Bug 158273

Summary: Crash under eventTargetRespectingTargetRules()
Product: WebKit
Reporter: Chris Dumez <cdumez>
Component: DOM
Assignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED
Severity: Normal
CC: achristensen, cdumez, commit-queue, esprehn+autocc, kangil.han, rniwa, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments:
Patch (flags: none)

Chris Dumez
Reported 2016-06-01 14:03:49 PDT
Crash under eventTargetRespectingTargetRules():

Thread[0] EXC_BAD_ACCESS (SIGSEGV) (KERN_INVALID_ADDRESS at 0x0000000000000014)

[ 0] 0x00007fff8b857995 WebCore`WebCore::EventPath::EventPath(WebCore::Node&, WebCore::Event&) [inlined] WebCore::Node::getFlag(WebCore::Node::NodeFlags) const at Node.h:625:49
   621
   622         DefaultNodeFlags = IsParsingChildrenFinishedFlag
   623     };
   624
-> 625     bool getFlag(NodeFlags mask) const { return m_nodeFlags & mask; }
   626     void setFlag(bool f, NodeFlags mask) const { m_nodeFlags = (m_nodeFlags & ~mask) | (-(int32_t)f & mask); }
   627     void setFlag(NodeFlags mask) const { m_nodeFlags |= mask; }
   628     void clearFlag(NodeFlags mask) const { m_nodeFlags &= ~mask; }
   629

   0x00007fff8b85798a: testb %al, %al
   0x00007fff8b85798c: movq %r15, %r14
   0x00007fff8b85798f: je 0x5b3995 ; <+117> [inlined] WebCore::Node::getFlag(WebCore::Node::NodeFlags) const at Node.h:217
   0x00007fff8b857991: movq 0x60(%r15), %r14
-> 0x00007fff8b857995: movl 0x14(%r14), %eax
   0x00007fff8b857999: movl %eax, %ecx
   0x00007fff8b85799b: andl $0x100004, %ecx ; imm = 0x100004
   0x00007fff8b8579a1: cmpl $0x100004, %ecx ; imm = 0x100004
   0x00007fff8b8579a7: jne 0x5b39cf ; <+175> [inlined] WebCore::Node::getFlag(WebCore::Node::NodeFlags) const + 4 at Node.h:221

[ 0] 0x00007fff8b857995 WebCore`WebCore::EventPath::EventPath(WebCore::Node&, WebCore::Event&) [inlined] WebCore::Node::isElementNode() const at Node.h:217
   213     WEBCORE_EXPORT void remove(ExceptionCode&);
   214
   215     // Other methods (not part of DOM)
   216
-> 217     bool isElementNode() const { return getFlag(IsElementFlag); }
   218     bool isContainerNode() const { return getFlag(IsContainerFlag); }
   219     bool isTextNode() const { return getFlag(IsTextFlag); }
   220     bool isHTMLElement() const { return getFlag(IsHTMLFlag); }
   221     bool isSVGElement() const { return getFlag(IsSVGFlag); }

[ 0] 0x00007fff8b857995 WebCore`WebCore::EventPath::EventPath(WebCore::Node&, WebCore::Event&) [inlined] WebCore::Node::pseudoId() const at Node.h:227
   223
   224     bool isPseudoElement() const { return pseudoId() != NOPSEUDO; }
   225     bool isBeforePseudoElement() const { return pseudoId() == BEFORE; }
   226     bool isAfterPseudoElement() const { return pseudoId() == AFTER; }
-> 227     PseudoId pseudoId() const { return (isElementNode() && hasCustomStyleResolveCallbacks()) ? customPseudoId() : NOPSEUDO; }
   228
   229     virtual bool isMediaControlElement() const { return false; }
   230     virtual bool isMediaControls() const { return false; }
   231 #if ENABLE(VIDEO_TRACK)

[ 0] 0x00007fff8b857995 WebCore`WebCore::EventPath::EventPath(WebCore::Node&, WebCore::Event&) [inlined] WebCore::Node::isPseudoElement() const at Node.h:224
   220     bool isHTMLElement() const { return getFlag(IsHTMLFlag); }
   221     bool isSVGElement() const { return getFlag(IsSVGFlag); }
   222     bool isMathMLElement() const { return getFlag(IsMathMLFlag); }
   223
-> 224     bool isPseudoElement() const { return pseudoId() != NOPSEUDO; }
   225     bool isBeforePseudoElement() const { return pseudoId() == BEFORE; }
   226     bool isAfterPseudoElement() const { return pseudoId() == AFTER; }
   227     PseudoId pseudoId() const { return (isElementNode() && hasCustomStyleResolveCallbacks()) ? customPseudoId() : NOPSEUDO; }
   228

[ 0] 0x00007fff8b857995 WebCore`WebCore::EventPath::EventPath(WebCore::Node&, WebCore::Event&) [inlined] WTF::TypeCastTraits<WebCore::PseudoElement const, WebCore::Node const, false>::isType(WebCore::Node const&) at PseudoElement.h:83
[ 0] 0x00007fff8b857995 WebCore`WebCore::EventPath::EventPath(WebCore::Node&, WebCore::Event&) [inlined] WTF::TypeCastTraits<WebCore::PseudoElement const, WebCore::Node const, false>::isOfType(WebCore::Node const&) at PseudoElement.h:82
[ 0] 0x00007fff8b857995 WebCore`WebCore::EventPath::EventPath(WebCore::Node&, WebCore::Event&) [inlined] bool WTF::is<WebCore::PseudoElement, WebCore::Node>(WebCore::Node&) at TypeCasts.h:59
[ 0] 0x00007fff8b857995 WebCore`WebCore::EventPath::EventPath(WebCore::Node&, WebCore::Event&) [inlined] WebCore::EventPath::eventTargetRespectingTargetRules(WebCore::Node&) at EventPath.h:55
[ 0] 0x00007fff8b857995 WebCore`WebCore::EventPath::EventPath(WebCore::Node&, WebCore::Event&) + 117 at EventPath.cpp:94
[ 1] 0x00007fff8b84f47d WebCore`WebCore::EventDispatcher::dispatchEvent(WebCore::Node*, WebCore::Event&) + 77 at EventDispatcher.cpp:157:15
[ 2] 0x00007fff8b40cad3 WebCore`WebCore::AnimationControllerPrivate::fireEventsAndUpdateStyle() + 355 at AnimationController.cpp:208:13
[ 3] 0x00007fff8b581e66 WebCore`WebCore::AnimationControllerPrivate::animationTimerFired() + 182 at AnimationController.cpp:272:5
[ 4] 0x00007fff8b2b760f WebCore`WebCore::ThreadTimers::sharedTimerFiredInternal() + 175 at ThreadTimers.cpp:121:9
[ 5] 0x00007fff8b2b754e WebCore`WebCore::timerFired(__CFRunLoopTimer*, void*) + 30 at MainThreadSharedTimerCF.cpp:74:5
Attachments
Patch (1.76 KB, patch)
2016-06-01 14:07 PDT, Chris Dumez
no flags
Chris Dumez
Comment 1 2016-06-01 14:04:08 PDT
Chris Dumez
Comment 2 2016-06-01 14:07:53 PDT
Chris Dumez
Comment 3 2016-06-01 14:41:50 PDT
Comment on attachment 280266 [details]
Patch

Clearing flags on attachment: 280266

Committed r201571: <http://trac.webkit.org/changeset/201571>
Chris Dumez
Comment 4 2016-06-01 14:41:57 PDT
All reviewed patches have been landed. Closing bug.