WebKit Bugzilla
Bug 149299: Null dereference loading Blink layout test editing/inserting/insert-with-mutation-event.html
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=149299
Jon Honeycutt, Reported 2015-09-17 14:56:36 PDT

Created attachment 261434 [details]
crashing test

Null dereference loading Blink layout test editing/inserting/insert-with-mutation-event.html.

Stack trace:

Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000348
Exception Note: EXC_CORPSE_NOTIFY

VM Regions Near 0x348:
--> __TEXT 00000001029e4000-00000001029e6000 [ 8K] r-x/rwx SM=COW /Users/USER/*/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.Development.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development

Application Specific Information:
CRASHING TEST: temp-tests/editing/inserting/insert-with-mutation-event.html

Global Trace Buffer (reverse chronological seconds):
40.565241 CFNetwork 0x00007fff88d43b97 Explicitly setting CF cookie storage singleton
40.565623 CFNetwork 0x00007fff88d8f211 Explicitly setting cookie storage singleton

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.WebCore 0x000000010aa177da WebCore::SimpleEditCommand::SimpleEditCommand(WebCore::Document&, WebCore::EditAction) + 90 (memory:2635)
1 com.apple.WebCore 0x000000010b4afde5 WebCore::SplitTextNodeCommand::SplitTextNodeCommand(WTF::PassRefPtr<WebCore::Text>, int) + 37 (SplitTextNodeCommand.cpp:40)
2 com.apple.WebCore 0x000000010a80317f WebCore::CompositeEditCommand::splitTextNode(WTF::PassRefPtr<WebCore::Text>, unsigned int) + 63 (StdLibExtras.h:366)
3 com.apple.WebCore 0x000000010a7527a1 WebCore::ApplyStyleCommand::splitTextAtStart(WebCore::Position const&, WebCore::Position const&) + 161 (StdLibExtras.h:366)
4 com.apple.WebCore 0x000000010a750963 WebCore::ApplyStyleCommand::applyInlineStyle(WebCore::EditingStyle*) + 723 (ApplyStyleCommand.cpp:189)
5 com.apple.WebCore 0x000000010a74e0fd WebCore::ApplyStyleCommand::doApply() + 173 (PassRefPtr.h:41)
6 com.apple.WebCore 0x000000010a80252b WebCore::CompositeEditCommand::applyCommandToComposite(WTF::PassRefPtr<WebCore::EditCommand>) + 43 (CompositeEditCommand.cpp:281)
7 com.apple.WebCore 0x000000010a8026dc WebCore::CompositeEditCommand::applyStyle(WebCore::EditingStyle const*, WebCore::EditAction) + 76 (StdLibExtras.h:366)
8 com.apple.WebCore 0x000000010ac8912d WebCore::InsertTextCommand::doApply() + 2205 (RefCounted.h:99)
9 com.apple.WebCore 0x000000010a802630 WebCore::CompositeEditCommand::applyCommandToComposite(WTF::PassRefPtr<WebCore::CompositeEditCommand>, WebCore::VisibleSelection const&) + 80 (CompositeEditCommand.cpp:296)
10 com.apple.WebCore 0x000000010b64dc13 WebCore::TypingCommand::insertTextRunWithoutNewlines(WTF::String const&, bool) + 115 (StdLibExtras.h:366)
11 com.apple.WebCore 0x000000010b64e091 void WebCore::forEachLineInString<WebCore::TypingCommandLineOperation>(WTF::String const&, WebCore::TypingCommandLineOperation const&) + 257 (StdLibExtras.h:366)
12 com.apple.WebCore 0x000000010b64cae8 WebCore::TypingCommand::insertText(WebCore::Document&, WTF::String const&, WebCore::VisibleSelection const&, unsigned int, WebCore::TypingCommand::TextCompositionType) + 440 (RefCounted.h:99)
13 com.apple.WebCore 0x000000010aa3629a WebCore::executeInsertText(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) + 26 (EditorCommand.cpp:535)
14 com.apple.WebCore 0x000000010aa34876 WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const + 182 (EditorCommand.cpp:1704)
15 com.apple.WebCore 0x000000010a96dc36 WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) + 214 (Document.cpp:4666)
16 com.apple.WebCore 0x000000010ad84074 WebCore::jsDocumentPrototypeFunctionExecCommand(JSC::ExecState*) + 420 (JSCJSValue.h:499)
17 ??? 0x00002c99c3201028 0 + 49038915276840
18 com.apple.JavaScriptCore 0x000000010a0e076f llint_entry + 22696
19 com.apple.JavaScriptCore 0x000000010a0dace4 vmEntryToJavaScript + 299
20 com.apple.JavaScriptCore 0x0000000109f9b2d9 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 169 (JITCode.cpp:82)
21 com.apple.JavaScriptCore 0x0000000109f81a10 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) + 10448 (Interpreter.cpp:945)
