95380 2012-08-29 14:28:52 -0700 REGRESSION(r126780): Crash using StringImpl::is8Bit before checking if there is an impl 2012-08-29 20:55:53 -0700 1 1 1 Unclassified WebKit Web Template Framework 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 jberlin benjamin benjamin jberlin msaboff sam webkit-bug-importer webkit.review.bot oldest_to_newest 707873 0 jberlin 2012-08-29 14:28:52 -0700 No crash: http://build.webkit.org/results/Apple%20MountainLion%20Debug%20WK2%20(Tests)/r126778%20(282)/results.html Crash: http://build.webkit.org/results/Apple%20MountainLion%20Debug%20WK2%20(Tests)/r126780%20(283)/http/tests/security/xss-DENIED-xsl-document-crash-log.txt Process: WebProcess [71736] Path: /Volumes/VOLUME/*/WebKit2.framework/WebProcess.app/Contents/MacOS/WebProcess Identifier: com.apple.WebProcess Version: 537+ (537.6+) Code Type: X86-64 (Native) Parent Process: ??? [1] User ID: 501 Date/Time: 2012-08-27 12:27:59.687 -0700 OS Version: Mac OS X 10.8 (12A269) Report Version: 10 Crashed Thread: 0 Dispatch queue: com.apple.main-thread Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000018 VM Regions Near 0x18: --> __TEXT 000000010aa55000-000000010aa56000 [ 4K] r-x/rwx SM=COW /Volumes/VOLUME/*/WebKit2.framework/WebProcess.app/Contents/MacOS/WebProcess Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.JavaScriptCore 0x000000010baa187c WTF::StringImpl::is8Bit() const + 12 (StringImpl.h:375) 1 com.apple.JavaScriptCore 0x000000010bb3b7bd WTF::String::is8Bit() const + 29 (WTFString.h:204) 2 com.apple.JavaScriptCore 0x000000010bee1c36 WTF::String::ascii() const + 54 (WTFString.cpp:607) 3 com.apple.WebCore 0x000000010d11b8b0 WebCore::IconController::continueLoadWithDecision(WebCore::IconLoadDecision) + 240 (IconController.cpp:217) 4 com.apple.WebCore 0x000000010cc8ced3 WebCore::DocumentLoader::continueIconLoadWithDecision(WebCore::IconLoadDecision) + 195 (DocumentLoader.cpp:921) 5 com.apple.WebCore 0x000000010cc8ce04 WebCore::iconLoadDecisionCallback(WebCore::IconLoadDecision, void*) + 36 (DocumentLoader.cpp:905) 6 com.apple.WebKit2 0x000000010ac8a730 WebCore::EnumCallback<WebCore::IconLoadDecision>::performCallback(WebCore::IconLoadDecision) + 80 (IconDatabaseBase.h:97) 7 com.apple.WebKit2 0x000000010ac89d9d WebKit::WebIconDatabaseProxy::receivedIconLoadDecision(int, unsigned long long) + 93 (WebIconDatabaseProxy.cpp:124) 8 com.apple.WebKit2 0x000000010ac8d9f1 void CoreIPC::callMemberFunction<WebKit::WebIconDatabaseProxy, void (WebKit::WebIconDatabaseProxy::*)(int, unsigned long long), int, unsigned long long>(CoreIPC::Arguments2<int, unsigned long long> const&, WebKit::WebIconDatabaseProxy*, void (WebKit::WebIconDatabaseProxy::*)(int, unsigned long long)) + 145 (HandleMessage.h:26) 9 com.apple.WebKit2 0x000000010ac8d8ff void