135284 2014-07-25 00:49:12 -0700 ASSERTION FAILED: lineageOfType<HTMLCanvasElement>(*this).first() in WebCore::Element::isFocusable 2016-08-03 14:39:17 -0700 1 1 1 Unclassified WebKit DOM 528+ (Nightly build) Unspecified Unspecified RESOLVED WORKSFORME P2 Normal --- 116980 1 rhodovan.u-szeged webkit-unassigned ap bfulgham darin koivisto oldest_to_newest 1024802 0 235506 rhodovan.u-szeged 2014-07-25 00:49:12 -0700 Created attachment 235506 Test case Test case to reproduce the issue: <s> <canvas> <h3> <svg> <animatemotion onload=""/> <var/> <keygen autofocus/> </s> Backtrace: ASSERTION FAILED: lineageOfType<HTMLCanvasElement>(*this).first() ../../Source/WebCore/dom/Element.cpp(440) : virtual bool WebCore::Element::isFocusable() const 1 0x7ffff3025dd3 /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(WTFCrash+0x1e) [0x7ffff3025dd3] 2 0x7ffff35a023a /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZNK7WebCore7Element11isFocusableEv+0xb2) [0x7ffff35a023a] 3 0x7ffff3754fd2 /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZNK7WebCore22HTMLFormControlElement11isFocusableEv+0x98) [0x7ffff3754fd2] 4 0x7ffff35a5a13 /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore7Element5focusEbNS_14FocusDirectionE+0x9b) [0x7ffff35a5a13] 5 0x7ffff3754a18 /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(+0x47cda18) [0x7ffff3754a18] 6 0x7ffff3755ae4 /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(+0x47ceae4) [0x7ffff3755ae4] 7 0x7ffff2c0b22a /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZNKSt8functionIFvvEEclEv+0x32) [0x7ffff2c0b22a] 8 0x7ffff4025b3f /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore5Style30PostResolutionCallbackDisablerD1Ev+0x45) [0x7ffff4025b3f] 9 0x7ffff3548421 /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore8Document11recalcStyleENS_5Style6ChangeE+0x243) [0x7ffff3548421] 10 0x7ffff3548657 /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore8Document19updateStyleIfNeededEv+0x17f) [0x7ffff3548657] 11 0x7ffff3551ff5 /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore8Document15finishedParsingEv+0x1b3) [0x7ffff3551ff5] 12 0x7ffff3845215 /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore20HTMLConstructionSite15finishedParsingEv+0x1b) [0x7ffff3845215] 13 0x7ffff387f8ad /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore15HTMLTreeBuilder8finishedEv+0xa1) [0x7ffff387f8ad] 14 0x7ffff384cdb0 /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore18HTMLDocumentParser3endEv+0x8e) [0x7ffff384cdb0] 15 0x7ffff384ce9b /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore18HTMLDocumentParser33attemptToRunDeferredScriptsAndEndEv+0xe9) [0x7ffff384ce9b] 16 0x7ffff384ba09 /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore18HTMLDocumentParser20prepareToStopParsingEv+0xf7) [0x7ffff384ba09] 17 0x7ffff384cede /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore18HTMLDocumentParser12attemptToEndEv+0x40) [0x7ffff384cede] 18 0x7ffff384cf95 /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore18HTMLDocumentParser6finishEv+0x3f) [0x7ffff384cf95] 19 0x7ffff399c935 /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore14DocumentWriter3endEv+0x119) [0x7ffff399c935] 20 0x7ffff398998b /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore14DocumentLoader15finishedLoadingEd+0x209) [0x7ffff398998b] 21 0x7ffff39896f4 /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore14DocumentLoader14notifyFinishedEPNS_14CachedResourceE+0x10e) [0x7ffff39896f4] 22 0x7ffff3a2ff8d /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore14CachedResource11checkNotifyEv+0x93) [0x7ffff3a2ff8d] 