Bug 150208

Summary: Null dereference loading Blink layout test editing/execCommand/insert-image-changing-visibility-crash.html
Product: WebKit Reporter: Jon Honeycutt <jhoneycutt>
Component: HTML EditingAssignee: Jiewen Tan <jiewen_tan>
Status: RESOLVED FIXED    
Severity: Normal CC: cdumez, commit-queue, jiewen_tan, webkit-bug-importer
Priority: P2 Keywords: BlinkMergeCandidate, HasReduction, InRadar
Version: WebKit Local Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
crashing test
none
Patch
none
Patch
none
Patch none

Jon Honeycutt
Reported 2015-10-15 16:55:39 PDT
Created attachment 263225 [details] crashing test Stack trace: Crashed Thread: 0 Dispatch queue: com.apple.main-thread Exception Type: EXC_BAD_ACCESS (SIGABRT) Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000014 Exception Note: EXC_CORPSE_NOTIFY VM Regions Near 0x14: --> __TEXT 000000010f6c0000-000000010f6c3000 [ 12K] r-x/rwx SM=COW /Users/USER/*/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.Development.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development Application Specific Information: ================================================================ ==8111==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000014 (pc 0x00011e001ab2 bp 0x7fff50539430 sp 0x7fff50539430 T0) #0 0x11e001ab1 in WebCore::Node::getFlag(WebCore::Node::NodeFlags) const (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0xaab1) #1 0x11e333c2d in WebCore::canHaveChildrenForEditing(WebCore::Node const*) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x33cc2d) #2 0x11e322cb0 in WebCore::CompositeEditCommand::insertNodeAt(WTF::PassRefPtr<WebCore::Node>, WebCore::Position const&) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x32bcb0) #3 0x11ff44b1c in WebCore::ReplaceSelectionCommand::doApply() (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x1f4db1c) #4 0x11e320b7b in WebCore::CompositeEditCommand::apply() (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x329b7b) #5 0x11e8b71e5 in WebCore::executeInsertFragment(WebCore::Frame&, WTF::PassRefPtr<WebCore::DocumentFragment>) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x8c01e5) #6 0x11e8b74e1 in WebCore::executeInsertNode(WebCore::Frame&, WTF::Ref<WebCore::Node>&&) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x8c04e1) #7 0x11e8b274d in WebCore::executeInsertImage(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x8bb74d) #8 0x11e8af85e in WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x8b885e) #9 0x11e687979 in WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x690979) #10 0x11f0f5260 in WebCore::jsDocumentPrototypeFunctionExecCommand(JSC::ExecState*) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x10fe260) #11 0x3020bb201027 (<unknown module>) #12 0x11c6cd64f in llint_entry (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xab464f) #13 0x11c6c7a0a in vmEntryToJavaScript (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xaaea0a) #14 0x11c42907d in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x81007d) #15 0x11c3e6714 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x7cd714) #16 0x11bcf79d1 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xde9d1) #17 0x11bcf7ac1 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xdeac1) #18 0x11f0259c7 in WebCore::JSMainThreadExecState::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x102e9c7) #19 0x11f217f5d in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x1220f5d) #20 0x11e93bd21 in WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul, WTF::CrashOnOverflow, 16ul>&) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x944d21) #21 0x11e93b721 in WebCore::EventTarget::fireEventListeners(WebCore::Event*) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x944721) #22 0x11e82bbbd in WebCore::DOMWindow::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, WTF::PassRefPtr<WebCore::EventTarget>) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x834bbd) #23 0x11e8375db in WebCore::DOMWindow::dispatchLoadEvent() (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x8405db) #24 0x11e67962f in WebCore::Document::dispatchWindowLoadEvent() (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x68262f) #25 0x11e675201 in WebCore::Document::implicitClose() (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x67e201) #26 0x11ea7f0ab in WebCore::FrameLoader::checkCompleted() (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0xa880ab) #27 0x11ea7c35c in WebCore::FrameLoader::finishedParsing() (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0xa8535c) #28 