Bug 140506 - Crash in is<> Template due to corrupted/garbage WebCore::HTMLNames::selectTag
Summary: Crash in is<> Template due to corrupted/garbage WebCore::HTMLNames::selectTag
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: 528+ (Nightly build)
Hardware: PC All
Importance: P2 Major
Assignee: Nobody
Depends on: 113220
Reported: 2015-01-15 13:06 PST by Brent Fulgham
Modified: 2017-08-30 21:10 PDT
Description Brent Fulgham 2015-01-15 13:06:33 PST
The test 'fast/forms/select/popup-closes-on-blur.html' crashes with the following stack trace:

 	DumpRenderTree.dll!std::unique_ptr<WTF::HashMap<int,WTF::RefPtr<JSC::WatchpointSet>,WTF::IntHash<int>,WTF::UnsignedWithZeroKeyHashTraits<int>,WTF::HashTraits<WTF::RefPtr<JSC::WatchpointSet> > >,std::default_delete<WTF::HashMap<int,WTF::RefPtr<JSC::WatchpointSet>,WTF::IntHash<int>,WTF::UnsignedWithZeroKeyHashTraits<int>,WTF::HashTraits<WTF::RefPtr<JSC::WatchpointSet> > > > >::get() Line 1453	C++
 	DumpRenderTree.dll!WTF::Vector<COMPtr<IUnknown>,0,WTF::CrashOnOverflow>::data() Line 643	C++
 	DumpRenderTree.dll!WTF::Vector<std::unique_ptr<tagSTGMEDIUM,StgMediumDeleter>,0,WTF::CrashOnOverflow>::begin() Line 647	C++
 	DumpRenderTree.dll!WTF::operator==(const WTF::AtomicString & a, const WTF::AtomicString & b) Line 224	C++
 	DumpRenderTree.dll!WebCore::Element::hasLocalName(const WTF::AtomicString & other) Line 260	C++
 	DumpRenderTree.dll!WebCore::HTMLElement::hasTagName(const WebCore::HTMLQualifiedName & name) Line 99	C++
 	DumpRenderTree.dll!WebCore::Node::hasTagName(const WebCore::HTMLQualifiedName & name) Line 145	C++
>	DumpRenderTree.dll!WTF::TypeCastTraits<WebCore::HTMLSelectElement const ,WebCore::Node const ,0>::checkTagName(const WebCore::Node & node) Line 689	C++
 	DumpRenderTree.dll!WTF::TypeCastTraits<WebCore::HTMLSelectElement const ,WebCore::Node const ,0>::isOfType(const WebCore::Node & node) Line 686	C++
 	DumpRenderTree.dll!WTF::is<WebCore::HTMLSelectElement,WebCore::Node>(WebCore::Node & source) Line 59	C++
 	DumpRenderTree.dll!WebCore::Internals::isSelectPopupVisible(WebCore::Node * node) Line 2166	C++
 	DumpRenderTree.dll!WebCore::jsInternalsPrototypeFunctionIsSelectPopupVisible(JSC::ExecState * exec) Line 3424	C++
 	[External Code]	
 	[Frames below may be incorrect and/or missing]	
 	JavaScriptCore.dll!llint_entry() Line 7211	Unknown
 	JavaScriptCore.dll!vmEntryToJavaScript() Line 109	Unknown
 	JavaScriptCore.dll!JSC::JITCode::execute(JSC::VM * vm, JSC::ProtoCallFrame * protoCallFrame) Line 77	C++
 	JavaScriptCore.dll!JSC::Interpreter::execute(JSC::EvalExecutable * eval, JSC::ExecState * callFrame, JSC::JSValue thisValue, JSC::JSScope * scope) Line 1201	C++
 	JavaScriptCore.dll!JSC::eval(JSC::ExecState * callFrame) Line 134	C++
 	JavaScriptCore.dll!llint_slow_path_call_eval(JSC::ExecState * exec, JSC::Instruction * pc) Line 1248	C++
 	JavaScriptCore.dll!llint_entry() Line 7424	Unknown
 	[External Code]	
 	JavaScriptCore.dll!llint_entry() Line 7211	Unknown
 	JavaScriptCore.dll!llint_entry() Line 7211	Unknown
 	JavaScriptCore.dll!vmEntryToJavaScript() Line 109	Unknown
 	JavaScriptCore.dll!JSC::JITCode::execute(JSC::VM * vm, JSC::ProtoCallFrame * protoCallFrame) Line 77	C++
 	JavaScriptCore.dll!JSC::Interpreter::execute(JSC::ProgramExecutable * program, JSC::ExecState * callFrame, JSC::JSObject * thisObj) Line 914	C++
 	JavaScriptCore.dll!JSC::evaluate(JSC::ExecState * exec, const JSC::SourceCode & source, JSC::JSValue thisValue, JSC::JSValue * returnedException) Line 83	C++
 	WebKit.dll!WebCore::JSMainThreadExecState::evaluate(JSC::ExecState * exec, const JSC::SourceCode & source, JSC::JSValue thisValue, JSC::JSValue * exception) Line 62	C++
 	WebKit.dll!WebCore::ScriptController::evaluateInWorld(const WebCore::ScriptSourceCode & sourceCode, WebCore::DOMWrapperWorld & world) Line 150	C++
 	WebKit.dll!WebCore::ScriptController::evaluate(const WebCore::ScriptSourceCode & sourceCode) Line 166	C++
 	WebKit.dll!WebCore::ScriptElement::executeScript(const WebCore::ScriptSourceCode & sourceCode) Line 301	C++
 	WebKit.dll!WebCore::ScriptElement::prepareScript(const WTF::TextPosition & scriptStartPosition, WebCore::ScriptElement::LegacyTypeSupport supportLegacyTypes) Line 237	C++
 	WebKit.dll!WebCore::HTMLScriptRunner::runScript(WebCore::Element * script, const WTF::TextPosition & scriptStartPosition) Line 304	C++
 	WebKit.dll!WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element> scriptElement, const WTF::TextPosition & scriptStartPosition) Line 177	C++
 	WebKit.dll!WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() Line 197	C++
 	WebKit.dll!WebCore::HTMLDocumentParser::canTakeNextToken(WebCore::HTMLDocumentParser::SynchronousMode mode, WebCore::PumpSession & session) Line 214	C++
 	WebKit.dll!WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode mode) Line 259	C++
 	WebKit.dll!WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode mode) Line 167	C++
 	WebKit.dll!WebCore::HTMLDocumentParser::resumeParsingAfterScriptExecution() Line 492	C++
 	WebKit.dll!WebCore::HTMLDocumentParser::notifyFinished(WebCore::CachedResource * cachedResource) Line 532	C++
 	WebKit.dll!WebCore::CachedResource::checkNotify() Line 294	C++
 	WebKit.dll!WebCore::CachedResource::finishLoading(WebCore::SharedBuffer * __formal) Line 311	C++
 	WebKit.dll!WebCore::CachedScript::finishLoading(WebCore::SharedBuffer * data) Line 87	C++
 	WebKit.dll!WebCore::SubresourceLoader::didFinishLoading(double finishTime) Line 357	C++
 	WebKit.dll!WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle * __formal, double finishTime) Line 503	C++
 	WebKit.dll!WebCore::SynchronousResourceHandleCFURLConnectionDelegate::didFinishLoading() Line 181	C++
 	WebKit.dll!WebCore::ResourceHandleCFURLConnectionDelegate::didFinishLoadingCallback(_CFURLConnection * __formal, const void * clientInfo) Line 88	C++
 	CFNetwork.dll!URLConnectionClient::_clientDidFinishLoading(URLConnectionClient::ClientConnectionEventQueue * preQ) Line 1739	C++
 	CFNetwork.dll!URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<enum XClientEvent,XClientEventParams> * e, long count) Line 2256	C++
 	CFNetwork.dll!XConnectionEventQueue<enum XClientEvent,XClientEventParams>::processAllEvents() Line 231	C++
 	CFNetwork.dll!URLConnectionClient::processEvents() Line 362	C++
 	CFNetwork.dll!URLConnectionWndProc(HWND__ * hWnd, unsigned int message, unsigned int wParam, long lParam) Line 109	C++
 	[External Code]	
 	DumpRenderTree.dll!runTest(const std::basic_string<char,std::char_traits<char>,std::allocator<char> > & inputLine) Line 1130	C++
 	DumpRenderTree.dll!main(int argc, const char * * argv) Line 1488	C++
 	DumpRenderTree.dll!dllLauncherEntryPoint(int argc, const char * * argv) Line 1518	C++
 	DumpRenderTree.exe!main(int argc, const char * * argv) Line 239	C++
 	[External Code]	

