Bug 192392

Summary: Null pointer crash in DocumentOrderedMap::getElementById via FormAssociatedElement::findAssociatedForm
Product: WebKit Reporter: Ryosuke Niwa <rniwa>
Component: DOMAssignee: Ryosuke Niwa <rniwa>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, cdumez, cmarcelo, darin, dbates, dino, esprehn+autocc, ews-watchlist, kangil.han, koivisto, rniwa
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Fixes the bug
dino: review+
Archive of layout-test-results from ews103 for mac-sierra none

Ryosuke Niwa
Reported 2018-12-04 20:29:15 PST
e.g. #0 0x113e06e0c in WTF::RefPtr<WTF::StringImpl, WTF::DumbPtrTraits<WTF::StringImpl> >::get() const (WebCore:x86_64+0x16e0c) #1 0x11602e168 in WebCore::DocumentOrderedMap::getElementById(WTF::AtomicStringImpl const&, WebCore::TreeScope const&) const::$_7::operator()(WTF::AtomicStringImpl const&, WebCore::Element const&) const (WebCore:x86_64+0x223e168) #2 0x115fd0e4d in WebCore::Element* WebCore::DocumentOrderedMap::get<WebCore::DocumentOrderedMap::getElementById(WTF::AtomicStringImpl const&, WebCore::TreeScope const&) const::$_7>(WTF::AtomicStringImpl const&, WebCore::TreeScope const&, WebCore::DocumentOrderedMap::getElementById(WTF::AtomicStringImpl const&, WebCore::TreeScope const&) const::$_7 const&) const (WebCore:x86_64+0x21e0e4d) #3 0x1162f4228 in WebCore::FormAssociatedElement::findAssociatedForm(WebCore::HTMLElement const*, WebCore::HTMLFormElement*) (WebCore:x86_64+0x2504228) #4 0x1162f4d91 in WebCore::FormAssociatedElement::resetFormOwner() (WebCore:x86_64+0x2504d91) #5 0x1160776b9 in WebCore::IdTargetObserverRegistry::notifyObserversInternal(WTF::AtomicStringImpl const&) (WebCore:x86_64+0x22876b9) #6 0x11603a819 in WebCore::Element::attributeChanged(WebCore::QualifiedName const&, WTF::AtomicString const&, WTF::AtomicString const&, WebCore::Element::AttributeModificationReason) (WebCore:x86_64+0x224a819) #7 0x1160417cd in WebCore::Element::didRemoveAttribute(WebCore::QualifiedName const&, WTF::AtomicString const&) (WebCore:x86_64+0x22517cd) #8 0x116031759 in WebCore::Element::removeAttributeInternal(unsigned int, WebCore::Element::SynchronizationOfLazyAttribute) (WebCore:x86_64+0x2241759) #9 0x116041e24 in WebCore::Element::removeAttribute(WTF::AtomicString const&) (WebCore:x86_64+0x2251e24) #10 0x1146c29dd in WebCore::jsElementPrototypeFunctionRemoveAttributeBody(JSC::ExecState*, WebCore::JSElement*, JSC::ThrowScope&) (WebCore:x86_64+0x8d29dd) #11 0x1146ab257 in long long WebCore::IDLOperation<WebCore::JSElement>::call<&(WebCore::jsElementPrototypeFunctionRemoveAttributeBody(JSC::ExecState*, WebCore::JSElement*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*) (WebCore:x86_64+0x8bb257) <rdar://problem/38030356>
Attachments
Fixes the bug (4.53 KB, patch)
2018-12-04 21:01 PST, Ryosuke Niwa 		dino: review+
DetailsFormatted DiffDiff
Archive of layout-test-results from ews103 for mac-sierra (2.46 MB, application/zip)
2018-12-04 21:40 PST, EWS Watchlist 		no flags
Details
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Ryosuke Niwa
Comment 1 2018-12-04 21:01:01 PST
Created attachment 356577 [details] Fixes the bug
EWS Watchlist
Comment 2 2018-12-04 21:40:30 PST
Comment on attachment 356577 [details] Fixes the bug Attachment 356577 [details] did not pass mac-ews (mac): Output: https://webkit-queues.webkit.org/results/10273976 New failing tests: http/tests/misc/resource-timing-resolution.html
EWS Watchlist
Comment 3 2018-12-04 21:40:31 PST
Created attachment 356580 [details] Archive of layout-test-results from ews103 for mac-sierra The attached test failures were seen while running run-webkit-tests on the mac-ews. Bot: ews103 Port: mac-sierra Platform: Mac OS X 10.12.6
Ryosuke Niwa
Comment 4 2018-12-04 21:55:04 PST
Comment on attachment 356580 [details] Archive of layout-test-results from ews103 for mac-sierra I don't believe this test failure is related to my patch.
Ryosuke Niwa
Comment 5 2018-12-05 15:06:51 PST
Committed r238912: <https://trac.webkit.org/changeset/238912>
Note You need to log in before you can comment on or make changes to this bug.