0x11e68a049 in WebCore::Document::finishedParsing() (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x693049) #29 0x11ec1cd3d in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0xc25d3d) #30 0x11e71995c in WebCore::DocumentWriter::end() (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x72295c) #31 0x11e6e1b67 in WebCore::DocumentLoader::finishedLoading(double) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x6eab67) #32 0x11e240ca7 in WebCore::CachedResource::checkNotify() (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x249ca7) #33 0x11e23bff9 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x244ff9) #34 0x1202c9588 in WebCore::SubresourceLoader::didFinishLoading(double) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x22d2588) #35 0x11a2547b5 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double)>(IPC::MessageDecoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebKit.framework/WebKit+0x8e77b5) #36 0x11a253ca2 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::MessageDecoder&) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebKit.framework/WebKit+0x8e6ca2) #37 0x119bd36ca in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::MessageDecoder&) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebKit.framework/WebKit+0x2666ca) #38 0x1199fd745 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebKit.framework/WebKit+0x90745) #39 0x119a04f09 in IPC::Connection::dispatchOneMessage() (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebKit.framework/WebKit+0x97f09) #40 0x11ca97618 in WTF::RunLoop::performWork() (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xe7e618) #41 0x11ca97e6e in WTF::RunLoop::performWork(void*) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xe7ee6e) #42 0x7fff96fba8b0 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xaa8b0) #43 0x7fff96f9a0ab in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x8a0ab) #44 0x7fff96f995ce in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x895ce) #45 0x7fff96f98fc7 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88fc7) #46 0x7fff89713d54 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30d54) #47 0x7fff89713b8e in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30b8e) #48 0x7fff897139ce in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x309ce) #49 0x7fff8d4e6d95 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x49d95) #50 0x7fff8d4e61c4 in -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x491c4) #51 0x7fff8d4dad27 in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3dd27) #52 0x7fff8d4a3fbd in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x6fbd) #53 0x7fff924c44f1 in _xpc_objc_main (/usr/lib/system/libxpc.dylib+0x114f1) #54 0x7fff924c2f1d in xpc_main (/usr/lib/system/libxpc.dylib+0xff1d) #55 0x10f6c1266 in main (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.Development.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development+0x100001266) #56 0x7fff931e95ac in start (/usr/lib/system/libdyld.dylib+0x35ac) #57 0x0 (<unknown module>)
Attachments
crashing test (681 bytes, text/html)
2015-10-15 16:55 PDT, Jon Honeycutt 		no flags
Details
Patch (4.68 KB, patch)
2015-10-23 14:00 PDT, Jiewen Tan 		no flags
DetailsFormatted DiffDiff
Patch (4.70 KB, patch)
2015-10-26 13:05 PDT, Jiewen Tan 		no flags
DetailsFormatted DiffDiff
Patch (4.70 KB, patch)
2015-10-26 13:21 PDT, Jiewen Tan 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2015-10-15 16:56:14 PDT
<rdar://problem/23137109>
Jiewen Tan
Comment 2 2015-10-23 14:00:05 PDT
Created attachment 263942 [details] Patch
Chris Dumez
Comment 3 2015-10-26 12:04:07 PDT
Comment on attachment 263942 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=263942&action=review r=me with comments. > LayoutTests/editing/execCommand/insert-image-changing-visibility-crash.html:25 > + document.write("Pass if not crash."); Passes if it does not crash. > LayoutTests/editing/execCommand/insert-image-changing-visibility-crash.html:32 > +<table id="table" ></table> extra space here.
Jiewen Tan
Comment 4 2015-10-26 13:05:15 PDT
Created attachment 264066 [details] Patch
Jiewen Tan
Comment 5 2015-10-26 13:21:35 PDT
Created attachment 264067 [details] Patch
WebKit Commit Bot
Comment 6 2015-10-26 16:06:41 PDT
Comment on attachment 264067 [details] Patch Clearing flags on attachment: 264067 Committed r191608: <http://trac.webkit.org/changeset/191608>
WebKit Commit Bot
Comment 7 2015-10-26 16:06:49 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.