156715 2016-04-18 13:43:03 -0700 Crash in ElementDescendantIterator::operator--() when calling m_ancestorSiblingStack.last() 2016-04-18 15:36:09 -0700 1 1 1 Unclassified WebKit DOM WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 cdumez cdumez commit-queue esprehn+autocc kangil.han kling koivisto webkit-bug-importer oldest_to_newest 1184798 0 cdumez 2016-04-18 13:43:03 -0700 Crash in ElementDescendantIterator::operator--() when calling m_ancestorSiblingStack.last(): Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.JavaScriptCore 0x000000010f369b57 WTFCrash + 39 (Assertions.cpp:322) 1 com.apple.WebCore 0x000000011158a7d9 WTF::CrashOnOverflow::crash() + 9 2 com.apple.WebCore 0x000000011158a7c9 WTF::CrashOnOverflow::overflowed() + 9 3 com.apple.WebCore 0x00000001115a6f9b WTF::Vector<WebCore::Element*, 16ul, WTF::CrashOnOverflow, 16ul>::at(unsigned long) + 75 (Vector.h:660) 4 com.apple.WebCore 0x00000001115a6e1b WTF::Vector<WebCore::Element*, 16ul, WTF::CrashOnOverflow, 16ul>::last() + 43 (Vector.h:700) 5 com.apple.WebCore 0x00000001115a68c4 WebCore::ElementDescendantIterator::operator--() + 244 (ElementDescendantIterator.h:174) 6 com.apple.WebCore 0x000000011391a674 void WebCore::CollectionTraversal<(WebCore::CollectionTraversalType)0>::traverseBackward<WebCore::HTMLTagCollection>(WebCore::HTMLTagCollection const&, WebCore::ElementDescendantIterator&, unsigned int) + 148 (CollectionTraversal.h:108) 7 com.apple.WebCore 0x000000011391a45b WebCore::CachedHTMLCollection<WebCore::HTMLTagCollection, (WebCore::CollectionTraversalType)0>::collectionTraverseBackward(WebCore::ElementDescendantIterator&, unsigned int) const + 43 (CachedHTMLCollection.h:53) 8 com.apple.WebCore 0x000000011391a30a WebCore::CollectionIndexCache<WebCore::HTMLTagCollection, WebCore::ElementDescendantIterator>::traverseBackwardTo(WebCore::HTMLTagCollection const&, unsigned int) + 586 (CollectionIndexCache.h:125) 9 com.apple.WebCore 0x00000001139197fe WebCore::CollectionIndexCache<WebCore::HTMLTagCollection, WebCore::ElementDescendantIterator>::nodeAt(WebCore::HTMLTagCollection const&, unsigned int) + 302 (CollectionIndexCache.h:181) 10 com.apple.WebCore 0x0000000113916654 WebCore::CachedHTMLCollection<WebCore::HTMLTagCollection, (WebCore::CollectionTraversalType)0>::item(unsigned int) const + 52 (CachedHTMLCollection.h:43) 11 com.apple.WebCore 0x0000000112814009 WebCore::jsHTMLCollectionPrototypeFunctionItem(JSC::ExecState*) + 537 (JSHTMLCollection.cpp:239) 12 ??? 