Bug 150209

Summary:

Null dereference loading Blink layout test editing/execCommand/insert-ordered-list-crash.html

Product:

WebKit

Reporter:

Jon Honeycutt <jhoneycutt>

Component:

HTML Editing

Assignee:

Jiewen Tan <jiewen_tan>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

cdumez, commit-queue, jiewen_tan, rniwa, webkit-bug-importer

Priority:

Keywords:

BlinkMergeCandidate, HasReduction, InRadar

Version:

WebKit Local Build

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
crashing test	none
Patch	none
Patch	none

Jon Honeycutt

Reported 2015-10-15 17:00:13 PDT

Created attachment 263226 [details] crashing test Null dereference loading Blink layout test editing/execCommand/insert-ordered-list-crash.html. Stack trace: Crashed Thread: 0 Dispatch queue: com.apple.main-thread Exception Type: EXC_BAD_ACCESS (SIGABRT) Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000048 VM Regions Near 0x48: --> __TEXT 0000000100196000-0000000100230000 [ 616K] r-x/rwx SM=COW /Users/USER/* Application Specific Information: CRASHING TEST: blink-tests-that-are-unknown/editing/execCommand/insert-ordered-list-crash.html ================================================================ ==21909==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000048 (pc 0x000105900d91 bp 0x7fff5fa61890 sp 0x7fff5fa61890 T0) #0 0x105900d90 in WebCore::ContainerNode::lastChild() const ContainerNode.h:88 #1 0x105c0954e in WebCore::CompositeEditCommand::insertNodeAfter(WTF::PassRefPtr<WebCore::Node>, WTF::PassRefPtr<WebCore::Node>) CompositeEditCommand.cpp:357 #2 0x10674f054 in WebCore::InsertListCommand::unlistifyParagraph(WebCore::VisiblePosition const&, WebCore::HTMLElement*, WebCore::Node*) InsertListCommand.cpp:309 #3 0x10674de8c in WebCore::InsertListCommand::doApplyForSingleParagraph(bool, WebCore::HTMLQualifiedName const&, WebCore::Range*) InsertListCommand.cpp:252 #4 0x10674cc88 in WebCore::InsertListCommand::doApply() InsertListCommand.cpp:192 #5 0x105c07b7b in WebCore::CompositeEditCommand::apply() CompositeEditCommand.cpp:229 #6 0x106199c53 in WebCore::executeInsertOrderedList(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) EditorCommand.cpp:518 #7 0x10619685e in WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const EditorCommand.cpp:1704 #8 0x105f6e979 in WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) Document.cpp:4657 #9 0x1069dc260 in WebCore::jsDocumentPrototypeFunctionExecCommand(JSC::ExecState*) JSDocument.cpp:5093 #10 0x57fbfd401027 (<unknown module>) #11 0x100fcf5dd in llint_entry (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xab45dd) #12 0x100fc9a0a in vmEntryToJavaScript (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xaaea0a) #13 0x100d2b07d in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) JITCode.cpp:80 #14 0x100ce8714 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) Interpreter.cpp:1024 #15 0x1005f99d1 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) CallData.cpp:39 #16 0x1005f9ac1 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) CallData.cpp:44 #17 0x10690c9c7 in WebCore::JSMainThreadExecState::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) JSMainThreadExecState.h:56 #18 0x106afef5d in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) JSEventListener.cpp:130 #19 0x106222d21 in WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul, WTF::CrashOnOverflow, 16ul>&) EventTarget.cpp:256 #20 0x106222721 in WebCore::EventTarget::fireEventListeners(WebCore::Event*) EventTarget.cpp:208 #21 0x1061e5897 in WebCore::EventContext::handleLocalEvents(WebCore::Event&) const EventContext.cpp:54 #22 0x1061e850c in WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&, WebCore::WindowEventContext&) EventDispatcher.cpp:294 #23 0x1061e79b5 in WebCore::EventDispatcher::dispatchEvent(WebCore::Node*, WTF::PassRefPtr<WebCore::Event>) EventDispatcher.cpp:342 #24 0x1078cda01 in WebCore::ScopedEventQueue::dispatchEvent(WTF::PassRefPtr<WebCore::Event>) const ScopedEventQueue.cpp:59 #25 0x1078cd787 in WebCore::ScopedEventQueue::enqueueEvent(WTF::PassRefPtr<WebCore::Event>) ScopedEventQueue.cpp:51 #26 0x1061e6897 in WebCore::EventDispatcher::dispatchScopedEvent(WebCore::Node&, WTF::PassRefPtr<WebCore::Event>) EventDispatcher.cpp:210 #27 0x107301c96 in WebCore::Node::dispatchScopedEvent(WTF::PassRefPtr<WebCore::Event>) Node.cpp:2136 #28 0x1073020a7 in WebCore::Node::dispatchSubtreeModifiedEvent() Node.cpp:2161 #29 0x105c2b815 in WebCore::ContainerNode::removeChild(WebCore::Node&, int&) ContainerNode.cpp:566 #30 0x1072f8d24 in WebCore::Node::removeChild(WebCore::Node*, int&) Node.cpp:448 #31 0x107411e4a in WebCore::Range::processAncestorsAndTheirSiblings(WebCore::Range::ActionType, WebCore::Node*, WebCore::Range::ContentsProcessDirection, WTF::PassRefPtr<WebCore::Node>, WebCore::Node*, int&) Range.cpp:806 #32 0x10740e56b in WebCore::Range::processContents(WebCore::Range::ActionType, int&) Range.cpp:626 #33 0x10740dd75 in WebCore::Range::deleteContents(int&) Range.cpp:492 #34 0x1060f1f83 in