Bug 45525

Summary: REGRESSION(r67176): editing/selection/doubleclick-inline-first-last-contenteditable.html crashes
Product: WebKit Reporter: Ryosuke Niwa <rniwa>
Component: Tools / TestsAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: abarth, eric, ossy, tonikitoo, tony, webkit.review.bot, zimmermann
Priority: P1 Keywords: Qt, QtTriaged
Version: 528+ (Nightly build)   
Hardware: Other   
OS: Other   
Attachments:
Description Flags
Patch tonikitoo: review+

Description Ryosuke Niwa 2010-09-10 01:06:28 PDT
After r67176, editing/selection/doubleclick-inline-first-last-contenteditable.html constantly crashes on Qt Linux Release.
Since the code modified in r67176 is never executed in the test, the cause of the crash is not the changeset 67176.
Comment 1 Ryosuke Niwa 2010-09-10 01:16:42 PDT
Committed r67180: <http://trac.webkit.org/changeset/67180>
Comment 2 Csaba Osztrogonác 2010-09-10 03:41:56 PDT
Thank for reporting and skipping the test.
But it shouldn't be closed until the real bug fixed.

Let's see the backtrace for crash.

$WebKitTools/Scripts/run-webkit-tests editing/selection/doubleclick-inline-first-last-contenteditable.html --debug

editing/selection/doubleclick-inline-first-last-contenteditable.html -> crashed
0.48s total testing time
1 test case (100%) crashed

