184390 2018-04-07 19:23:52 -0700 REGRESSION (r226138): WebCore::subdivide() may return an empty vector; Web process can crash when performing find in Epiphany 2018-08-29 16:46:18 -0700 1 1 1 Unclassified WebKit WebKitGTK Other All All RESOLVED FIXED https://bugs.webkit.org/show_bug.cgi?id=189119 InRadar P2 Major --- 1 bouanto dbates beau.adkins bugs-noreply darin dbates hyatt mcatanzaro mmaxfield pnormand rniwa sabouhallawa simon.fraser webkit-bug-importer zalan zan oldest_to_newest 1412656 0 bouanto 2018-04-07 19:23:52 -0700 Hi. Since recently, searching text in a web page can crash the process. For instance, on this web page (http://gtk-rs.org/docs/gtk/trait.WidgetExt.html) I search for "event" in Epiphany and press down the Enter key (without releasing it) and it will eventually crash. Thanks to fix this issue. 1412714 1 mcatanzaro 2018-04-08 08:27:40 -0700 Please post a backtrace 1415185 2 mcatanzaro 2018-04-17 09:47:22 -0700 Closing since no backtrace was provided 1415205 3 pnormand 2018-04-17 10:28:49 -0700 I can reproduce the issue in Debian Sid, webkit2gtk 2.20.0 (gdb) bt #0 0x00007f2acc0e40fc in WTFCrash() () at ./Source/WTF/wtf/Assertions.cpp:271 #1 0x00007f2ad134f0bd in WTF::VectorBufferBase<WebCore::InlineTextBox::StyledMarkedText, WTF::FastMalloc>::allocateBuffer(unsigned long) (newCapacity=<optimized out>, this=<optimized out>) at ./obj-x86_64-linux-gnu/DerivedSources/ForwardingHeaders/wtf/Vector.h:267 #2 0x00007f2ad134f0bd in WTF::Vector<WebCore::InlineTextBox::StyledMarkedText, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::reserveInitialCapacity(unsigned long) (initialCapacity=<optimized out>, this=<optimized out>) at ./obj-x86_64-linux-gnu/DerivedSources/ForwardingHeaders/wtf/Vector.h:1216 #3 0x00007f2ad134f0bd in WebCore::InlineTextBox::subdivideAndResolveStyle(WTF::Vector<WebCore::MarkedText, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WebCore::InlineTextBox::MarkedTextStyle const&, WebCore::PaintInfo const&) (this=this@entry=0x7f2a03e009a0, textsToSubdivide=..., baseStyle=..., paintInfo=...) at ./Source/WebCore/rendering/InlineTextBox.cpp:790 #4 0x00007f2ad1356bf5 in WebCore::InlineTextBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) (this=0x7f2a03e009a0, paintInfo=..., paintOffset=...) at ./Source/WebCore/rendering/InlineTextBox.cpp:519 #5 0x00007f2ad1355959 in WebCore::InlineFlowBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) (this=this@entry=0x7f2a03003678, paintInfo=..., paintOffset=..., lineTop=..., lineBottom=...) at ./Source/WebCore/rendering/InlineFlowBox.cpp:1208 #6 0x00007f2ad150a2fc in WebCore::RootInlineBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) (this=0x7f2a03003678, paintInfo=..., paintOffset=..., lineTop=..., lineBottom=...) at ./Source/WebCore/rendering/RootInlineBox.cpp:170 #7 0x00007f2ad1476431 in WebCore::RenderLineBoxList::paint(WebCore::RenderBoxModelObject*, WebCore::PaintInfo&, WebCore::LayoutPoint const&) const (this=0x7f2a30a001f8, renderer=0x7f2a30a00108, paintInfo=..., paintOffset=...) at ./Source/WebCore/rendering/RenderLineBoxList.cpp:260 #8 