| Field | Value |
|---|---|
| Summary | Crash in is<> Template due to corrupted/garbage WebCore::HTMLNames::selectTag |
| Product | WebKit |
| Component | WebCore Misc. |
| Status | NEW |
| Severity | Major |
| Priority | P2 |
| Version | 528+ (Nightly build) |
| Hardware | PC |
| OS | All |
| Reporter | Brent Fulgham <bfulgham> |
| Assignee | Nobody <webkit-unassigned> |
| CC | bfulgham, mcatanzaro |
| See Also | https://bugzilla.redhat.com/show_bug.cgi?id=1456612 |
| Bug Depends on | 113220 |
| Bug Blocks | (none) |
May have been introduced in https://bugs.webkit.org/show_bug.cgi?id=113220. I have one report of this from a Linux user. Only one, so I'd say it's low priority.

Truncated backtrace:

```
Thread no. 1 (10 frames)
#0 WTF::RefPtr<WTF::StringImpl>::get at /usr/src/debug/webkitgtk-2.16.2/Source/WTF/wtf/RefPtr.h:64
#1 WTF::String::impl at /usr/src/debug/webkitgtk-2.16.2/Source/WTF/wtf/text/WTFString.h:150
#2 WTF::AtomicString::impl at /usr/src/debug/webkitgtk-2.16.2/Source/WTF/wtf/text/AtomicString.h:98
#3 WTF::operator== at /usr/src/debug/webkitgtk-2.16.2/Source/WTF/wtf/text/AtomicString.h:202
#4 WebCore::Element::hasLocalName at /usr/src/debug/webkitgtk-2.16.2/Source/WebCore/dom/Element.h:214
#5 WebCore::HTMLElement::hasTagName at /usr/src/debug/webkitgtk-2.16.2/Source/WebCore/html/HTMLElement.h:91
#6 WebCore::Node::hasTagName at /usr/src/debug/webkitgtk-2.16.2/Source/WebCore/html/HTMLElement.h:158
#7 WTF::TypeCastTraits<WebCore::HTMLOptionElement const, WebCore::ContainerNode const, false>::checkTagName at /usr/src/debug/webkitgtk-2.16.2/x86_64-redhat-linux-gnu/DerivedSources/WebCore/HTMLElementTypeHelpers.h:619
#8 WTF::TypeCastTraits<WebCore::HTMLOptionElement const, WebCore::ContainerNode const, false>::isOfType at /usr/src/debug/webkitgtk-2.16.2/x86_64-redhat-linux-gnu/DerivedSources/WebCore/HTMLElementTypeHelpers.h:616
#9 WTF::is<WebCore::HTMLOptionElement, WebCore::ContainerNode> at /usr/src/debug/webkitgtk-2.16.2/Source/WTF/wtf/TypeCasts.h:59
```
The test 'fast/forms/select/popup-closes-on-blur.html' crashes with the following stack trace:

```
DumpRenderTree.dll!std::unique_ptr<WTF::HashMap<int,WTF::RefPtr<JSC::WatchpointSet>,WTF::IntHash<int>,WTF::UnsignedWithZeroKeyHashTraits<int>,WTF::HashTraits<WTF::RefPtr<JSC::WatchpointSet> > >,std::default_delete<WTF::HashMap<int,WTF::RefPtr<JSC::WatchpointSet>,WTF::IntHash<int>,WTF::UnsignedWithZeroKeyHashTraits<int>,WTF::HashTraits<WTF::RefPtr<JSC::WatchpointSet> > > > >::get() Line 1453 C++
DumpRenderTree.dll!WTF::Vector<COMPtr<IUnknown>,0,WTF::CrashOnOverflow>::data() Line 643 C++
DumpRenderTree.dll!WTF::Vector<std::unique_ptr<tagSTGMEDIUM,StgMediumDeleter>,0,WTF::CrashOnOverflow>::begin() Line 647 C++
DumpRenderTree.dll!WTF::operator==(const WTF::AtomicString & a, const WTF::AtomicString & b) Line 224 C++
DumpRenderTree.dll!WebCore::Element::hasLocalName(const WTF::AtomicString & other) Line 260 C++
DumpRenderTree.dll!WebCore::HTMLElement::hasTagName(const WebCore::HTMLQualifiedName & name) Line 99 C++
DumpRenderTree.dll!WebCore::Node::hasTagName(const WebCore::HTMLQualifiedName & name) Line 145 C++
> DumpRenderTree.dll!WTF::TypeCastTraits<WebCore::HTMLSelectElement const ,WebCore::Node const ,0>::checkTagName(const WebCore::Node & node) Line 689 C++
DumpRenderTree.dll!WTF::TypeCastTraits<WebCore::HTMLSelectElement const ,WebCore::Node const ,0>::isOfType(const WebCore::Node & node) Line 686 C++
DumpRenderTree.dll!WTF::is<WebCore::HTMLSelectElement,WebCore::Node>(WebCore::Node & source) Line 59 C++
DumpRenderTree.dll!WebCore::Internals::isSelectPopupVisible(WebCore::Node * node) Line 2166 C++
DumpRenderTree.dll!WebCore::jsInternalsPrototypeFunctionIsSelectPopupVisible(JSC::ExecState * exec) Line 3424 C++
[External Code]
[Frames below may be incorrect and/or missing]
JavaScriptCore.dll!llint_entry() Line 7211 Unknown
JavaScriptCore.dll!vmEntryToJavaScript() Line 109 Unknown
JavaScriptCore.dll!JSC::JITCode::execute(JSC::VM * vm, JSC::ProtoCallFrame * protoCallFrame) Line 77 C++
JavaScriptCore.dll!JSC::Interpreter::execute(JSC::EvalExecutable * eval, JSC::ExecState * callFrame, JSC::JSValue thisValue, JSC::JSScope * scope) Line 1201 C++
JavaScriptCore.dll!JSC::eval(JSC::ExecState * callFrame) Line 134 C++
JavaScriptCore.dll!llint_slow_path_call_eval(JSC::ExecState * exec, JSC::Instruction * pc) Line 1248 C++
JavaScriptCore.dll!llint_entry() Line 7424 Unknown
[External Code]
JavaScriptCore.dll!llint_entry() Line 7211 Unknown
JavaScriptCore.dll!llint_entry() Line 7211 Unknown
JavaScriptCore.dll!vmEntryToJavaScript() Line 109 Unknown
JavaScriptCore.dll!JSC::JITCode::execute(JSC::VM * vm, JSC::ProtoCallFrame * protoCallFrame) Line 77 C++
JavaScriptCore.dll!JSC::Interpreter::execute(JSC::ProgramExecutable * program, JSC::ExecState * callFrame, JSC::JSObject * thisObj) Line 914 C++
JavaScriptCore.dll!JSC::evaluate(JSC::ExecState * exec, const JSC::SourceCode & source, JSC::JSValue thisValue, JSC::JSValue * returnedException) Line 83 C++
WebKit.dll!WebCore::JSMainThreadExecState::evaluate(JSC::ExecState * exec, const JSC::SourceCode & source, JSC::JSValue thisValue, JSC::JSValue * exception) Line 62 C++
WebKit.dll!WebCore::ScriptController::evaluateInWorld(const WebCore::ScriptSourceCode & sourceCode, WebCore::DOMWrapperWorld & world) Line 150 C++
WebKit.dll!WebCore::ScriptController::evaluate(const WebCore::ScriptSourceCode & sourceCode) Line 166 C++
WebKit.dll!WebCore::ScriptElement::executeScript(const WebCore::ScriptSourceCode & sourceCode) Line 301 C++
WebKit.dll!WebCore::ScriptElement::prepareScript(const WTF::TextPosition & scriptStartPosition, WebCore::ScriptElement::LegacyTypeSupport supportLegacyTypes) Line 237 C++
WebKit.dll!WebCore::HTMLScriptRunner::runScript(WebCore::Element * script, const WTF::TextPosition & scriptStartPosition) Line 304 C++
WebKit.dll!WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element> scriptElement, const WTF::TextPosition & scriptStartPosition) Line 177 C++
WebKit.dll!WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() Line 197 C++
WebKit.dll!WebCore::HTMLDocumentParser::canTakeNextToken(WebCore::HTMLDocumentParser::SynchronousMode mode, WebCore::PumpSession & session) Line 214 C++
WebKit.dll!WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode mode) Line 259 C++
WebKit.dll!WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode mode) Line 167 C++
WebKit.dll!WebCore::HTMLDocumentParser::resumeParsingAfterScriptExecution() Line 492 C++
WebKit.dll!WebCore::HTMLDocumentParser::notifyFinished(WebCore::CachedResource * cachedResource) Line 532 C++
WebKit.dll!WebCore::CachedResource::checkNotify() Line 294 C++
WebKit.dll!WebCore::CachedResource::finishLoading(WebCore::SharedBuffer * __formal) Line 311 C++
WebKit.dll!WebCore::CachedScript::finishLoading(WebCore::SharedBuffer * data) Line 87 C++
WebKit.dll!WebCore::SubresourceLoader::didFinishLoading(double finishTime) Line 357 C++
WebKit.dll!WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle * __formal, double finishTime) Line 503 C++
WebKit.dll!WebCore::SynchronousResourceHandleCFURLConnectionDelegate::didFinishLoading() Line 181 C++
WebKit.dll!WebCore::ResourceHandleCFURLConnectionDelegate::didFinishLoadingCallback(_CFURLConnection * __formal, const void * clientInfo) Line 88 C++
CFNetwork.dll!URLConnectionClient::_clientDidFinishLoading(URLConnectionClient::ClientConnectionEventQueue * preQ) Line 1739 C++
CFNetwork.dll!URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<enum XClientEvent,XClientEventParams> * e, long count) Line 2256 C++
CFNetwork.dll!XConnectionEventQueue<enum XClientEvent,XClientEventParams>::processAllEvents() Line 231 C++
CFNetwork.dll!URLConnectionClient::processEvents() Line 362 C++
CFNetwork.dll!URLConnectionWndProc(HWND__ * hWnd, unsigned int message, unsigned int wParam, long lParam) Line 109 C++
[External Code]
DumpRenderTree.dll!runTest(const std::basic_string<char,std::char_traits<char>,std::allocator<char> > & inputLine) Line 1130 C++
DumpRenderTree.dll!main(int argc, const char * * argv) Line 1488 C++
DumpRenderTree.dll!dllLauncherEntryPoint(int argc, const char * * argv) Line 1518 C++
DumpRenderTree.exe!main(int argc, const char * * argv) Line 239 C++
[External Code]
```

The crash is happening because the contents of WebCore::HTMLNames::selectTag are garbage.
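Both backtraces walk the same chain: `is<T>()` calls `TypeCastTraits<T, Node>::isOfType()`, which calls `checkTagName()`, which calls `Node::hasTagName()` with one of the `HTMLNames::*Tag` globals, and the crash is the `AtomicString` comparison dereferencing that global's string impl. The following is an added, self-contained model of that dispatch written for this page; it is not WebKit code, the class and namespace names only mirror WebKit's, and the `init()`/`reset()` functions, the `initialized` flag and `tagTableReady()` are assumptions of the model. It shows what the type check does when the global tag has never been filled in (a null impl, which a comparison can refuse to dereference) and that a readiness check on the tag table, not the comparison, is the guard a debug build would want, since a non-null pointer to garbage, as this report describes, is indistinguishable from a valid one at the comparison site.

```cpp
// Added example: miniature model of the WTF is<> / TypeCastTraits dispatch seen in
// the backtraces (is<> -> isOfType -> checkTagName -> hasTagName -> operator==).
// Names mirror WebKit's; this is not WebKit code and the types are simplified.
#include <cstdio>
#include <memory>
#include <string>
#include <utility>

// Stand-in for WTF::AtomicString: an interned string held through a shared pointer
// (WebKit uses RefPtr<StringImpl>). A default-constructed one has a null impl,
// which is how a never-initialised global tag looks in this model.
struct AtomicString {
    std::shared_ptr<const std::string> impl;
    AtomicString() = default;
    explicit AtomicString(const char* s) : impl(std::make_shared<std::string>(s)) {}
    bool isNull() const { return !impl; }
};

// The comparison in frame #3 (GTK) / the WTF::operator== frame (Windows); frame #0
// in the GTK trace is the RefPtr::get() it performs. Refusing to dereference a null
// impl turns the never-initialised case into a plain "no match". It cannot detect
// a non-null pointer to garbage; that needs the tag-table check further down.
inline bool operator==(const AtomicString& a, const AtomicString& b) {
    if (a.isNull() || b.isNull())
        return false;
    return a.impl == b.impl || *a.impl == *b.impl;
}

struct QualifiedName {
    AtomicString localName;
};

// Model assumption: the HTMLNames::*Tag globals are filled in by an explicit init()
// rather than by C++ static initialisation, so a type check that runs before init()
// compares against an empty QualifiedName. reset() exists only for the demo/test.
namespace HTMLNames {
    QualifiedName selectTag;
    QualifiedName optionTag;
    bool initialized = false;
    void init() {
        selectTag = QualifiedName{AtomicString("select")};
        optionTag = QualifiedName{AtomicString("option")};
        initialized = true;
    }
    void reset() {
        selectTag = QualifiedName{};
        optionTag = QualifiedName{};
        initialized = false;
    }
}

class Node {
public:
    virtual ~Node() = default;
    // Element::hasLocalName and Node::hasTagName collapsed into one step.
    bool hasTagName(const QualifiedName& name) const { return m_tagName.localName == name.localName; }
protected:
    explicit Node(QualifiedName tag) : m_tagName(std::move(tag)) {}
private:
    QualifiedName m_tagName;
};

// Elements carry their own valid tag copy, so the only bad input in the demo is
// the global that the cast traits compare against.
struct HTMLSelectElement : Node { HTMLSelectElement() : Node(QualifiedName{AtomicString("select")}) {} };
struct HTMLOptionElement : Node { HTMLOptionElement() : Node(QualifiedName{AtomicString("option")}) {} };

// One TypeCastTraits specialisation per element type, each checking the node's tag
// against the HTMLNames global (the generated HTMLElementTypeHelpers.h frames).
template <typename Target> struct TypeCastTraits;
template <> struct TypeCastTraits<HTMLSelectElement> {
    static bool checkTagName(const Node& node) { return node.hasTagName(HTMLNames::selectTag); }
    static bool isOfType(const Node& node) { return checkTagName(node); }
};
template <> struct TypeCastTraits<HTMLOptionElement> {
    static bool checkTagName(const Node& node) { return node.hasTagName(HTMLNames::optionTag); }
    static bool isOfType(const Node& node) { return checkTagName(node); }
};

// is<T>(node): the entry point in frame #9 (GTK) / the WTF::is<> frame (Windows),
// simplified to a single template parameter.
template <typename Target>
bool is(const Node& node) { return TypeCastTraits<Target>::isOfType(node); }

// The readiness check a debug build should make before trusting any HTMLNames
// global (assumed helper, not a WebKit API).
bool tagTableReady() { return HTMLNames::initialized && !HTMLNames::selectTag.localName.isNull(); }

int main() {
    HTMLSelectElement select;
    std::printf("before init: ready=%d is<select>=%d\n", tagTableReady(), is<HTMLSelectElement>(select));
    HTMLNames::init();
    std::printf("after init:  ready=%d is<select>=%d is<option>=%d\n",
                tagTableReady(), is<HTMLSelectElement>(select), is<HTMLOptionElement>(select));
    return 0;
}
```

Before `init()` the model answers "not a select element" for a real select element, which is the quiet failure mode; the reported crash is the loud one, where the global's impl pointer is non-null but points at garbage, and only a check on the tag table itself (here `tagTableReady()`) catches it before the comparison runs.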