The crash is happening because the contents of WebCore::HTMLNames::selectTag is garbage.
Comment 1 Brent Fulgham 2015-01-15 13:07:22 PST
May have been introduced in https://bugs.webkit.org/show_bug.cgi?id=113220.
Comment 2 Michael Catanzaro 2017-08-30 21:10:23 PDT
I have one report of this from a Linux user. Only one, so I'd say it's low priority.

Truncated backtrace:
Thread no. 1 (10 frames)
 #0 WTF::RefPtr<WTF::StringImpl>::get at /usr/src/debug/webkitgtk-2.16.2/Source/WTF/wtf/RefPtr.h:64
 #1 WTF::String::impl at /usr/src/debug/webkitgtk-2.16.2/Source/WTF/wtf/text/WTFString.h:150
 #2 WTF::AtomicString::impl at /usr/src/debug/webkitgtk-2.16.2/Source/WTF/wtf/text/AtomicString.h:98
 #3 WTF::operator== at /usr/src/debug/webkitgtk-2.16.2/Source/WTF/wtf/text/AtomicString.h:202
 #4 WebCore::Element::hasLocalName at /usr/src/debug/webkitgtk-2.16.2/Source/WebCore/dom/Element.h:214
 #5 WebCore::HTMLElement::hasTagName at /usr/src/debug/webkitgtk-2.16.2/Source/WebCore/html/HTMLElement.h:91
 #6 WebCore::Node::hasTagName at /usr/src/debug/webkitgtk-2.16.2/Source/WebCore/html/HTMLElement.h:158
 #7 WTF::TypeCastTraits<WebCore::HTMLOptionElement const, WebCore::ContainerNode const, false>::checkTagName at /usr/src/debug/webkitgtk-2.16.2/x86_64-redhat-linux-gnu/DerivedSources/WebCore/HTMLElementTypeHelpers.h:619
 #8 WTF::TypeCastTraits<WebCore::HTMLOptionElement const, WebCore::ContainerNode const, false>::isOfType at /usr/src/debug/webkitgtk-2.16.2/x86_64-redhat-linux-gnu/DerivedSources/WebCore/HTMLElementTypeHelpers.h:616
 #9 WTF::is<WebCore::HTMLOptionElement, WebCore::ContainerNode> at /usr/src/debug/webkitgtk-2.16.2/Source/WTF/wtf/TypeCasts.h:59