Bug 150211

Created attachment 263228 [details] crashing test Null dereference loading Blink layout test fast/css/background-repeat-null-y-crash.html. Stack trace: Crashed Thread: 0 Dispatch queue: com.apple.main-thread Exception Type: EXC_BAD_ACCESS (SIGABRT) Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000004 VM Regions Near 0x4: --> __TEXT 000000010ba77000-000000010bb11000 [ 616K] r-x/rwx SM=COW /Users/USER/* Application Specific Information: CRASHING TEST: blink-tests-that-are-unknown/fast/css/background-repeat-null-y-crash.html ================================================================ ==22030==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x0001116375e9 bp 0x7fff54181c70 sp 0x7fff54181c70 T0) #0 0x1116375e8 in WebCore::CSSValue::isValueList() const CSSValue.h:66 #1 0x1134376f1 in WebCore::StyleProperties::getLayeredShorthandValue(WebCore::StylePropertyShorthand const&) const StyleProperties.cpp:426 #2 0x113436aa3 in WebCore::StyleProperties::getPropertyValue(WebCore::CSSPropertyID) const StyleProperties.cpp:130 #3 0x112cd55f3 in WebCore::PropertySetCSSStyleDeclaration::getPropertyValueInternal(WebCore::CSSPropertyID) PropertySetCSSStyleDeclaration.cpp:274 #4 0x11226fdbb in WebCore::getPropertyValueFallback(JSC::ExecState*, WebCore::JSCSSStyleDeclaration*, unsigned int) JSCSSStyleDeclarationCustom.cpp:281 #5 0x11226e180 in WebCore::cssPropertyGetter(JSC::ExecState*, WebCore::JSCSSStyleDeclaration*, unsigned int) JSCSSStyleDeclarationCustom.cpp:307 #6 0x11226d3f4 in WebCore::JSCSSStyleDeclaration::getOwnPropertySlotDelegate(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) JSCSSStyleDeclarationCustom.cpp:319 #7 0x112269b3b in WebCore::JSCSSStyleDeclaration::getOwnPropertySlot(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) JSCSSStyleDeclaration.cpp:195 #8 0x10c88d969 in llint_slow_path_get_by_id JSObject.h:1123 #9 0x10c8a35ff in llint_entry (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xab15ff) #10 0x10c8a0a0a in vmEntryToJavaScript (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xaaea0a) #11 0x10c60207d in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) JITCode.cpp:80 #12 0x10c5becc6 in JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) Interpreter.cpp:961 #13 0x10bf81689 in JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) Completion.cpp:104 #14 0x1125763ad in WebCore::JSMainThreadExecState::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) JSMainThreadExecState.h:62 #15 0x1131b2410 in WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&) ScriptController.cpp:164 #16 0x1131b2618 in WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&) ScriptController.cpp:180 #17 0x1131c4586 in WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) ScriptElement.cpp:309 #18 0x1131c1e6a in WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport) ScriptElement.cpp:242 #19 0x111eb79cb in WebCore::HTMLScriptRunner::runScript(WebCore::Element*, WTF::TextPosition const&) HTMLScriptRunner.cpp:308 #20 0x111eb7705 in WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element>, WTF::TextPosition const&) HTMLScriptRunner.cpp:177 #21 0x111de2a6f in WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() HTMLDocumentParser.cpp:195 #22 0x111de2ce3 in WebCore::HTMLDocumentParser::canTakeNextToken(WebCore::HTMLDocumentParser::SynchronousMode, WebCore::PumpSession&) HTMLDocumentParser.cpp:213 #23 0x111de22a8 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) HTMLDocumentParser.cpp:259 #24 0x111de3c9d in WebCore::HTMLDocumentParser::resumeParsingAfterScriptExecution() HTMLDocumentParser.cpp:496 #25 0x111de3f61 in WebCore::HTMLDocumentParser::notifyFinished(WebCore::CachedResource*) HTMLDocumentParser.cpp:536 #26 0x111405ca7 in WebCore::CachedResource::checkNotify() CachedResource.cpp:297 #27 0x11348e588 in WebCore::SubresourceLoader::didFinishLoading(double) SubresourceLoader.cpp:372 #28 0x7fff8c4a3850 in __65-[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:]_block_invoke (/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork+0x2e850) #29 0x7fff8c4a3765 in -[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:] (/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork+0x2e765) #30 0x7fff8c4a366a in -[NSURLConnectionInternal _withActiveConnectionAndDelegate:] (/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork+0x2e66a) #31 0x7fff8c4a8491 in ___ZN27URLConnectionClient_Classic26_delegate_didFinishLoadingEU13block_pointerFvvE_block_invoke (/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork+0x33491) #32 0x7fff8c63c976 in ___ZN27URLConnectionClient_Classic18_withDelegateAsyncEPKcU13block_pointerFvP16_CFURLConnectionPK33CFURLConnectionClientCurrent_VMaxE_block_invoke_2 (/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork+0x1c7976) #33 0x7fff9a99c3c2 in _dispatch_client_callout (/usr/lib/system/libdispatch.dylib+0x23c2) #34 0x7fff9a9aa0bd in _dispatch_block_invoke (/usr/lib/system/libdispatch.dylib+0x100bd) #35 0x7fff8c4a3527 in RunloopBlockContext::_invoke_block(void const*, void*) (/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork+0x2e527) #36 0x7fff96f5ce63 in CFArrayApplyFunction (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x4ce63) #37 0x7fff8c4a3420 in RunloopBlockContext::perform() (/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork+0x2e420) #38 0x7fff8c4a32c1 in MultiplexerSource::perform() (/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork+0x2e2c1) #39 0x7fff8c4a30e3 in MultiplexerSource::_perform(void*) (/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork+0x2e0e3) #40 0x7fff96fba8b0 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xaa8b0) #41 0x7fff96f9a0ab in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x8a0ab) #42 0x7fff96f995ce in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x895ce) #43 0x7fff96f98fc7 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88fc7) #44 0x10ba9998d in runTest(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) DumpRenderTree.mm:2030 #45 0x10ba98f39 in runTestingServerLoop() DumpRenderTree.mm:1180 #46 0x10ba98267 in dumpRenderTree(int, char const**) DumpRenderTree.mm:1288 #47 0x10ba9a2b1 in DumpRenderTreeMain(int, char const**) DumpRenderTree.mm:1418 #48 0x7fff931e95ac in start (/usr/lib/system/libdyld.dylib+0x35ac) #49 0x1 (<unknown module>)