WebKit Bugzilla
RESOLVED INVALID
116613
[Qt] New editing/selection/contains-node-crash.html fails with crash.
https://bugs.webkit.org/show_bug.cgi?id=116613
Gábor Ábrahám
Reported
2013-05-22 06:55:31 PDT
After r150498 this test crashes. Could you check it, please?

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff3f91878 in WebCore::RenderObject::RenderObjectBitfields::isAnonymous (this=0x34) at /home/abrhm/webkit/WebKit/Source/WebCore/rendering/RenderObject.h:1109
1109 ADD_BOOLEAN_BITFIELD(isAnonymous, IsAnonymous);
(gdb) bt
#0 0x00007ffff3f91878 in WebCore::RenderObject::RenderObjectBitfields::isAnonymous (this=0x34) at /home/abrhm/webkit/WebKit/Source/WebCore/rendering/RenderObject.h:1109
#1 0x00007ffff3f91800 in WebCore::RenderObject::isAnonymous (this=0x0) at /home/abrhm/webkit/WebKit/Source/WebCore/rendering/RenderObject.h:516
#2 0x00007ffff3f91856 in WebCore::RenderObject::node (this=0x0) at /home/abrhm/webkit/WebKit/Source/WebCore/rendering/RenderObject.h:638
#3 0x00007ffff425bd0c in WebCore::RenderLayerModelObject::node (this=0x0) at /home/abrhm/webkit/WebKit/Source/WebCore/rendering/RenderLayerModelObject.h:54
#4 0x00007ffff4643ec0 in WebCore::highestAncestorToWrapMarkup (range=0x7f8000, shouldAnnotate=WebCore::AnnotateForInterchange) at /home/abrhm/webkit/WebKit/Source/WebCore/editing/markup.cpp:531
#5 0x00007ffff46443aa in WebCore::createMarkupInternal (document=0x7be990, range=0x7f8000, updatedRange=0x7f8000, nodes=0x0, shouldAnnotate=WebCore::AnnotateForInterchange, convertBlocksToInlines=false, shouldResolveURLs=WebCore::ResolveNonLocalURLs) at /home/abrhm/webkit/WebKit/Source/WebCore/editing/markup.cpp:575
#6 0x00007ffff4644bba in WebCore::createMarkup (range=0x7f8000, nodes=0x0, shouldAnnotate=WebCore::AnnotateForInterchange, convertBlocksToInlines=false, shouldResolveURLs=WebCore::ResolveNonLocalURLs) at /home/abrhm/webkit/WebKit/Source/WebCore/editing/markup.cpp:665
#7 0x00007ffff4db2fe5 in WebCore::Pasteboard::writeSelection (this=0x819be0, selectedRange=0x7f8000, canSmartCopyOrDelete=false, frame=0x6e80c0, shouldSerializeSelectedTextForClipboard=WebCore::DefaultSelectedTextType) at /home/abrhm/webkit/WebKit/Source/WebCore/platform/qt/PasteboardQt.cpp:69
#8 0x00007ffff3ed43c6 in WebCore::EditorClientQt::respondToChangedSelection (this=0x6c0fd0, frame=0x6e80c0) at /home/abrhm/webkit/WebKit/Source/WebKit/qt/WebCoreSupport/EditorClientQt.cpp:209
#9 0x00007ffff461174a in WebCore::Editor::notifyComponentsOnChangedSelection (this=0x6d7df0, oldSelection=..., options=6) at /home/abrhm/webkit/WebKit/Source/WebCore/editing/Editor.cpp:539
#10 0x00007ffff461e236 in WebCore::Editor::respondToChangedSelection (this=0x6d7df0, oldSelection=..., options=6) at /home/abrhm/webkit/WebKit/Source/WebCore/editing/Editor.cpp:3022
#11 0x00007ffff4629fe8 in WebCore::FrameSelection::setSelection (this=0x6e85d0, newSelection=..., options=6, align=WebCore::FrameSelection::AlignCursorOnScrollIfNeeded, granularity=WebCore::CharacterGranularity) at /home/abrhm/webkit/WebKit/Source/WebCore/editing/FrameSelection.cpp:330