0x0000304244001028 0 + 53061166829608 1184799 1 cdumez 2016-04-18 13:43:29 -0700 rdar://problem/25750864 1184815 2 276671 cdumez 2016-04-18 14:32:49 -0700 Created attachment 276671 Patch 1184837 3 276671 commit-queue 2016-04-18 15:36:03 -0700 Comment on attachment 276671 Patch Clearing flags on attachment: 276671 Committed r199693: <http://trac.webkit.org/changeset/199693> 1184838 4 commit-queue 2016-04-18 15:36:09 -0700 All reviewed patches have been landed. Closing bug. 276671 2016-04-18 14:32:49 -0700 2016-04-18 15:36:03 -0700 Patch bug-156715-20160418143307.patch text/plain 4864 cdumez U3VidmVyc2lvbiBSZXZpc2lvbjogMTk5NjY5CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggYTRmYTNhNTE2ZWI0N2Rj NGE3NWMzNjEwMmQ5ZWMxOThkODkwMzk0NS4uYTIzYTEwNWVlOWFjNTljNWI3M2YxNGExMTI2OGI5 MzZhOWI0N2RjMyAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSw1ICsxLDI2IEBACiAyMDE2LTA0LTE4ICBDaHJp cyBEdW1leiAgPGNkdW1lekBhcHBsZS5jb20+CiAKKyAgICAgICAgQ3Jhc2ggaW4gRWxlbWVudERl c2NlbmRhbnRJdGVyYXRvcjo6b3BlcmF0b3ItLSgpIHdoZW4gY2FsbGluZyBtX2FuY2VzdG9yU2li bGluZ1N0YWNrLmxhc3QoKQorICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1 Zy5jZ2k/aWQ9MTU2NzE1CisgICAgICAgIDxyZGFyOi8vcHJvYmxlbS8yNTc1MDg2ND4KKworICAg ICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBGaXggY29ycmVjdG5l c3Mgb2YgRWxlbWVudERlc2NlbmRhbnRJdGVyYXRvcjo6b3BlcmF0b3ItLSgpLiBUaGUgbGFzdCBl bGVtZW50CisgICAgICAgIGluIHRoZSBtX2FuY2VzdG9yU2libGluZ1N0YWNrIHN0YWNrIGlzIG51 bGxwdHIuIEhvd2V2ZXIsIGlmIG91ciBwYXJlbnQgZG9lcworICAgICAgICBub3QgaGF2ZSBhIHNp YmxpbmcsIG1fY3VycmVudC0+bmV4dFNpYmxpbmcoKSA9PSBtX2FuY2VzdG9yU2libGluZ1N0YWNr Lmxhc3QoKQorICAgICAgICB3b3VsZCBiZSB0cnVlIGFuZCB3ZSB3b3VsZCBlbmQgdXAgcmVtb3Zp bmcgdGhlIG51bGxwdHIgZWxlbWVudCBmcm9tCisgICAgICAgIG1fYW5jZXN0b3JTaWJsaW5nU3Rh Y2suIFdlIHdvdWxkIGNyYXNoIG9uIGEgZm9sbG93LXVwIGNhbGwgdG8gb3BlcmF0b3ItLSgpCisg ICAgICAgIGJlY2F1c2UgbV9hbmNlc3RvclNpYmxpbmdTdGFjay5sYXN0KCkgd291bGQgZG8gYW4g b3V0LW9mLWJvdW5kIGFjY2VzcywgZ2l2ZW4KKyAgICAgICAgdGhhdCBtX2FuY2VzdG9yU2libGlu Z1N0YWNrIGlzIGVtcHR5LgorCisgICAgICAgIFRlc3Q6IGZhc3QvZG9tL2NvbGxlY3Rpb24tYmFj a3dhcmQtdHJhdmVyc2FsLWNyYXNoLmh0bWwKKworICAgICAgICAqIGRvbS9FbGVtZW50RGVzY2Vu ZGFudEl0ZXJhdG9yLmg6CisgICAgICAgIChXZWJDb3JlOjpFbGVtZW50RGVzY2VuZGFudEl0ZXJh dG9yOjpvcGVyYXRvci0tKToKKworMjAxNi0wNC0xOCAgQ2hyaXMgRHVtZXogIDxjZHVtZXpAYXBw bGUuY29tPgorCiAgICAgICAgIFVucmV2aWV3ZWQsIHJvbGxpbmcgb3V0IHIxOTk2NDQuCiAKICAg