WebKit Bugzilla
Bug 140275 - Calling clearSelection on a detached RenderObject leads to segfault.
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=140275

Reported by zalan, 2015-01-08 16:34:35 PST

Created attachment 244310 [details]
Test reduction. We attempt to compute the selection rect on an already detached subtree.
Attachments
- Test reduction. (828 bytes, text/html), 2015-01-08 16:34 PST, zalan, no flags
- Patch (6.01 KB, patch), 2015-01-09 15:56 PST, zalan, no flags
Comment 1 - zalan - 2015-01-08 16:35:06 PST
rdar://problem/19397991
Comment 2 - zalan - 2015-01-09 14:25:30 PST

* thread #1: tid = 0x1ada2a7, 0x000000010e79c801 WebCore`WebCore::RenderBox::containingBlockLogicalHeightForContent(this=0x000000011bf79480, heightType=IncludeMarginBorderPadding) const + 81 at RenderBox.cpp:1853, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x000000010e79c801 WebCore`WebCore::RenderBox::containingBlockLogicalHeightForContent(this=0x000000011bf79480, heightType=IncludeMarginBorderPadding) const + 81 at RenderBox.cpp:1853
    frame #1: 0x000000010e7a5a19 WebCore`WebCore::RenderBox::availableLogicalHeightUsing(this=0x000000011bf79480, h=0x000000011bff20a0, heightType=IncludeMarginBorderPadding) const + 1113 at RenderBox.cpp:3045
    frame #2: 0x000000010e7a5599 WebCore`WebCore::RenderBox::availableLogicalHeight(this=0x000000011bf79480, heightType=IncludeMarginBorderPadding) const + 57 at RenderBox.cpp:3010
    frame #3: 0x000000010e7cd389 WebCore`WebCore::RenderBox::availableHeight(this=0x000000011bf79480) const + 73 at RenderBox.h:455
    frame #4: 0x000000010e7b8a6e WebCore`WebCore::RenderBoxModelObject::relativePositionOffset(this=0x000000011bf79180) const + 766 at RenderBoxModelObject.cpp:303
    frame #5: 0x000000010e7ba125 WebCore`WebCore::RenderBoxModelObject::offsetForInFlowPosition(this=0x000000011bf79180) const + 53 at RenderBoxModelObject.cpp:483
    frame #6: 0x000000010e79d928 WebCore`WebCore::RenderBox::offsetFromContainer(this=0x000000011bf79180, renderer=0x000000011bf79480, (null)=0x00007fff577af008, offsetDependsOnPoint=0x0000000000000000) const + 184 at RenderBox.cpp:2023
    frame #7: 0x000000010e79d0db WebCore`WebCore::RenderBox::mapLocalToContainer(this=0x000000011bf79180, repaintContainer=0x0000000000000000, transformState=0x00007fff577af520, mode=2, wasFixed=0x0000000000000000) const + 667 at RenderBox.cpp:1940
    frame #8: 0x000000010e79d35e WebCore`WebCore::RenderBox::mapLocalToContainer(this=0x000000011bfbcbb8, repaintContainer=0x0000000000000000, transformState=0x00007fff577af520, mode=2, wasFixed=0x0000000000000000) const + 1310 at RenderBox.cpp:1963
    frame #9: 0x000000010e79d35e WebCore`WebCore::RenderBox::mapLocalToContainer(this=0x000000011bed7780, repaintContainer=0x0000000000000000, transformState=0x00007fff577af520, mode=2, wasFixed=0x0000000000000000) const + 1310 at RenderBox.cpp:1963
    frame #10: 0x000000010e92d7e7 WebCore`WebCore::RenderObject::mapLocalToContainer(this=0x000000011bedbc00, repaintContainer=0x0000000000000000, transformState=0x00007fff577af520, mode=2, wasFixed=0x0000000000000000) const + 535 at RenderObject.cpp:1602
    frame #11: 0x000000010e92de58 WebCore`WebCore::RenderObject::localToContainerQuad(this=0x000000011bedbc00, localQuad=0x00007fff577af690, repaintContainer=0x0000000000000000, mode=0, wasFixed=0x0000000000000000) const + 280 at RenderObject.cpp:1673