$ gdb WebKitBuild/Debug/bin/DumpRenderTree core

#0  0xf59daa4a in WebCore::Node::getFlag (this=0x0, mask=WebCore::Node::IsElementFlag) at ../../../WebCore/dom/Node.h:651
651         bool getFlag(NodeFlags mask) const { return m_nodeFlags & mask; }
(gdb) bt
#0  0xf59daa4a in WebCore::Node::getFlag (this=0x0, mask=WebCore::Node::IsElementFlag) at ../../../WebCore/dom/Node.h:651
#1  0xf5a7e54f in WebCore::Node::isElementNode (this=0x0) at ../../../WebCore/dom/Node.h:182
#2  0xf5d9a5f7 in WebCore::Node::hasTagName (this=0x0, name=@0xf76ea588) at ../../../WebCore/dom/Element.h:373
#3  0xf6106da4 in ancestorToRetainStructureAndAppearance (commonAncestor=0x8224968) at ../../../WebCore/editing/markup.cpp:899
#4  0xf610d7dc in highestAncestorToWrapMarkup (range=0x8221140, fullySelectedRoot=0x0, shouldAnnotate=WebCore::AnnotateForInterchange) at ../../../WebCore/editing/markup.cpp:963
#5  0xf611039b in WebCore::createMarkup (range=0x8221270, nodes=0x0, shouldAnnotate=WebCore::AnnotateForInterchange, convertBlocksToInlines=false, shouldResolveURLs=WebCore::AbsoluteURLs) at ../../../WebCore/editing/markup.cpp:1064
#6  0xf667bbc9 in WebCore::Pasteboard::writeSelection (this=0x82212d0, selectedRange=0x8221270, canSmartCopyOrDelete=true, frame=0x815a708) at ../../../WebCore/platform/qt/PasteboardQt.cpp:68
#7  0xf60dd3f3 in WebCore::Editor::copy (this=0x815aa20) at ../../../WebCore/editing/Editor.cpp:1190
#8  0xf66cb421 in QWebPagePrivate::handleClipboard (this=0x816b668, ev=0x8224918, button=Qt::LeftButton) at ../../../WebKit/qt/Api/qwebpage.cpp:759
#9  0xf66cb58d in QWebPagePrivate::mouseReleaseEvent (this=0x816b668, ev=0x8224918) at ../../../WebKit/qt/Api/qwebpage.cpp:825
#10 0xf66d4103 in QWebPage::event (this=0xf2601690, ev=0x8224918) at ../../../WebKit/qt/Api/qwebpage.cpp:2759
#11 0xf66d5c0a in QWebView::mouseReleaseEvent (this=0xf2601390, ev=0x8224918) at ../../../WebKit/qt/Api/qwebview.cpp:1007
#12 0xf3ea31c0 in QWidget::event (this=0xf2601390, event=0x8224918) at kernel/qwidget.cpp:7998
#13 0xf66d6921 in QWebView::event (this=0xf2601390, e=0x8224918) at ../../../WebKit/qt/Api/qwebview.cpp:844
#14 0xf3e440dc in QApplicationPrivate::notify_helper (this=0x81209b8, receiver=0xf2601390, e=0x8224918) at kernel/qapplication.cpp:4300
#15 0xf3e4b535 in QApplication::notify (this=0xffffb4d8, receiver=0xf2601390, e=0x8224918) at kernel/qapplication.cpp:3865
#16 0xf3bd2feb in QCoreApplication::notifyInternal (this=0xffffb4d8, receiver=0xf2601390, event=0x8224918) at kernel/qcoreapplication.cpp:704
#17 0x0806cb32 in QCoreApplication::sendEvent (receiver=0xf2601390, event=0x8224918) at /usr/local/Trolltech/Qt-4.6.2/include/QtCore/qcoreapplication.h:215
#18 0x0806ec4b in EventSender::sendEvent (this=0x8157878, receiver=0xf2601390, event=0x8224918) at /home/oszi/WebKit/WebKitTools/DumpRenderTree/qt/EventSenderQt.cpp:650
#19 0x0806f21b in EventSender::sendOrQueueEvent (this=0x8157878, event=0x8224918) at /home/oszi/WebKit/WebKitTools/DumpRenderTree/qt/EventSenderQt.cpp:546
#20 0x0807190f in EventSender::mouseUp (this=0x8157878, button=0) at /home/oszi/WebKit/WebKitTools/DumpRenderTree/qt/EventSenderQt.cpp:163
#21 0x0807b69d in EventSender::qt_metacall (this=0x8157878, _c=QMetaObject::InvokeMetaMethod, _id=3, _a=0xffffa3f0) at moc_EventSenderQt.cpp:116
#22 0xf3bd8435 in QMetaObject::metacall (object=0xf768e914, cl=QMetaObject::InvokeMetaMethod, idx=7, argv=0xffffa3f0) at kernel/qmetaobject.cpp:237
#23 0xf663580c in JSC::Bindings::QtRuntimeMetaMethod::call (exec=0xf112c128) at ../../../WebCore/bridge/qt/qt_runtime.cpp:1404
#24 0xf6997d27 in cti_op_call_NotJSFunction (args=0xffffa530) at ../../../JavaScriptCore/jit/JITStubs.cpp:2177
#25 0xf698ccc6 in doubleHash (key=4151240568) at ../../../JavaScriptCore/wtf/HashTable.h:447
#26 0xf698a02f in JSC::JITCode::execute (this=0x81809cc, registerFile=0x813d334, callFrame=0xf112c038, globalData=0x81762e8, exception=0xffffa6a4) at ../../../JavaScriptCore/jit/JITCode.h:77
#27 0xf6984aff in JSC::Interpreter::execute (this=0x813d328, program=0x81809b8, callFrame=0x81b4dc4, scopeChain=0x816cb88, thisObj=0xf10c0000, exception=0xffffa6a4) at ../../../JavaScriptCore/interpreter/Interpreter.cpp:701
#28 0xf69b8197 in JSC::evaluate (exec=0x81b4dc4, scopeChain=@0x81b4d90, source=@0xffffa8b4, thisValue={u = {asEncodedJSValue = -4545839104, asDouble = -nan(0xffffef10c0000), asBits = {payload = -250871808, tag = -2}}})
