158273 2016-06-01 14:03:49 -0700 Crash under eventTargetRespectingTargetRules() 2016-06-01 14:41:57 -0700 1 1 1 Unclassified WebKit DOM WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 cdumez cdumez achristensen cdumez commit-queue esprehn+autocc kangil.han rniwa webkit-bug-importer oldest_to_newest 1198275 0 cdumez 2016-06-01 14:03:49 -0700 Crash under eventTargetRespectingTargetRules(): Thread[0] EXC_BAD_ACCESS (SIGSEGV) (KERN_INVALID_ADDRESS at 0x0000000000000014) [ 0] 0x00007fff8b857995 WebCore`WebCore::EventPath::EventPath(WebCore::Node&, WebCore::Event&) [inlined] WebCore::Node::getFlag(WebCore::Node::NodeFlags) const at Node.h:625:49 621 622 DefaultNodeFlags = IsParsingChildrenFinishedFlag 623 }; 624 -> 625 bool getFlag(NodeFlags mask) const { return m_nodeFlags & mask; } 626 void setFlag(bool f, NodeFlags mask) const { m_nodeFlags = (m_nodeFlags & ~mask) | (-(int32_t)f & mask); } 627 void setFlag(NodeFlags mask) const { m_nodeFlags |= mask; } 628 void clearFlag(NodeFlags mask) const { m_nodeFlags &= ~mask; } 629 0x00007fff8b85798a: testb %al, %al 0x00007fff8b85798c: movq %r15, %r14 0x00007fff8b85798f: je 0x5b3995 ; <+117> [inlined] WebCore::Node::getFlag(WebCore::Node::NodeFlags) const at Node.h:217 0x00007fff8b857991: movq 0x60(%r15), %r14 -> 0x00007fff8b857995: movl 0x14(%r14), %eax 0x00007fff8b857999: movl %eax, %ecx 0x00007fff8b85799b: andl $0x100004, %ecx ; imm = 0x100004 0x00007fff8b8579a1: cmpl $0x100004, %ecx ; imm = 0x100004 0x00007fff8b8579a7: jne 0x5b39cf ; <+175> [inlined] WebCore::Node::getFlag(WebCore::Node::NodeFlags) const + 4 at Node.h:221 [ 0] 0x00007fff8b857995 WebCore`WebCore::EventPath::EventPath(WebCore::Node&, WebCore::Event&) [inlined] WebCore::Node::isElementNode() const at Node.h:217 213 WEBCORE_EXPORT void remove(ExceptionCode&); 214 215 // Other methods (not part of DOM) 216 -> 217 bool isElementNode() const { return getFlag(IsElementFlag); } 218 bool isContainerNode() const { return getFlag(IsContainerFlag); } 219 bool isTextNode() const { return getFlag(IsTextFlag); } 220 bool isHTMLElement() const { return getFlag(IsHTMLFlag); } 221 bool isSVGElement() const { return getFlag(IsSVGFlag); } [ 0] 0x00007fff8b857995 WebCore`WebCore::EventPath::EventPath(WebCore::Node&, WebCore::Event&) [inlined] WebCore::Node::pseudoId() const at Node.h:227 223 224 bool isPseudoElement() const { return pseudoId() != NOPSEUDO; } 225 bool isBeforePseudoElement() const { return pseudoId() == BEFORE; } 226 bool isAfterPseudoElement() const { return pseudoId() == AFTER; } -> 227 PseudoId pseudoId() const { return (isElementNode() && hasCustomStyleResolveCallbacks()) ? customPseudoId() : NOPSEUDO; } 228 229 virtual bool