Bug 150209

Summary: Null dereference loading Blink layout test editing/execCommand/insert-ordered-list-crash.html
Product: WebKit
Reporter: Jon Honeycutt <jhoneycutt>
Component: HTML Editing
Assignee: Jiewen Tan <jiewen_tan>
Status: RESOLVED FIXED
Severity: Normal
CC: cdumez, commit-queue, jiewen_tan, rniwa, webkit-bug-importer
Priority: P2
Keywords: BlinkMergeCandidate, HasReduction, InRadar
Version: WebKit Local Build
Hardware: Unspecified
OS: Unspecified
Attachments (description, flags):
  crashing test: none
  Patch: none
  Patch: none

Description Jon Honeycutt 2015-10-15 17:00:13 PDT
Created attachment 263226 [details]
crashing test

Null dereference loading Blink layout test editing/execCommand/insert-ordered-list-crash.html.

Stack trace:

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGABRT)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000048

VM Regions Near 0x48:
--> 
    __TEXT                 0000000100196000-0000000100230000 [  616K] r-x/rwx SM=COW  /Users/USER/*

Application Specific Information:
CRASHING TEST: blink-tests-that-are-unknown/editing/execCommand/insert-ordered-list-crash.html
================================================================
==21909==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000048 (pc 0x000105900d91 bp 0x7fff5fa61890 sp 0x7fff5fa61890 T0)
    #0 0x105900d90 in WebCore::ContainerNode::lastChild() const ContainerNode.h:88
    #1 0x105c0954e in WebCore::CompositeEditCommand::insertNodeAfter(WTF::PassRefPtr<WebCore::Node>, WTF::PassRefPtr<WebCore::Node>) CompositeEditCommand.cpp:357
    #2 0x10674f054 in WebCore::InsertListCommand::unlistifyParagraph(WebCore::VisiblePosition const&, WebCore::HTMLElement*, WebCore::Node*) InsertListCommand.cpp:309
    #3 0x10674de8c in WebCore::InsertListCommand::doApplyForSingleParagraph(bool, WebCore::HTMLQualifiedName const&, WebCore::Range*) InsertListCommand.cpp:252
    #4 0x10674cc88 in WebCore::InsertListCommand::doApply() InsertListCommand.cpp:192
    #5 0x105c07b7b in WebCore::CompositeEditCommand::apply() CompositeEditCommand.cpp:229
    #6 0x106199c53 in WebCore::executeInsertOrderedList(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) EditorCommand.cpp:518
    #7 0x10619685e in WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const EditorCommand.cpp:1704
    #8 0x105f6e979 in WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) Document.cpp:4657
    #9 0x1069dc260 in WebCore::jsDocumentPrototypeFunctionExecCommand(JSC::ExecState*) JSDocument.cpp:5093
    #10 0x57fbfd401027  (<unknown module>)
    #11 0x100fcf5dd in llint_entry (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xab45dd)
    #12 0x100fc9a0a in vmEntryToJavaScript (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xaaea0a)
    #13 0x100d2b07d in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) JITCode.cpp:80
    #14 0x100ce8714 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) Interpreter.cpp:1024
    #15 0x1005f99d1 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) CallData.cpp:39
    #16 0x1005f9ac1 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) CallData.cpp:44
    #17 0x10690c9c7 in WebCore::JSMainThreadExecState::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) JSMainThreadExecState.h:56
    #18 0x106afef5d in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) JSEventListener.cpp:130
    #19 0x106222d21 in WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul, WTF::CrashOnOverflow, 16ul>&) EventTarget.cpp:256
    #20 0x106222721 in WebCore::EventTarget::fireEventListeners(WebCore::Event*) EventTarget.cpp:208
    #21 0x1061e5897 in WebCore::EventContext::handleLocalEvents(WebCore::Event&) const EventContext.cpp:54
    #22 0x1061e850c in WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&, WebCore::WindowEventContext&) EventDispatcher.cpp:294
    #23 0x1061e79b5 in WebCore::EventDispatcher::dispatchEvent(WebCore::Node*, WTF::PassRefPtr<WebCore::Event>) EventDispatcher.cpp:342
    #24 0x1078cda01 in WebCore::ScopedEventQueue::dispatchEvent(WTF::PassRefPtr<WebCore::Event>) const ScopedEventQueue.cpp:59
    #25 0x1078cd787 in WebCore::ScopedEventQueue::enqueueEvent(WTF::PassRefPtr<WebCore::Event>) ScopedEventQueue.cpp:51
    #26 0x1061e6897 in WebCore::EventDispatcher::dispatchScopedEvent(WebCore::Node&, WTF::PassRefPtr<WebCore::Event>) EventDispatcher.cpp:210
    #27 0x107301c96 in WebCore::Node::dispatchScopedEvent(WTF::PassRefPtr<WebCore::Event>) Node.cpp:2136
    #28 0x1073020a7 in WebCore::Node::dispatchSubtreeModifiedEvent() Node.cpp:2161
    #29 0x105c2b815 in WebCore::ContainerNode::removeChild(WebCore::Node&, int&) ContainerNode.cpp:566
    #30 0x1072f8d24 in WebCore::Node::removeChild(WebCore::Node*, int&) Node.cpp:448
    #31 0x107411e4a in WebCore::Range::processAncestorsAndTheirSiblings(WebCore::Range::ActionType, WebCore::Node*, WebCore::Range::ContentsProcessDirection, WTF::PassRefPtr<WebCore::Node>, WebCore::Node*, int&) Range.cpp:806
    #32 0x10740e56b in WebCore::Range::processContents(WebCore::Range::ActionType, int&) Range.cpp:626
    #33 0x10740dd75 in WebCore::Range::deleteContents(int&) Range.cpp:492
    #34 0x1060f1f83 in WebCore::DOMSelection::deleteFromDocument() DOMSelection.cpp:439
    #35 0x106a2ae7a in WebCore::jsDOMSelectionPrototypeFunctionDeleteFromDocument(JSC::ExecState*) JSDOMSelection.cpp:454
    #36 0x57fbfd401027  (<unknown module>)
    #37 0x100fcf64f in llint_entry (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xab464f)
    #38 0x100fc9a0a in vmEntryToJavaScript (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xaaea0a)
    #39 0x100d2b07d in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) JITCode.cpp:80
    #40 0x100ce8714 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) Interpreter.cpp:1024
    #41 0x1005f99d1 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) CallData.cpp:39
    #42 0x1005f9ac1 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) CallData.cpp:44
    #43 0x10690c9c7 in WebCore::JSMainThreadExecState::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) JSMainThreadExecState.h:56
    #44 0x106afef5d in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) JSEventListener.cpp:130
    #45 0x106222d21 in WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul, WTF::CrashOnOverflow, 16ul>&) EventTarget.cpp:256
    #46 0x106222721 in WebCore::EventTarget::fireEventListeners(WebCore::Event*) EventTarget.cpp:208
    #47 0x1061e5897 in WebCore::EventContext::handleLocalEvents(WebCore::Event&) const EventContext.cpp:54
    #48 0x1061e8453 in WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&, WebCore::WindowEventContext&) EventDispatcher.cpp:280
    #49 0x1061e79b5 in WebCore::EventDispatcher::dispatchEvent(WebCore::Node*, WTF::PassRefPtr<WebCore::Event>) EventDispatcher.cpp:342
    #50 0x107301e14 in WebCore::Node::dispatchEvent(WTF::PassRefPtr<WebCore::Event>) Node.cpp:2145
    #51 0x105f70f3c in WebCore::Document::finishedParsing() Document.cpp:4880
    #52 0x106503d3d in WebCore::HTMLDocumentParser::prepareToStopParsing() HTMLDocumentParser.cpp:132
    #53 0x10600095c in WebCore::DocumentWriter::end() DocumentWriter.cpp:247
    #54 0x105fc8b67 in WebCore::DocumentLoader::finishedLoading(double) DocumentLoader.cpp:437
    #55 0x105b27ca7 in WebCore::CachedResource::checkNotify() CachedResource.cpp:297
    #56 0x105b22ff9 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) CachedRawResource.cpp:103
    #57 0x107bb0588 in WebCore::SubresourceLoader::didFinishLoading(double) SubresourceLoader.cpp:372
    #58 0x7fff8c4a3850 in __65-[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:]_block_invoke (/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork+0x2e850)
    #59 0x7fff8c4a3765 in -[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:] (/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork+0x2e765)
    #60 0x7fff8c4a366a in -[NSURLConnectionInternal _withActiveConnectionAndDelegate:] (/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork+0x2e66a)
    #61 0x7fff8c4a8491 in ___ZN27URLConnectionClient_Classic26_delegate_didFinishLoadingEU13block_pointerFvvE_block_invoke (/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork+0x33491)
    #62 0x7fff8c63c976 in ___ZN27URLConnectionClient_Classic18_withDelegateAsyncEPKcU13block_pointerFvP16_CFURLConnectionPK33CFURLConnectionClientCurrent_VMaxE_block_invoke_2 (/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork+0x1c7976)
    #63 0x7fff9a99c3c2 in _dispatch_client_callout (/usr/lib/system/libdispatch.dylib+0x23c2)
    #64 0x7fff9a9aa0bd in _dispatch_block_invoke (/usr/lib/system/libdispatch.dylib+0x100bd)
    #65 0x7fff8c4a3527 in RunloopBlockContext::_invoke_block(void const*, void*) (/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork+0x2e527)
    #66 0x7fff96f5ce63 in CFArrayApplyFunction (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x4ce63)
    #67 0x7fff8c4a3420 in RunloopBlockContext::perform() (/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork+0x2e420)
    #68 0x7fff8c4a32c1 in MultiplexerSource::perform() (/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork+0x2e2c1)
    #69 0x7fff8c4a30e3 in MultiplexerSource::_perform(void*) (/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork+0x2e0e3)
    #70 0x7fff96fba8b0 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xaa8b0)
    #71 0x7fff96f9a0ab in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x8a0ab)
    #72 0x7fff96f995ce in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x895ce)
    #73 0x7fff96f98fc7 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88fc7)
    #74 0x1001b898d in runTest(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) DumpRenderTree.mm:2030
    #75 0x1001b7f39 in runTestingServerLoop() DumpRenderTree.mm:1180
    #76 0x1001b7267 in dumpRenderTree(int, char const**) DumpRenderTree.mm:1288
    #77 0x1001b92b1 in DumpRenderTreeMain(int, char const**) DumpRenderTree.mm:1418
    #78 0x7fff931e95ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
    #79 0x1  (<unknown module>)
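The stack above is a DOM reentrancy case: frames #34 to #29 show Selection.deleteFromDocument() removing a node, frame #28 shows the synchronous DOMSubtreeModified mutation event fired from inside that removal, and frames #18 to #6 show the page's listener calling document.execCommand('insertOrderedList') while Range::deleteContents is still on the stack. InsertListCommand::unlistifyParagraph then hands CompositeEditCommand::insertNodeAfter a reference node whose parent is gone, and lastChild() reads through a null ContainerNode pointer (the faulting address 0x48 is a small constant offset from 0, consistent with a member read through null). The page below is an added illustration of that call sequence written for this write-up; it is not attachment 263226 and not WebKit project code. The markup, element ids, range offsets and the assumption that the selection sits inside an ordered list are all mine, reconstructed from the frame names only, and whether this particular tree reaches the null dereference on an unfixed build is not something the report confirms.

```html
<!DOCTYPE html>
<!-- Added illustration of the reentrancy in the stack trace. NOT the attached reducing test;
     markup, ids and offsets are assumptions derived from the frame names. -->
<div id="editor" contenteditable="true">
  <ol>
    <li id="first">abc</li>
    <li id="middle">removed whole by Range::deleteContents</li>
    <li id="last">xyz</li>
  </ol>
</div>
<script>
// A DOMSubtreeModified listener runs synchronously inside ContainerNode::removeChild
// (frames #29/#28). The guard makes it re-enter the editor once instead of recursing
// on every mutation execCommand itself performs.
let reentered = false;

document.addEventListener('DOMSubtreeModified', function onMutation() {
  if (reentered) return;
  reentered = true;
  // Frame #8 -> #6: Document::execCommand -> executeInsertOrderedList, invoked while
  // Range::deleteContents (frame #33) has not yet finished detaching nodes.
  document.execCommand('insertOrderedList', false, null);
}, true);

// Frame #51: Document::finishedParsing dispatches the event our listener runs from.
document.addEventListener('DOMContentLoaded', function () {
  const startText = document.getElementById('first').firstChild;
  const endText = document.getElementById('last').firstChild;

  // Start and end in different <li>s so that the fully contained middle <li> is
  // removed with removeChild (processAncestorsAndTheirSiblings, frame #31),
  // which is what fires DOMSubtreeModified mid-deletion.
  const range = document.createRange();
  range.setStart(startText, 1);
  range.setEnd(endText, 1);

  const selection = window.getSelection();
  selection.removeAllRanges();
  selection.addRange(range);

  // Frame #34: DOMSelection::deleteFromDocument -> Range::deleteContents.
  selection.deleteFromDocument();
});
</script>
```

The pattern to recognise when triaging similar reports is the pair of JS frames separated by a mutation-event dispatch (here frames #35 and #9): any editing command that caches Node pointers across a call that can fire DOMSubtreeModified, DOMNodeRemoved or similar synchronous events has to re-validate them afterwards, since script may have rearranged or detached the tree in between.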
Comment 1 Radar WebKit Bug Importer 2015-10-15 17:00:35 PDT
<rdar://problem/23137198>
Comment 2 Jiewen Tan 2015-10-22 19:12:17 PDT
Created attachment 263886 [details]
Patch
Comment 3 Jiewen Tan 2015-10-22 19:13:49 PDT
Created attachment 263887 [details]
Patch
Comment 4 Chris Dumez 2015-10-26 13:23:34 PDT
Comment on attachment 263887 [details]
Patch

r=me
Comment 5 WebKit Commit Bot 2015-10-26 15:50:36 PDT
Comment on attachment 263887 [details]
Patch

Clearing flags on attachment: 263887

Committed r191605: <http://trac.webkit.org/changeset/191605>
Comment 6 WebKit Commit Bot 2015-10-26 15:50:42 PDT
All reviewed patches have been landed.  Closing bug.