#12 0x00007ffff4629219 in WebCore::FrameSelection::moveTo (this=0x6e85d0, base=..., extent=..., userTriggered=WebCore::NotUserTriggered) at /home/abrhm/webkit/WebKit/Source/WebCore/editing/FrameSelection.cpp:157
#13 0x00007ffff4965036 in WebCore::DOMSelection::setBaseAndExtent (this=0x818c60, baseNode=0x7be990, baseOffset=0, extentNode=0x7be990, extentOffset=2, ec=@0x7fffffffc49c: 0) at /home/abrhm/webkit/WebKit/Source/WebCore/page/DOMSelection.cpp:264
#14 0x00007ffff49661a3 in WebCore::DOMSelection::selectAllChildren (this=0x818c60, n=0x7be990, ec=@0x7fffffffc49c: 0) at /home/abrhm/webkit/WebKit/Source/WebCore/page/DOMSelection.cpp:486
#15 0x00007ffff539e88d in WebCore::jsDOMSelectionPrototypeFunctionSelectAllChildren (exec=0x7fffe18c30b8) at generated/JSDOMSelection.cpp:391
#16 0x00007fff9bfff0e5 in ?? ()
#17 0x00007fffffffc570 in ?? ()
#18 0x00007ffff58bf2cc in llint_op_call () from /home/abrhm/webkit/WebKit/WebKitBuild/Debug/lib/libQt5WebKit.so.5
#19 0x00007fffe18c3060 in ?? ()
#20 0x000000000072b230 in ?? ()
#21 0x00007fffffffc530 in ?? ()
#22 0x00007ffff5868d39 in JSC::JSStack::installTrapsAfterFrame (this=0x0, frame=0x0) at /home/abrhm/webkit/WebKit/Source/JavaScriptCore/interpreter/JSStackInlines.h:212
#23 0x00007ffff5867ce0 in JSC::JITCode::execute (this=0x7fffe181f590, stack=0x72b230, callFrame=0x7fffe18c3060, vm=0x71d310) at /home/abrhm/webkit/WebKit/Source/JavaScriptCore/jit/JITCode.h:135
#24 0x00007ffff58659bb in JSC::Interpreter::executeCall (this=0x72b220, callFrame=0x7ffff7ebf678, function=0x7ffff7e2ca30, callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at /home/abrhm/webkit/WebKit/Source/JavaScriptCore/interpreter/Interpreter.cpp:1052
#25 0x00007ffff593b843 in JSC::call (exec=0x7ffff7ebf678, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at /home/abrhm/webkit/WebKit/Source/JavaScriptCore/runtime/CallData.cpp:40
#26 0x00007ffff427a5ed in WebCore::JSMainThreadExecState::call (exec=0x7ffff7ebf678, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at /home/abrhm/webkit/WebKit/Source/WebCore/bindings/js/JSMainThreadExecState.h:56
#27 0x00007ffff42a93db in WebCore::JSEventListener::handleEvent (this=0x8117c0, scriptExecutionContext=0x7bea40, event=0x81d9e0) at /home/abrhm/webkit/WebKit/Source/WebCore/bindings/js/JSEventListener.cpp:130
#28 0x00007ffff455f792 in WebCore::EventTarget::fireEventListeners (this=0x704390, event=0x81d9e0, d=0x704480, entry=...) at /home/abrhm/webkit/WebKit/Source/WebCore/dom/EventTarget.cpp:248
#29 0x00007ffff455f3f5 in WebCore::EventTarget::fireEventListeners (this=0x704390, event=0x81d9e0) at /home/abrhm/webkit/WebKit/Source/WebCore/dom/EventTarget.cpp:190
#30 0x00007ffff496eeda in WebCore::DOMWindow::dispatchEvent (this=0x704390, prpEvent=..., prpTarget=...) at /home/abrhm/webkit/WebKit/Source/WebCore/page/DOMWindow.cpp:1714
#31 0x00007ffff496ec63 in WebCore::DOMWindow::dispatchLoadEvent (this=0x704390) at /home/abrhm/webkit/WebKit/Source/WebCore/page/DOMWindow.cpp:1688
#32 0x00007ffff44f35a6 in WebCore::Document::dispatchWindowLoadEvent (this=0x7be990) at /home/abrhm/webkit/WebKit/Source/WebCore/dom/Document.cpp:3679
#33 0x00007ffff44eec2a in WebCore::Document::implicitClose (this=0x7be990) at /home/abrhm/webkit/WebKit/Source/WebCore/dom/Document.cpp:2429