    frame #12: 0x000000010ea14c3b WebCore`WebCore::RenderText::collectSelectionRectsForLineBoxes(this=0x000000011bedbc00, repaintContainer=0x0000000000000000, clipToVisibleContent=true, rects=0x000000011bed8948) + 795 at RenderText.cpp:1323
    frame #13: 0x000000010ea14dff WebCore`WebCore::RenderText::collectSelectionRectsForLineBoxes(this=0x000000011bedbc00, repaintContainer=0x0000000000000000, clipToVisibleContent=true, rects=0x000000011bed8948) + 47 at RenderText.cpp:1337
    frame #14: 0x000000010e94d801 WebCore`WebCore::RenderSelectionInfo::RenderSelectionInfo(this=0x000000011bed8930, renderer=0x000000011bedbc00, clipToVisibleContent=true) + 177 at RenderSelectionInfo.cpp:50
    frame #15: 0x000000010e94d8ac WebCore`WebCore::RenderSelectionInfo::RenderSelectionInfo(this=0x000000011bed8930, renderer=0x000000011bedbc00, clipToVisibleContent=true) + 44 at RenderSelectionInfo.cpp:54
    frame #16: 0x000000010ea515de WebCore`std::_Unique_if<WebCore::RenderSelectionInfo>::_Single_object std::make_unique<WebCore::RenderSelectionInfo, WebCore::RenderObject&, bool>(args=0x000000011bedbc00, args=0x00007fff577afa8f) + 110 at StdLibExtras.h:337
    frame #17: 0x000000010ea4ce81 WebCore`WebCore::RenderView::clearSubtreeSelection(this=0x000000011b7a9000, root=0x000000011b7a90c0, blockRepaintMode=RepaintNewMinusOld, oldSelectionData=0x00007febb34a6d60) const + 481 at RenderView.cpp:963
    frame #18: 0x000000010ea4c5fd WebCore`WebCore::RenderView::updateSelectionForSubtrees(this=0x000000011b7a9000, renderSubtreesMap=0x00007fff577affc8, blockRepaintMode=RepaintNewMinusOld) + 285 at RenderView.cpp:927
    frame #19: 0x000000010ea4c3a2 WebCore`WebCore::RenderView::setSelection(this=0x000000011b7a9000, start=0x0000000000000000, startPos=-1, end=0x0000000000000000, endPos=-1, blockRepaintMode=RepaintNewMinusOld) + 578 at RenderView.cpp:873
    frame #20: 0x000000010ea4e724 WebCore`WebCore::RenderView::clearSelection(this=0x000000011b7a9000) + 84 at RenderView.cpp:1097
    frame #21: 0x000000010d95e4c4 WebCore`WebCore::FrameSelection::setNeedsSelectionUpdate(this=0x000000011b7fe140) + 68 at FrameSelection.cpp:360
    frame #22: 0x000000010e7ee7df WebCore`WebCore::RenderElement::removeChildInternal(this=0x000000011bed7f00, oldChild=0x000000011bf79480, notifyChildren=DontNotifyChildren) + 495 at RenderElement.cpp:623
    frame #23: 0x000000010e7ccb03 WebCore`WebCore::RenderBoxModelObject::moveChildTo(this=0x000000011bed7f00, toBoxModelObject=0x000000011bf79840, child=0x000000011bf79480, beforeChild=0x0000000000000000, fullRemoveInsert=false) + 467 at RenderBoxModelObject.cpp:2709
    frame #24: 0x000000010e7ccd15 WebCore`WebCore::RenderBoxModelObject::moveChildrenTo(this=0x000000011bed7f00, toBoxModelObject=0x000000011bf79840, startChild=0x000000011bf79480, endChild=0x0000000000000000, beforeChild=0x0000000000000000, fullRemoveInsert=false) + 485 at RenderBoxModelObject.cpp:2745
    frame #25: 0x000000010e73b28d WebCore`WebCore::RenderBoxModelObject::moveAllChildrenTo(this=0x000000011bed7f00, toBoxModelObject=0x000000011bf79840, beforeChild=0x0000000000000000, fullRemoveInsert=false) + 93 at RenderBoxModelObject.h:299
    frame #26: 0x000000010e726cde WebCore`WebCore::RenderBlock::collapseAnonymousBoxChild(parent=0x000000011bf79840, child=0x000000011bed7f00) + 270 at RenderBlock.cpp:694