ICAgICAgU2VlbXMgdG8gaGF2ZSBjYXVzZWQgYSAxLTIlIHJlZ3Jlc3Npb24gb24gd2FybSBQTFQK ZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJDb3JlL2RvbS9FbGVtZW50RGVzY2VuZGFudEl0ZXJhdG9y LmggYi9Tb3VyY2UvV2ViQ29yZS9kb20vRWxlbWVudERlc2NlbmRhbnRJdGVyYXRvci5oCmluZGV4 IDEyYTIyYWY5MzNmODA3NzU4NmY0MjdjOGM4MWY2ZmQ2YTZkYjJmMjUuLjgzZmVmYmY1YmNhYmNh YWRkMzk4MTM5ZTI0NjU1ZTdhNmZkY2JjYzcgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJDb3JlL2Rv bS9FbGVtZW50RGVzY2VuZGFudEl0ZXJhdG9yLmgKKysrIGIvU291cmNlL1dlYkNvcmUvZG9tL0Vs ZW1lbnREZXNjZW5kYW50SXRlcmF0b3IuaApAQCAtMTcxLDcgKzE3MSw3IEBAIEFMV0FZU19JTkxJ TkUgRWxlbWVudERlc2NlbmRhbnRJdGVyYXRvciYgRWxlbWVudERlc2NlbmRhbnRJdGVyYXRvcjo6 b3BlcmF0b3ItLSgpCiAgICAgaWYgKCFwcmV2aW91c1NpYmxpbmcpIHsKICAgICAgICAgbV9jdXJy ZW50ID0gbV9jdXJyZW50LT5wYXJlbnRFbGVtZW50KCk7CiAgICAgICAgIC8vIFRoZSBzdGFjayBv cHRpbWl6ZXMgZm9yIGZvcndhcmQgdHJhdmVyc2FsIG9ubHksIHRoaXMganVzdCBtYWludGFpbnMg Y29uc2lzdGVuY3kuCi0gICAgICAgIGlmIChtX2N1cnJlbnQtPm5leHRTaWJsaW5nKCkgPT0gbV9h bmNlc3RvclNpYmxpbmdTdGFjay5sYXN0KCkpCisgICAgICAgIGlmIChtX2N1cnJlbnQtPm5leHRT aWJsaW5nKCkgJiYgbV9jdXJyZW50LT5uZXh0U2libGluZygpID09IG1fYW5jZXN0b3JTaWJsaW5n U3RhY2subGFzdCgpKQogICAgICAgICAgICAgbV9hbmNlc3RvclNpYmxpbmdTdGFjay5yZW1vdmVM YXN0KCk7CiAgICAgICAgIHJldHVybiAqdGhpczsKICAgICB9CmRpZmYgLS1naXQgYS9MYXlvdXRU ZXN0cy9DaGFuZ2VMb2cgYi9MYXlvdXRUZXN0cy9DaGFuZ2VMb2cKaW5kZXggMGEzYjhhY2I3NTg1 ZDkyY2M5OTE1NTBmYWI4ODVhMjc3ODNmYTRmOS4uMDJlYjEzNTBiNTY4NzkyODNiM2Q3NzZhNTdj YTEwMmI2MTgyODI2YSAxMDA2NDQKLS0tIGEvTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCisrKyBiL0xh eW91dFRlc3RzL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE2IEBACisyMDE2LTA0LTE4ICBDaHJpcyBE dW1leiAgPGNkdW1lekBhcHBsZS5jb20+CisKKyAgICAgICAgQ3Jhc2ggaW4gRWxlbWVudERlc2Nl bmRhbnRJdGVyYXRvcjo6b3BlcmF0b3ItLSgpIHdoZW4gY2FsbGluZyBtX2FuY2VzdG9yU2libGlu Z1N0YWNrLmxhc3QoKQorICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5j Z2k/aWQ9MTU2NzE1CisgICAgICAgIDxyZGFyOi8vcHJvYmxlbS8yNTc1MDg2ND4KKworICAgICAg ICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBBZGQgcmVncmVzc2lvbiB0 ZXN0IHRoYXQgcmVwcm9kdWNlZCB0aGUgY3Jhc2guCisKKyAgICAgICAgKiBmYXN0L2RvbS9jb2xs ZWN0aW9uLWJhY2t3YXJkLXRyYXZlcnNhbC1jcmFzaC1leHBlY3RlZC50eHQ6IEFkZGVkLgorICAg ICAgICAqIGZhc3QvZG9tL2NvbGxlY3Rpb24tYmFja3dhcmQtdHJhdmVyc2FsLWNyYXNoLmh0bWw6 IEFkZGVkLgorCiAyMDE2LTA0LTE4ICBFcmljIENhcmxzb24gIDxlcmljLmNhcmxzb25AYXBwbGUu Y29tPgogCiAgICAgICAgIE1lZGlhIGVsZW1lbnQgInVzZXIgZ2VzdHVyZSBmb3IgZnVsbHNjcmVl