Bug 99607

Summary: editing/pasteboard/paste-noscript-xhtml.xhtml crashes in chromium's content_shell
Product: WebKit
Reporter: jochen
Component: HTML Editing
Assignee: Adam Klein <adamk>
Status: RESOLVED FIXED
Severity: Normal
CC: adamk, esprehn, leviw, ojan, rniwa
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Bug Depends on: 99880
Bug Blocks:

Description jochen 2012-10-17 10:11:40 PDT
When running

new_run_webkit_tests --chromium --debug --driver-name=content_shell --additional-drt-flag=--dump-render-tree --additional-drt-flag=--no-sandbox --clobber-old-results --no-show-results editing/pasteboard/paste-noscript-xhtml.xhtml

I get the following crash:

STDERR: [20611:20611:1017/190312:32571343945:ERROR:process_util_posix.cc(144)] Received signal 11
STDERR: 	base::debug::StackTrace::StackTrace() [0x4e505e]
STDERR: 	base::(anonymous namespace)::StackDumpSignalHandler() [0x4fe814]
STDERR: 	0x7fc9502a84c0
STDERR: 	WebCore::Node::getFlag() [0xc5084e]
STDERR: 	WebCore::Node::isContainerNode() [0x1e02c0a]
STDERR: 	WebCore::Node::firstChild() [0x1e292a9]
STDERR: 	WebCore::getChildNodes() [0x2c2ce43]
STDERR: 	WebCore::ContainerNode::takeAllChildrenFrom() [0x309d9aa]
STDERR: 	WebCore::createFragmentFromMarkupWithContext() [0x27e112a]
STDERR: 	WebCore::Pasteboard::documentFragment() [0x39f3efa]
STDERR: 	WebCore::Editor::pasteWithPasteboard() [0x2779bfd]
STDERR: 	WebCore::Editor::paste() [0x277d47e]
STDERR: 	WebCore::executePaste() [0x278fca1]
STDERR: 	WebCore::Editor::Command::execute() [0x278c1d5]
STDERR: 	WebCore::Document::execCommand() [0x30c6c0e]
STDERR: 	WebCore::DocumentV8Internal::execCommandCallback() [0x36826b3]
STDERR: 	v8::internal::HandleApiCallHelper<>() [0x1699b95]
STDERR: 	v8::internal::Builtin_Impl_HandleApiCall() [0x1699773]
STDERR: 	v8::internal::Builtin_HandleApiCall() [0x16932fc]
STDERR: 	0x24143650618e

Tracked also in http://code.google.com/p/chromium/issues/detail?id=156376
Comment 1 Adam Klein 2012-10-18 11:21:02 PDT
Most likely reason for this is that we're passing an empty DocumentFragment to ContainerNode::takeAllChildrenFrom(), which assumes (but doesn't check) that oldParent is non-null. Will look into it.
Comment 2 Adam Klein 2012-10-18 11:57:51 PDT
I'm running into a bit of a problem trying to track this down, in that I can't figure out how to attach gdb to the renderer. jochen, any tips?
Comment 3 jochen 2012-10-18 12:18:14 PDT
(In reply to comment #2)
> I'm running into a bit of a problem trying to track this down, in that I can't figure out how to attach gdb to the renderer. jochen, any tips?

I would try

echo /path/to/editing/pasteboard/paste-noscript-xhtml.xhtml | out/Debug/content_shell --dump-render-tree --no-timeout --no-sandbox --renderer-cmd-prefix='xterm -title renderer -e gdb --eval-command=run --args'

That should start each renderer in a gdb in a new xterm.
Comment 4 Adam Klein 2012-10-18 12:19:01 PDT
Thanks, used printfs for now. It looks like the problem is that the selected content can't be parsed, likely due to a leading <meta charset='UTF-8'> tag in the selected markup. Still digging to figure out how that's ending up in the selection, and only in ContentShell.
Comment 5 Adam Klein 2012-10-18 12:23:37 PDT
(In reply to comment #4)
> Thanks, used printfs for now. It looks like the problem is that the selected content can't be parsed, likely due to a leading <meta charset='UTF-8'> tag in the selected markup. Still digging to figure out how that's ending up in the selection, and only in ContentShell.

Correction, that's "<meta charset='utf-8'>" to be precise, and at least on Mac it looks like we add that to the selection. Last of updates for now, I think I've got a bead on it.
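The failure mode described in comments 1 and 4, as an added illustration that is not WebKit code: a minimal model of the call chain in the stack trace, where the fragment builder returns null for markup it cannot parse (here, hypothetically, markup starting with a <meta charset=...> tag) and the caller checks for that before takeAllChildrenFrom() walks the fragment's children.

```cpp
// Added illustration, not WebKit's implementation: a toy model of
// createFragmentFromMarkupWithContext() -> takeAllChildrenFrom(), with the
// null check that the unchecked version in the stack trace above lacked.
#include <cstddef>
#include <memory>
#include <string>
#include <vector>

struct Node {
    std::string name;
};

// Stand-in for WebCore::ContainerNode: owns a list of child nodes.
struct ContainerNode {
    std::vector<std::unique_ptr<Node>> children;

    // Hardened form: a null oldParent is a no-op instead of a null dereference.
    void takeAllChildrenFrom(ContainerNode* oldParent) {
        if (!oldParent)
            return;
        for (auto& child : oldParent->children)
            children.push_back(std::move(child));
        oldParent->children.clear();
    }
};

// Hypothetical stand-in for the fragment parser: returns null for markup that
// begins with a <meta charset=...> tag, the parse failure the comments describe.
// Toy tokenizer otherwise: every "<x>" tag becomes one child node named "x".
std::unique_ptr<ContainerNode> createFragmentFromMarkup(const std::string& markup) {
    if (markup.rfind("<meta charset=", 0) == 0)
        return nullptr;
    auto fragment = std::make_unique<ContainerNode>();
    for (size_t i = markup.find('<'); i != std::string::npos; i = markup.find('<', i + 1)) {
        size_t end = markup.find('>', i);
        if (end == std::string::npos)
            break;
        auto node = std::make_unique<Node>();
        node->name = markup.substr(i + 1, end - i - 1);
        fragment->children.push_back(std::move(node));
    }
    return fragment;
}

// Models the paste step: returns the number of nodes moved into target,
// or 0 when no fragment could be built, instead of crashing on a null fragment.
size_t pasteMarkup(ContainerNode& target, const std::string& markup) {
    std::unique_ptr<ContainerNode> fragment = createFragmentFromMarkup(markup);
    if (!fragment)
        return 0;
    size_t before = target.children.size();
    target.takeAllChildrenFrom(fragment.get());
    return target.children.size() - before;
}
```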
Comment 6 Adam Klein 2012-10-18 12:42:01 PDT
Okay, I lied, one more question for jochen: I take it you were running this on Linux? I'm not able to reproduce there, only on Mac, and the <meta> tag insertion I mentioned before seems to be Mac-specific.
Comment 7 jochen 2012-10-18 12:50:04 PDT
(In reply to comment #6)
> Okay, I lied, one more question for jochen: I take it you were running this on Linux? I'm not able to reproduce there, only on Mac, and the <meta> tag insertion I mentioned before seems to be Mac-specific.

Yes, sorry for not mentioning this.

I can repro on 64-bit lucid and precise.
Comment 8 Adam Klein 2012-10-18 14:02:34 PDT
(In reply to comment #7)
> (In reply to comment #6)
> > Okay, I lied, one more question for jochen: I take it you were running this on Linux? I'm not able to reproduce there, only on Mac, and the <meta> tag insertion I mentioned before seems to be Mac-specific.
> 
> Yes, sorry for not mentioning this.
> 
> I can repro on 64bit lucid and precise

Hmm, I can't on precise (the test fails to run properly instead, looks like perhaps the paste never happens?). Anyway, the <meta> thing looks like a real bug (http://crbug.com/136218).
Comment 9 jochen 2012-10-18 14:05:42 PDT
(In reply to comment #8)
> (In reply to comment #7)
> > (In reply to comment #6)
> > > Okay, I lied, one more question for jochen: I take it you were running this on Linux? I'm not able to reproduce there, only on Mac, and the <meta> tag insertion I mentioned before seems to be Mac-specific.
> > 
> > Yes, sorry for not mentioning this.
> > 
> > I can repro on 64bit lucid and precise
> 
> Hmm, I can't on precise (the test fails to run properly instead, looks like perhaps the paste never happens?). Anyway, the <meta> thing looks like a real bug (http://crbug.com/136218).

Are you building after chromium r161834?
Comment 10 Adam Klein 2012-10-23 07:52:38 PDT
Should be fixed by http://trac.webkit.org/changeset/132211