Bug 55062

Summary:

Crash beneath EditingDelegate::checkSpellingOfString when running fast/forms/input-text-maxlength.html or fast/forms/input-text-paste-maxlength.html on Windows with full page heap enabled

Product:

WebKit

Reporter:

Adam Roben (:aroben) <aroben>

Component:

Tools / Tests

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

sfalken

Priority:

Keywords:

InRadar, LayoutTestFailure, PlatformOnly

Version:

528+ (Nightly build)

Hardware:

OS:

Windows XP

Attachments:

Description	Flags
Use iswalpha instead of isalpha when dealing with wchar_ts in EditingDelegate	andersca: review+

Adam Roben (:aroben)

Reported 2011-02-23 11:01:36 PST

To reproduce: 1. gflags /p /enable dumprendertree.exe /full 2. run-webkit-tests fast/forms/input-text-maxlength.html You'll crash inside isalpha beneath EditingDelegate::checkSpellingOfString. Looks like we're passing a non-ASCII character to isalpha, which isn't allowed. Here's the backtrace: msvcr80.dll!_isalpha_l(int c=773, localeinfo_struct * plocinfo=0x00000000) Line 60 + 0x2b bytes C++ msvcr80.dll!isalpha(int c=773) Line 73 + 0xb bytes C++ DumpRenderTree.exe!wordLength(const wchar_t * text=0x0012dd5c) Line 368 + 0x19 bytes C++ > DumpRenderTree.exe!EditingDelegate::checkSpellingOfString(IWebView * view=0x08af6ee8, const wchar_t * text=0x1f712fec, int length=7, int * misspellingLocation=0x0012de0c, int * misspellingLength=0x0012de00) Line 414 + 0x1e bytes C++ WebKit.dll!WebEditorClient::checkSpellingOfString(const wchar_t * text=0x1f712fec, int length=7, int * misspellingLocation=0x0012de0c, int * misspellingLength=0x0012de00) Line 666 + 0x32 bytes C++ WebKit.dll!WebCore::TextCheckingHelper::findFirstMisspelling(int & firstMisspellingOffset=0, bool markAll=true, WTF::RefPtr<WebCore::Range> & firstMisspellingRange=0x00000000 {m_ownerDocument={...} m_start={...} m_end={...} }) Line 183 + 0x54 bytes C++ WebKit.dll!WebCore::TextCheckingHelper::markAllMisspellings(WTF::RefPtr<WebCore::Range> & firstMisspellingRange=0x00000000 {m_ownerDocument={...} m_start={...} m_end={...} }) Line 590 + 0x16 bytes C++ WebKit.dll!WebCore::Editor::markMisspellingsOrBadGrammar(const WebCore::VisibleSelection & selection={...}, bool checkSpelling=true, WTF::RefPtr<WebCore::Range> & firstMisspellingRange=0x00000000 {m_ownerDocument={...} m_start={...} m_end={...} }) Line 2199 C++ WebKit.dll!WebCore::Editor::markMisspellings(const WebCore::VisibleSelection & selection={...}, WTF::RefPtr<WebCore::Range> & firstMisspellingRange=0x00000000 {m_ownerDocument={...} m_start={...} m_end={...} }) Line 2227 C++ WebKit.dll!WebCore::Editor::markMisspellingsAndBadGrammar(const WebCore::VisibleSelection & spellingSelection={...}, bool markGrammar=false, const WebCore::VisibleSelection & grammarSelection={...}) Line 2514 C++ WebKit.dll!WebCore::Editor::respondToChangedSelection(const WebCore::VisibleSelection & oldSelection={...}, unsigned int options=3) Line 3537 C++ WebKit.dll!WebCore::SelectionController::setSelection(const WebCore::VisibleSelection & s={...}, unsigned int options=3, WebCore::SelectionController::CursorAlignOnScroll align=AlignCursorOnScrollIfNeeded, WebCore::TextGranularity granularity=CharacterGranularity, WebCore::DirectionalityPolicy directionalityPolicy=MakeDirectionalSelection) Line 191 C++ WebKit.dll!WebCore::SelectionController::clear() Line 955 + 0x19 bytes C++ WebKit.dll!WebCore::clearSelectionIfNeeded(WebCore::Frame * oldFocusedFrame=0x08d268a8, WebCore::Frame * newFocusedFrame=0x08d268a8, WebCore::Node * newFocusedNode=0x214e2f78) Line 347 C++ WebKit.dll!WebCore::FocusController::setFocusedNode(WebCore::Node * node=0x214e2f78, WTF::PassRefPtr<WebCore::Frame> newFocusedFrame={...}) Line 364 + 0x1b bytes C++ WebKit.dll!WebCore::Element::focus(bool restorePreviousSelection=true) Line 1508 + 0x24 bytes C++ WebKit.dll!WebCore::jsElementPrototypeFunctionFocus(JSC::ExecState * exec=0x131e0198) Line 1755 + 0x14 bytes C++ 0ff737ce() JavaScriptCore.dll!cti_vm_lazyLinkCall() Line 2031 + 0x1c bytes C++ JavaScriptCore.dll!JSC::Interpreter::execute(JSC::EvalExecutable * eval=0x22b7efa8, JSC::ExecState * callFrame=0x131e0088, JSC::JSObject * thisObj=0x13601020, int globalRegisterOffset=32, JSC::ScopeChainNode * scopeChain=0x22b74fe8) Line 1153 + 0x2b bytes C++ JavaScriptCore.dll!JSC::Interpreter::callEval(JSC::ExecState * callFrame=0x131e0088, JSC::RegisterFile * registerFile=0x11b31fcc, JSC::Register * argv=0x131e00c0, int argc=2, int registerOffset=15) Line 418 + 0x71 bytes C++ JavaScriptCore.dll!cti_op_call_eval(void * * args=0x0012e820) Line 3125 C++ JavaScriptCore.dll!