0x00007f2ad1366bd7 in WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (this=<optimized out>, paintInfo=..., paintOffset=...) at ./Source/WebCore/rendering/RenderBlock.cpp:1111 #9 0x00007f2ad13832af in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (this=0x7f2a30a00108, paintInfo=..., paintOffset=...) at ./Source/WebCore/rendering/RenderBlock.cpp:1247 #10 0x00007f2ad1362b77 in WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (this=0x7f2a30a00108, paintInfo=..., paintOffset=...) at ./Source/WebCore/rendering/RenderBlock.cpp:1090 #11 0x00007f2ad1366cc5 in WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool, WebCore::RenderBlock::PaintBlockType) (this=this@entry=0x7f2a38300738, child=..., paintInfo=..., paintOffset=..., paintInfoForChild=..., usePrintRect=usePrintRect@entry=false, paintType=WebCore::RenderBlock::PaintAsBlock) at ./Source/WebCore/rendering/RenderBlock.cpp:1167 #12 0x00007f2ad1367086 in WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) (this=0x7f2a38300738, paintInfo=..., paintOffset=..., paintInfoForChild=..., usePrintRect=false) at ./Source/WebCore/rendering/RenderBlock.cpp:1131 #13 0x00007f2ad1366bb5 in WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (this=<optimized out>, paintInfo=..., paintOffset=...) at ./Source/WebCore/rendering/RenderBlock.cpp:1124 #14 0x00007f2ad13832af in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (this=0x7f2a38300738, paintInfo=..., paintOffset=...) at ./Source/WebCore/rendering/RenderBlock.cpp:1247 #15 0x00007f2ad1362b77 in WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (this=0x7f2a38300738, paintInfo=..., paintOffset=...) at ./Source/WebCore/rendering/RenderBlock.cpp:1090 #16 0x00007f2ad1366cc5 in WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool, WebCore::RenderBlock::PaintBlockType) (this=this@entry=0x7f2a38300528, child=..., paintInfo=..., paintOffset=..., paintInfoForChild=..., usePrintRect=usePrintRect@entry=false, paintType=WebCore::RenderBlock::PaintAsBlock) at ./Source/WebCore/rendering/RenderBlock.cpp:1167 #17 0x00007f2ad1367086 in WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) (this=0x7f2a38300528, paintInfo=..., paintOffset=..., paintInfoForChild=..., usePrintRect=false) at ./Source/WebCore/rendering/RenderBlock.cpp:1131 #18 0x00007f2ad1366bb5 in WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (this=<optimized out>, paintInfo=..., paintOffset=...) at ./Source/WebCore/rendering/RenderBlock.cpp:1124 #19 0x00007f2ad13832af in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (this=0x7f2a38300528, paintInfo=..., paintOffset=...) at ./Source/WebCore/rendering/RenderBlock.cpp:1247 #20 0x00007f2ad1362b77 in WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (this=0x7f2a38300528, paintInfo=..., paintOffset=...) at ./Source/WebCore/rendering/RenderBlock.cpp:1090 #21 0x00007f2ad1366cc5 in WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool, WebCore::RenderBlock::PaintBlockType) (this=this@entry=0x7f2a38300420, child=..., paintInfo=..., paintOffset=..., paintInfoForChild=..., usePrintRect=usePrintRect@entry=false, paintType=WebCore::RenderBlock::PaintAsBlock) at ./Source/WebCore/rendering/RenderBlock.cpp:1167 #22 0x00007f2ad1367086 in WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) (this=0x7f2a38300420, paintInfo=..., paintOffset=..., paintInfoForChild=..., usePrintRect=false) at ./Source/WebCore/rendering/RenderBlock.cpp:1131 #23 0x00007f2ad1366bb5 in WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (this=<optimized out>, paintInfo=..., paintOffset=...) ---Type <return> to continue, or q <return> to quit--- at ./Source/WebCore/rendering/RenderBlock.cpp:1124 #24 0x00007f2ad13832af in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (this=0x7f2a38300420, paintInfo=..., paintOffset=...) at ./Source/WebCore/rendering/RenderBlock.cpp:1247 #25 0x00007f2ad1362b77 in WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (this=0x7f2a38300420, paintInfo=..., paintOffset=...) at ./Source/WebCore/rendering/RenderBlock.cpp:1090 #26 0x00007f2ad1366cc5 in WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool, WebCore::RenderBlock::PaintBlockType) (this=this@entry=0x7f2a38300210, child=..., paintInfo=..., paintOffset=..., paintInfoForChild=..., usePrintRect=usePrintRect@entry=false, paintType=WebCore::RenderBlock::PaintAsBlock) at ./Source/WebCore/rendering/RenderBlock.cpp:1167 #27 0x00007f2ad1367086 in WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) (this=0x7f2a38300210, paintInfo=..., paintOffset=..., paintInfoForChild=..., usePrintRect=false) at ./Source/WebCore/rendering/RenderBlock.cpp:1131 #28 0x00007f2ad1366bb5 in WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (this=<optimized out>, paintInfo=..., paintOffset=...) at ./Source/WebCore/rendering/RenderBlock.cpp:1124 #29 0x00007f2ad13832af in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (this=0x7f2a38300210, paintInfo=..., paintOffset=...) at ./Source/WebCore/rendering/RenderBlock.cpp:1247 #30 0x00007f2ad1362b77 in WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (this=0x7f2a38300210, paintInfo=..., paintOffset=...) at ./Source/WebCore/rendering/RenderBlock.cpp:1090 #31 0x00007f2ad143440b in WebCore::RenderLayer::paintForegroundForFragmentsWithPhase(WebCore::PaintPhase, WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int, WebCore::RenderObject*) (this=this@entry= 0x7f2a590a0480, phase=phase@entry=WebCore::PaintPhaseForeground, layerFragments=..., context=..., localPaintingInfo=..., paintBehavior=paintBehavior@entry=2048, subtreePaintRootForRenderer=0x0) at ./Source/WebCore/rendering/RenderLayer.cpp:4847 #32 0x00007f2ad14436e2 in WebCore::RenderLayer::paintForegroundForFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WebCore::GraphicsContext&, WebCore::GraphicsContext&, WebCore::LayoutRect const&, bool, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int, WebCore::RenderObject*) (this=this@entry=0x7f2a590a0480, layerFragments=..., context=..., contextForTransparencyLayer=..., transparencyPaintDirtyRect=..., haveTransparency=haveTransparency@entry=false, localPaintingInfo=..., paintBehavior=2048, subtreePaintRootForRenderer=0x0) at ./Source/WebCore/rendering/RenderLayer.cpp:4824 #33 0x00007f2ad145b96e in WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) (this=<optimized out>, context=..., paintingInfo=..., paintFlags=paintFlags@entry=96) at ./Source/WebCore/rendering/RenderLayer.cpp:4431 #34 0x00007f2ad145d029 in WebCore::RenderLayerBacking::paintIntoLayer(WebCore::GraphicsLayer const*, WebCore::GraphicsContext&, WebCore::IntRect const&, unsigned int, unsigned int) (this=0x7f2a333772c0, graphicsLayer=0x7f2a6857f200, context=..., paintDirtyRect=..., paintBehavior=2048, paintingPhase=<optimized out>) at ./Source/WebCore/rendering/RenderLayerBacking.cpp:2525 #35 0x00007f2ad145d2fe in WebCore::RenderLayerBacking::paintContents(WebCore::GraphicsLayer const*, WebCore::GraphicsContext&, unsigned int, WebCore::FloatRect const&, unsigned int) (this=0x7f2a333772c0, graphicsLayer=0x7f2a6857f200, context=..., paintingPhase=3, clip=..., layerPaintBehavior=2) at ./Source/WebCore/rendering/RenderLayerBacking.cpp:2572 #36 0x00007f2ad1253a3e in WebCore::GraphicsLayer::paintGraphicsLayerContents(WebCore::GraphicsContext&, WebCore::FloatRect const&, unsigned int) (this=this@entry=0x7f2a6857f200, context=..., clip=..., layerPaintBehavior=layerPaintBehavior@entry=0) at ./Source/WebCore/platform/graphics/GraphicsLayer.cpp:434 #37 0x00007f2ad05694bf in Nicosia::PaintingEngineBasic::<lambda(WebCore::GraphicsContext&)>::operator() (context=..., __closure=0x7ffcf32ee460) at ./Source/WebCore/platform/graphics/nicosia/NicosiaPaintingEngineBasic.cpp:64 #38 0x00007f2ad05694bf in Nicosia::PaintingContext::paint<Nicosia::PaintingEngineBasic::paint(WebCore::GraphicsLayer&, WTF::Ref<Nicosia::Buffer>&&, const WebCore::IntRect&, const WebCore::IntRect&, const WebCore::IntRect&, float)::<lambda(WebCore::GraphicsContext&)> > (paintFunctor=..., buffer=...) at ./Source/WebCore/platform/graphics/nicosia/NicosiaPaintingContext.h:48 #39 0x00007f2ad05694bf in Nicosia::PaintingEngineBasic::paint(WebCore::GraphicsLayer&, WTF::Ref<Nicosia::Buffer, WTF::DumbPtrTraits<Nicosia::Buffer> >&&, WebCore::IntRect const&, WebCore::IntRect const&, WebCore::IntRect const&, float) (this=this@entry=0x7f2a53290b08, layer= ..., buffer=buffer@entry=<unknown type in /usr/lib/debug/.build-id/8f/da266c836ca74e8c2affb15bf7b4081fac83fe.debug, CU 0xfda9219, DIE 0xfe09132>, sourceRect=..., mappedSourceRect=..., targetRect=..., contentsScale=contentsScale@entry=2) at ./Source/WebCore/platform/graphics/nicosia/NicosiaPaintingEngineBasic.cpp:47 #40 0x00007f2ad0564fd3 in WebCore::CoordinatedGraphicsLayer::updateContentBuffers() (this=0x7f2a6857f200) at ./Source/WebCore/platform/graphics/texmap/coordinated/CoordinatedGraphicsLayer.cpp:977 #41 0x00007f2ad0565183 in WebCore::CoordinatedGraphicsLayer::updateContentBuffersIncludingSubLayers() (this=0x7f2a6857f200) at ./Source/WebCore/platform/graphics/texmap/coordinated/CoordinatedGraphicsLayer.cpp:927 #42 0x00007f2ad05651ac in WebCore::CoordinatedGraphicsLayer::updateContentBuffersIncludingSubLayers() (this=<optimized out>) at ./Source/WebCore/platform/graphics/texmap/coordinated/CoordinatedGraphicsLayer.cpp:930 #43 0x00007f2ad05651ac in WebCore::CoordinatedGraphicsLayer::updateContentBuffersIncludingSubLayers() (this=<optimized out>) ---Type <return> to continue, or q <return> to quit--- at ./Source/WebCore/platform/graphics/texmap/coordinated/CoordinatedGraphicsLayer.cpp:930 #44 0x00007f2ad05651ac in WebCore::CoordinatedGraphicsLayer::updateContentBuffersIncludingSubLayers() (this=<optimized out>) at ./Source/WebCore/platform/graphics/texmap/coordinated/CoordinatedGraphicsLayer.cpp:930 #45 0x00007f2ad05651ac in WebCore::CoordinatedGraphicsLayer::updateContentBuffersIncludingSubLayers() (this=<optimized out>) at ./Source/WebCore/platform/graphics/texmap/coordinated/CoordinatedGraphicsLayer.cpp:930 #46 0x00007f2ad05651ac in WebCore::CoordinatedGraphicsLayer::updateContentBuffersIncludingSubLayers() (this=<optimized out>) at ./Source/WebCore/platform/graphics/texmap/coordinated/CoordinatedGraphicsLayer.cpp:930 #47 0x00007f2ad05651ac in WebCore::CoordinatedGraphicsLayer::updateContentBuffersIncludingSubLayers() (this=this@entry=0x7f2a685c8400) at ./Source/WebCore/platform/graphics/texmap/coordinated/CoordinatedGraphicsLayer.cpp:930 #48 0x00007f2ad0542e10 in WebKit::CompositingCoordinator::flushPendingLayerChanges() (this=this@entry=0x7f2ab84e53b8) at ./Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/CompositingCoordinator.cpp:124 #49 0x00007f2ad05430cc in WebKit::CoordinatedLayerTreeHost::layerFlushTimerFired() (this=0x7f2ab84e5380) at ./Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/CoordinatedLayerTreeHost.cpp:199 #50 0x00007f2ad05434b8 in WebKit::CoordinatedLayerTreeHost::renderNextFrame() (this=0x7f2ab84e5380) at ./Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/CoordinatedLayerTreeHost.cpp:172 #51 0x00007f2ad03efee4 in WebKit::ThreadedCompositor::handleDisplayRefreshMonitorUpdate(bool) (this=0x7f2a52edaa80, hasBeenRescheduled=<optimized out>) at ./Source/WebKit/Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.cpp:354 #52 0x00007f2acc128493 in WTF::RunLoop::TimerBase::<lambda(gpointer)>::operator() (__closure=0x0, userData=0x7f2ab8eb7ae0) at ./Source/WTF/wtf/glib/RunLoopGLib.cpp:170 #53 0x00007f2acc128493 in WTF::RunLoop::TimerBase::<lambda(gpointer)>::_FUN(gpointer) () at ./Source/WTF/wtf/glib/RunLoopGLib.cpp:176 #54 0x00007f2accf180f5 in g_main_context_dispatch () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0 #55 0x00007f2accf184c0 in () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0 #56 0x00007f2accf187d2 in g_main_loop_run () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0 #57 0x00007f2acc1288a0 in WTF::RunLoop::run() () at ./Source/WTF/wtf/glib/RunLoopGLib.cpp:96 #58 0x00007f2ad054d0e8 in WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain>(int, char**) (argc=<optimized out>, argv=0x7ffcf32eea98) at ./Source/WebKit/Shared/unix/ChildProcessMain.h:61 #59 0x00007f2acf443a87 in __libc_start_main (main= 0x55dcfc1ca8d0 <main(int, char**)>, argc=3, argv=0x7ffcf32eea98, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffcf32eea88) at ../csu/libc-start.c:310 #60 0x000055dcfc1ca95a in _start () (gdb) 1453818 4 beau.adkins 2018-08-26 23:40:25 -0700 I have been tracking this one too. Bisection reveals it was introduced in [226138]. Don't understand the code well enough to offer a correction though. 