Bug 200711

Summary: Crash in WebCore::StyledMarkupAccumulator::firstChild
Product: WebKit
Reporter: Michael Catanzaro <mcatanzaro>
Component: Forms
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE
Severity: Normal
CC: bugs-noreply, cdumez, clopez, mcatanzaro, wenson_hsieh
Priority: P2
Version: WebKit Nightly Build
Hardware: PC
OS: Linux

Description Michael Catanzaro 2019-08-14 06:04:56 PDT
Here's a short backtrace; note that this=0x0 in the first frame is bad.

(gdb) bt
#0  0x00007f17c7840eb2 in WebCore::Node::firstChild() const (this=0x0)
    at ../Source/WebCore/dom/Node.h:595
#1  0x00007f17c7840eb2 in WebCore::StyledMarkupAccumulator::firstChild(WebCore::Node&) (this=0x7fff31dee6a0, node=...)
    at ../Source/WebCore/editing/markup.cpp:267
#2  0x00007f17c7840eb2 in WebCore::StyledMarkupAccumulator::traverseNodesForSerialization(WebCore::Node*, WebCore::Node*, WebCore::StyledMarkupAccumulator::NodeTraversalMode)
    (this=0x7fff31dee6a0, startNode=<optimized out>, pastEnd=0x7f174c74e0e8, traversalMode=<optimized out>) at ../Source/WebCore/editing/markup.cpp:631
#3  0x00007f17c7841a25 in WebCore::StyledMarkupAccumulator::serializeNodes(WebCore::Position const&, WebCore::Position const&)
    (this=this@entry=0x7fff31dee6a0, start=..., end=...)
    at DerivedSources/ForwardingHeaders/wtf/DumbPtrTraits.h:43
#4  0x00007f17c78420ed in WebCore::serializePreservingVisualAppearanceInternal(WebCore::Position const&, WebCore::Position const&, WTF::Vector<WebCore::Node*, 0, WTF::CrashOnOverflow, 16>*, WebCore::ResolveURLs, WebCore::SerializeComposedTree, WebCore::AnnotateForInterchange, WebCore::ConvertBlocksToInlines, WebCore::MSOListMode)
    (start=..., end=..., nodes=0x0, urlsToResolve=<optimized out>, serializeComposedTree=<optimized out>, annotate=WebCore::AnnotateForInterchange::Yes, convertBlocksToInlines=WebCore::ConvertBlocksToInlines::No, msoListMode=WebCore::MSOListMode::DoNotPreserve) at ../Source/WebCore/editing/markup.cpp:865
#5  0x00007f17c7843670 in WebCore::serializePreservingVisualAppearance(WebCore::VisibleSelection const&, WebCore::ResolveURLs, WebCore::SerializeComposedTree, WTF::Vector<WebCore::Node*, 0ul, WTF::CrashOnOverflow, 16ul>*) (selection=..., resolveURLs=resolveURLs@entry=WebCore::ResolveURLs::YesExcludingLocalFileURLsForPrivacy, serializeComposedTree=serializeComposedTree@entry=WebCore::SerializeComposedTree::No, nodes=nodes@entry=0x0) at ../Source/WebCore/dom/Node.h:700
#6  0x00007f17c6bf1f59 in WebKit::WebEditorClient::updateGlobalSelection(WebCore::Frame*) (this=<optimized out>, frame=0x7f17bde80210) at DerivedSources/ForwardingHeaders/WebCore/FrameSelection.h:152
#7  0x00007f17c77ade61 in WebCore::Editor::respondToChangedSelection(WebCore::VisibleSelection const&, WTF::OptionSet<WebCore::FrameSelection::SetSelectionOption>) (this=0x7f17bdebb138, options=...) at ../Source/WebCore/editing/Editor.cpp:3570
#8  0x00007f17c77c14b1 in WebCore::FrameSelection::setSelectionWithoutUpdatingAppearance(WebCore::VisibleSelection const&, WTF::OptionSet<WebCore::FrameSelection::SetSelectionOption>, WebCore::FrameSelection::CursorAlignOnScroll, WebCore::TextGranularity) (this=this@entry=0x7f17bde56000, newSelectionPossiblyWithoutDirection=..., options=..., align=align@entry=WebCore::FrameSelection::AlignCursorOnScrollIfNeeded, granularity=granularity@entry=WebCore::CharacterGranularity) at /usr/include/c++/9.1.0/bits/unique_ptr.h:357
#9  0x00007f17c77bc778 in WebCore::FrameSelection::setSelection(WebCore::VisibleSelection const&, WTF::OptionSet<WebCore::FrameSelection::SetSelectionOption>, WebCore::AXTextStateChangeIntent, WebCore::FrameSelection::CursorAlignOnScroll, WebCore::TextGranularity) (this=this@entry=0x7f17bde56000, selection=..., options=options@entry=..., intent=..., align=align@entry=WebCore::FrameSelection::AlignCursorOnScrollIfNeeded, granularity=WebCore::CharacterGranularity) at ../Source/WebCore/editing/FrameSelection.cpp:388
#10 0x00007f17c77be7ae in WebCore::FrameSelection::setSelectionByMouseIfDifferent(WebCore::VisibleSelection const&, WebCore::TextGranularity, WebCore::FrameSelection::EndPointsAdjustmentMode) (this=0x7f17bde56000, passedNewSelection=..., granularity=WebCore::CharacterGranularity, endpointsAdjustmentMode=endpointsAdjustmentMode@entry=WebCore::FrameSelection::AdjustEndpointsAtBidiBoundary) at ../Source/WebCore/editing/FrameSelection.cpp:315
#11 0x00007f17c7be7b12 in WebCore::EventHandler::updateSelectionForMouseDrag(WebCore::HitTestResult const&) (this=this@entry=0x7f17bde5de00, hitTestResult=...) at ../Source/WebCore/editing/FrameSelection.h:173
#12 0x00007f17c7bfd4a5 in WebCore::EventHandler::handleMouseDraggedEvent(WebCore::MouseEventWithHitTestResults const&, WebCore::CheckDragHysteresis) (checkDragHysteresis=<optimized out>, event=..., this=0x7f17bde5de00) at ../Source/WebCore/page/MouseEventWithHitTestResults.h:35
#13 0x00007f17c7bfd4a5 in WebCore::EventHandler::handleMouseDraggedEvent(WebCore::MouseEventWithHitTestResults const&, WebCore::CheckDragHysteresis) (this=0x7f17bde5de00, event=..., checkDragHysteresis=<optimized out>) at ../Source/WebCore/page/EventHandler.cpp:874
#14 0x00007f17c7c0dd7f in WebCore::EventHandler::handleMouseMoveEvent(WebCore::PlatformMouseEvent const&, WebCore::HitTestResult*, bool) (this=0x7f17bde5de00, platformMouseEvent=..., hoveredNode=<optimized out>, onlyUpdateScrollbars=<optimized out>) at ../Source/WebCore/page/EventHandler.cpp:2049
#15 0x00007f17c7c0d4ad in WebCore::EventHandler::mouseMoved(WebCore::PlatformMouseEvent const&) (this=0x7f17bde5de00, event=...) at ../Source/WebCore/page/EventHandler.cpp:1903
#16 0x00007f17c811c09c in WebCore::UserInputBridge::handleMouseMoveEvent(WebCore::PlatformMouseEvent const&, WebCore::InputSource) (this=<optimized out>, mouseEvent=...) at /usr/include/c++/9.1.0/bits/unique_ptr.h:357
#17 0x00007f17c6c02370 in WebKit::handleMouseEvent (page=0x7f175c3f0000, mouseEvent=...) at /usr/include/c++/9.1.0/bits/unique_ptr.h:357
#18 0x00007f17c6c02370 in WebKit::WebPage::mouseEvent(WebKit::WebMouseEvent const&) (this=0x7f175c3f0000, mouseEvent=...) at ../Source/WebKit/WebProcess/WebPage/WebPage.cpp:2748
#19 0x00007f17c67670c3 in IPC::callMemberFunctionImpl<WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::WebMouseEvent const&), std::tuple<WebKit::WebMouseEvent>, 0ul>(WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::WebMouseEvent const&), std::tuple<WebKit::WebMouseEvent>&&, std::integer_sequence<unsigned long, 0ul>) (args=..., function=(void (WebKit::WebPage::*)(WebKit::WebPage * const, const WebKit::WebMouseEvent &)) 0x7f17c6c01ea0 <WebKit::WebPage::mouseEvent(WebKit::WebMouseEvent const&)>, object=0x7f175c3f0000) at /usr/include/c++/9.1.0/tuple:1332
#20 0x00007f17c67670c3 in IPC::callMemberFunction<WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::WebMouseEvent const&), std::tuple<WebKit::WebMouseEvent>, std::integer_sequence<unsigned long, 0ul> >(std::tuple<WebKit::WebMouseEvent>&&, WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::WebMouseEvent const&)) (function=(void (WebKit::WebPage::*)(WebKit::WebPage * const, const WebKit::WebMouseEvent &)) 0x7f17c6c01ea0 <WebKit::WebPage::mouseEvent(WebKit::WebMouseEvent const&)>, object=0x7f175c3f0000, args=...) at ../Source/WebKit/Platform/IPC/HandleMessage.h:47
#21 0x00007f17c67670c3 in IPC::handleMessage<Messages::WebPage::MouseEvent, WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::WebMouseEvent const&)>(IPC::Decoder&, WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::WebMouseEvent const&)) (decoder=..., object=object@entry=0x7f175c3f0000, function=(void (WebKit::WebPage::*)(WebKit::WebPage * const, const WebKit::WebMouseEvent &)) 0x7f17c6c01ea0 <WebKit::WebPage::mouseEvent(WebKit::WebMouseEvent const&)>) at ../Source/WebKit/Platform/IPC/HandleMessage.h:120
#22 0x00007f17c6764250 in WebKit::WebPage::didReceiveWebPageMessage(IPC::Connection&, IPC::Decoder&) (this=0x7f175c3f0000, connection=..., decoder=...) at DerivedSources/WebKit/WebPageMessageReceiver.cpp:608
#23 0x00007f17c68522e3 in IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) (this=this@entry=0x55e4ad972938, connection=..., decoder=...) at ../Source/WebKit/Platform/IPC/MessageReceiverMap.cpp:123
#24 0x00007f17c6aa018b in WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (this=0x55e4ad9728d0, connection=..., decoder=...) at ../Source/WebKit/Shared/AuxiliaryProcess.h:88
#25 0x00007f17c684b164 in IPC::Connection::dispatchMessage(IPC::Decoder&) (this=0x7f17bdee7000, decoder=...) at ../Source/WebKit/Platform/IPC/Connection.cpp:1001
#26 0x00007f17c684c9cd in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) (this=0x7f17bdee7000, message=...) at /usr/include/c++/9.1.0/bits/unique_ptr.h:357
#27 0x00007f17c684da9f in IPC::Connection::dispatchOneIncomingMessage() (this=0x7f17bdee7000) at /usr/include/c++/9.1.0/bits/move.h:74
#28 0x00007f17c4847fc5 in WTF::Function<void ()>::operator()() const (this=<synthetic pointer>) at ../Source/WTF/wtf/Lock.h:84
#29 0x00007f17c4847fc5 in WTF::RunLoop::performWork() (this=0x7f17bdefa000) at ../Source/WTF/wtf/RunLoop.cpp:106
#30 0x00007f17c4894a0d in WTF::RunLoop::<lambda(gpointer)>::operator() (__closure=0x0, userData=<optimized out>) at ../Source/WTF/wtf/glib/RunLoopGLib.cpp:68
#31 0x00007f17c4894a0d in WTF::RunLoop::<lambda(gpointer)>::_FUN(gpointer) () at ../Source/WTF/wtf/glib/RunLoopGLib.cpp:70
#32 0x00007f17c4ee448e in g_main_dispatch (context=0x55e4ad8c2ad0) at ../glib/gmain.c:3179
#33 0x00007f17c4ee448e in g_main_context_dispatch (context=context@entry=0x55e4ad8c2ad0) at ../glib/gmain.c:3844
#34 0x00007f17c4ee4840 in g_main_context_iterate (context=0x55e4ad8c2ad0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:3917
#35 0x00007f17c4ee4b33 in g_main_loop_run (loop=0x55e4ad96b560) at ../glib/gmain.c:4111
#36 0x00007f17c4895480 in WTF::RunLoop::run() () at ../Source/WTF/wtf/glib/RunLoopGLib.cpp:96
#37 0x00007f17c6c4503a in WebKit::AuxiliaryProcessMain<WebKit::WebProcess, WebKit::WebProcessMain>(int, char**) (argc=3, argv=<optimized out>) at ../Source/WebKit/Shared/unix/AuxiliaryProcessMain.h:47
#38 0x00007f17c5db0173 in __libc_start_main (main=0x55e4ad5407e0 <main(int, char**)>, argc=3, argv=0x7fff31def7e8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fff31def7d8) at ../csu/libc-start.c:308
#39 0x000055e4ad54086e in _start () at ../sysdeps/x86_64/start.S:120


In happier times, I would attach a full backtrace, but our gdb is broken right now so it crashes after a couple frames. Still, a couple frames is better than nothing. Here's what I've got:

(gdb) bt full
#0  0x00007f17c7840eb2 in WebCore::Node::firstChild() const (this=0x0)
    at ../Source/WebCore/dom/Node.h:595
        child = <optimized out>
        exitedAncestors = 
                {<WTF::VectorBuffer<WebCore::Node*, 8>> = {<WTF::VectorBufferBase<WebCore::Node*>> = {m_buffer = 0x7fff31dee440, m_capacity = 8, m_size = 0}, m_inlineBuffer = {{__data = "p\217.\\\027\177\000", __align = {<No data fields>}}, {__data = "+˂\307\027\177\000", __align = {<No data fields>}}, {__data = "\000\000\000\000\000\000\000", __align = {<No data fields>}}, {__data = "\000\000\000\000\001\000\000", __align = {<No data fields>}}, {__data = "\000\000\000\000\000\000\000", __align = {<No data fields>}}, {__data = "\000\000\000\000\061\215", <incomplete sequence \345>, __align = {<No data fields>}}, {__data = "\000\000\000\000\000\000\000", __align = {<No data fields>}}, {__data = "\000\000\000\000\001\000\000", __align = {<No data fields>}}}}, <No data fields>}
        n = 0x0
        shouldEmit = <optimized out>
        depth = 0
        enterNode = 
          {__this = 0x7fff31dee6a0, __shouldEmit = <synthetic pointer><error reading variable>, __depth = <synthetic pointer><error reading variable>}
        lastClosed = 0x7f175c2e8f70
        exitNode = 
          {__depth = <synthetic pointer><error reading variable>, __shouldEmit = <synthetic pointer><error reading variable>, __this = 0x7fff31dee6a0, __lastClosed = <synthetic pointer><error reading variable>}
        lastNode = 0x0
        next = 0x0
#1  0x00007f17c7840eb2 in WebCore::StyledMarkupAccumulator::firstChild(WebCore::Node&) (this=0x7fff31dee6a0, node=...) at ../Source/WebCore/editing/markup.cpp:267
        child = <optimized out>
        exitedAncestors = {<WTF::VectorBuffer<WebCore::Node*, 8>> = {<WTF::VectorBufferBase<WebCore::Node*>> = {m_buffer = 0x7fff31dee440, m_capacity = 8, m_size = 0}, m_inlineBuffer = {{__data = "p\217.\\\027\177\000", __align = {<No data fields>}}, {__data = "+˂\307\027\177\000", __align = {<No data fields>}}, {__data = "\000\000\000\000\000\000\000", __align = {<No data fields>}}, {__data = "\000\000\000\000\001\000\000", __align = {<No data fields>}}, {__data = "\000\000\000\000\000\000\000", __align = {<No data fields>}}, {__data = "\000\000\000\000\061\215", <incomplete sequence \345>, __align = {<No data fields>}}, {__data = "\000\000\000\000\000\000\000", __align = {<No data fields>}}, {__data = "\000\000\000\000\001\000\000", __align = {<No data fields>}}}}, <No data fields>}
        n = 0x0
        shouldEmit = <optimized out>
        depth = 0
        enterNode = {__this = 0x7fff31dee6a0, __shouldEmit = <synthetic pointer><error reading variable>, __depth = <synthetic pointer><error reading variable>}
        lastClosed = 0x7f175c2e8f70
        exitNode = {__depth = <synthetic pointer><error reading variable>, __shouldEmit = <synthetic pointer><error reading variable>, __this = 0x7fff31dee6a0, __lastClosed = <synthetic pointer><error reading variable>}
        lastNode = 0x0
        next = 0x0
#2  0x00007f17c7840eb2 in WebCore::StyledMarkupAccumulator::traverseNodesForSerialization(WebCore::Node*, WebCore::Node*, WebCore::StyledMarkupAccumulator::NodeTraversalMode) (this=0x7fff31dee6a0, startNode=<optimized out>, pastEnd=0x7f174c74e0e8, traversalMode=<optimized out>) at ../Source/WebCore/editing/markup.cpp:631
        child = <optimized out>
        exitedAncestors = {<WTF::VectorBuffer<WebCore::Node*, 8>> = {<WTF::VectorBufferBase<WebCore::Node*>> = {m_buffer = 0x7fff31dee440, m_capacity = 8, m_size = 0}, m_inlineBuffer = {{__data = "p\217.\\\027\177\000", __align = {<No data fields>}}, {__data = "+˂\307\027\177\000", __align = {<No data fields>}}, {__data = "\000\000\000\000\000\000\000", __align = {<No data fields>}}, {__data = "\000\000\000\000\001\000\000", __align = {<No data fields>}}, {__data = "\000\000\000\000\000\000\000", __align = {<No data fields>}}, {__data = "\000\000\000\000\061\215", <incomplete sequence \345>, __align = {<No data fields>}}, {__data = "\000\000\000\000\000\000\000", __align = {<No data fields>}}, {__data = "\000\000\000\000\001\000\000", __align = {<No data fields>}}}}, <No data fields>}
        n = 0x0
        shouldEmit = <optimized out>
        depth = 0
        enterNode = {__this = 0x7fff31dee6a0, __shouldEmit = <synthetic pointer><error reading variable>, __depth = <synthetic pointer><error reading variable>}
        lastClosed = 0x7f175c2e8f70
        exitNode = {__depth = <synthetic pointer><error reading variable>, __shouldEmit = <synthetic pointer><error reading variable>, __this = 0x7fff31dee6a0, __lastClosed = <synthetic pointer><error reading variable>}
        lastNode = 0x0
        next = 0x0
#3  0x00007f17c7841a25 in WebCore::StyledMarkupAccumulator::serializeNodes(WebCore::Position const&, WebCore::Position const&) (this=this@entry=0x7fff31dee6a0, start=..., end=...) at DerivedSources/ForwardingHeaders/wtf/DumbPtrTraits.h:43
        lastClosed = <optimized out>
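The reporter's triage point is that frame #0 runs a member function on a null `this`, which is what a null-pointer dereference looks like in a gdb backtrace. The script below is an added example, not part of this bug report or of WebKit, that parses the wrapped `bt` output quoted above (the first four frames are embedded as the sample) into frames, pulls out each frame's arguments and source location, and flags any argument whose value is a null pointer. The `Frame` dataclass and the helper names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Excerpt of the "bt" output quoted in the report above; gdb wraps long
# frames onto indented continuation lines, and the parser must rejoin them.
SAMPLE_BT = """\
(gdb) bt
#0  0x00007f17c7840eb2 in WebCore::Node::firstChild() const (this=0x0)
    at ../Source/WebCore/dom/Node.h:595
#1  0x00007f17c7840eb2 in WebCore::StyledMarkupAccumulator::firstChild(WebCore::Node&) (this=0x7fff31dee6a0, node=...)
    at ../Source/WebCore/editing/markup.cpp:267
#2  0x00007f17c7840eb2 in WebCore::StyledMarkupAccumulator::traverseNodesForSerialization(WebCore::Node*, WebCore::Node*, WebCore::StyledMarkupAccumulator::NodeTraversalMode)
    (this=0x7fff31dee6a0, startNode=<optimized out>, pastEnd=0x7f174c74e0e8, traversalMode=<optimized out>) at ../Source/WebCore/editing/markup.cpp:631
#3  0x00007f17c7841a25 in WebCore::StyledMarkupAccumulator::serializeNodes(WebCore::Position const&, WebCore::Position const&)
    (this=this@entry=0x7fff31dee6a0, start=..., end=...)
    at DerivedSources/ForwardingHeaders/wtf/DumbPtrTraits.h:43
"""

FRAME_START = re.compile(r"^#(\d+)\s+(0x[0-9a-fA-F]+) in (.*)$")
LOCATION = re.compile(r"\s+at\s+(\S+)\s*$")
NULL_PTR = re.compile(r"^0x0+$")


@dataclass
class Frame:
    index: int
    address: str
    function: str
    args: dict
    location: Optional[str]


def _split_top_level(s: str) -> list:
    """Split on commas that are not nested inside (), <> or [] so template
    arguments and values such as <optimized out> stay in one piece."""
    parts, depth, cur = [], 0, []
    for ch in s:
        if ch in "(<[":
            depth += 1
        elif ch in ")>]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        parts.append(tail)
    return parts


def _split_function_and_args(rest: str):
    """rest looks like 'ns::func(T, U) const (a=1, b=...)'; the argument
    list is the last balanced parenthesised group, everything before it
    is the function signature."""
    if not rest.endswith(")"):
        return rest.strip(), ""
    depth = 0
    for i in range(len(rest) - 1, -1, -1):
        if rest[i] == ")":
            depth += 1
        elif rest[i] == "(":
            depth -= 1
            if depth == 0:
                return rest[:i].strip(), rest[i + 1:-1]
    return rest.strip(), ""


def parse_backtrace(text: str) -> list:
    """Parse gdb 'bt' output into Frame records."""
    joined = []
    for line in text.splitlines():
        # Continuation lines start with whitespace; glue them to the frame.
        if line[:1].isspace() and joined:
            joined[-1] += " " + line.strip()
        else:
            joined.append(line.rstrip())
    frames = []
    for line in joined:
        m = FRAME_START.match(line)
        if not m:
            continue  # prompt, blank, or non-frame lines
        index, address, rest = int(m.group(1)), m.group(2), m.group(3)
        location = None
        loc = LOCATION.search(rest)
        if loc:
            location = loc.group(1)
            rest = rest[:loc.start()]
        function, arg_text = _split_function_and_args(rest.strip())
        args = {}
        for item in _split_top_level(arg_text):
            name, _, value = item.partition("=")
            args[name.strip()] = value.strip()
        frames.append(Frame(index, address, function, args, location))
    return frames


def null_pointer_args(frames) -> list:
    """(frame index, argument name) for every null-pointer argument. gdb
    prints 'this=this@entry=0x...' for entry values, so inspect the text
    after the last '='."""
    hits = []
    for f in frames:
        for name, value in f.args.items():
            if NULL_PTR.match(value.rsplit("=", 1)[-1]):
                hits.append((f.index, name))
    return hits


def crash_summary(frames) -> str:
    """One-line triage summary of the innermost frame."""
    if not frames:
        return "no frames"
    top = frames[0]
    nulls = [name for _, name in null_pointer_args([top])]
    return (f"{top.function} at {top.location or '?'}; "
            f"null args: {', '.join(nulls) or 'none'}")


if __name__ == "__main__":
    frames = parse_backtrace(SAMPLE_BT)
    for f in frames:
        print(f"#{f.index} {f.function} -> {f.location}")
    print(crash_summary(frames))
```

A null `this` in the innermost frame is the strongest signal here; a null argument in an outer frame (such as `nodes=0x0` in frame #4 of the full trace) may simply be an optional parameter, so the summary only reports the top frame and leaves the rest to the reader.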
Comment 1 Carlos Alberto Lopez Perez 2019-08-14 06:48:46 PDT
Any way/test to reproduce it?
Comment 2 Michael Catanzaro 2019-08-14 09:02:45 PDT
Haha, of course not.
Comment 3 Michael Catanzaro 2019-10-09 08:52:07 PDT

*** This bug has been marked as a duplicate of bug 199224 ***