CoreIPC::handleMessage<Messages::WebIconDatabaseProxy::ReceivedIconLoadDecision, WebKit::WebIconDatabaseProxy, void (WebKit::WebIconDatabaseProxy::*)(int, unsigned long long)>(CoreIPC::ArgumentDecoder*, WebKit::WebIconDatabaseProxy*, void (WebKit::WebIconDatabaseProxy::*)(int, unsigned long long)) + 111 (HandleMessage.h:303) 10 com.apple.WebKit2 0x000000010ac8d750 WebKit::WebIconDatabaseProxy::didReceiveWebIconDatabaseProxyMessage(CoreIPC::Connection*, CoreIPC::MessageID, CoreIPC::ArgumentDecoder*) + 160 (WebIconDatabaseProxyMessageReceiver.cpp:43) 11 com.apple.WebKit2 0x000000010ac89f51 WebKit::WebIconDatabaseProxy::didReceiveMessage(CoreIPC::Connection*, CoreIPC::MessageID, CoreIPC::ArgumentDecoder*) + 49 (WebIconDatabaseProxy.cpp:149) 12 com.apple.WebKit2 0x000000010ad783e1 WebKit::WebProcess::didReceiveMessage(CoreIPC::Connection*, CoreIPC::MessageID, CoreIPC::ArgumentDecoder*) + 449 (WebProcess.cpp:669) 13 com.apple.WebKit2 0x000000010ac1ab4e WebKit::WebConnectionToUIProcess::didReceiveMessage(CoreIPC::Connection*, CoreIPC::MessageID, CoreIPC::ArgumentDecoder*) + 350 (WebConnectionToUIProcess.cpp:88) 14 com.apple.WebKit2 0x000000010ac1ab9d non-virtual thunk to WebKit::WebConnectionToUIProcess::didReceiveMessage(CoreIPC::Connection*, CoreIPC::MessageID, CoreIPC::ArgumentDecoder*) + 61 15 com.apple.WebKit2 0x000000010aab92bc CoreIPC::Connection::dispatchMessage(CoreIPC::Connection::Message<CoreIPC::ArgumentDecoder>&) + 348 (Connection.cpp:691) 16 com.apple.WebKit2 0x000000010aabba6b CoreIPC::Connection::dispatchOneMessage() + 203 (Connection.cpp:718) 17 com.apple.WebKit2 0x000000010aac2572 WTF::FunctionWrapper<void (CoreIPC::Connection::*)()>::operator()(CoreIPC::Connection*) + 114 (Functional.h:173) 18 com.apple.WebKit2 0x000000010aac24f5 WTF::BoundFunctionImpl<WTF::FunctionWrapper<void (CoreIPC::Connection::*)()>, void (CoreIPC::Connection*)>::operator()() + 53 (Functional.h:405) 19 com.apple.WebCore 0x000000010dcc0bd5 WTF::Function<void ()>::operator()() const + 133 (Functional.h:613) 20 com.apple.WebCore 0x000000010dcc081f WebCore::RunLoop::performWork() + 207 (RunLoop.cpp:89) 21 com.apple.WebCore 0x000000010dcc1d0e WebCore::RunLoop::performWork(void*) + 62 (RunLoopCF.cpp:66) 22 com.apple.CoreFoundation 0x00007fff9682f841 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17 23 com.apple.CoreFoundation 0x00007fff9682f22d __CFRunLoopDoSources0 + 445 24 com.apple.CoreFoundation 0x00007fff968524e5 __CFRunLoopRun + 789 25 com.apple.CoreFoundation 0x00007fff96851dd2 CFRunLoopRunSpecific + 290 26 com.apple.HIToolbox 0x00007fff91c7b774 RunCurrentEventLoopInMode + 209 27 com.apple.HIToolbox 0x00007fff91c7b512 ReceiveNextEventCommon + 356 28 com.apple.HIToolbox 0x00007fff91c7b3a3 BlockUntilNextEventMatchingListInMode + 62 29 com.apple.AppKit 