Bug 136947 - Null pointer dereference in WebCore::StyleProperties::findPropertyIndex
Summary: Null pointer dereference in WebCore::StyleProperties::findPropertyIndex
Status: RESOLVED WORKSFORME
Alias: None
Product: WebKit
Classification: Unclassified
Component: CSS
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks: 116980
Reported: 2014-09-19 02:26 PDT by Renata Hodovan
Modified: 2016-08-03 17:04 PDT
CC: 4 users

See Also:


Attachments
Test case (682 bytes, text/html)
2014-09-19 02:26 PDT, Renata Hodovan

Description Renata Hodovan 2014-09-19 02:26:14 PDT
Created attachment 238364 [details]
Test case

The crashing test case:

<!DOCTYPE html>
<style>
* {
    position:absolute;
}
</style>
<script>
onload = function() {
    document.designMode = 'on';
    document.execCommand("selectAll", false, null);
    document.execCommand("insertParagraph", true, null);
    document.execCommand("useCSS", true, false);
    document.execCommand("insertOrderedList", false, null);
    document.execCommand("insertOrderedList", false, null);
    document.execCommand("insertOrderedList", false, null);
    document.execCommand("undo", false, null);
    document.execCommand("insertOrderedList", false, null);
    document.execCommand("redo",  false, null);
}
</script>
<li>
    <b>
        <embed></embed>
    </b>
</li>



The backtrace:

0x00007ffff2fb9711 in WebCore::StyleProperties::findPropertyIndex (this=0x0, propertyID=WebCore::CSSPropertyFontWeight) at ../../Source/WebCore/css/StyleProperties.h:291
291	    if (m_isMutable)
#0  0x00007ffff2fb9711 in WebCore::StyleProperties::findPropertyIndex (this=0x0, propertyID=WebCore::CSSPropertyFontWeight) at ../../Source/WebCore/css/StyleProperties.h:291
#1  0x00007ffff2fb61d8 in WebCore::StyleProperties::getPropertyCSSValue (this=0x0, propertyID=WebCore::CSSPropertyFontWeight) at ../../Source/WebCore/css/StyleProperties.cpp:578
#2  0x00007ffff2fb330c in WebCore::StyleProperties::getPropertyValue (this=0x0, propertyID=WebCore::CSSPropertyFontWeight) at ../../Source/WebCore/css/StyleProperties.cpp:120
#3  0x00007ffff31fd21a in WebCore::RemoveCSSPropertyCommand::doApply (this=0x8931f0) at ../../Source/WebCore/editing/RemoveCSSPropertyCommand.cpp:53
#4  0x00007ffff31a9549 in WebCore::SimpleEditCommand::doReapply (this=0x8931f0) at ../../Source/WebCore/editing/EditCommand.cpp:117
#5  0x00007ffff318d82d in WebCore::EditCommandComposition::reapply (this=0x96ecb0) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:146
#6  0x00007ffff2a35584 in WebKit::WebPage::reapplyEditCommand (this=0xaff070, stepID=0x4) at ../../Source/WebKit2/WebProcess/WebPage/WebPage.cpp:3112
#7  0x00007ffff2b92dee in IPC::callMemberFunctionImpl<WebKit::WebPage, void (WebKit::WebPage::*)(unsigned long), std::tuple<unsigned long>, 0ul>(WebKit::WebPage*, void (WebKit::WebPage::*)(unsigned long), std::tuple<unsigned long>&&, std::index_sequence<0ul>) (object=0xaff070, function=(void (WebKit::WebPage::*)(WebKit::WebPage * const, unsigned long)) 0x7ffff2a3552e <WebKit::WebPage::reapplyEditCommand(unsigned long)>, args=<unknown type in /home/reni/data/REPOS/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37, CU 0x6da7251, DIE 0x6e79cc3>) at ../../Source/WebKit2/Platform/IPC/HandleMessage.h:16
#8  0x00007ffff2b90c7e in IPC::callMemberFunction<WebKit::WebPage, void (WebKit::WebPage::*)(unsigned long), std::tuple<unsigned long>, std::make_index_sequence<1ul> >(std::tuple<unsigned long>&&, WebKit::WebPage*, void (WebKit::WebPage::*)(unsigned long)) (args=<unknown type in /home/reni/data/REPOS/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37, CU 0x6da7251, DIE 0x6e79cc3>, object=0xaff070, function=(void (WebKit::WebPage::*)(WebKit::WebPage * const, unsigned long)) 0x7ffff2a3552e <WebKit::WebPage::reapplyEditCommand(unsigned long)>) at ../../Source/WebKit2/Platform/IPC/HandleMessage.h:22
#9  0x00007ffff2b8cc6f in IPC::handleMessage<Messages::WebPage::ReapplyEditCommand, WebKit::WebPage, void (WebKit::WebPage::*)(unsigned long)> (decoder=..., object=0xaff070, function=(void (WebKit::WebPage::*)(WebKit::WebPage * const, unsigned long)) 0x7ffff2a3552e <WebKit::WebPage::reapplyEditCommand(unsigned long)>) at ../../Source/WebKit2/Platform/IPC/HandleMessage.h:120
#10 0x00007ffff2b87f28 in WebKit::WebPage::didReceiveWebPageMessage (this=0xaff070, decoder=...) at DerivedSources/WebKit2/WebPageMessageReceiver.cpp:612
#11 0x00007ffff2a362b0 in WebKit::WebPage::didReceiveMessage (this=0xaff070, connection=0xaa8200, decoder=...) at ../../Source/WebKit2/WebProcess/WebPage/WebPage.cpp:3505
#12 0x00007ffff2752042 in IPC::MessageReceiverMap::dispatchMessage (this=0x8ec6e8, connection=0xaa8200, decoder=...) at ../../Source/WebKit2/Platform/IPC/MessageReceiverMap.cpp:87
#13 0x00007ffff29203f9 in WebKit::WebProcess::didReceiveMessage (this=0x8ec600, connection=0xaa8200, decoder=...) at ../../Source/WebKit2/WebProcess/WebProcess.cpp:599
#14 0x00007ffff27411be in IPC::Connection::dispatchMessage (this=0xaa8200, decoder=...) at ../../Source/WebKit2/Platform/IPC/Connection.cpp:809
#15 0x00007ffff274128a in IPC::Connection::dispatchMessage (this=0xaa8200, message=...) at ../../Source/WebKit2/Platform/IPC/Connection.cpp:828
#16 0x00007ffff273d30d in IPC::Connection::SyncMessageState::dispatchMessages (this=0xacd600, allowedConnection=0x0) at ../../Source/WebKit2/Platform/IPC/Connection.cpp:201
#17 0x00007ffff273f51d in IPC::Connection::waitForSyncReply (this=0xaa8200, syncRequestID=0x7, timeout=..., syncSendFlags=0x0) at ../../Source/WebKit2/Platform/IPC/Connection.cpp:537
#18 0x00007ffff273ef7a in IPC::Connection::sendSyncMessage (this=0xaa8200, syncRequestID=0x7, encoder=..., timeout=..., syncSendFlags=0x0) at ../../Source/WebKit2/Platform/IPC/Connection.cpp:478
#19 0x00007ffff29e8cbb in IPC::Connection::sendSync<Messages::WebPageProxy::ExecuteUndoRedo>(Messages::WebPageProxy::ExecuteUndoRedo&&, Messages::WebPageProxy::ExecuteUndoRedo::Reply&&, unsigned long, std::chrono::duration<long, std::ratio<1l, 1000l> >, unsigned int) (this=0xaa8200, message=<unknown type in /home/reni/data/REPOS/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37, CU 0x4136c8e, DIE 0x4204d34>, reply=<unknown type in /home/reni/data/REPOS/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37, CU 0x4136c8e, DIE 0x4207c50>, destinationID=0x1, timeout=..., syncSendFlags=0x0) at ../../Source/WebKit2/Platform/IPC/Connection.h:359
#20 0x00007ffff29e8030 in IPC::MessageSender::sendSync<Messages::WebPageProxy::ExecuteUndoRedo>(Messages::WebPageProxy::ExecuteUndoRedo&&, Messages::WebPageProxy::ExecuteUndoRedo::Reply&&, unsigned long, std::chrono::duration<long, std::ratio<1l, 1000l> >, unsigned int) (this=0xaff088, message=<unknown type in /home/reni/data/REPOS/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37, CU 0x4136c8e, DIE 0x4204d34>, reply=<unknown type in /home/reni/data/REPOS/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37, CU 0x4136c8e, DIE 0x42065fb>, destinationID=0x1, timeout=..., syncSendFlags=0x0) at ../../Source/WebKit2/Platform/IPC/MessageSender.h:66
#21 0x00007ffff29e741a in IPC::MessageSender::sendSync<Messages::WebPageProxy::ExecuteUndoRedo>(Messages::WebPageProxy::ExecuteUndoRedo&&, Messages::WebPageProxy::ExecuteUndoRedo::Reply&&, std::chrono::duration<long, std::ratio<1l, 1000l> >, unsigned int) (this=0xaff088, message=<unknown type in /home/reni/data/REPOS/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37, CU 0x4136c8e, DIE 0x4204d34>, reply=<unknown type in /home/reni/data/REPOS/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37, CU 0x4136c8e, DIE 0x4204d39>, timeout=..., syncSendFlags=0x0) at ../../Source/WebKit2/Platform/IPC/MessageSender.h:58
#22 0x00007ffff29e5812 in WebKit::WebEditorClient::redo (this=0x6ffa80) at ../../Source/WebKit2/WebProcess/WebCoreSupport/WebEditorClient.cpp:280
#23 0x00007ffff31bde1e in WebCore::Editor::redo (this=0xa84360) at ../../Source/WebCore/editing/Editor.cpp:1617
#24 0x00007ffff31d3277 in WebCore::executeRedo (frame=...) at ../../Source/WebCore/editing/EditorCommand.cpp:977
#25 0x00007ffff31d5121 in WebCore::Editor::Command::execute (this=0x7fffffffc780, parameter=..., triggeringEvent=0x0) at ../../Source/WebCore/editing/EditorCommand.cpp:1726
#26 0x00007ffff3068d82 in WebCore::Document::execCommand (this=0xabf430, commandName=..., userInterface=0x0, value=...) at ../../Source/WebCore/dom/Document.cpp:4284
#27 0x00007ffff4064ccf in WebCore::jsDocumentPrototypeFunctionExecCommand (exec=0x7fffffffc880) at DerivedSources/WebCore/JSDocument.cpp:4526
#28 0x00007fff9b2060b4 in ?? ()
#29 0x00007fffffffc8e0 in ?? ()
#30 0x00007fffedbda6ae in llint_entry () from /home/reni/data/REPOS/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18
Comment 1 Brent Fulgham 2016-08-03 17:04:35 PDT
This problem does not reproduce under GuardMalloc or ASAN under r204037. If you believe there is still a problem, please reopen this bug and provide an updated test case.