    at ../../../JavaScriptCore/runtime/Completion.cpp:63
#29 0xf5e0b43e in WebCore::JSMainThreadExecState::evaluate (exec=0x81b4dc4, chain=@0x81b4d90, source=@0xffffa8b4, thisValue=
          {u = {asEncodedJSValue = -4545839104, asDouble = -nan(0xffffef10c0000), asBits = {payload = -250871808, tag = -2}}}) at ../../../WebCore/bindings/js/JSMainThreadExecState.h:54
#30 0xf5e3b3c2 in WebCore::ScriptController::evaluateInWorld (this=0x815a9cc, sourceCode=@0xffffa8b0, world=0x81690c8, shouldAllowXSS=WebCore::DoNotAllowXSS) at ../../../WebCore/bindings/js/ScriptController.cpp:151
#31 0xf5e3b897 in WebCore::ScriptController::evaluate (this=0x815a9cc, sourceCode=@0xffffa8b0, shouldAllowXSS=WebCore::DoNotAllowXSS) at ../../../WebCore/bindings/js/ScriptController.cpp:177
#32 0xf5e621db in WebCore::ScriptController::executeScript (this=0x815a9cc, sourceCode=@0xffffa8b0, shouldAllowXSS=WebCore::DoNotAllowXSS) at ../../../WebCore/bindings/ScriptControllerBase.cpp:60
#33 0xf6206ab3 in WebCore::HTMLScriptRunner::executeScript (this=0x816a050, element=0x816c630, sourceCode=@0xffffa8b0) at ../../../WebCore/html/parser/HTMLScriptRunner.cpp:175
#34 0xf62073e0 in WebCore::HTMLScriptRunner::executePendingScriptAndDispatchEvent (this=0x816a050, pendingScript=@0x816a058) at ../../../WebCore/html/parser/HTMLScriptRunner.cpp:158
#35 0xf62078e3 in WebCore::HTMLScriptRunner::executeParsingBlockingScript (this=0x816a050) at ../../../WebCore/html/parser/HTMLScriptRunner.cpp:139
#36 0xf620795b in WebCore::HTMLScriptRunner::executeParsingBlockingScripts (this=0x816a050) at ../../../WebCore/html/parser/HTMLScriptRunner.cpp:222
#37 0xf6207c22 in WebCore::HTMLScriptRunner::executeScriptsWaitingForLoad (this=0x816a050, cachedScript=0x81c2128) at ../../../WebCore/html/parser/HTMLScriptRunner.cpp:233
#38 0xf61fb2e3 in WebCore::HTMLDocumentParser::notifyFinished (this=0x81923d8, cachedResource=0x81c2128) at ../../../WebCore/html/parser/HTMLDocumentParser.cpp:491
#39 0xf62d30cb in WebCore::CachedScript::checkNotify (this=0x81c2128) at ../../../WebCore/loader/CachedScript.cpp:99
#40 0xf62d31f7 in WebCore::CachedScript::data (this=0x81c2128, data={m_ptr = 0xffffaafc}, allDataReceived=true) at ../../../WebCore/loader/CachedScript.cpp:89
#41 0xf632403e in WebCore::Loader::Host::didFinishLoading (this=0x8194900, loader=0x81cf808) at ../../../WebCore/loader/loader.cpp:409
#42 0xf63397ee in WebCore::SubresourceLoader::didFinishLoading (this=0x81cf808) at ../../../WebCore/loader/SubresourceLoader.cpp:183
#43 0xf63338f2 in WebCore::ResourceLoader::didFinishLoading (this=0x81cf808) at ../../../WebCore/loader/ResourceLoader.cpp:444
#44 0xf66660ae in WebCore::QNetworkReplyHandler::finish (this=0x81dd030) at ../../../WebCore/platform/network/qt/QNetworkReplyHandler.cpp:261
#45 0xf666698f in WebCore::QNetworkReplyHandler::qt_metacall (this=0x81dd030, _c=QMetaObject::InvokeMetaMethod, _id=1, _a=0x81dd3b0) at ./moc_QNetworkReplyHandler.cpp:84
#46 0xf3bd8435 in QMetaObject::metacall (object=0xf768e914, cl=QMetaObject::InvokeMetaMethod, idx=5, argv=0x81dd3b0) at kernel/qmetaobject.cpp:237
#47 0xf3be2a36 in QMetaCallEvent::placeMetaCall (this=0x81b4888, object=0x81dd030) at kernel/qobject.cpp:561
#48 0xf3be3fc3 in QObject::event (this=0x81dd030, e=0x81b4888) at kernel/qobject.cpp:1240
#49 0xf3e440dc in QApplicationPrivate::notify_helper (this=0x81209b8, receiver=0x81dd030, e=0x81b4888) at kernel/qapplication.cpp:4300
#50 0xf3e4ab22 in QApplication::notify (this=0xffffb4d8, receiver=0x81dd030, e=0x81b4888) at kernel/qapplication.cpp:3704
#51 0xf3bd2feb in QCoreApplication::notifyInternal (this=0xffffb4d8, receiver=0x81dd030, event=0x81b4888) at kernel/qcoreapplication.cpp:704
#52 0xf3bd3f4f in QCoreApplicationPrivate::sendPostedEvents (receiver=0x0, event_type=0, data=0x813e308) at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:215
#53 0xf3bd40fd in QCoreApplication::sendPostedEvents (receiver=0x0, event_type=0) at kernel/qcoreapplication.cpp:1238
#54 0xf3bffc5f in postEventSourceDispatch (s=0x8120a80) at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:220
#55 0xf30b81d8 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#56 0xf30bb873 in ?? () from /usr/lib/libglib-2.0.so.0
#57 0x0813b700 in ?? ()
#58 0x00000000 in ?? ()
Comment 3 Ryosuke Niwa 2010-09-10 11:01:13 PDT
(In reply to comment #2)
> Thank for reporting and skipping the test.
> But it shouldn't be closed until the real bug fixed.