#34 0x00007ffff48e8a73 in WebCore::FrameLoader::checkCallImplicitClose (this=0x6e8148) at /home/abrhm/webkit/WebKit/Source/WebCore/loader/FrameLoader.cpp:838
#35 0x00007ffff48e8807 in WebCore::FrameLoader::checkCompleted (this=0x6e8148) at /home/abrhm/webkit/WebKit/Source/WebCore/loader/FrameLoader.cpp:781
#36 0x00007ffff48e856c in WebCore::FrameLoader::finishedParsing (this=0x6e8148) at /home/abrhm/webkit/WebKit/Source/WebCore/loader/FrameLoader.cpp:714
#37 0x00007ffff44f5d7f in WebCore::Document::finishedParsing (this=0x7be990) at /home/abrhm/webkit/WebKit/Source/WebCore/dom/Document.cpp:4458
#38 0x00007ffff474558b in WebCore::HTMLConstructionSite::finishedParsing (this=0x7bdca8) at /home/abrhm/webkit/WebKit/Source/WebCore/html/parser/HTMLConstructionSite.cpp:344
#39 0x00007ffff4777bc9 in WebCore::HTMLTreeBuilder::finished (this=0x7bdc90) at /home/abrhm/webkit/WebKit/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2923
#40 0x00007ffff474cb70 in WebCore::HTMLDocumentParser::end (this=0x7bd830) at /home/abrhm/webkit/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:756
#41 0x00007ffff474cc5b in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd (this=0x7bd830) at /home/abrhm/webkit/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:767
#42 0x00007ffff474b8e3 in WebCore::HTMLDocumentParser::prepareToStopParsing (this=0x7bd830) at /home/abrhm/webkit/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:211
#43 0x00007ffff474cca0 in WebCore::HTMLDocumentParser::attemptToEnd (this=0x7bd830) at /home/abrhm/webkit/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:779
#44 0x00007ffff474cd59 in WebCore::HTMLDocumentParser::finish (this=0x7bd830) at /home/abrhm/webkit/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:828
#45 0x00007ffff48e03bc in WebCore::DocumentWriter::end (this=0x79a810) at /home/abrhm/webkit/WebKit/Source/WebCore/loader/DocumentWriter.cpp:248
#46 0x00007ffff48d3285 in WebCore::DocumentLoader::finishedLoading (this=0x79a770, finishTime=0) at /home/abrhm/webkit/WebKit/Source/WebCore/loader/DocumentLoader.cpp:398
#47 0x00007ffff48d2ff8 in WebCore::DocumentLoader::notifyFinished (this=0x79a770, resource=0x79b810) at /home/abrhm/webkit/WebKit/Source/WebCore/loader/DocumentLoader.cpp:340
#48 0x00007ffff48ba7c6 in WebCore::CachedResource::checkNotify (this=0x79b810) at /home/abrhm/webkit/WebKit/Source/WebCore/loader/cache/CachedResource.cpp:362
#49 0x00007ffff48ba824 in WebCore::CachedResource::data (this=0x79b810, allDataReceived=true) at /home/abrhm/webkit/WebKit/Source/WebCore/loader/cache/CachedResource.cpp:371
#50 0x00007ffff48b6fc8 in WebCore::CachedRawResource::data (this=0x79b810, data=..., allDataReceived=true) at /home/abrhm/webkit/WebKit/Source/WebCore/loader/cache/CachedRawResource.cpp:71
#51 0x00007ffff491b3e0 in WebCore::SubresourceLoader::didFinishLoading (this=0x79bd10, finishTime=0) at /home/abrhm/webkit/WebKit/Source/WebCore/loader/SubresourceLoader.cpp:282
#52 0x00007ffff4911df1 in WebCore::ResourceLoader::didFinishLoading (this=0x79bd10, finishTime=0) at /home/abrhm/webkit/WebKit/Source/WebCore/loader/ResourceLoader.cpp:491