22 com.apple.JavaScriptCore 0x0000000109c944c5 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) + 469 (Completion.cpp:104)
23 com.apple.WebCore 0x000000010b3f78ec WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&) + 284 (JSMainThreadExecState.h:62)
24 com.apple.WebCore 0x000000010b3f7b29 WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&) + 41 (ScriptController.cpp:180)
25 com.apple.WebCore 0x000000010b3fdaac WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) + 316 (ScriptElement.cpp:309)
26 com.apple.WebCore 0x000000010b3fc756 WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport) + 1046 (StdLibExtras.h:366)
27 com.apple.WebCore 0x000000010abf95eb WebCore::HTMLScriptRunner::runScript(WebCore::Element*, WTF::TextPosition const&) + 347 (ScriptElement.h:58)
28 com.apple.WebCore 0x000000010abf9440 WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element>, WTF::TextPosition const&) + 48 (HTMLScriptRunner.cpp:191)
29 com.apple.WebCore 0x000000010ab9c466 WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() + 86 (StdLibExtras.h:366)
30 com.apple.WebCore 0x000000010ab9c52d WebCore::HTMLDocumentParser::canTakeNextToken(WebCore::HTMLDocumentParser::SynchronousMode, WebCore::PumpSession&) + 93 (HTMLDocumentParser.cpp:214)
31 com.apple.WebCore 0x000000010ab9c0c3 WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) + 595 (HTMLDocumentParser.cpp:259)
32 com.apple.WebCore 0x000000010ab9cddd WebCore::HTMLDocumentParser::append(WTF::PassRefPtr<WTF::StringImpl>) + 669 (DocumentParser.h:71)
33 com.apple.WebCore 0x000000010a93f61c WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&) + 92 (StdLibExtras.h:366)
34 com.apple.WebCore 0x000000010a99f68b WebCore::DocumentWriter::end() + 43 (RefPtr.h:71)
35 com.apple.WebCore 0x000000010a9879ec WebCore::DocumentLoader::finishedLoading(double) + 268 (ResourceErrorBase.h:42)
36 com.apple.WebCore 0x000000010a7b8179 WebCore::CachedResource::checkNotify() + 153 (CachedResourceClientWalker.h:51)
37 com.apple.WebCore 0x000000010a7b4433 WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) + 227 (CachedRawResource.cpp:104)
38 com.apple.WebCore 0x000000010b52f501 WebCore::SubresourceLoader::didFinishLoading(double) + 1153 (ResourceLoader.h:154)
39 com.apple.WebKit 0x000000010907598d WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::MessageDecoder&) + 561 (HandleMessage.h:16)
40 com.apple.WebKit 0x0000000108e4f1f1 IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) + 127 (memory:2636)
41 com.apple.WebKit 0x0000000108e51b4a IPC::Connection::dispatchOneMessage() + 126 (memory:2656)
42 com.apple.JavaScriptCore 0x000000010a293985 WTF::RunLoop::performWork() + 437 (functional:1742)
43 com.apple.JavaScriptCore 0x000000010a293d32 WTF::RunLoop::performWork(void*) + 34 (RunLoopCF.cpp:39)
44 com.apple.CoreFoundation 0x00007fff949e2c01 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
45 com.apple.CoreFoundation 0x00007fff949d4b1c __CFRunLoopDoSources0 + 556
46 com.apple.CoreFoundation 0x00007fff949d403f __CFRunLoopRun + 927
47 com.apple.CoreFoundation 0x00007fff949d3a38 CFRunLoopRunSpecific + 296
48 com.apple.HIToolbox 0x00007fff88e673bd RunCurrentEventLoopInMode + 235
49 com.apple.HIToolbox 0x00007fff88e67153 ReceiveNextEventCommon + 432
50 com.apple.HIToolbox 0x00007fff88e66f93 _BlockUntilNextEventMatchingListInModeWithFilter + 71
51 com.apple.AppKit 0x00007fff870b81e7 _DPSNextEvent + 1076
52 com.apple.AppKit 0x00007fff8748490d -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 454
53 com.apple.AppKit 0x00007fff870ae0b8 -[NSApplication run] + 682
54 com.apple.AppKit 0x00007fff87030396 NSApplicationMain + 1176
55 libxpc.dylib 0x00007fff8c70ff70 _xpc_objc_main + 793
56 libxpc.dylib 0x00007fff8c7116bf xpc_main + 494
57 com.apple.WebKit.WebContent.Development 0x00000001029e5424 main + 409 (XPCServiceMain.Development.mm:187)
58 libdyld.dylib 0x00007fff93aa15ad start + 1
Attachments
crashing test (706 bytes, text/html), 2015-09-17 14:56 PDT, Jon Honeycutt, no flags
Patch (3.62 KB, patch), 2015-10-09 17:24 PDT, Jiewen Tan, no flags
Radar WebKit Bug Importer, Comment 1, 2015-09-17 14:56:53 PDT