Oops, that wasn't intended.  It seems like webkit-patch did that because I included the bug number in the changelog.

> Let's see the backtrace for crash.
> 
> $WebKitTools/Scripts/run-webkit-tests editing/selection/doubleclick-inline-first-last-contenteditable.html --debug
> 
> editing/selection/doubleclick-inline-first-last-contenteditable.html -> crashed
> 0.48s total testing time
> 1 test case (100%) crashed
> 
> $ gdb WebKitBuild/Debug/bin/DumpRenderTree core
> 
> #0  0xf59daa4a in WebCore::Node::getFlag (this=0x0, mask=WebCore::Node::IsElementFlag) at ../../../WebCore/dom/Node.h:651
> 651         bool getFlag(NodeFlags mask) const { return m_nodeFlags & mask; }
> (gdb) bt
> #0  0xf59daa4a in WebCore::Node::getFlag (this=0x0, mask=WebCore::Node::IsElementFlag) at ../../../WebCore/dom/Node.h:651
> #1  0xf5a7e54f in WebCore::Node::isElementNode (this=0x0) at ../../../WebCore/dom/Node.h:182
> #2  0xf5d9a5f7 in WebCore::Node::hasTagName (this=0x0, name=@0xf76ea588) at ../../../WebCore/dom/Element.h:373
> #3  0xf6106da4 in ancestorToRetainStructureAndAppearance (commonAncestor=0x8224968) at ../../../WebCore/editing/markup.cpp:899
> #4  0xf610d7dc in highestAncestorToWrapMarkup (range=0x8221140, fullySelectedRoot=0x0, shouldAnnotate=WebCore::AnnotateForInterchange) at ../../../WebCore/editing/markup.cpp:963
> #5  0xf611039b in WebCore::createMarkup (range=0x8221270, nodes=0x0, shouldAnnotate=WebCore::AnnotateForInterchange, convertBlocksToInlines=false, shouldResolveURLs=WebCore::AbsoluteURLs) at ../../../WebCore/editing/markup.cpp:1064
> #6  0xf667bbc9 in WebCore::Pasteboard::writeSelection (this=0x82212d0, selectedRange=0x8221270, canSmartCopyOrDelete=true, frame=0x815a708) at ../../../WebCore/platform/qt/PasteboardQt.cpp:68
> #7  0xf60dd3f3 in WebCore::Editor::copy (this=0x815aa20) at ../../../WebCore/editing/Editor.cpp:1190
> #8  0xf66cb421 in QWebPagePrivate::handleClipboard (this=0x816b668, ev=0x8224918, button=Qt::LeftButton) at ../../../WebKit/qt/Api/qwebpage.cpp:759

Why is it calling copy?  That doesn't make any sense.  The test only tests selecting text by double-clicking and click + modify selection.  This must be a qt-specific behavior because on Mac, it's never copied.
Comment 4 Ryosuke Niwa 2010-09-10 11:35:17 PDT
Ah! this crash is reproducible on Mac as well.  Will submit a patch shortly.
Comment 5 Ryosuke Niwa 2010-09-10 11:49:29 PDT
Created attachment 67212 [details]
Patch
Comment 6 Csaba Osztrogonác 2010-09-10 12:10:39 PDT
(In reply to comment #5)
> Created an attachment (id=67212) [details]
> Patch

Great, I tested editing/selection/doubleclick-inline-first-last-contenteditable.html and the new test, and both of them pass.
Comment 7 Ryosuke Niwa 2010-09-10 12:14:08 PDT
Thanks for testing my patch!

(In reply to comment #6)
> (In reply to comment #5)
> > Created an attachment (id=67212) [details] [details]
> > Patch
> 
> Great, I tested editing/selection/doubleclick-inline-first-last-contenteditable.html and the new test, and both of them pass.

And thanks for your review, Antonio.
Comment 8 Ryosuke Niwa 2010-09-10 12:40:56 PDT
Committed r67221: <http://trac.webkit.org/changeset/67221>
Comment 9 WebKit Review Bot 2010-09-10 12:56:02 PDT
http://trac.webkit.org/changeset/67221 might have broken Chromium Mac Release