0x00007fff9077ffa3 _DPSNextEvent + 685 30 com.apple.AppKit 0x00007fff9077f862 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128 31 com.apple.AppKit 0x00007fff90776c03 -[NSApplication run] + 517 32 com.apple.WebCore 0x000000010dcc296c WebCore::RunLoop::run() + 92 (RunLoopMac.mm:37) 33 com.apple.WebKit2 0x000000010ad8e3ea WebKit::WebProcessMain(WebKit::CommandLine const&) + 3386 (WebProcessMainMac.mm:228) 34 com.apple.WebKit2 0x000000010ac9f3a8 WebKitMain(WebKit::CommandLine const&) + 200 (WebKitMain.cpp:50) 35 com.apple.WebKit2 0x000000010ac9f2c4 WebKitMain + 148 (WebKitMain.cpp:74) 36 com.apple.WebProcess 0x000000010aa55da2 main + 274 37 libdyld.dylib 0x00007fff923477e1 start + 1 707875 1 webkit-bug-importer 2012-08-29 14:29:18 -0700 <rdar://problem/12201121> 707876 2 jberlin 2012-08-29 14:30:01 -0700 http://trac.webkit.org/changeset/126780 707901 3 msaboff 2012-08-29 14:51:34 -0700 In the case of a null m_impl in a WTFString, a length check should be done before call int is8Bit(). I think that is the source of the issue here. 707923 4 161327 benjamin 2012-08-29 15:09:35 -0700 Created attachment 161327 Patch 708263 5 161327 webkit.review.bot 2012-08-29 20:55:50 -0700 Comment on attachment 161327 Patch Clearing flags on attachment: 161327 Committed r127093: <http://trac.webkit.org/changeset/127093> 708264 6 webkit.review.bot 2012-08-29 20:55:53 -0700 All reviewed patches have been landed. Closing bug. 161327 2012-08-29 15:09:35 -0700 2012-08-29 20:55:50 -0700 Patch bug-95380-20120829150924.patch text/plain 3126 benjamin SW5kZXg6IFNvdXJjZS9XVEYvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFNvdXJjZS9XVEYvQ2hh bmdlTG9nCShyZXZpc2lvbiAxMjcwNTMpCisrKyBTb3VyY2UvV1RGL0NoYW5nZUxvZwkod29ya2lu ZyBjb3B5KQpAQCAtMSwzICsxLDE2IEBACisyMDEyLTA4LTI5ICBCZW5qYW1pbiBQb3VsYWluICA8 YnBvdWxhaW5AYXBwbGUuY29tPgorCisgICAgICAgIFJFR1JFU1NJT04ocjEyNjc4MCk6IENyYXNo IHVzaW5nIFN0cmluZ0ltcGw6OmlzOEJpdCBiZWZvcmUgY2hlY2tpbmcgaWYgdGhlcmUgaXMgYW4g aW1wbAorICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9OTUz ODAKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBCbGlu ZGx5IGNvcHlpbmcgY29kZSBmcm9tIFVTdHJpbmcgaW4gcjEyNjc4MCB3YXMgc3R1cGlkLiBJIGp1 c3QgYnJvdWdodCBvdmVyIGEgYnVnLgorICAgICAgICBUaGlzIHBhdGNoIGFkZHMgdGhlIHplcm8g bGVuZ3RoIGJyYW5jaCBiYWNrIHNvIHRoYXQgbnVsbCBzdHJpbmdzIGFyZSBoYW5kbGVkIGNvcnJl Y3RseS4KKworICAgICAgICAqIHd0Zi90ZXh0L1dURlN0cmluZy5jcHA6CisgICAgICAgIChXVEY6 OlN0cmluZzo6YXNjaWkpOiBSZXR1cm4gYSBlbXB0eSBDU3RyaW5nIGlmIHRoZSBTdHJpbmcgaXMg bnVsbCBvciBlbXB0eS4KKwogMjAxMi0wOC0yOSAgRG9taW5payBSw7Z0dHNjaGVzICA8ZG9taW5p ay5yb3R0c2NoZXNAaW50ZWwuY29tPgogCiAgICAgICAgIFRoZSAyZC5pbWFnZURhdGEub2JqZWN0 LnJvdW5kIGNhbnZhcyB0ZXN0IGlzIGZhaWxpbmcKSW5kZXg6IFNvdXJjZS9XVEYvd3RmL3RleHQv V1RGU3RyaW5nLmNwcAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV1RGL3d0Zi90ZXh0L1dURlN0cmlu