    frame #27: 0x000000010e7271a6 WebCore`WebCore::RenderBlock::removeChild(this=0x000000011bf79840, oldChild=0x000000011bed7e40) + 1190 at RenderBlock.cpp:767
    frame #28: 0x000000010e770cdd WebCore`WebCore::RenderBlockFlow::removeChild(this=0x000000011bf79840, oldChild=0x000000011bed7e40) + 125 at RenderBlockFlow.cpp:3729
    frame #29: 0x000000010e9251c6 WebCore`WebCore::RenderObject::removeFromParent(this=0x000000011bed7e40) + 70 at RenderObject.cpp:188
    frame #30: 0x000000010e92e406 WebCore`WebCore::RenderObject::willBeDestroyed(this=0x000000011bed7e40) + 102 at RenderObject.cpp:1863
    frame #31: 0x000000010e7f061f WebCore`WebCore::RenderElement::willBeDestroyed(this=0x000000011bed7e40) + 95 at RenderElement.cpp:1067
    frame #32: 0x000000010e7b8198 WebCore`WebCore::RenderBoxModelObject::willBeDestroyed(this=0x000000011bed7e40) + 184 at RenderBoxModelObject.cpp:204
    frame #33: 0x000000010e75772e WebCore`WebCore::RenderBlockFlow::willBeDestroyed(this=0x000000011bed7e40) + 414 at RenderBlockFlow.cpp:175
    frame #34: 0x000000010e92e982 WebCore`WebCore::RenderObject::destroy(this=0x000000011bed7e40) + 66 at RenderObject.cpp:1990
    frame #35: 0x000000010e92e932 WebCore`WebCore::RenderObject::destroyAndCleanupAnonymousWrappers(this=0x000000011bed7e40) + 274 at RenderObject.cpp:1976
    frame #36: 0x000000010ed63d05 WebCore`WebCore::Style::detachRenderTree(current=0x000000011befbf70, detachType=NormalDetach) + 197 at StyleResolveTree.cpp:700
    frame #37: 0x000000010ed63c3a WebCore`WebCore::Style::detachRenderTree(element=0x000000011befbf70) + 26 at StyleResolveTree.cpp:1000
    frame #38: 0x000000010d34478e WebCore`WebCore::destroyRenderTreeIfNeeded(child=0x000000011befbf70) + 94 at ContainerNode.cpp:100
    frame #39: 0x000000010d346a76 WebCore`WebCore::ContainerNode::removeBetween(this=0x000000011befbc98, previousChild=0x000000011befbea0, nextChild=0x0000000000000000, oldChild=0x000000011befbf70) + 134 at ContainerNode.cpp:586
    frame #40: 0x000000010d346471 WebCore`WebCore::ContainerNode::removeChild(this=0x000000011befbc98, oldChild=0x000000011befbf70, ec=0x00007fff577b0784) + 593 at ContainerNode.cpp:559
    frame #41: 0x000000010e615b78 WebCore`WebCore::Node::removeChild(this=0x000000011befbc98, oldChild=0x000000011befbf70, ec=0x00007fff577b0784) + 88 at Node.cpp:447
    frame #42: 0x000000010e170a74 WebCore`WebCore::JSNode::removeChild(this=0x000000011d59f5d0, exec=0x00007fff577b0800) + 84 at JSNodeCustom.cpp:156
    frame #43: 0x000000010e16cfaf WebCore`WebCore::jsNodePrototypeFunctionRemoveChild(exec=0x00007fff577b0800) + 383 at JSNode.cpp:671
    frame #44: 0x00002ccf37601034
    frame #45: 0x000000010b8a9e1b JavaScriptCore`llint_entry + 25439
    frame #46: 0x000000010b8a3879 JavaScriptCore`vmEntryToJavaScript + 361
    frame #47: 0x000000010b72cf5a JavaScriptCore`JSC::JITCode::execute(this=0x000000011beece10, vm=0x000000011a0261c0, protoCallFrame=0x00007fff577b0a70) + 266 at JITCode.cpp:77
    frame #48: 0x000000010b7114e4 JavaScriptCore`JSC::Interpreter::executeCall(this=0x000000011bff1270, callFrame=0x000000011d58eeb0, function=0x000000011d5b50f0, callType=CallTypeJS, callData=0x00007fff577b0e88, thisValue=JSValue at 0x00007fff577b0b50, args=0x00007fff577b0dc0) + 1508 at Interpreter.cpp:978
    frame #49: 0x000000010b21867e JavaScriptCore`JSC::call(exec=0x000000011d58eeb0, functionObject=JSValue at 0x00007fff577b0c30, callType=CallTypeJS, callData=0x00007fff577b0e88, thisValue=JSValue at 0x00007fff577b0c28, args=0x00007fff577b0dc0) + 190 at CallData.cpp:39
