136947 2014-09-19 02:26:14 -0700 Null pointer dereference in WebCore::StyleProperties::findPropertyIndex 2016-08-03 17:04:35 -0700 1 1 1 Unclassified WebKit CSS 528+ (Nightly build) Unspecified Unspecified RESOLVED WORKSFORME P2 Normal --- 116980 1 rhodovan.u-szeged webkit-unassigned bfulgham kling ltilve rego oldest_to_newest 1036098 0 238364 rhodovan.u-szeged 2014-09-19 02:26:14 -0700 Created attachment 238364 Test case The crashing test case: <!DOCTYPE html> <style> * { position:absolute; } </style> <script> onload = function() { document.designMode = 'on'; document.execCommand("selectAll", false, null); document.execCommand("insertParagraph", true, null); document.execCommand("useCSS", true, false); document.execCommand("insertOrderedList", false, null); document.execCommand("insertOrderedList", false, null); document.execCommand("insertOrderedList", false, null); document.execCommand("undo", false, null); document.execCommand("insertOrderedList", false, null); document.execCommand("redo", false, null); } </script> <li> <b> <embed></embed> </b> </li> The backtrace: 0x00007ffff2fb9711 in WebCore::StyleProperties::findPropertyIndex (this=0x0, propertyID=WebCore::CSSPropertyFontWeight) at ../../Source/WebCore/css/StyleProperties.h:291 291 if (m_isMutable) #0 0x00007ffff2fb9711 in WebCore::StyleProperties::findPropertyIndex (this=0x0, propertyID=WebCore::CSSPropertyFontWeight) at ../../Source/WebCore/css/StyleProperties.h:291 #1 0x00007ffff2fb61d8 in WebCore::StyleProperties::getPropertyCSSValue (this=0x0, propertyID=WebCore::CSSPropertyFontWeight) at ../../Source/WebCore/css/StyleProperties.cpp:578 #2 0x00007ffff2fb330c in WebCore::StyleProperties::getPropertyValue (this=0x0, propertyID=WebCore::CSSPropertyFontWeight) at ../../Source/WebCore/css/StyleProperties.cpp:120 #3 0x00007ffff31fd21a in WebCore::RemoveCSSPropertyCommand::doApply (this=0x8931f0) at ../../Source/WebCore/editing/RemoveCSSPropertyCommand.cpp:53 #4 0x00007ffff31a9549 in WebCore::SimpleEditCommand::doReapply (this=0x8931f0) at ../../Source/WebCore/editing/EditCommand.cpp:117 #5 0x00007ffff318d82d in WebCore::EditCommandComposition::reapply (this=0x96ecb0) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:146 #6 0x00007ffff2a35584 in WebKit::WebPage::reapplyEditCommand (this=0xaff070, stepID=0x4) at ../../Source/WebKit2/WebProcess/WebPage/WebPage.cpp:3112 #7 0x00007ffff2b92dee in IPC::callMemberFunctionImpl<WebKit::WebPage, void (WebKit::WebPage::*)(unsigned long), std::tuple<unsigned long>, 0ul>(WebKit::WebPage*, void (WebKit::WebPage::*)(unsigned long), std::tuple<unsigned long>&&, std::index_sequence<0ul>) (object=0xaff070, function=(void (WebKit::WebPage::*)(WebKit::WebPage * const, unsigned long)) 0x7ffff2a3552e <WebKit::WebPage::reapplyEditCommand(unsigned long)>, args=<unknown type in /home/reni/data/REPOS/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37, CU 0x6da7251, DIE 0x6e79cc3>) at ../../Source/WebKit2/Platform/IPC/HandleMessage.h:16 #8 0x00007ffff2b90c7e in IPC::callMemberFunction<WebKit::WebPage, void (WebKit::WebPage::*)(unsigned long), std::tuple<unsigned long>, std::make_index_sequence<1ul> >(std::tuple<unsigned long>&&, WebKit::WebPage*, void (WebKit::WebPage::*)(unsigned