Bug 116613

Summary: [Qt] New editing/selection/contains-node-crash.html fails with crash.
Product: WebKit
Reporter: Gábor Ábrahám <h944478>
Component: Tools / Tests
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED INVALID
Severity: Normal
CC: hausmann, hyatt, jturcotte, kadam, kling, ossy, rniwa, simon.fraser, zarvai
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Bug Depends on:
Bug Blocks: 79668

Description Gábor Ábrahám 2013-05-22 06:55:31 PDT
After r150498 this test crashes.

Could you check it, please?

Backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff3f91878 in WebCore::RenderObject::RenderObjectBitfields::isAnonymous (this=0x34)
    at /home/abrhm/webkit/WebKit/Source/WebCore/rendering/RenderObject.h:1109
1109	        ADD_BOOLEAN_BITFIELD(isAnonymous, IsAnonymous);
(gdb) bt
#0  0x00007ffff3f91878 in WebCore::RenderObject::RenderObjectBitfields::isAnonymous (this=0x34)
    at /home/abrhm/webkit/WebKit/Source/WebCore/rendering/RenderObject.h:1109
#1  0x00007ffff3f91800 in WebCore::RenderObject::isAnonymous (this=0x0)
    at /home/abrhm/webkit/WebKit/Source/WebCore/rendering/RenderObject.h:516
#2  0x00007ffff3f91856 in WebCore::RenderObject::node (this=0x0) at /home/abrhm/webkit/WebKit/Source/WebCore/rendering/RenderObject.h:638
#3  0x00007ffff425bd0c in WebCore::RenderLayerModelObject::node (this=0x0)
    at /home/abrhm/webkit/WebKit/Source/WebCore/rendering/RenderLayerModelObject.h:54
#4  0x00007ffff4643ec0 in WebCore::highestAncestorToWrapMarkup (range=0x7f8000, shouldAnnotate=WebCore::AnnotateForInterchange)
    at /home/abrhm/webkit/WebKit/Source/WebCore/editing/markup.cpp:531
#5  0x00007ffff46443aa in WebCore::createMarkupInternal (document=0x7be990, range=0x7f8000, updatedRange=0x7f8000, nodes=0x0, 
    shouldAnnotate=WebCore::AnnotateForInterchange, convertBlocksToInlines=false, shouldResolveURLs=WebCore::ResolveNonLocalURLs)
    at /home/abrhm/webkit/WebKit/Source/WebCore/editing/markup.cpp:575
#6  0x00007ffff4644bba in WebCore::createMarkup (range=0x7f8000, nodes=0x0, shouldAnnotate=WebCore::AnnotateForInterchange, 
    convertBlocksToInlines=false, shouldResolveURLs=WebCore::ResolveNonLocalURLs)
    at /home/abrhm/webkit/WebKit/Source/WebCore/editing/markup.cpp:665
#7  0x00007ffff4db2fe5 in WebCore::Pasteboard::writeSelection (this=0x819be0, selectedRange=0x7f8000, canSmartCopyOrDelete=false, frame=
    0x6e80c0, shouldSerializeSelectedTextForClipboard=WebCore::DefaultSelectedTextType)
    at /home/abrhm/webkit/WebKit/Source/WebCore/platform/qt/PasteboardQt.cpp:69
#8  0x00007ffff3ed43c6 in WebCore::EditorClientQt::respondToChangedSelection (this=0x6c0fd0, frame=0x6e80c0)
    at /home/abrhm/webkit/WebKit/Source/WebKit/qt/WebCoreSupport/EditorClientQt.cpp:209
#9  0x00007ffff461174a in WebCore::Editor::notifyComponentsOnChangedSelection (this=0x6d7df0, oldSelection=..., options=6)
    at /home/abrhm/webkit/WebKit/Source/WebCore/editing/Editor.cpp:539
#10 0x00007ffff461e236 in WebCore::Editor::respondToChangedSelection (this=0x6d7df0, oldSelection=..., options=6)
    at /home/abrhm/webkit/WebKit/Source/WebCore/editing/Editor.cpp:3022
#11 0x00007ffff4629fe8 in WebCore::FrameSelection::setSelection (this=0x6e85d0, newSelection=..., options=6, 
    align=WebCore::FrameSelection::AlignCursorOnScrollIfNeeded, granularity=WebCore::CharacterGranularity)
    at /home/abrhm/webkit/WebKit/Source/WebCore/editing/FrameSelection.cpp:330
#12 0x00007ffff4629219 in WebCore::FrameSelection::moveTo (this=0x6e85d0, base=..., extent=..., userTriggered=WebCore::NotUserTriggered)
    at /home/abrhm/webkit/WebKit/Source/WebCore/editing/FrameSelection.cpp:157
#13 0x00007ffff4965036 in WebCore::DOMSelection::setBaseAndExtent (this=0x818c60, baseNode=0x7be990, baseOffset=0, extentNode=0x7be990, 
    extentOffset=2, ec=@0x7fffffffc49c: 0) at /home/abrhm/webkit/WebKit/Source/WebCore/page/DOMSelection.cpp:264
#14 0x00007ffff49661a3 in WebCore::DOMSelection::selectAllChildren (this=0x818c60, n=0x7be990, ec=@0x7fffffffc49c: 0)
    at /home/abrhm/webkit/WebKit/Source/WebCore/page/DOMSelection.cpp:486
#15 0x00007ffff539e88d in WebCore::jsDOMSelectionPrototypeFunctionSelectAllChildren (exec=0x7fffe18c30b8) at generated/JSDOMSelection.cpp:391
#16 0x00007fff9bfff0e5 in ?? ()
#17 0x00007fffffffc570 in ?? ()
#18 0x00007ffff58bf2cc in llint_op_call () from /home/abrhm/webkit/WebKit/WebKitBuild/Debug/lib/libQt5WebKit.so.5
#19 0x00007fffe18c3060 in ?? ()
#20 0x000000000072b230 in ?? ()
#21 0x00007fffffffc530 in ?? ()
#22 0x00007ffff5868d39 in JSC::JSStack::installTrapsAfterFrame (this=0x0, frame=0x0)
    at /home/abrhm/webkit/WebKit/Source/JavaScriptCore/interpreter/JSStackInlines.h:212
#23 0x00007ffff5867ce0 in JSC::JITCode::execute (this=0x7fffe181f590, stack=0x72b230, callFrame=0x7fffe18c3060, vm=0x71d310)
    at /home/abrhm/webkit/WebKit/Source/JavaScriptCore/jit/JITCode.h:135
#24 0x00007ffff58659bb in JSC::Interpreter::executeCall (this=0x72b220, callFrame=0x7ffff7ebf678, function=0x7ffff7e2ca30, 
    callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...)
    at /home/abrhm/webkit/WebKit/Source/JavaScriptCore/interpreter/Interpreter.cpp:1052
#25 0x00007ffff593b843 in JSC::call (exec=0x7ffff7ebf678, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., 
    args=...) at /home/abrhm/webkit/WebKit/Source/JavaScriptCore/runtime/CallData.cpp:40
#26 0x00007ffff427a5ed in WebCore::JSMainThreadExecState::call (exec=0x7ffff7ebf678, functionObject=..., callType=JSC::CallTypeJS, 
    callData=..., thisValue=..., args=...) at /home/abrhm/webkit/WebKit/Source/WebCore/bindings/js/JSMainThreadExecState.h:56
#27 0x00007ffff42a93db in WebCore::JSEventListener::handleEvent (this=0x8117c0, scriptExecutionContext=0x7bea40, event=0x81d9e0)
    at /home/abrhm/webkit/WebKit/Source/WebCore/bindings/js/JSEventListener.cpp:130
#28 0x00007ffff455f792 in WebCore::EventTarget::fireEventListeners (this=0x704390, event=0x81d9e0, d=0x704480, entry=...)
    at /home/abrhm/webkit/WebKit/Source/WebCore/dom/EventTarget.cpp:248
#29 0x00007ffff455f3f5 in WebCore::EventTarget::fireEventListeners (this=0x704390, event=0x81d9e0)
    at /home/abrhm/webkit/WebKit/Source/WebCore/dom/EventTarget.cpp:190
#30 0x00007ffff496eeda in WebCore::DOMWindow::dispatchEvent (this=0x704390, prpEvent=..., prpTarget=...)
    at /home/abrhm/webkit/WebKit/Source/WebCore/page/DOMWindow.cpp:1714
#31 0x00007ffff496ec63 in WebCore::DOMWindow::dispatchLoadEvent (this=0x704390)
    at /home/abrhm/webkit/WebKit/Source/WebCore/page/DOMWindow.cpp:1688
#32 0x00007ffff44f35a6 in WebCore::Document::dispatchWindowLoadEvent (this=0x7be990)
    at /home/abrhm/webkit/WebKit/Source/WebCore/dom/Document.cpp:3679
#33 0x00007ffff44eec2a in WebCore::Document::implicitClose (this=0x7be990) at /home/abrhm/webkit/WebKit/Source/WebCore/dom/Document.cpp:2429
#34 0x00007ffff48e8a73 in WebCore::FrameLoader::checkCallImplicitClose (this=0x6e8148)
    at /home/abrhm/webkit/WebKit/Source/WebCore/loader/FrameLoader.cpp:838
#35 0x00007ffff48e8807 in WebCore::FrameLoader::checkCompleted (this=0x6e8148)
    at /home/abrhm/webkit/WebKit/Source/WebCore/loader/FrameLoader.cpp:781
#36 0x00007ffff48e856c in WebCore::FrameLoader::finishedParsing (this=0x6e8148)
    at /home/abrhm/webkit/WebKit/Source/WebCore/loader/FrameLoader.cpp:714
#37 0x00007ffff44f5d7f in WebCore::Document::finishedParsing (this=0x7be990)
    at /home/abrhm/webkit/WebKit/Source/WebCore/dom/Document.cpp:4458
#38 0x00007ffff474558b in WebCore::HTMLConstructionSite::finishedParsing (this=0x7bdca8)
    at /home/abrhm/webkit/WebKit/Source/WebCore/html/parser/HTMLConstructionSite.cpp:344
#39 0x00007ffff4777bc9 in WebCore::HTMLTreeBuilder::finished (this=0x7bdc90)
    at /home/abrhm/webkit/WebKit/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2923
#40 0x00007ffff474cb70 in WebCore::HTMLDocumentParser::end (this=0x7bd830)
    at /home/abrhm/webkit/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:756
#41 0x00007ffff474cc5b in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd (this=0x7bd830)
    at /home/abrhm/webkit/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:767
#42 0x00007ffff474b8e3 in WebCore::HTMLDocumentParser::prepareToStopParsing (this=0x7bd830)
    at /home/abrhm/webkit/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:211
#43 0x00007ffff474cca0 in WebCore::HTMLDocumentParser::attemptToEnd (this=0x7bd830)
    at /home/abrhm/webkit/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:779
#44 0x00007ffff474cd59 in WebCore::HTMLDocumentParser::finish (this=0x7bd830)
    at /home/abrhm/webkit/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:828
#45 0x00007ffff48e03bc in WebCore::DocumentWriter::end (this=0x79a810)
    at /home/abrhm/webkit/WebKit/Source/WebCore/loader/DocumentWriter.cpp:248
#46 0x00007ffff48d3285 in WebCore::DocumentLoader::finishedLoading (this=0x79a770, finishTime=0)
    at /home/abrhm/webkit/WebKit/Source/WebCore/loader/DocumentLoader.cpp:398
#47 0x00007ffff48d2ff8 in WebCore::DocumentLoader::notifyFinished (this=0x79a770, resource=0x79b810)
    at /home/abrhm/webkit/WebKit/Source/WebCore/loader/DocumentLoader.cpp:340
#48 0x00007ffff48ba7c6 in WebCore::CachedResource::checkNotify (this=0x79b810)
    at /home/abrhm/webkit/WebKit/Source/WebCore/loader/cache/CachedResource.cpp:362
#49 0x00007ffff48ba824 in WebCore::CachedResource::data (this=0x79b810, allDataReceived=true)
    at /home/abrhm/webkit/WebKit/Source/WebCore/loader/cache/CachedResource.cpp:371
#50 0x00007ffff48b6fc8 in WebCore::CachedRawResource::data (this=0x79b810, data=..., allDataReceived=true)
    at /home/abrhm/webkit/WebKit/Source/WebCore/loader/cache/CachedRawResource.cpp:71
#51 0x00007ffff491b3e0 in WebCore::SubresourceLoader::didFinishLoading (this=0x79bd10, finishTime=0)
    at /home/abrhm/webkit/WebKit/Source/WebCore/loader/SubresourceLoader.cpp:282
#52 0x00007ffff4911df1 in WebCore::ResourceLoader::didFinishLoading (this=0x79bd10, finishTime=0)
    at /home/abrhm/webkit/WebKit/Source/WebCore/loader/ResourceLoader.cpp:491
#53 0x00007ffff4da051c in WebCore::QNetworkReplyHandler::finish (this=0x79cb20)
    at /home/abrhm/webkit/WebKit/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:516
#54 0x00007ffff4d9f139 in WebCore::QNetworkReplyHandlerCallQueue::flush (this=0x79cb58)
    at /home/abrhm/webkit/WebKit/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:250
#55 0x00007ffff4d9ee37 in WebCore::QNetworkReplyHandlerCallQueue::push (this=0x79cb58, method=
    (void (WebCore::QNetworkReplyHandler::*)(WebCore::QNetworkReplyHandler * const)) 0x7ffff4da0360 <WebCore::QNetworkReplyHandler::finish()>)
#56 0x00007ffff4d9fe0a in WebCore::QNetworkReplyWrapper::didReceiveFinished (this=0x79e770)
    at /home/abrhm/webkit/WebKit/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:409
#57 0x00007ffff4da2790 in WebCore::QNetworkReplyWrapper::qt_static_metacall (_o=0x79e770, _c=QMetaObject::InvokeMetaMethod, _id=1, 
    _a=0x7fffffffd300) at .moc/release-shared/moc_QNetworkReplyHandler.cpp:175
#58 0x00007ffff222a0e1 in QMetaObject::activate(QObject*, int, int, void**) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#59 0x00007ffff222b73e in QObject::event(QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#60 0x00007ffff32a81f4 in QApplicationPrivate::notify_helper(QObject*, QEvent*) ()
   from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Widgets.so.5
#61 0x00007ffff32ab5d1 in QApplication::notify(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Widgets.so.5
#62 0x00007ffff2204a24 in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#63 0x00007ffff2206961 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) ()
   from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#64 0x00007ffff224c1f3 in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#65 0x00007fffef026d53 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#66 0x00007fffef0270a0 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#67 0x00007fffef027164 in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#68 0x00007ffff224c634 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
   from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#69 0x00007ffff22038fb in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) ()
   from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#70 0x00007ffff2206e9e in QCoreApplication::exec() () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#71 0x0000000000439b89 in main (argc=2, argv=0x7fffffffe088) at /home/abrhm/webkit/WebKit/Tools/DumpRenderTree/qt/DumpRenderTreeMain.cpp:199

Comment 1 Csaba Osztrogonác 2013-05-22 07:00:47 PDT
The original https://bugs.webkit.org/show_bug.cgi?id=116468 seems to be a security bug. Isn't this crash a security bug too?

Comment 2 Ryosuke Niwa 2013-05-22 10:10:27 PDT
It seems like this is an unrelated crash since it's happening inside getSelection().selectAllChildren. I'm not certain if this is a security bug or not. Someone who has access to Qt build needs to debug it.
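What the backtrace already says about the question raised in comments 1 and 2: frame #0 runs with `this=0x34`, frames #1 to #3 with `this=0x0`, and frame #4 (`highestAncestorToWrapMarkup`, markup.cpp:531) is a free function with no receiver at all. So the editing code called `node()` on a null renderer, and 0x34 is just the offset of the bitfields sub-object inside a `RenderObject` that sits at address 0. A read from an unmapped near-null address is a reliable crash rather than a memory-corruption primitive, which is the first thing that separates a denial-of-service bug from an exploitable one at triage time; it is a heuristic, not a proof, since the same code path may dereference something else on a different input. The script below is an added example, not part of this bug report and not WebKit tooling: it parses the innermost frames of the gdb output above (embedded as constructed sample input), classifies the fault by the innermost receiver address, and walks outward to the first frame with a valid receiver to name where the null pointer was passed from. The 4 KiB near-null threshold is an assumption about the target platform, not something the report states.

```python
import re

# Innermost frames of the gdb backtrace from this report, embedded here as the
# sample input (copied from the report above; outer frames omitted for brevity).
SAMPLE_BACKTRACE = """\
#0  0x00007ffff3f91878 in WebCore::RenderObject::RenderObjectBitfields::isAnonymous (this=0x34)
    at /home/abrhm/webkit/WebKit/Source/WebCore/rendering/RenderObject.h:1109
#1  0x00007ffff3f91800 in WebCore::RenderObject::isAnonymous (this=0x0)
    at /home/abrhm/webkit/WebKit/Source/WebCore/rendering/RenderObject.h:516
#2  0x00007ffff3f91856 in WebCore::RenderObject::node (this=0x0) at /home/abrhm/webkit/WebKit/Source/WebCore/rendering/RenderObject.h:638
#3  0x00007ffff425bd0c in WebCore::RenderLayerModelObject::node (this=0x0)
    at /home/abrhm/webkit/WebKit/Source/WebCore/rendering/RenderLayerModelObject.h:54
#4  0x00007ffff4643ec0 in WebCore::highestAncestorToWrapMarkup (range=0x7f8000, shouldAnnotate=WebCore::AnnotateForInterchange)
    at /home/abrhm/webkit/WebKit/Source/WebCore/editing/markup.cpp:531
#5  0x00007ffff46443aa in WebCore::createMarkupInternal (document=0x7be990, range=0x7f8000, updatedRange=0x7f8000, nodes=0x0,
    shouldAnnotate=WebCore::AnnotateForInterchange, convertBlocksToInlines=false, shouldResolveURLs=WebCore::ResolveNonLocalURLs)
    at /home/abrhm/webkit/WebKit/Source/WebCore/editing/markup.cpp:575
"""

# One gdb frame, after its continuation lines have been joined onto one line.
FRAME_RE = re.compile(
    r'^#(?P<idx>\d+)\s+0x(?P<pc>[0-9a-fA-F]+)\s+in\s+(?P<func>.+?)\s+\((?P<args>.*)\)'
    r'(?:\s+at\s+(?P<file>\S+):(?P<line>\d+))?\s*$')

# Assumption: anything below one 4 KiB page is a null pointer plus a small member
# offset. Linux refuses to map that range for unprivileged processes
# (vm.mmap_min_addr), so such a fault is a crash, not a controllable access.
NEAR_NULL_LIMIT = 0x1000


def parse_args(text):
    """'this=0x34, range=0x7f8000' -> {'this': '0x34', 'range': '0x7f8000'}"""
    out = {}
    for item in text.split(', '):
        name, sep, value = item.partition('=')
        if sep:
            out[name.strip()] = value.strip()
    return out


def as_int(value):
    """Integer value of a gdb argument, or None for enums, bools, '...' etc."""
    try:
        return int(value, 0)
    except ValueError:
        return None


def _parse_frame(text):
    m = FRAME_RE.match(text)
    if not m:
        raise ValueError('unrecognised frame: ' + text)
    return {'idx': int(m['idx']), 'pc': int(m['pc'], 16), 'func': m['func'],
            'args': parse_args(m['args']), 'file': m['file'],
            'line': int(m['line']) if m['line'] else None}


def parse_backtrace(text):
    """Split gdb 'bt' output into frames; a frame starts at '#N' and may wrap."""
    frames, chunk = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith('#') and chunk:
            frames.append(_parse_frame(' '.join(chunk)))
            chunk = []
        chunk.append(line)
    if chunk:
        frames.append(_parse_frame(' '.join(chunk)))
    return frames


def triage(frames):
    """Classify the faulting access and find the frame that supplied the bad pointer.

    The innermost frame's `this` is the faulting address for a method call on a
    bad object. Frames are then walked outward while their receiver is still
    near-null; the first frame whose receiver is valid, or which has no `this`
    at all (a free function), is where the null pointer was passed from.
    """
    this = as_int(frames[0]['args'].get('this', ''))
    if this is None:
        return {'kind': 'unknown', 'offset': None, 'origin': None,
                'origin_location': None, 'null_chain': []}
    kind = 'null-deref' if this < NEAR_NULL_LIMIT else 'non-null-receiver'
    null_chain, origin = [], None
    for frame in frames[1:]:
        receiver = as_int(frame['args'].get('this', ''))
        if receiver is None or receiver >= NEAR_NULL_LIMIT:
            origin = frame
            break
        null_chain.append(frame['func'])
    return {'kind': kind, 'offset': this,
            'origin': origin['func'] if origin else None,
            'origin_location': '%s:%s' % (origin['file'], origin['line']) if origin else None,
            'null_chain': null_chain}


if __name__ == '__main__':
    result = triage(parse_backtrace(SAMPLE_BACKTRACE))
    print('%s at offset 0x%x, null receiver passed from %s (%s)' % (
        result['kind'], result['offset'], result['origin'], result['origin_location']))
```

Run on the sample it reports a null dereference at offset 0x34 whose null receiver came from `WebCore::highestAncestorToWrapMarkup` at markup.cpp:531, which is exactly the line a fix for this crash would need to look at. The frame regex only handles frames with debug info of the form gdb printed here; the `??` and Qt library frames further out in the report carry no argument values and would need to be skipped before feeding the full trace through.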

Comment 3 Jocelyn Turcotte 2014-02-03 03:25:45 PST
=== Bulk closing of Qt bugs ===

If you believe that this bug report is still relevant for a non-Qt port of webkit.org, please re-open it and remove [Qt] from the summary.

If you believe that this is still an important QtWebKit bug, please file a new report at https://bugreports.qt-project.org and add a link to this issue. See http://qt-project.org/wiki/ReportingBugsInQt for additional guidelines.