WebCore::DOMSelection::deleteFromDocument() DOMSelection.cpp:439 #35 0x106a2ae7a in WebCore::jsDOMSelectionPrototypeFunctionDeleteFromDocument(JSC::ExecState*) JSDOMSelection.cpp:454 #36 0x57fbfd401027 (<unknown module>) #37 0x100fcf64f in llint_entry (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xab464f) #38 0x100fc9a0a in vmEntryToJavaScript (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xaaea0a) #39 0x100d2b07d in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) JITCode.cpp:80 #40 0x100ce8714 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) Interpreter.cpp:1024 #41 0x1005f99d1 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) CallData.cpp:39 #42 0x1005f9ac1 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) CallData.cpp:44 #43 0x10690c9c7 in WebCore::JSMainThreadExecState::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) JSMainThreadExecState.h:56 #44 0x106afef5d in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) JSEventListener.cpp:130 #45 0x106222d21 in WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul, WTF::CrashOnOverflow, 16ul>&) EventTarget.cpp:256 #46 0x106222721 in WebCore::EventTarget::fireEventListeners(WebCore::Event*) EventTarget.cpp:208 #47 0x1061e5897 in WebCore::EventContext::handleLocalEvents(WebCore::Event&) const EventContext.cpp:54 #48 0x1061e8453 in WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&, WebCore::WindowEventContext&) EventDispatcher.cpp:280 #49 0x1061e79b5 in WebCore::EventDispatcher::dispatchEvent(WebCore::Node*, WTF::PassRefPtr<WebCore::Event>) EventDispatcher.cpp:342 #50 0x107301e14 in WebCore::Node::dispatchEvent(WTF::PassRefPtr<WebCore::Event>) Node.cpp:2145 #51 0x105f70f3c in WebCore::Document::finishedParsing() Document.cpp:4880 #52 0x106503d3d in WebCore::HTMLDocumentParser::prepareToStopParsing() HTMLDocumentParser.cpp:132 #53 0x10600095c in WebCore::DocumentWriter::end() DocumentWriter.cpp:247 #54 0x105fc8b67 in WebCore::DocumentLoader::finishedLoading(double) DocumentLoader.cpp:437 #55 0x105b27ca7 in WebCore::CachedResource::checkNotify() CachedResource.cpp:297 #56 0x105b22ff9 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) CachedRawResource.cpp:103 #57 0x107bb0588 in WebCore::SubresourceLoader::didFinishLoading(double) SubresourceLoader.cpp:372 #58 0x7fff8c4a3850 in __65-[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:]_block_invoke (/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork+0x2e850) #59 0x7fff8c4a3765 in -[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:] (/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork+0x2e765) #60 0x7fff8c4a366a in -[NSURLConnectionInternal _withActiveConnectionAndDelegate:] (/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork+0x2e66a) #61 0x7fff8c4a8491 in ___ZN27URLConnectionClient_Classic26_delegate_didFinishLoadingEU13block_pointerFvvE_block_invoke (/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork+0x33491) #62 0x7fff8c63c976 in ___ZN27URLConnectionClient_Classic18_withDelegateAsyncEPKcU13block_pointerFvP16_CFURLConnectionPK33CFURLConnectionClientCurrent_VMaxE_block_invoke_2 (/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork+0x1c7976) #63 0x7fff9a99c3c2 in _dispatch_client_callout (/usr/lib/system/libdispatch.dylib+0x23c2) #64 0x7fff9a9aa0bd in _dispatch_block_invoke (/usr/lib/system/libdispatch.dylib+0x100bd) #65 0x7fff8c4a3527 in RunloopBlockContext::_invoke_block(void const*, void*) (/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork+0x2e527) #66 0x7fff96f5ce63 in CFArrayApplyFunction (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x4ce63) #67 0x7fff8c4a3420 in RunloopBlockContext::perform() (/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork+0x2e420) #68 0x7fff8c4a32c1 in MultiplexerSource::perform() (/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork+0x2e2c1) #69 0x7fff8c4a30e3 in MultiplexerSource::_perform(void*) (/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork+0x2e0e3) #70 0x7fff96fba8b0 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xaa8b0) #71 0x7fff96f9a0ab in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x8a0ab) #72 0x7fff96f995ce in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x895ce) #73 0x7fff96f98fc7 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88fc7) #74 0x1001b898d in runTest(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) DumpRenderTree.mm:2030 #75 0x1001b7f39 in runTestingServerLoop() DumpRenderTree.mm:1180 #76 0x1001b7267 in dumpRenderTree(int, char const**) DumpRenderTree.mm:1288 #77 0x1001b92b1 in DumpRenderTreeMain(int, char const**) DumpRenderTree.mm:1418 #78 0x7fff931e95ac in start (/usr/lib/system/libdyld.dylib+0x35ac) #79 0x1 (<unknown module>)

Attachments
crashing test (780 bytes, text/html) 2015-10-15 17:00 PDT, Jon Honeycutt	no flags	Details
Patch (4.51 KB, patch) 2015-10-22 19:12 PDT, Jiewen Tan	no flags	Details Formatted Diff Diff
Patch (4.51 KB, patch) 2015-10-22 19:13 PDT, Jiewen Tan	no flags	Details Formatted Diff Diff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.