1453822 5 Ms2ger 2018-08-27 01:10:29 -0700 Daniel, apparently this is related to a patch of yours. Could you take a look? 1454249 6 dbates 2018-08-27 18:02:32 -0700 The stack-trace in comment 3 mens that subdivide() at <https://trac.webkit.org/browser/trunk/Source/WebCore/rendering/InlineTextBox.cpp?rev=235148#L794> is returning an empty Vector. I have not had success reproducing this issue using find-in-page in Safari :( Though I do know of a test case that can trigger the same issue and will post shortly. 1454530 7 348337 dbates 2018-08-28 13:44:55 -0700 Created attachment 348337 Test case - will cause crash 1454541 8 dbates 2018-08-28 14:02:08 -0700 <rdar://problem/41804994> 1454572 9 348349 dbates 2018-08-28 15:12:17 -0700 Created attachment 348349 Patch and layout test 1454613 10 mcatanzaro 2018-08-28 16:16:08 -0700 Thank you Daniel! Nice test. 1454614 11 mcatanzaro 2018-08-28 16:18:28 -0700 (In reply to Beau Adkins from comment #4) > I have been tracking this one too. Bisection reveals it was introduced in > [226138]. Don't understand the code well enough to offer a correction though. Also: good bisection, thanks. 1455000 12 dbates 2018-08-29 16:35:45 -0700 Committed r235485: <https://trac.webkit.org/changeset/235485> 1455004 13 348349 sabouhallawa 2018-08-29 16:37:03 -0700 Comment on attachment 348349 Patch and layout test View in context: https://bugs.webkit.org/attachment.cgi?id=348349&action=review > Source/WebCore/ChangeLog:3 > + REGRESSION (r226138): WebCore::subdivide() may return an empty an empty vector; Web process can crash when performing find in Epiphany "an empty" is repeated twice. > LayoutTests/ChangeLog:3 > + REGRESSION (r226138): WebCore::subdivide() may return an empty an empty vector; Web process can crash when performing find in Epiphany Ditto. 1455012 14 dbates 2018-08-29 16:46:18 -0700 (In reply to Said Abou-Hallawa from comment #13) > Comment on attachment 348349 [details] > Patch and layout test > > View in context: > https://bugs.webkit.org/attachment.cgi?id=348349&action=review > > > Source/WebCore/ChangeLog:3 > > + REGRESSION (r226138): WebCore::subdivide() may return an empty an empty vector; Web process can crash when performing find in Epiphany > > "an empty" is repeated twice. > > > LayoutTests/ChangeLog:3 > > + REGRESSION (r226138): WebCore::subdivide() may return an empty an empty vector; Web process can crash when performing find in Epiphany > > Ditto. I fixed this before landing. 