23 0x7ffff3a30074 /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore14CachedResource13finishLoadingEPNS_14ResourceBufferE+0x3a) [0x7ffff3a30074] 24 0x7ffff3a2d02e /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore17CachedRawResource13finishLoadingEPNS_14ResourceBufferE+0xca) [0x7ffff3a2d02e] 25 0x7ffff39e3cc4 /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore17SubresourceLoader16didFinishLoadingEd+0x1de) [0x7ffff39e3cc4] 26 0x7ffff39e01b1 /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore14ResourceLoader16didFinishLoadingEPNS_14ResourceHandleEd+0x3b) [0x7ffff39e01b1] 27 0x7ffff42a1205 /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(+0x531a205) [0x7ffff42a1205] 28 0x7fffec2862ea /home/reni/data/REPOS/webkit_sec/WebKitBuild/Dependencies/Root/lib64/libgio-2.0.so.0(+0x5a2ea) [0x7fffec2862ea] 29 0x7fffec2a5ceb /home/reni/data/REPOS/webkit_sec/WebKitBuild/Dependencies/Root/lib64/libgio-2.0.so.0(+0x79ceb) [0x7fffec2a5ceb] 30 0x7fffec2a5d09 /home/reni/data/REPOS/webkit_sec/WebKitBuild/Dependencies/Root/lib64/libgio-2.0.so.0(+0x79d09) [0x7fffec2a5d09] 31 0x7fffeb4fc2e6 /home/reni/data/REPOS/webkit_sec/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0(g_main_context_dispatch+0x146) [0x7fffeb4fc2e6] Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0x7fff97334700 (LWP 17423)] 0x00007ffff3025dd8 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:329 329 *(int *)(uintptr_t)0xbbadbeef = 0; (gdb) bt #0 0x00007ffff3025dd8 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:329 #1 0x00007ffff35a023a in WebCore::Element::isFocusable (this=0x8e89e0) at ../../Source/WebCore/dom/Element.cpp:440 #2 0x00007ffff3754fd2 in WebCore::HTMLFormControlElement::isFocusable (this=0x8e89e0) at ../../Source/WebCore/html/HTMLFormControlElement.cpp:314 #3 0x00007ffff35a5a13 in WebCore::Element::focus (this=0x8e89e0, restorePreviousSelection=true, direction=WebCore::FocusDirectionNone) at ../../Source/WebCore/dom/Element.cpp:1925 #4 0x00007ffff3754a18 in WebCore::HTMLFormControlElement::__lambda2::operator() (__closure=0x669260) at ../../Source/WebCore/html/HTMLFormControlElement.cpp:224 #5 0x00007ffff3755ae4 in std::_Function_handler<void(), WebCore::HTMLFormControlElement::didAttachRenderers()::__lambda2>::_M_invoke(const std::_Any_data &) (__functor=...) at /usr/include/c++/4.8/functional:2071 #6 0x00007ffff2c0b22a in std::function<void ()>::operator()() const (this=0x87e840) at /usr/include/c++/4.8/functional:2464 #7 0x00007ffff4025b3f in WebCore::Style::PostResolutionCallbackDisabler::~PostResolutionCallbackDisabler (this=0x7fffffffd2a6, __in_chrg=<optimized out>) at ../../Source/WebCore/style/StyleResolveTree.cpp:1017 #8 0x00007ffff3548421 in WebCore::Document::recalcStyle (this=0x981e00, change=WebCore::Style::NoChange) at ../../Source/WebCore/dom/Document.cpp:1761 #9 0x00007ffff3548657 in WebCore::Document::updateStyleIfNeeded (this=0x981e00) at ../../Source/WebCore/dom/Document.cpp:1794 #10 0x00007ffff3551ff5 in WebCore::Document::finishedParsing (this=0x981e00) at ../../Source/WebCore/dom/Document.cpp:4510 #11 0x00007ffff3845215 in WebCore::HTMLConstructionSite::finishedParsing (this=0x7d3a18) at ../../Source/WebCore/html/parser/HTMLConstructionSite.cpp:395 #12 0x00007ffff387f8ad in WebCore::HTMLTreeBuilder::finished (this=0x7d3a00) at ../../Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2997 #13 0x00007ffff384cdb0 in WebCore::HTMLDocumentParser::end (this=0xa19ac0) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:451 #14 