isMediaControlElement() const { return false; } 230 virtual bool isMediaControls() const { return false; } 231 #if ENABLE(VIDEO_TRACK) [ 0] 0x00007fff8b857995 WebCore`WebCore::EventPath::EventPath(WebCore::Node&, WebCore::Event&) [inlined] WebCore::Node::isPseudoElement() const at Node.h:224 220 bool isHTMLElement() const { return getFlag(IsHTMLFlag); } 221 bool isSVGElement() const { return getFlag(IsSVGFlag); } 222 bool isMathMLElement() const { return getFlag(IsMathMLFlag); } 223 -> 224 bool isPseudoElement() const { return pseudoId() != NOPSEUDO; } 225 bool isBeforePseudoElement() const { return pseudoId() == BEFORE; } 226 bool isAfterPseudoElement() const { return pseudoId() == AFTER; } 227 PseudoId pseudoId() const { return (isElementNode() && hasCustomStyleResolveCallbacks()) ? customPseudoId() : NOPSEUDO; } 228 [ 0] 0x00007fff8b857995 WebCore`WebCore::EventPath::EventPath(WebCore::Node&, WebCore::Event&) [inlined] WTF::TypeCastTraits<WebCore::PseudoElement const, WebCore::Node const, false>::isType(WebCore::Node const&) at PseudoElement.h:83 [ 0] 0x00007fff8b857995 WebCore`WebCore::EventPath::EventPath(WebCore::Node&, WebCore::Event&) [inlined] WTF::TypeCastTraits<WebCore::PseudoElement const, WebCore::Node const, false>::isOfType(WebCore::Node const&) at PseudoElement.h:82 [ 0] 0x00007fff8b857995 WebCore`WebCore::EventPath::EventPath(WebCore::Node&, WebCore::Event&) [inlined] bool WTF::is<WebCore::PseudoElement, WebCore::Node>(WebCore::Node&) at TypeCasts.h:59 [ 0] 0x00007fff8b857995 WebCore`WebCore::EventPath::EventPath(WebCore::Node&, WebCore::Event&) [inlined] WebCore::EventPath::eventTargetRespectingTargetRules(WebCore::Node&) at EventPath.h:55 [ 0] 0x00007fff8b857995 WebCore`WebCore::EventPath::EventPath(WebCore::Node&, WebCore::Event&) + 117 at EventPath.cpp:94 [ 1] 0x00007fff8b84f47d WebCore`WebCore::EventDispatcher::dispatchEvent(WebCore::Node*, WebCore::Event&) + 77 at EventDispatcher.cpp:157:15 [ 2] 0x00007fff8b40cad3 WebCore`WebCore::AnimationControllerPrivate::fireEventsAndUpdateStyle() + 355 at AnimationController.cpp:208:13 [ 3] 0x00007fff8b581e66 WebCore`WebCore::AnimationControllerPrivate::animationTimerFired() + 182 at AnimationController.cpp:272:5 [ 4] 0x00007fff8b2b760f WebCore`WebCore::ThreadTimers::sharedTimerFiredInternal() + 175 at ThreadTimers.cpp:121:9 [ 5] 0x00007fff8b2b754e WebCore`WebCore::timerFired(__CFRunLoopTimer*, void*) + 30 at MainThreadSharedTimerCF.cpp:74:5 1198276 1 cdumez 2016-06-01 14:04:08 -0700 <rdar://problem/26343998> 1198280 2 280266 cdumez 2016-06-01 14:07:53 -0700 Created attachment 280266 Patch 1198294 3 280266 cdumez 2016-06-01 14:41:50 -0700 Comment on attachment 280266 Patch Clearing flags on attachment: 