@cti_op_create_this@4() + 0x1cf bytes C++ JavaScriptCore.dll!JSC::JITCode::execute(JSC::RegisterFile * registerFile=0x11b31fcc, JSC::ExecState * callFrame=0x131e0038, JSC::JSGlobalData * globalData=0x127b0e78) Line 77 + 0x22 bytes C++ JavaScriptCore.dll!JSC::Interpreter::execute(JSC::ProgramExecutable * program=0x1f8e1fa8, JSC::ExecState * callFrame=0x1b8c6e78, JSC::ScopeChainNode * scopeChain=0x1b91cfe8, JSC::JSObject * thisObj=0x13601020) Line 780 + 0x25 bytes C++ JavaScriptCore.dll!JSC::evaluate(JSC::ExecState * exec=0x1b8c6e78, JSC::ScopeChain & scopeChain={...}, const JSC::SourceCode & source={...}, JSC::JSValue thisValue={...}) Line 64 C++ WebKit.dll!WebCore::JSMainThreadExecState::evaluate(JSC::ExecState * exec=0x1b8c6e78, JSC::ScopeChain & chain={...}, const JSC::SourceCode & source={...}, JSC::JSValue thisValue={...}) Line 54 + 0x1d bytes C++ WebKit.dll!WebCore::ScriptController::evaluateInWorld(const WebCore::ScriptSourceCode & sourceCode={...}, WebCore::DOMWrapperWorld * world=0x11b7cf20) Line 142 + 0x2f bytes C++ WebKit.dll!WebCore::ScriptController::evaluate(const WebCore::ScriptSourceCode & sourceCode={...}) Line 165 + 0x16 bytes C++ WebKit.dll!WebCore::ScriptElement::executeScript(const WebCore::ScriptSourceCode & sourceCode={...}) Line 256 + 0x17 bytes C++ WebKit.dll!WebCore::ScriptElement::prepareScript(const WTF::TextPosition<WTF::OneBasedNumber> & scriptStartPosition={...}, WebCore::ScriptElement::LegacyTypeSupport supportLegacyTypes=DisallowLegacyTypeInTypeAttribute) Line 213 + 0x35 bytes C++ WebKit.dll!WebCore::HTMLScriptRunner::runScript(WebCore::Element * script=0x1f1bafa0, const WTF::TextPosition<WTF::OneBasedNumber> & scriptStartPosition={...}) Line 291 C++ WebKit.dll!WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element> scriptElement={...}, const WTF::TextPosition<WTF::OneBasedNumber> & scriptStartPosition={...}) Line 175 C++ WebKit.dll!WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() Line 200 + 0x23 bytes C++ WebKit.dll!WebCore::HTMLDocumentParser::canTakeNextToken(WebCore::HTMLDocumentParser::SynchronousMode mode=AllowYield, WebCore::PumpSession & session={...}) Line 211 + 0x8 bytes C++ WebKit.dll!WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode mode=AllowYield) Line 249 + 0x10 bytes C++ WebKit.dll!WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode mode=AllowYield) Line 171 C++ WebKit.dll!WebCore::HTMLDocumentParser::append(const WebCore::SegmentedString & source={...}) Line 338 C++ WebKit.dll!WebCore::DecodedDataDocumentParser::appendBytes(WebCore::DocumentWriter * writer=0x175929c4, const char * data=0x1c2800b0, int length=3909, bool shouldFlush=false) Line 54 + 0x1f bytes C++ WebKit.dll!WebCore::DocumentWriter::addData(const char * str=0x1c2800b0, int len=3909, bool flush=false) Line 201 + 0x1f bytes C++ WebKit.dll!WebCore::DocumentLoader::commitData(const char * bytes=0x1c2800b0, int length=3909) Line 317 C++ WebKit.dll!WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader * loader=0x17592908, const char * data=0x1c2800b0, int length=3909) Line 499 C++ WebKit.dll!WebCore::DocumentLoader::commitLoad(const char * data=0x1c2800b0, int length=3909) Line 302 + 0x29 bytes C++ WebKit.dll!WebCore::DocumentLoader::receivedData(const char * data=0x1c2800b0, int length=3909) Line 329 C++ WebKit.dll!WebCore::MainResourceLoader::addData(const char * data=0x1c2800b0, int length=3909, bool allAtOnce=false) Line 159 C++ WebKit.dll!WebCore::ResourceLoader::didReceiveData(const char * data=0x1c2800b0, int length=3909, __int64 lengthReceived=3909, bool allAtOnce=false) Line 279 + 0x1b bytes C++ WebKit.dll!WebCore::MainResourceLoader::didReceiveData(const char * data=0x1c2800b0, int length=3909, __int64 lengthReceived=3909, bool allAtOnce=false) Line 444 C++ WebKit.dll!WebCore::ResourceLoader::didReceiveData(WebCore::ResourceHandle * __formal=0x20264ff0, const char * data=0x1c2800b0, int length=3909, int lengthReceived=3909) Line 430 + 0x1f bytes C++ WebKit.dll!WebCore::didReceiveData(_CFURLConnection * conn=0x2273efe0, const __CFData * data=0x1c280090, long originalLength=3909, const void * clientInfo=0x20264ff0) + 0x2a bytes C++ CFNetwork.dll!URLConnectionClient::_clientDidReceiveData() + 0x4c bytes C++ CFNetwork.dll!URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload() C++ CFNetwork.dll!URLConnectionClient::processEvents() + 0x21 bytes C++ CFNetwork.dll!URLConnectionWndProc() C++ user32.dll!_InternalCallWinProc@20() + 0x28 bytes user32.dll!_UserCallWinProcCheckWow@32() + 0xb7 bytes user32.dll!_DispatchMessageWorker@8() + 0xdc bytes user32.dll!_DispatchMessageW@4() + 0xf bytes DumpRenderTree.exe!runTest(const std::basic_string<char,std::char_traits<char>,std::allocator<char> > & testPathOrURL="c:\Documents and Settings\Adam Roben\dev\WebKit\OpenSource\LayoutTests\fast\forms\input-text-maxlength.html") Line 1002 + 0xf bytes C++ DumpRenderTree.exe!main(int argc=2, char * * argv=0x07c57f98) Line 1379 + 0x28 bytes C++ DumpRenderTree.exe!__tmainCRTStartup() Line 597 + 0x17 bytes C kernel32.dll!_BaseProcessStart@4() + 0x23 bytes

