(bool) (this=0x82170b4, relayoutChildren=true)
    at /coolo/prod/kdelibs/khtml/rendering/render_block.cpp:502
#12 0x401ff2ca in khtml::RenderBlock::layout() (this=0x82170b4)
    at /coolo/prod/kdelibs/khtml/rendering/render_block.cpp:421
#13 0x40200a79 in khtml::RenderBlock::layoutBlockChildren(bool) (this=0x8216fd0, relayoutChildren=false)
    at /coolo/prod/kdelibs/khtml/rendering/render_block.cpp:824
#14 0x401ff6fc in khtml::RenderBlock::layoutBlock(bool) (this=0x8216fd0, relayoutChildren=false)
    at /coolo/prod/kdelibs/khtml/rendering/render_block.cpp:502
#15 0x401ff2ca in khtml::RenderBlock::layout() (this=0x8216fd0)
    at /coolo/prod/kdelibs/khtml/rendering/render_block.cpp:421
#16 0x40247168 in khtml::RenderCanvas::layout() (this=0x8216fd0)
    at /coolo/prod/kdelibs/khtml/rendering/render_canvas.cpp:168
#17 0x4014c486 in KHTMLView::layout() (this=0x81ea2c8) at /coolo/prod/kdelibs/khtml/khtmlview.cpp:609

Comment 5 Stephan Kulow 2004-02-17 12:00:19 UTC

This fixes the crash for me, but it's only a workaround

 inline const QChar &BidiIterator::current() const
 {
     if( !isText ) return nbsp; // non breaking space
-    return static_cast<RenderText *>(obj)->text()[pos];
+    RenderText *t = static_cast<RenderText *>(obj);
+    if (pos < t->length())
+       return t->text()[pos];
+    return QChar::null;
 }

Comment 6 Germain Garand 2004-02-18 00:30:33 UTC

CVS commit by ggarand: 


- first-letter: better fix for pure punctuation/single letter text childs.
  Fixes an invalid reference crash (#70546).

I think this might be the cause for #68753 too

CCMAIL: 70546-done@bugs.kde.org
			


  M +6 -0      ChangeLog   1.210
  M +3 -6      rendering/render_block.cpp   1.26


--- kdelibs/khtml/ChangeLog  #1.209:1.210
@@ -1,2 +1,8 @@
+2004-02-17  Germain Garand  <germain@ebooksfrance.org>
+
+        * rendering/render_block.cpp (addChildToFlow): first-letter:
+        better fix for pure punctuation/single letter text childs.
+        Fixes an invalid reference crash (#70546). 
+
 2004-02-16  Germain Garand  <germain@ebooksfrance.org>
 

--- kdelibs/khtml/rendering/render_block.cpp  #1.25:1.26
@@ -122,5 +122,4 @@ void RenderBlock::addChildToFlow(RenderO
 
             RenderText* newTextChild = static_cast<RenderText*>(textChild);
-        //kdDebug( 6040 ) << "first letter" << endl;
 
             // Force inline display (except for floating first-letters)
@@ -140,9 +139,7 @@ void RenderBlock::addChildToFlow(RenderO
                 length++;
                 kdDebug( 6040 ) << "letter= '" << DOMString(oldText->substring(0,length)).string() << "'" << endl;
+                newTextChild->setText( oldText->l > length ? 
+                                       oldText->substring(length,oldText->l-length) : new DOMStringImpl(""));
                 NodeImpl* letterElement = newTextChild->element() ? (NodeImpl*) newTextChild->element() : (NodeImpl*) document(); 
-                if (!(oldText->l-length))
-                    firstLetterContainer->removeChild(newTextChild);
-                else
-                    newTextChild->setText(oldText->substring(length,oldText->l-length));
                 RenderText* letter = new (renderArena()) RenderText(letterElement, oldText->substring(0,length));
                 RenderStyle* newStyle = new RenderStyle();
@@ -2395,5 +2392,5 @@ const char *RenderBlock::renderName() co
 }
 
-#ifdef ENABLE_DUMP
+#ifndef NDEBUG
 void RenderBlock::printTree(int indent) const
 {