long)) (args=<unknown type in /home/reni/data/REPOS/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37, CU 0x6da7251, DIE 0x6e79cc3>, object=0xaff070, function=(void (WebKit::WebPage::*)(WebKit::WebPage * const, unsigned long)) 0x7ffff2a3552e <WebKit::WebPage::reapplyEditCommand(unsigned long)>) at ../../Source/WebKit2/Platform/IPC/HandleMessage.h:22 #9 0x00007ffff2b8cc6f in IPC::handleMessage<Messages::WebPage::ReapplyEditCommand, WebKit::WebPage, void (WebKit::WebPage::*)(unsigned long)> (decoder=..., object=0xaff070, function=(void (WebKit::WebPage::*)(WebKit::WebPage * const, unsigned long)) 0x7ffff2a3552e <WebKit::WebPage::reapplyEditCommand(unsigned long)>) at ../../Source/WebKit2/Platform/IPC/HandleMessage.h:120 #10 0x00007ffff2b87f28 in WebKit::WebPage::didReceiveWebPageMessage (this=0xaff070, decoder=...) at DerivedSources/WebKit2/WebPageMessageReceiver.cpp:612 #11 0x00007ffff2a362b0 in WebKit::WebPage::didReceiveMessage (this=0xaff070, connection=0xaa8200, decoder=...) at ../../Source/WebKit2/WebProcess/WebPage/WebPage.cpp:3505 #12 0x00007ffff2752042 in IPC::MessageReceiverMap::dispatchMessage (this=0x8ec6e8, connection=0xaa8200, decoder=...) at ../../Source/WebKit2/Platform/IPC/MessageReceiverMap.cpp:87 #13 0x00007ffff29203f9 in WebKit::WebProcess::didReceiveMessage (this=0x8ec600, connection=0xaa8200, decoder=...) at ../../Source/WebKit2/WebProcess/WebProcess.cpp:599 #14 0x00007ffff27411be in IPC::Connection::dispatchMessage (this=0xaa8200, decoder=...) at ../../Source/WebKit2/Platform/IPC/Connection.cpp:809 #15 0x00007ffff274128a in IPC::Connection::dispatchMessage (this=0xaa8200, message=...) at ../../Source/WebKit2/Platform/IPC/Connection.cpp:828 #16 0x00007ffff273d30d in IPC::Connection::SyncMessageState::dispatchMessages (this=0xacd600, allowedConnection=0x0) at ../../Source/WebKit2/Platform/IPC/Connection.cpp:201 #17 0x00007ffff273f51d in IPC::Connection::waitForSyncReply (this=0xaa8200, syncRequestID=0x7, timeout=..., syncSendFlags=0x0) at ../../Source/WebKit2/Platform/IPC/Connection.cpp:537 #18 0x00007ffff273ef7a in IPC::Connection::sendSyncMessage (this=0xaa8200, syncRequestID=0x7, encoder=..., timeout=..., syncSendFlags=0x0) at ../../Source/WebKit2/Platform/IPC/Connection.cpp:478 #19 0x00007ffff29e8cbb in IPC::Connection::sendSync<Messages::WebPageProxy::ExecuteUndoRedo>(Messages::WebPageProxy::ExecuteUndoRedo&&, Messages::WebPageProxy::ExecuteUndoRedo::Reply&&, unsigned long, std::chrono::duration<long, std::ratio<1l, 1000l> >, unsigned int) (this=0xaa8200, message=<unknown type in /home/reni/data/REPOS/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37, CU 0x4136c8e, DIE 0x4204d34>, reply=<unknown type in /home/reni/data/REPOS/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37, CU 0x4136c8e, DIE 0x4207c50>, destinationID=0x1, timeout=..., syncSendFlags=0x0) at ../../Source/WebKit2/Platform/IPC/Connection.h:359 #20 0x00007ffff29e8030 in IPC::MessageSender::sendSync<Messages::WebPageProxy::ExecuteUndoRedo>(Messages::WebPageProxy::ExecuteUndoRedo&&, Messages::WebPageProxy::ExecuteUndoRedo::Reply&&, unsigned long, std::chrono::duration<long, std::ratio<1l, 1000l> >, unsigned int) (this=0xaff088, message=<unknown type in /home/reni/data/REPOS/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37, CU 0x4136c8e, DIE 0x4204d34>, reply=<unknown type in /home/reni/data/REPOS/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37, CU 0x4136c8e, DIE 0x42065fb>, destinationID=0x1, timeout=..., syncSendFlags=0x0) at ../../Source/WebKit2/Platform/IPC/MessageSender.h:66 #21 0x00007ffff29e741a in IPC::MessageSender::sendSync<Messages::WebPageProxy::ExecuteUndoRedo>(Messages::WebPageProxy::ExecuteUndoRedo&&, Messages::WebPageProxy::ExecuteUndoRedo::Reply&&, std::chrono::duration<long, std::ratio<1l, 1000l> >, unsigned int) (this=0xaff088, message=<unknown type in /home/reni/data/REPOS/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37, CU 0x4136c8e, DIE 0x4204d34>, reply=<unknown type in /home/reni/data/REPOS/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37, CU 0x4136c8e, DIE 0x4204d39>, timeout=..., syncSendFlags=0x0) at ../../Source/WebKit2/Platform/IPC/MessageSender.h:58 #22 0x00007ffff29e5812 in WebKit::WebEditorClient::redo (this=0x6ffa80) at ../../Source/WebKit2/WebProcess/WebCoreSupport/WebEditorClient.cpp:280 #23 0x00007ffff31bde1e in WebCore::Editor::redo (this=0xa84360) at ../../Source/WebCore/editing/Editor.cpp:1617 #24 0x00007ffff31d3277 in WebCore::executeRedo (frame=...) at ../../Source/WebCore/editing/EditorCommand.cpp:977 #25 0x00007ffff31d5121 in WebCore::Editor::Command::execute (this=0x7fffffffc780, parameter=..., triggeringEvent=0x0) at ../../Source/WebCore/editing/EditorCommand.cpp:1726 #26 0x00007ffff3068d82 in WebCore::Document::execCommand (this=0xabf430, commandName=..., userInterface=0x0, value=...) at ../../Source/WebCore/dom/Document.cpp:4284 #27 0x00007ffff4064ccf in WebCore::jsDocumentPrototypeFunctionExecCommand (exec=0x7fffffffc880) at DerivedSources/WebCore/JSDocument.cpp:4526 #28 0x00007fff9b2060b4 in ?? () #29 0x00007fffffffc8e0 in ?? () #30 0x00007fffedbda6ae in llint_entry () from /home/reni/data/REPOS/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18 1217283 1 bfulgham 2016-08-03 17:04:35 -0700 This problem does not reproduce under GuardMalloc or ASAN under r204037. If you believe there is still a problem, please reopen this bug and provide an updated test case. 238364 2014-09-19 02:26:14 -0700 2014-09-19 02:26:14 -0700 Test case crash.html text/html 682 rhodovan.u-szeged PCFET0NUWVBFIGh0bWw+CjxzdHlsZT4KKiB7CiAgICBwb3NpdGlvbjphYnNvbHV0ZTsKfQo8L3N0 eWxlPgo8c2NyaXB0PgpvbmxvYWQgPSBmdW5jdGlvbigpIHsKICAgIGRvY3VtZW50LmRlc2lnbk1v ZGUgPSAnb24nOwogICAgZG9jdW1lbnQuZXhlY0NvbW1hbmQoInNlbGVjdEFsbCIsIGZhbHNlLCBu dWxsKTsKICAgIGRvY3VtZW50LmV4ZWNDb21tYW5kKCJpbnNlcnRQYXJhZ3JhcGgiLCB0cnVlLCBu dWxsKTsKICAgIGRvY3VtZW50LmV4ZWNDb21tYW5kKCJ1c2VDU1MiLCB0cnVlLCBmYWxzZSk7CiAg ICBkb2N1bWVudC5leGVjQ29tbWFuZCgiaW5zZXJ0T3JkZXJlZExpc3QiLCBmYWxzZSwgbnVsbCk7 CiAgICBkb2N1bWVudC5leGVjQ29tbWFuZCgiaW5zZXJ0T3JkZXJlZExpc3QiLCBmYWxzZSwgbnVs bCk7CiAgICBkb2N1bWVudC5leGVjQ29tbWFuZCgiaW5zZXJ0T3JkZXJlZExpc3QiLCBmYWxzZSwg bnVsbCk7CiAgICBkb2N1bWVudC5leGVjQ29tbWFuZCgidW5kbyIsIGZhbHNlLCBudWxsKTsKICAg IGRvY3VtZW50LmV4ZWNDb21tYW5kKCJpbnNlcnRPcmRlcmVkTGlzdCIsIGZhbHNlLCBudWxsKTsK ICAgIGRvY3VtZW50LmV4ZWNDb21tYW5kKCJyZWRvIiwgIGZhbHNlLCBudWxsKTsKfQo8L3Njcmlw dD4KPGxpPgogICAgPGI+CiAgICAgICAgPGVtYmVkPjwvZW1iZWQ+CiAgICA8L2I+CjwvbGk+Cg==