Attachments
Use iswalpha instead of isalpha when dealing with wchar_ts in EditingDelegate (1.95 KB, patch) 2011-02-27 13:48 PST, Adam Roben (:aroben)	andersca: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Adam Roben (:aroben)

Comment 1 2011-02-23 11:01:54 PST

Just to be clear: this is a bug in DumpRenderTree, not WebKit.

Adam Roben (:aroben)

Comment 2 2011-02-23 11:02:29 PST

fast/forms/input-text-paste-maxlength.html triggers this same crash.

Adam Roben (:aroben)

Comment 3 2011-02-23 11:54:52 PST

and fast/text/atsui-bidi-control.html

Adam Roben (:aroben)

Comment 4 2011-02-27 10:17:44 PST

<rdar://problem/9059907>

Adam Roben (:aroben)

Comment 5 2011-02-27 12:42:37 PST

fast/forms/focus-control-to-page.html just crashed in a Release build: http://build.webkit.org/results/Windows%207%20Release%20(Tests)/r79821%20(9819)/fast/forms/focus-control-to-page-crash-log.txt

Adam Roben (:aroben)

Comment 6 2011-02-27 13:48:35 PST

Created attachment 83992 [details] Use iswalpha instead of isalpha when dealing with wchar_ts in EditingDelegate

Adam Roben (:aroben)

Comment 7 2011-02-27 13:53:10 PST

Committed r79830: <http://trac.webkit.org/changeset/79830>

Eric Seidel (no email)

Comment 8 2011-02-27 14:13:07 PST

Comment on attachment 83992 [details] Use iswalpha instead of isalpha when dealing with wchar_ts in EditingDelegate Wow. Can't the compiler help us with this? I guess win32 is al C and thus compilers do nothing...

Note You need to log in before you can comment on or make changes to this bug.