280266 Committed r201571: <http://trac.webkit.org/changeset/201571> 1198295 4 cdumez 2016-06-01 14:41:57 -0700 All reviewed patches have been landed. Closing bug. 280266 2016-06-01 14:07:53 -0700 2016-06-01 14:41:50 -0700 Patch bug-158273-20160601140911.patch text/plain 1805 cdumez U3VidmVyc2lvbiBSZXZpc2lvbjogMjAxNTU2CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggNGIxYWIxMmMyOTgxNTQ4 YmI5NGJjNGEyYmJlZTAxZDkxNDk5Yzc2Yy4uOWVjMzM2MzkwMWFhZjIyZWIxZTJjMmRlNzg2OWUw ZThhY2VjZmFhNCAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDIxIEBACisyMDE2LTA2LTAxICBDaHJp cyBEdW1leiAgPGNkdW1lekBhcHBsZS5jb20+CisKKyAgICAgICAgQ3Jhc2ggdW5kZXIgZXZlbnRU YXJnZXRSZXNwZWN0aW5nVGFyZ2V0UnVsZXMoKQorICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0 Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTU4MjczCisgICAgICAgIDxyZGFyOi8vcHJvYmxlbS8yNjM0 Mzk5OD4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBU aGUgY29kZSB3b3VsZCBjYWxsIG5vZGVPckhvc3RJZlBzZXVkb0VsZW1lbnQoKSwgd2hpY2ggY2Fu IHJldHVybiBudWxsCisgICAgICAgIGFuZCB0aGVuIGRlcmVmZXJlbmNlIGl0IGluIGV2ZW50VGFy Z2V0UmVzcGVjdGluZ1RhcmdldFJ1bGVzKCkgd2l0aG91dAorICAgICAgICBudWxsIGNoZWNrLiBU aGlzIHBhdGNoIGFkZHMgYSBudWxsIGNoZWNrLiBXaGVuIHRoZSBub2RlIGlzIG51bGwsIHRoZQor ICAgICAgICB3aGlsZSBsb29wIGFmdGVyIHdpbGwgZG8gbm90aGluZyBhbmQgdGh1cyB0aGUgdGFy Z2V0IHdpbGwgbm90IGJlIHVzZWQuCisKKyAgICAgICAgTm8gbmV3IHRlc3RzLCB3ZSBkbyBub3Qg aGF2ZSBhIGdvb2QgcmVwcm9kdWN0aW9uIGNhc2UuCisKKyAgICAgICAgKiBkb20vRXZlbnRQYXRo LmNwcDoKKyAgICAgICAgKFdlYkNvcmU6OkV2ZW50UGF0aDo6RXZlbnRQYXRoKToKKwogMjAxNi0w Ni0wMSAgWW91ZW5uIEZhYmxldCAgPHlvdWVubi5mYWJsZXRAY3JmLmNhbm9uLmZyPgogCiAgICAg ICAgIFJlbW92ZSBhbGxvY2F0aW9uIG9mIFN1YnJlc291cmNlTG9hZGVyOjptX3JlcXVlc3RDb3Vu dFRyYWNrZXIKZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJDb3JlL2RvbS9FdmVudFBhdGguY3BwIGIv U291cmNlL1dlYkNvcmUvZG9tL0V2ZW50UGF0aC5jcHAKaW5kZXggYmI5YzM2MzI5OTIxZWUwNjdl ZmVlOTcyZjVhNjQ2ZjYwZWUzODYwZC4uN2VlNGJlOWRlNWFiYzM4MTY1ZDE1ZmE4YWQ4NWY1MDU4 ZTM5ZjBkNyAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvZG9tL0V2ZW50UGF0aC5jcHAKKysr IGIvU291cmNlL1dlYkNvcmUvZG9tL0V2ZW50UGF0aC5jcHAKQEAgLTkxLDcgKzkxLDcgQEAgRXZl bnRQYXRoOjpFdmVudFBhdGgoTm9kZSYgb3JpZ2luYWxUYXJnZXQsIEV2ZW50JiBldmVudCkKICAg ICBib29sIGlzVG91Y2hFdmVudCA9IGV2ZW50LmlzVG91Y2hFdmVudCgpOwogI2VuZGlmCiAgICAg Tm9kZSogbm9kZSA9IG5vZGVPckhvc3RJZlBzZXVkb0VsZW1lbnQoJm9yaWdpbmFsVGFyZ2V0KTsK LSAgICBOb2RlKiB0YXJnZXQgPSBldmVudFRhcmdldFJlc3BlY3RpbmdUYXJnZXRSdWxlcygqbm9k ZSk7CisgICAgTm9kZSogdGFyZ2V0ID0gbm9kZSA/IGV2ZW50VGFyZ2V0UmVzcGVjdGluZ1Rhcmdl dFJ1bGVzKCpub2RlKSA6IG51bGxwdHI7CiAgICAgd2hpbGUgKG5vZGUpIHsKICAgICAgICAgd2hp bGUgKG5vZGUpIHsKICAgICAgICAgICAgIEV2ZW50VGFyZ2V0KiBjdXJyZW50VGFyZ2V0ID0gZXZl bnRUYXJnZXRSZXNwZWN0aW5nVGFyZ2V0UnVsZXMoKm5vZGUpOwo=