#53 0x00007ffff4da051c in WebCore::QNetworkReplyHandler::finish (this=0x79cb20) at /home/abrhm/webkit/WebKit/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:516
#54 0x00007ffff4d9f139 in WebCore::QNetworkReplyHandlerCallQueue::flush (this=0x79cb58) at /home/abrhm/webkit/WebKit/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:250
#55 0x00007ffff4d9ee37 in WebCore::QNetworkReplyHandlerCallQueue::push (this=0x79cb58, method=(void (WebCore::QNetworkReplyHandler::*)(WebCore::QNetworkReplyHandler * const)) 0x7ffff4da0360 <WebCore::QNetworkReplyHandler::finish()>)
#56 0x00007ffff4d9fe0a in WebCore::QNetworkReplyWrapper::didReceiveFinished (this=0x79e770) at /home/abrhm/webkit/WebKit/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:409
#57 0x00007ffff4da2790 in WebCore::QNetworkReplyWrapper::qt_static_metacall (_o=0x79e770, _c=QMetaObject::InvokeMetaMethod, _id=1, _a=0x7fffffffd300) at .moc/release-shared/moc_QNetworkReplyHandler.cpp:175
#58 0x00007ffff222a0e1 in QMetaObject::activate(QObject*, int, int, void**) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#59 0x00007ffff222b73e in QObject::event(QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#60 0x00007ffff32a81f4 in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Widgets.so.5
#61 0x00007ffff32ab5d1 in QApplication::notify(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Widgets.so.5
#62 0x00007ffff2204a24 in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#63 0x00007ffff2206961 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#64 0x00007ffff224c1f3 in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#65 0x00007fffef026d53 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#66 0x00007fffef0270a0 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#67 0x00007fffef027164 in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#68 0x00007ffff224c634 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#69 0x00007ffff22038fb in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#70 0x00007ffff2206e9e in QCoreApplication::exec() () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#71 0x0000000000439b89 in main (argc=2, argv=0x7fffffffe088) at /home/abrhm/webkit/WebKit/Tools/DumpRenderTree/qt/DumpRenderTreeMain.cpp:199
Csaba Osztrogonác
Comment 1
2013-05-22 07:00:47 PDT
The original https://bugs.webkit.org/show_bug.cgi?id=116468 seems to be a security bug. Isn't this crash a security bug too?
Ryosuke Niwa
Comment 2
2013-05-22 10:10:27 PDT
It seems like this is an unrelated crash since it's happening inside getSelection().selectAllChildren. I'm not certain if this is a security bug or not. Someone who has access to a Qt build needs to debug it.
Jocelyn Turcotte
Comment 3
2014-02-03 03:25:45 PST
=== Bulk closing of Qt bugs ===

If you believe that this bug report is still relevant for a non-Qt port of webkit.org, please re-open it and remove [Qt] from the summary. If you believe that this is still an important QtWebKit bug, please file a new report at https://bugreports.qt-project.org and add a link to this issue. See http://qt-project.org/wiki/ReportingBugsInQt for additional guidelines.