0x00007ffff384ce9b in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd (this=0xa19ac0) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:462 #15 0x00007ffff384ba09 in WebCore::HTMLDocumentParser::prepareToStopParsing (this=0xa19ac0) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:165 #16 0x00007ffff384cede in WebCore::HTMLDocumentParser::attemptToEnd (this=0xa19ac0) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:474 #17 0x00007ffff384cf95 in WebCore::HTMLDocumentParser::finish (this=0xa19ac0) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:502 #18 0x00007ffff399c935 in WebCore::DocumentWriter::end (this=0x934570) at ../../Source/WebCore/loader/DocumentWriter.cpp:250 #19 0x00007ffff398998b in WebCore::DocumentLoader::finishedLoading (this=0x9344d0, finishTime=0) at ../../Source/WebCore/loader/DocumentLoader.cpp:441 #20 0x00007ffff39896f4 in WebCore::DocumentLoader::notifyFinished (this=0x9344d0, resource=0x81a8e0) at ../../Source/WebCore/loader/DocumentLoader.cpp:375 #21 0x00007ffff3a2ff8d in WebCore::CachedResource::checkNotify (this=0x81a8e0) at ../../Source/WebCore/loader/cache/CachedResource.cpp:334 #22 0x00007ffff3a30074 in WebCore::CachedResource::finishLoading (this=0x81a8e0) at ../../Source/WebCore/loader/cache/CachedResource.cpp:350 #23 0x00007ffff3a2d02e in WebCore::CachedRawResource::finishLoading (this=0x81a8e0, data=0x774de0) at ../../Source/WebCore/loader/cache/CachedRawResource.cpp:98 #24 0x00007ffff39e3cc4 in WebCore::SubresourceLoader::didFinishLoading (this=0x81ae10, finishTime=0) at ../../Source/WebCore/loader/SubresourceLoader.cpp:310 #25 0x00007ffff39e01b1 in WebCore::ResourceLoader::didFinishLoading (this=0x81ae10, finishTime=0) at ../../Source/WebCore/loader/ResourceLoader.cpp:517 #26 0x00007ffff42a1205 in WebCore::readCallback (asyncResult=0x8c69d0, data=0x81beb0) at ../../Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:1302 #27 0x00007fffec2862ea in async_ready_callback_wrapper (source_object=0x98cb30, res=0x8c69d0, user_data=0x81beb0) at ginputstream.c:519 #28 0x00007fffec2a5ceb in g_task_return_now (task=0x8c69d0) at gtask.c:1108 #29 0x00007fffec2a5d09 in complete_in_idle_cb (task=0x8c69d0) at gtask.c:1117 #30 0x00007fffeb4fc2e6 in g_main_dispatch (context=0x677bb0) at gmain.c:3065 #31 g_main_context_dispatch (context=context@entry=0x677bb0) at gmain.c:3641 #32 0x00007fffeb4fc638 in g_main_context_iterate (context=0x677bb0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3712 #33 0x00007fffeb4fca3a in g_main_loop_run (loop=0x70c750) at gmain.c:3906 #34 0x00007ffff3077542 in WTF::RunLoop::run () at ../../Source/WTF/wtf/gtk/RunLoopGtk.cpp:59 #35 0x00007ffff2fb063e in WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain> (argc=2, argv=0x7fffffffda38) at ../../Source/WebKit2/Shared/unix/ChildProcessMain.h:61 #36 0x00007ffff2fb04a3 in WebKit::WebProcessMainUnix (argc=2, argv=0x7fffffffda38) at ../../Source/WebKit2/WebProcess/gtk/WebProcessMainGtk.cpp:73 #37 0x000000000040085d in main (argc=2, argv=0x7fffffffda38) at ../../Source/WebKit2/WebProcess/EntryPoint/unix/WebProcessMain.cpp:32 1217209 1 bfulgham 2016-08-03 14:39:17 -0700 This issue no longer occurs under GuardMalloc or ASAN as of r204037. If you believe there is still a bug, please reopen this issue with a revised test case. 235506 2014-07-25 00:49:12 -0700 2014-07-25 00:49:12 -0700 Test case crash.html text/html 118 rhodovan.u-szeged PHM+CiAgPGNhbnZhcz4KICAgIDxoMz4KICAgICAgPHN2Zz4KICAgICAgICA8YW5pbWF0ZW1vdGlv biBvbmxvYWQ9IiIvPgogICAgICAgIDx2YXIvPgogICAgICAgIDxrZXlnZW4gYXV0b2ZvY3VzLz4K PC9zPg==