348337 2018-08-28 13:44:55 -0700 2018-08-28 13:45:23 -0700 Test case - will cause crash test.html text/html 456 dbates PGh0bWw+DQo8aGVhZD4NCjxzdHlsZT4NCiNmaXJzdCB7DQogICAgd3JpdGluZy1tb2RlOiB2ZXJ0 aWNhbC1ybDsNCiAgICAtd2Via2l0LXRleHQtY29tYmluZTogaG9yaXpvbnRhbDsNCn0NCjwvc3R5 bGU+DQo8c2NyaXB0Pg0KZnVuY3Rpb24gcnVuVGVzdCgpDQp7DQogICAgdmFyIHNlY29uZCA9IGRv Y3VtZW50LmdldEVsZW1lbnRCeUlkKCJzZWNvbmQiKTsNCiAgICB2YXIgcmFuZ2UgPSBkb2N1bWVu dC5jYXJldFJhbmdlRnJvbVBvaW50KCk7DQogICAgcmFuZ2Uuc3Vycm91bmRDb250ZW50cyhzZWNv bmQpOyAvLyBDcmFzaA0KfQ0KPC9zY3JpcHQ+DQo8L2hlYWQ+DQo8Ym9keSBvbmxvYWQ9InJ1blRl c3QoKSI+DQo8ZGl2IGlkPSJmaXJzdCI+QTwvZGl2Pg0KPHNwYW4gaWQ9InNlY29uZCI+PC9zcGFu PiA8IS0tIE11c3QgYmUgYW4gaW5saW5lIGVsZW1lbnQuIC0tPg0KPC9ib2R5Pg0KPC9odG1sPg0K 348349 2018-08-28 15:12:17 -0700 2018-08-28 16:09:59 -0700 Patch and layout test bug-184390-20180828151216.patch text/plain 4210 dbates U3VidmVyc2lvbiBSZXZpc2lvbjogMjM1MzgxCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggYTBiOWEwMmQ0OTFkM2M3 NDQwYWNlOGEyMjQxYzRlNTM1MGM1ZjUxNC4uMzhhMTdhMjJmOTVmYjc4ODliZWNmZDg4ZGVjMDVm NTU3OTFkNzljZSAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDI0IEBACisyMDE4LTA4LTI4ICBEYW5p ZWwgQmF0ZXMgIDxkYWJhdGVzQGFwcGxlLmNvbT4KKworICAgICAgICBSRUdSRVNTSU9OIChyMjI2 MTM4KTogV2ViQ29yZTo6c3ViZGl2aWRlKCkgbWF5IHJldHVybiBhbiBlbXB0eSBhbiBlbXB0eSB2 ZWN0b3I7IFdlYiBwcm9jZXNzIGNhbiBjcmFzaCB3aGVuIHBlcmZvcm1pbmcgZmluZCBpbiBFcGlw aGFueQorICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTg0 MzkwCisgICAgICAgIDxyZGFyOi8vcHJvYmxlbS80MTgwNDk5ND4KKyAgICAgICAgQW5kCisgICAg ICAgIDxyZGFyOi8vcHJvYmxlbS8zOTc3MTg2Nz4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JP RFkgKE9PUFMhKS4KKworICAgICAgICBTcGVjdWxhdGl2ZSBmaXggZm9yIEVwaXBoYW55LgorCisg ICAgICAgIFRoZSBpbmxpbmUgdGV4dCBib3ggY2FuIGJlIGVtcHR5IGZvciBjb21iaW5lZCB0ZXh0 IChpLmUuIFJlbmRlckNvbWJpbmVUZXh0Ojpjb21iaW5lZFN0cmluZ0ZvclJlbmRlcmluZygpCisg ICAgICAgIHJldHVybnMgdGhlIGVtcHR5IHN0cmluZykuIFdoZW4gdGhpcyBoYXBwZW5zIFdlYkNv cmU6OnN1YmRpdmlkZSgpIHdpbGwgcmV0dXJuIGFuIGVtcHR5IHZlY3RvciAoc2luY2UKKyAgICAg ICAgdGhlcmUgaXMgbm90aGluZyB0byBzdWJkaXZpZGUpLiBXZSBuZWVkIHRvIHRha2UgY2FyZSB0 byBoYW5kbGUgdGhpcyBjYXNlLgorCisgICAgICAgIFRlc3Q6IGZhc3QvdGV4dC90ZXh0LWNvbWJp bmUtc3Vycm91bmRDb250ZW50cy1jcmFzaC5odG1sCisKKyAgICAgICAgKiByZW5kZXJpbmcvSW5s aW5lVGV4dEJveC5jcHA6CisgICAgICAgIChXZWJDb3JlOjpJbmxpbmVUZXh0Qm94OjpzdWJkaXZp ZGVBbmRSZXNvbHZlU3R5bGUpOgorCiAyMDE4LTA4LTI3ICBLZWl0aCBSb2xsaW4gIDxrcm9sbGlu QGFwcGxlLmNvbT4KIAogICAgICAgICBCdWlsZCBzeXN0ZW0gc3VwcG9ydCBmb3IgTFRPCmRpZmYg LS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9yZW5kZXJpbmcvSW5saW5lVGV4dEJveC5jcHAgYi9Tb3Vy Y2UvV2ViQ29yZS9yZW5kZXJpbmcvSW5saW5lVGV4dEJveC5jcHAKaW5kZXggMGE3ODRjY2MzNGFm MDFkYjEwNjQ4NmZiYzc3MzUxMzNhNTA0YzZkNC4uNTlhNzU2NTY1MmNmZThjMWQ2NWZiYTYwYmQ0 NjlkZWIyYzMyNmMxMCAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvcmVuZGVyaW5nL0lubGlu ZVRleHRCb3guY3BwCisrKyBiL1NvdXJjZS9XZWJDb3JlL3JlbmRlcmluZy9JbmxpbmVUZXh0Qm94 LmNwcApAQCAtNzkyLDYgKzc5Miw4IEBAIGF1dG8gSW5saW5lVGV4dEJveDo6c3ViZGl2aWRlQW5k UmVzb2x2ZVN0eWxlKGNvbnN0IFZlY3RvcjxNYXJrZWRUZXh0PiYgdGV4dHNUb1N1CiAgICAgICAg IHJldHVybiB7IH07CiAKICAgICBhdXRvIG1hcmtlZFRleHRzID0gc3ViZGl2aWRlKHRleHRzVG9T dWJkaXZpZGUpOworICAgIGlmIChtYXJrZWRUZXh0cy5pc0VtcHR5KCkpCisgICAgICAgIHJldHVy biB7IH07CiAKICAgICAvLyBDb21wdXRlIGZyb250bW9zdCBvdmVybGFwcGluZyBzdHlsZWQgbWFy a2VkIHRleHRzLgogICAgIFZlY3RvcjxTdHlsZWRNYXJrZWRUZXh0PiBmcm9udG1vc3RNYXJrZWRU ZXh0czsKZGlmZiAtLWdpdCBhL0xheW91dFRlc3RzL0NoYW5nZUxvZyBiL0xheW91dFRlc3RzL0No