Bug 156715

Summary: Crash in ElementDescendantIterator::operator--() when calling m_ancestorSiblingStack.last()
Product: WebKit
Reporter: Chris Dumez <cdumez>
Component: DOM
Assignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED
Severity: Normal
CC: commit-queue, esprehn+autocc, kangil.han, kling, koivisto, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments: Patch (flags: none)

Description Chris Dumez 2016-04-18 13:43:03 PDT
Crash in ElementDescendantIterator::operator--() when calling m_ancestorSiblingStack.last():
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x000000010f369b57 WTFCrash + 39 (Assertions.cpp:322)
1   com.apple.WebCore             	0x000000011158a7d9 WTF::CrashOnOverflow::crash() + 9
2   com.apple.WebCore             	0x000000011158a7c9 WTF::CrashOnOverflow::overflowed() + 9
3   com.apple.WebCore             	0x00000001115a6f9b WTF::Vector<WebCore::Element*, 16ul, WTF::CrashOnOverflow, 16ul>::at(unsigned long) + 75 (Vector.h:660)
4   com.apple.WebCore             	0x00000001115a6e1b WTF::Vector<WebCore::Element*, 16ul, WTF::CrashOnOverflow, 16ul>::last() + 43 (Vector.h:700)
5   com.apple.WebCore             	0x00000001115a68c4 WebCore::ElementDescendantIterator::operator--() + 244 (ElementDescendantIterator.h:174)
6   com.apple.WebCore             	0x000000011391a674 void WebCore::CollectionTraversal<(WebCore::CollectionTraversalType)0>::traverseBackward<WebCore::HTMLTagCollection>(WebCore::HTMLTagCollection const&, WebCore::ElementDescendantIterator&, unsigned int) + 148 (CollectionTraversal.h:108)
7   com.apple.WebCore             	0x000000011391a45b WebCore::CachedHTMLCollection<WebCore::HTMLTagCollection, (WebCore::CollectionTraversalType)0>::collectionTraverseBackward(WebCore::ElementDescendantIterator&, unsigned int) const + 43 (CachedHTMLCollection.h:53)
8   com.apple.WebCore             	0x000000011391a30a WebCore::CollectionIndexCache<WebCore::HTMLTagCollection, WebCore::ElementDescendantIterator>::traverseBackwardTo(WebCore::HTMLTagCollection const&, unsigned int) + 586 (CollectionIndexCache.h:125)
9   com.apple.WebCore             	0x00000001139197fe WebCore::CollectionIndexCache<WebCore::HTMLTagCollection, WebCore::ElementDescendantIterator>::nodeAt(WebCore::HTMLTagCollection const&, unsigned int) + 302 (CollectionIndexCache.h:181)
10  com.apple.WebCore             	0x0000000113916654 WebCore::CachedHTMLCollection<WebCore::HTMLTagCollection, (WebCore::CollectionTraversalType)0>::item(unsigned int) const + 52 (CachedHTMLCollection.h:43)
11  com.apple.WebCore             	0x0000000112814009 WebCore::jsHTMLCollectionPrototypeFunctionItem(JSC::ExecState*) + 537 (JSHTMLCollection.cpp:239)
12  ???                           	0x0000304244001028 0 + 53061166829608
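Added example (not WebKit code and not part of the report): a miniature of what frames 1 to 5 of the trace show. WTF::Vector with the CrashOnOverflow handler range-checks every at() call, and last() is at(size() - 1), so last() on an empty vector reaches WTFCrash() instead of reading out of bounds; the report is a deterministic abort, not memory corruption. The CheckedVector, Element and DescendantIterator types, the sample tree and the throwing crash handler (real WTF aborts the process) are this example's own assumptions, and the toy iterator's unguarded pop is a defect invented for the demonstration, not the root cause fixed in r199693.

```cpp
// Constructed example, not WebKit code. CheckedVector mimics the WTF::Vector
// range check behind frames 1-4; the crash handler throws instead of aborting
// (assumption) so the outcome can be observed by a caller.
#include <cstddef>
#include <stdexcept>
#include <string>
#include <vector>

struct CrashOnOverflow {
    [[noreturn]] static void overflowed() { throw std::out_of_range("WTF::CrashOnOverflow::crash()"); }
};

template <typename T, typename OverflowHandler = CrashOnOverflow>
class CheckedVector {
public:
    void append(const T& v) { m_buffer.push_back(v); }
    T takeLast() { T v = last(); m_buffer.pop_back(); return v; }
    void removeLast() { (void)at(size() - 1); m_buffer.pop_back(); }
    size_t size() const { return m_buffer.size(); }
    bool isEmpty() const { return m_buffer.empty(); }
    // Like WTF::Vector::at(): any index >= size() reaches the overflow handler,
    // including size() - 1 wrapping to SIZE_MAX when the vector is empty.
    T& at(size_t i) {
        if (i >= size())
            OverflowHandler::overflowed();
        return m_buffer[i];
    }
    T& last() { return at(size() - 1); }
private:
    std::vector<T> m_buffer;
};

// Minimal element tree: parent/child/sibling links only (assumed shape).
struct Element {
    Element* parent = nullptr;
    Element* firstChild = nullptr;
    Element* lastChild = nullptr;
    Element* previousSibling = nullptr;
    Element* nextSibling = nullptr;
    void appendChild(Element* c) {
        c->parent = this;
        c->previousSibling = lastChild;
        if (lastChild) lastChild->nextSibling = c; else firstChild = c;
        lastChild = c;
    }
};

// Toy pre-order descendant iterator keeping a stack of the next siblings of the
// ancestors it descended past, in the spirit of m_ancestorSiblingStack in the
// trace (the real ElementDescendantIterator differs; this one is constructed).
class DescendantIterator {
public:
    explicit DescendantIterator(Element* current) : m_current(current) {}
    Element* current() const { return m_current; }

    DescendantIterator& operator++() {
        if (!m_current) return *this;
        if (m_current->firstChild) {
            if (m_current->nextSibling)
                m_ancestorSiblingStack.append(m_current->nextSibling);
            m_current = m_current->firstChild;
        } else if (m_current->nextSibling) {
            m_current = m_current->nextSibling;
        } else {
            m_current = m_ancestorSiblingStack.isEmpty() ? nullptr : m_ancestorSiblingStack.takeLast();
        }
        return *this;
    }

    // guarded == false reproduces the shape of the crash: last() is read before
    // anyone has checked that the stack is non-empty.
    DescendantIterator& decrement(bool guarded) {
        if (!m_current) return *this;
        if (Element* prev = m_current->previousSibling) {
            if (prev->firstChild)                        // forward walk pushed m_current here
                m_ancestorSiblingStack.append(m_current);
            m_current = prev;
            while (m_current->lastChild)
                m_current = m_current->lastChild;
            return *this;
        }
        m_current = m_current->parent;
        if (!m_current) return *this;
        // Forward walk pushed parent's next sibling when it descended into parent.
        if ((!guarded || !m_ancestorSiblingStack.isEmpty())
            && m_ancestorSiblingStack.last() == m_current->nextSibling)
            m_ancestorSiblingStack.removeLast();
        return *this;
    }

private:
    Element* m_current;
    CheckedVector<Element*> m_ancestorSiblingStack;
};

// Frames 1-4 in miniature: last() on an empty vector is caught by at().
bool lastOnEmptyIsCaught() {
    CheckedVector<int> v;
    try { (void)v.last(); return false; } catch (const std::out_of_range&) { return true; }
}

// Constructed sample tree: root > (a > a1, a2), (b > b1). Walk forward `steps`
// from root, then back `steps`. Returns "ok" when we land on root again,
// otherwise the crash handler's message.
std::string roundTrip(bool guarded, int steps) {
    Element root, a, a1, a2, b, b1;
    root.appendChild(&a); a.appendChild(&a1); a.appendChild(&a2);
    root.appendChild(&b); b.appendChild(&b1);
    DescendantIterator it(&root);
    for (int i = 0; i < steps; ++i) ++it;
    try {
        for (int i = 0; i < steps; ++i) it.decrement(guarded);
        return it.current() == &root ? "ok" : "wrong element";
    } catch (const std::out_of_range& e) {
        return e.what();
    }
}
```

decrement(true) is the check a reviewer would ask for at a site like frame 5: test isEmpty() before reading last(). The bounds check in at() is what keeps the unguarded variant a crash rather than a stale-pointer read, which is why the trace ends in WTFCrash and not in a wild dereference.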
Comment 1 Chris Dumez 2016-04-18 13:43:29 PDT
rdar://problem/25750864
Comment 2 Chris Dumez 2016-04-18 14:32:49 PDT
Created attachment 276671 [details]
Patch
Comment 3 WebKit Commit Bot 2016-04-18 15:36:03 PDT
Comment on attachment 276671 [details]
Patch

Clearing flags on attachment: 276671

Committed r199693: <http://trac.webkit.org/changeset/199693>
Comment 4 WebKit Commit Bot 2016-04-18 15:36:09 PDT
All reviewed patches have been landed.  Closing bug.