    frame #50: 0x000000010b2186e3 JavaScriptCore`JSC::call(exec=0x000000011d58eeb0, functionObject=JSValue at 0x00007fff577b0cb0, callType=CallTypeJS, callData=0x00007fff577b0e88, thisValue=JSValue at 0x00007fff577b0ca8, args=0x00007fff577b0dc0, exception=0x00007fff577b0de0) + 83 at CallData.cpp:44
    frame #51: 0x000000010de705db WebCore`WebCore::JSMainThreadExecState::call(exec=0x000000011d58eeb0, functionObject=JSValue at 0x00007fff577b0d30, callType=CallTypeJS, callData=0x00007fff577b0e88, thisValue=JSValue at 0x00007fff577b0d28, args=0x00007fff577b0dc0, exception=0x00007fff577b0de0) + 107 at JSMainThreadExecState.h:56
    frame #52: 0x000000010eadd6e4 WebCore`WebCore::ScheduledAction::executeFunctionInContext(this=0x000000011beeeac8, globalObject=0x000000011d58ee70, thisValue=JSValue at 0x00007fff577b0eb8, context=0x000000011a0160e0) + 532 at ScheduledAction.cpp:104
    frame #53: 0x000000010eadd2e4 WebCore`WebCore::ScheduledAction::execute(this=0x000000011beeeac8, document=0x000000011a016040) + 276 at ScheduledAction.cpp:125
    frame #54: 0x000000010eadd1a3 WebCore`WebCore::ScheduledAction::execute(this=0x000000011beeeac8, context=0x000000011a0160e0) + 67 at ScheduledAction.cpp:78
    frame #55: 0x000000010d6e4710 WebCore`WebCore::DOMTimer::fired(this=0x000000011bf5c9d8) + 896 at DOMTimer.cpp:396
    frame #56: 0x000000010ef6818c WebCore`WebCore::ThreadTimers::sharedTimerFiredInternal(this=0x000000011bfffa28) + 396 at ThreadTimers.cpp:132
    frame #57: 0x000000010ef67e49 WebCore`WebCore::ThreadTimers::sharedTimerFired() + 25 at ThreadTimers.cpp:107
    frame #58: 0x000000010ec145ef WebCore`WebCore::timerFired((null)=0x00007febb34a9cc0, (null)=0x0000000000000000) + 31 at SharedTimerMac.mm:124
    frame #59: 0x00007fff8db4bb64 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
    frame #60: 0x00007fff8db4b7f3 CoreFoundation`__CFRunLoopDoTimer + 1059
    frame #61: 0x00007fff8dbbedbd CoreFoundation`__CFRunLoopDoTimers + 301
    frame #62: 0x00007fff8db08288 CoreFoundation`__CFRunLoopRun + 2024
    frame #63: 0x00007fff8db07858 CoreFoundation`CFRunLoopRunSpecific + 296
    frame #64: 0x00007fff83f21b8f HIToolbox`RunCurrentEventLoopInMode + 235
    frame #65: 0x00007fff83f2190a HIToolbox`ReceiveNextEventCommon + 431
    frame #66: 0x00007fff83f2174b HIToolbox`_BlockUntilNextEventMatchingListInModeWithFilter + 71
    frame #67: 0x00007fff8f09477d AppKit`_DPSNextEvent + 964
    frame #68: 0x00007fff8f093f30 AppKit`-[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 194
    frame #69: 0x00007fff8f087d83 AppKit`-[NSApplication run] + 594
    frame #70: 0x00007fff8f073184 AppKit`NSApplicationMain + 1832
    frame #71: 0x0000000108450272 MiniBrowser`main(argc=1, argv=0x00007fff577b3988) + 34 at main.m:30
    frame #72: 0x00007fff88dac5c9 libdyld.dylib`start + 1
    frame #73: 0x00007fff88dac5c9 libdyld.dylib`start + 1
Comment 3 - zalan - 2015-01-09 15:56:42 PST
Created attachment 244380 [details]
Patch
Comment 4 - WebKit Commit Bot - 2015-01-09 18:12:01 PST
Comment on attachment 244380 [details]
Patch

Clearing flags on attachment: 244380

Committed r178231: <http://trac.webkit.org/changeset/178231>
Comment 5 - WebKit Commit Bot - 2015-01-09 18:12:14 PST
All reviewed patches have been landed. Closing bug.