biIgcmVzdHJpY3Rpb24gaXMgbmV2ZXIgbGlmdGVkCmRpZmYgLS1naXQgYS9MYXlvdXRUZXN0cy9m YXN0L2RvbS9jb2xsZWN0aW9uLWJhY2t3YXJkLXRyYXZlcnNhbC1jcmFzaC1leHBlY3RlZC50eHQg Yi9MYXlvdXRUZXN0cy9mYXN0L2RvbS9jb2xsZWN0aW9uLWJhY2t3YXJkLXRyYXZlcnNhbC1jcmFz aC1leHBlY3RlZC50eHQKbmV3IGZpbGUgbW9kZSAxMDA2NDQKaW5kZXggMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMC4uMTllYjBjYjRiYjM2MzNlYjgwNzRkYzRiMDc3MDM2 ZDllZGY2YWU1NwotLS0gL2Rldi9udWxsCisrKyBiL0xheW91dFRlc3RzL2Zhc3QvZG9tL2NvbGxl Y3Rpb24tYmFja3dhcmQtdHJhdmVyc2FsLWNyYXNoLWV4cGVjdGVkLnR4dApAQCAtMCwwICsxLDEz IEBACitUZXN0cyB0aGF0IGJhY2t3YXJkIHRyYXZlcnNhbCBvZiBhbiBIVE1MQ29sbGVjdGlvbiB3 b3JrcyBhcyBleHBlY3RlZCBhbmQgZG9lcyBub3QgY3Jhc2guCisKK09uIHN1Y2Nlc3MsIHlvdSB3 aWxsIHNlZSBhIHNlcmllcyBvZiAiUEFTUyIgbWVzc2FnZXMsIGZvbGxvd2VkIGJ5ICJURVNUIENP TVBMRVRFIi4KKworCitQQVNTIGRpdnMuaXRlbSgzKS5pZCBpcyAiRCIKK1BBU1MgZGl2cy5pdGVt KDIpLmlkIGlzICJDIgorUEFTUyBkaXZzLml0ZW0oMSkuaWQgaXMgIkIiCitQQVNTIGRpdnMuaXRl bSgwKS5pZCBpcyAiQSIKK1BBU1Mgc3VjY2Vzc2Z1bGx5UGFyc2VkIGlzIHRydWUKKworVEVTVCBD T01QTEVURQorCmRpZmYgLS1naXQgYS9MYXlvdXRUZXN0cy9mYXN0L2RvbS9jb2xsZWN0aW9uLWJh Y2t3YXJkLXRyYXZlcnNhbC1jcmFzaC5odG1sIGIvTGF5b3V0VGVzdHMvZmFzdC9kb20vY29sbGVj dGlvbi1iYWNrd2FyZC10cmF2ZXJzYWwtY3Jhc2guaHRtbApuZXcgZmlsZSBtb2RlIDEwMDY0NApp bmRleCAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwLi43Zjk2ZjI2ZjBi YTQyMzc4NjhhMGQ2NjVmZjcyZWRkYmY5ODY0ODZhCi0tLSAvZGV2L251bGwKKysrIGIvTGF5b3V0 VGVzdHMvZmFzdC9kb20vY29sbGVjdGlvbi1iYWNrd2FyZC10cmF2ZXJzYWwtY3Jhc2guaHRtbApA QCAtMCwwICsxLDE4IEBACis8IURPQ1RZUEUgaHRtbD4KKzxodG1sPgorPGJvZHk+Cis8c2NyaXB0 IHNyYz0iLi4vLi4vcmVzb3VyY2VzL2pzLXRlc3QtcHJlLmpzIj48L3NjcmlwdD4KKzxkaXYgaWQ9 InRlc3RBcmVhIj48ZGl2IGlkPSJBIj48ZGl2IGlkPSJCIj48ZGl2IGlkPSJDIj48ZGl2IGlkPSJE Ij48L2Rpdj48L2Rpdj48L2Rpdj48L2Rpdj48L2Rpdj4KKzxzY3JpcHQ+CitkZXNjcmlwdGlvbigi VGVzdHMgdGhhdCBiYWNrd2FyZCB0cmF2ZXJzYWwgb2YgYW4gSFRNTENvbGxlY3Rpb24gd29ya3Mg YXMgZXhwZWN0ZWQgYW5kIGRvZXMgbm90IGNyYXNoLiIpOworCit2YXIgdGVzdEFyZWEgPSBkb2N1 bWVudC5nZXRFbGVtZW50QnlJZCgidGVzdEFyZWEiKTsKK3ZhciBkaXZzID0gdGVzdEFyZWEuZ2V0 RWxlbWVudHNCeVRhZ05hbWUoImRpdiIpOworc2hvdWxkQmVFcXVhbFRvU3RyaW5nKCJkaXZzLml0 ZW0oMykuaWQiLCAiRCIpOworc2hvdWxkQmVFcXVhbFRvU3RyaW5nKCJkaXZzLml0ZW0oMikuaWQi LCAiQyIpOworc2hvdWxkQmVFcXVhbFRvU3RyaW5nKCJkaXZzLml0ZW0oMSkuaWQiLCAiQiIpOwor c2hvdWxkQmVFcXVhbFRvU3RyaW5nKCJkaXZzLml0ZW0oMCkuaWQiLCAiQSIpOworPC9zY3JpcHQ+ Cis8c2NyaXB0IHNyYz0iLi4vLi4vcmVzb3VyY2VzL2pzLXRlc3QtcG9zdC5qcyI+PC9zY3JpcHQ+ Cis8L2JvZHk+Cis8L2h0bWw+Cg==