Bug 143591 - Regression(r182603): editing/selection/selection-invalid-offset.html is crashing
Summary: Regression(r182603): editing/selection/selection-invalid-offset.html is crashing
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc. (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Chris Dumez
URL:
Keywords:
Depends on:
Blocks: 142536
Reported: 2015-04-09 17:15 PDT by Chris Dumez
Modified: 2015-04-09 17:40 PDT

See Also:


Attachments
Patch (1.44 KB, patch)
2015-04-09 17:17 PDT, Chris Dumez
no flags

Description Chris Dumez 2015-04-09 17:15:14 PDT
editing/selection/selection-invalid-offset.html is crashing:
Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000000

VM Regions Near 0:
--> 
    __TEXT                 00000001024ef000-00000001024f1000 [    8K] r-x/rwx SM=COW  /Volumes/VOLUME/*/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.Development.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development

Application Specific Information:
CRASHING TEST: editing/selection/selection-in-iframe-removed-crash.html

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x000000010bbe7c01 WebCore::FrameSelection::updateAndRevealSelection() + 337 (FrameSelection.cpp:385)
1   com.apple.WebCore             	0x000000010bbe6134 WebCore::FrameSelection::setSelection(WebCore::VisibleSelection const&, unsigned int, WebCore::FrameSelection::CursorAlignOnScroll, WebCore::TextGranularity) + 308 (FrameSelection.cpp:345)
2   com.apple.WebCore             	0x000000010bbe716c WebCore::FrameSelection::setSelectionWithoutUpdatingAppearance(WebCore::VisibleSelection const&, unsigned int, WebCore::FrameSelection::CursorAlignOnScroll, WebCore::TextGranularity) + 492 (FrameSelection.cpp:279)
3   com.apple.WebCore             	0x000000010bbe6043 WebCore::FrameSelection::setSelection(WebCore::VisibleSelection const&, unsigned int, WebCore::FrameSelection::CursorAlignOnScroll, WebCore::TextGranularity) + 67 (FrameSelection.cpp:325)
4   com.apple.WebCore             	0x000000010bbe63ac WebCore::FrameSelection::moveTo(WebCore::Range const*) + 252 (FrameSelection.cpp:159)
5   com.apple.WebCore             	0x000000010b973a5b WebCore::DOMSelection::addRange(WebCore::Range*) + 123 (DOMSelection.cpp:392)
6   com.apple.WebCore             	0x000000010c1f348c WebCore::jsDOMSelectionPrototypeFunctionAddRange(JSC::ExecState*) + 492 (JSDOMSelection.cpp:562)
7   ???                           	0x000024e7f1201028 0 + 40578601455656
8   com.apple.JavaScriptCore      	0x0000000109a39946 llint_entry + 25850
9   com.apple.JavaScriptCore      	0x0000000109a39946 llint_entry + 25850
10  com.apple.JavaScriptCore      	0x0000000109a33209 vmEntryToJavaScript + 361
11  com.apple.JavaScriptCore      	0x000000010989c69a JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 266 (JITCode.cpp:77)
12  com.apple.JavaScriptCore      	0x000000010987fd01 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) + 4849 (Interpreter.cpp:857)
13  com.apple.JavaScriptCore      	0x00000001093ceb00 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) + 480 (Completion.cpp:83)
14  com.apple.WebCore             	0x000000010c3bb075 WebCore::JSMainThreadExecState::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) + 69 (JSMainThreadExecState.h:62)
15  com.apple.WebCore             	0x000000010cdb49bd WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&) + 317 (ScriptController.cpp:165)
16  com.apple.WebCore             	0x000000010cdb6233 WebCore::ScriptController::executeScriptInWorld(WebCore::DOMWrapperWorld&, WTF::String const&, bool) + 307 (ScriptController.cpp:515)
17  com.apple.WebCore             	0x000000010cdaa9ef WebCore::ScheduledAction::execute(WebCore::Document&) + 351 (ScheduledAction.cpp:127)
18  com.apple.WebCore             	0x000000010cdaa863 WebCore::ScheduledAction::execute(WebCore::ScriptExecutionContext&) + 67 (ScheduledAction.cpp:78)
19  com.apple.WebCore             	0x000000010b979100 WebCore::DOMTimer::fired() + 896 (DOMTimer.cpp:399)
20  com.apple.WebCore             	0x000000010d21d09c WebCore::ThreadTimers::sharedTimerFiredInternal() + 396 (ThreadTimers.cpp:135)
21  com.apple.WebCore             	0x000000010d21cd59 WebCore::ThreadTimers::sharedTimerFired() + 25 (ThreadTimers.cpp:108)
22  com.apple.WebCore             	0x000000010c3d9a8a WebCore::timerFired(__CFRunLoopTimer*, void*) + 42 (SharedTimerCF.cpp:83)
23  com.apple.CoreFoundation      	0x00007fff8e9c03e4 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
24  com.apple.CoreFoundation      	0x00007fff8e9bff1f __CFRunLoopDoTimer + 1151
25  com.apple.CoreFoundation      	0x00007fff8ea315aa __CFRunLoopDoTimers + 298
26  com.apple.CoreFoundation      	0x00007fff8e97b6a5 __CFRunLoopRun + 1525
27  com.apple.CoreFoundation      	0x00007fff8e97ae75 CFRunLoopRunSpecific + 309
28  com.apple.HIToolbox           	0x00007fff85021a0d RunCurrentEventLoopInMode + 226
29  com.apple.HIToolbox           	0x00007fff850217b7 ReceiveNextEventCommon + 479
30  com.apple.HIToolbox           	0x00007fff850215bc _BlockUntilNextEventMatchingListInModeWithFilter + 65
31  com.apple.AppKit              	0x00007fff8ee8a24e _DPSNextEvent + 1434
32  com.apple.AppKit              	0x00007fff8ee8989b -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 122
33  com.apple.AppKit              	0x00007fff8ee7d99c -[NSApplication run] + 553
34  com.apple.AppKit              	0x00007fff8ee68783 NSApplicationMain + 940
35  com.apple.XPCService          	0x00007fff8cb13c0f _xpc_main + 385
36  libxpc.dylib                  	0x00007fff84dc1bde xpc_main + 399
37  com.apple.WebKit.WebContent.Development	0x00000001024f0195 main + 37
38  libdyld.dylib                 	0x00007fff8c6985fd start + 1
Comment 1 Chris Dumez 2015-04-09 17:17:17 PDT
Created attachment 250489 [details]
Patch
Comment 2 Chris Dumez 2015-04-09 17:40:23 PDT
Comment on attachment 250489 [details]
Patch

Clearing flags on attachment: 250489

Committed r182619: <http://trac.webkit.org/changeset/182619>
Comment 3 Chris Dumez 2015-04-09 17:40:29 PDT
All reviewed patches have been landed.  Closing bug.