Zy5jcHAJKHJldmlzaW9uIDEyNzA1MSkKKysrIFNvdXJjZS9XVEYvd3RmL3RleHQvV1RGU3RyaW5n LmNwcAkod29ya2luZyBjb3B5KQpAQCAtNjA5LDYgKzYwOSwxMCBAQCBDU3RyaW5nIFN0cmluZzo6 YXNjaWkoKSBjb25zdAogICAgIC8vIHByZXNlcnZlZCwgY2hhcmFjdGVycyBvdXRzaWRlIG9mIHRo aXMgcmFuZ2UgYXJlIGNvbnZlcnRlZCB0byAnPycuCiAKICAgICB1bnNpZ25lZCBsZW5ndGggPSB0 aGlzLT5sZW5ndGgoKTsKKyAgICBpZiAoIWxlbmd0aCkgeyAKKyAgICAgICAgY2hhciogY2hhcmFj dGVyQnVmZmVyOworICAgICAgICByZXR1cm4gQ1N0cmluZzo6bmV3VW5pbml0aWFsaXplZChsZW5n dGgsIGNoYXJhY3RlckJ1ZmZlcik7CisgICAgfQogCiAgICAgaWYgKHRoaXMtPmlzOEJpdCgpKSB7 CiAgICAgICAgIGNvbnN0IExDaGFyKiBjaGFyYWN0ZXJzID0gdGhpcy0+Y2hhcmFjdGVyczgoKTsK SW5kZXg6IFRvb2xzL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBUb29scy9DaGFuZ2VMb2cJKHJl dmlzaW9uIDEyNzA1MykKKysrIFRvb2xzL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwz ICsxLDE0IEBACisyMDEyLTA4LTI5ICBCZW5qYW1pbiBQb3VsYWluICA8YnBvdWxhaW5AYXBwbGUu Y29tPgorCisgICAgICAgIFJFR1JFU1NJT04ocjEyNjc4MCk6IENyYXNoIHVzaW5nIFN0cmluZ0lt cGw6OmlzOEJpdCBiZWZvcmUgY2hlY2tpbmcgaWYgdGhlcmUgaXMgYW4gaW1wbAorICAgICAgICBo dHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9OTUzODAKKworICAgICAgICBS ZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICAqIFRlc3RXZWJLaXRBUEkvVGVz dHMvV1RGL1dURlN0cmluZy5jcHA6CisgICAgICAgIEFkZCB2ZXJ5IGJhc2ljIHRlc3RzIGZvciBT dHJpbmc6OmFzY2lpKCkuIFRoaXMgY292ZXJzIHRoZSBjYXNlIG9mIG51bGwgc3RyaW5ncyB0aGF0 IGNhdXNlZAorICAgICAgICB0aGUgY3Jhc2guCisKIDIwMTItMDgtMjkgIEJyYWR5IEVpZHNvbiAg PGJlaWRzb25AYXBwbGUuY29tPgogCiAgICAgICAgIFJFR1JFU1NJT046IE5vdCBzZW5kaW5nIE5Q UF9TZXRXaW5kb3cgaXMgY2F1c2luZyBGbGFzaCB0byBub3QgdGhyb3R0bGUgaXRzZWxmCkluZGV4 OiBUb29scy9UZXN0V2ViS2l0QVBJL1Rlc3RzL1dURi9XVEZTdHJpbmcuY3BwCj09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0K LS0tIFRvb2xzL1Rlc3RXZWJLaXRBUEkvVGVzdHMvV1RGL1dURlN0cmluZy5jcHAJKHJldmlzaW9u IDEyNzA1MSkKKysrIFRvb2xzL1Rlc3RXZWJLaXRBUEkvVGVzdHMvV1RGL1dURlN0cmluZy5jcHAJ KHdvcmtpbmcgY29weSkKQEAgLTQ5LDYgKzQ5LDIzIEBAIFRFU1QoV1RGLCBTdHJpbmdDcmVhdGlv bkZyb21MaXRlcmFsKQogICAgIEFTU0VSVF9UUlVFKFN0cmluZygiVGVtcGxhdGUgTGl0ZXJhbCIp ID09IHN0cmluZ1dpdGhUZW1wbGF0ZSk7CiB9CiAKK1RFU1QoV1RGLCBTdHJpbmdBU0NJSSkKK3sK KyAgICBDU3RyaW5nIG91dHB1dDsKKworICAgIC8vIE51bGwgU3RyaW5nLgorICAgIG91dHB1dCA9 IFN0cmluZygpLmFzY2lpKCk7CisgICAgQVNTRVJUX1NUUkVRKCIiLCBvdXRwdXQuZGF0YSgpKTsK KworICAgIC8vIEVtcHR5IFN0cmluZy4KKyAgICBvdXRwdXQgPSBlbXB0eVN0cmluZygpLmFzY2lp KCk7CisgICAgQVNTRVJUX1NUUkVRKCIiLCBvdXRwdXQuZGF0YSgpKTsKKworICAgIC8vIFJlZ3Vs YXIgU3RyaW5nLgorICAgIG91dHB1dCA9IFN0cmluZyhBU0NJSUxpdGVyYWwoImZvb2JhciIpKS5h c2NpaSgpOworICAgIEFTU0VSVF9TVFJFUSgiZm9vYmFyIiwgb3V0cHV0LmRhdGEoKSk7Cit9CisK IHN0YXRpYyB2b2lkIHRlc3ROdW1iZXJUb1N0cmluZ0VDTUFTY3JpcHQoZG91YmxlIG51bWJlciwg Y29uc3QgY2hhciogcmVmZXJlbmNlKQogewogICAgIENTdHJpbmcgbnVtYmVyU3RyaW5nID0gU3Ry aW5nOjpudW1iZXJUb1N0cmluZ0VDTUFTY3JpcHQobnVtYmVyKS5sYXRpbjEoKTsK