YW5nZUxvZwppbmRleCBjZDEyYzhkNzdmYWJjYjlkMzkyYzg2NWMzM2NlNmUzY2FjMTFkNTRjLi4z MjgwYjYyN2QyYTlhYjJmMTVhM2FkNzhmY2NlNGZjOWMzYzQ1OWE2IDEwMDY0NAotLS0gYS9MYXlv dXRUZXN0cy9DaGFuZ2VMb2cKKysrIGIvTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCkBAIC0xLDMgKzEs MTggQEAKKzIwMTgtMDgtMjggIERhbmllbCBCYXRlcyAgPGRhYmF0ZXNAYXBwbGUuY29tPgorCisg ICAgICAgIFJFR1JFU1NJT04gKHIyMjYxMzgpOiBXZWJDb3JlOjpzdWJkaXZpZGUoKSBtYXkgcmV0 dXJuIGFuIGVtcHR5IGFuIGVtcHR5IHZlY3RvcjsgV2ViIHByb2Nlc3MgY2FuIGNyYXNoIHdoZW4g cGVyZm9ybWluZyBmaW5kIGluIEVwaXBoYW55CisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQu b3JnL3Nob3dfYnVnLmNnaT9pZD0xODQzOTAKKyAgICAgICAgPHJkYXI6Ly9wcm9ibGVtLzQxODA0 OTk0PgorICAgICAgICBBbmQKKyAgICAgICAgPHJkYXI6Ly9wcm9ibGVtLzM5NzcxODY3PgorCisg ICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIEFkZCBhIHRlc3Qg dG8gZW5zdXJlIHRoYXQgd2UgZG8gbm90IGNyYXNoIHdoZW4gcGFpbnRpbmcgYW4gZW1wdHkgaW5s aW5lIHRleHQgYm94LgorCisgICAgICAgICogZmFzdC90ZXh0L3RleHQtY29tYmluZS1zdXJyb3Vu ZENvbnRlbnRzLWNyYXNoLWV4cGVjdGVkLnR4dDogQWRkZWQuCisgICAgICAgICogZmFzdC90ZXh0 L3RleHQtY29tYmluZS1zdXJyb3VuZENvbnRlbnRzLWNyYXNoLmh0bWw6IEFkZGVkLgorCiAyMDE4 LTA4LTI3ICBQZXIgQXJuZSBWb2xsYW4gIDxwdm9sbGFuQGFwcGxlLmNvbT4KIAogICAgICAgICBM YXlvdXQgVGVzdCBmYXN0L2V2ZW50cy9kYmxjbGljay1ldmVudC1nZXRNb2RpZmllclN0YXRlLmh0 bWwgaXMgZmFpbGluZwpkaWZmIC0tZ2l0IGEvTGF5b3V0VGVzdHMvZmFzdC90ZXh0L3RleHQtY29t YmluZS1zdXJyb3VuZENvbnRlbnRzLWNyYXNoLWV4cGVjdGVkLnR4dCBiL0xheW91dFRlc3RzL2Zh c3QvdGV4dC90ZXh0LWNvbWJpbmUtc3Vycm91bmRDb250ZW50cy1jcmFzaC1leHBlY3RlZC50eHQK bmV3IGZpbGUgbW9kZSAxMDA2NDQKaW5kZXggMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMC4uOTVjYzFiYzAyZGVlMTU3OWRkZjliNDM4NjhjMDkzNTI1YTgwOTYwNAotLS0g L2Rldi9udWxsCisrKyBiL0xheW91dFRlc3RzL2Zhc3QvdGV4dC90ZXh0LWNvbWJpbmUtc3Vycm91 bmRDb250ZW50cy1jcmFzaC1leHBlY3RlZC50eHQKQEAgLTAsMCArMSwyIEBACivvv7zvv7wKK1BB U1MsIGRpZCBub3QgY3Jhc2guCmRpZmYgLS1naXQgYS9MYXlvdXRUZXN0cy9mYXN0L3RleHQvdGV4 dC1jb21iaW5lLXN1cnJvdW5kQ29udGVudHMtY3Jhc2guaHRtbCBiL0xheW91dFRlc3RzL2Zhc3Qv dGV4dC90ZXh0LWNvbWJpbmUtc3Vycm91bmRDb250ZW50cy1jcmFzaC5odG1sCm5ldyBmaWxlIG1v ZGUgMTAwNjQ0CmluZGV4IDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAu LmJmNzA1NmM5YzA4ZWZhOWY5NzU3ZDJlZTMxMjAyNTg5M2FhYzdmNTkKLS0tIC9kZXYvbnVsbAor KysgYi9MYXlvdXRUZXN0cy9mYXN0L3RleHQvdGV4dC1jb21iaW5lLXN1cnJvdW5kQ29udGVudHMt Y3Jhc2guaHRtbApAQCAtMCwwICsxLDI3IEBACis8IURPQ1RZUEUgaHRtbD4NCis8aHRtbD4NCis8 aGVhZD4NCis8c3R5bGU+DQorI2ZpcnN0IHsNCisgICAgd3JpdGluZy1tb2RlOiB2ZXJ0aWNhbC1y bDsNCisgICAgLXdlYmtpdC10ZXh0LWNvbWJpbmU6IGhvcml6b250YWw7DQorfQ0KKzwvc3R5bGU+ DQorPHNjcmlwdD4NCitpZiAod2luZG93LnRlc3RSdW5uZXIpDQorCXRlc3RSdW5uZXIuZHVtcEFz VGV4dCgpOw0KKw0KK2Z1bmN0aW9uIHJ1blRlc3QoKQ0KK3sNCisgICAgdmFyIHNlY29uZCA9IGRv Y3VtZW50LmdldEVsZW1lbnRCeUlkKCJzZWNvbmQiKTsNCisgICAgdmFyIHJhbmdlID0gZG9jdW1l bnQuY2FyZXRSYW5nZUZyb21Qb2ludCgpOw0KKyAgICByYW5nZS5zdXJyb3VuZENvbnRlbnRzKHNl Y29uZCk7IC8vIENyYXNoDQorfQ0KKzwvc2NyaXB0Pg0KKzwvaGVhZD4NCis8Ym9keSBvbmxvYWQ9 InJ1blRlc3QoKSI+DQorPGRpdiBpZD0iZmlyc3QiPiZuYnNwOzwvZGl2Pg0KKzxzcGFuIGlkPSJz ZWNvbmQiPjwvc3Bhbj4gPCEtLSBNdXN0IGJlIGFuIGlubGluZSBlbGVtZW50LiAtLT4NCis8ZGl2 PlBBU1MsIGRpZCBub3QgY3Jhc2guPC9kaXY+DQorPC9ib2R5Pg0KKzwvaHRtbD4NCg==