<rdar://problem/22746995>
Jiewen Tan, Comment 2, 2015-10-09 17:24:31 PDT

Created attachment 262804 [details]
Patch
Andreas Kling, Comment 3, 2015-10-13 08:36:58 PDT

Comment on attachment 262804 [details]
Patch

r=me
Jiewen Tan, Comment 4, 2015-10-13 14:55:28 PDT

Jiewens-Mac-Pro:LayoutTests jwtan$ run-webkit-tests -g --repeat-each=10 http/tests/misc/detach-during-notifyDone.html
Using port 'mac-elcapitan-wk2'
Test configuration: <elcapitan, x86_64, debug>
Placing test results in /Users/jwtan/Documents/Build/Products/Debug/layout-test-results
Baseline search path: mac-wk2 -> wk2 -> mac -> generic
Using Debug build
Pixel tests disabled
Regular timeout: 350000, slow test timeout: 1750000
Command line: /Users/jwtan/Documents/Build/Products/Debug/WebKitTestRunner -
--lint-test-files warnings:
LayoutTests/platform/mac/TestExpectations:973 Path does not exist. media/video-double.html
Found 1 test; running 1 (10 times each: --repeat-each=10 --iterations=1), skipping 0.
Running 1 WebKitTestRunner.
[2/10] http/tests/misc/detach-during-notifyDone.html failed unexpectedly (com.apple.WebKit.WebContent.Development crashed [pid=89460])
[4/10] http/tests/misc/detach-during-notifyDone.html failed unexpectedly (com.apple.WebKit.WebContent.Development crashed [pid=89557])
[6/10] http/tests/misc/detach-during-notifyDone.html failed unexpectedly (com.apple.WebKit.WebContent.Development crashed [pid=89562])
[8/10] http/tests/misc/detach-during-notifyDone.html failed unexpectedly (com.apple.WebKit.WebContent.Development crashed [pid=89566])
[10/10] http/tests/misc/detach-during-notifyDone.html failed unexpectedly (com.apple.WebKit.WebContent.Development crashed [pid=89571])
Retrying 1 unexpected failure ...
Running 1 WebKitTestRunner.
5 tests ran as expected, 5 didn't:
Regressions: Unexpected crashes (1)
http/tests/misc/detach-during-notifyDone.html [ Crash ]
Jiewen Tan, Comment 5, 2015-10-13 14:56:13 PDT

Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000bd8
Exception Note: EXC_CORPSE_NOTIFY

Application Specific Information:
This process is running with libgmalloc.dylib (GuardMalloc) which may have forced the crash due to a memory access error.
CRASHING TEST: /misc/detach-during-notifyDone.html

Global Trace Buffer (reverse chronological seconds):
18446743968.919937 CFNetwork 0x00007fff929903eb Explicitly setting CF cookie storage singleton
18446743968.920921 CFNetwork 0x00007fff929c6c85 Explicitly setting cookie storage singleton

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.WebKit 0x000000011c79b28c WebKit::WebDocumentLoader::navigationID() const + 12 (WebDocumentLoader.h:40)
1 com.apple.WebKit 0x000000011c79590d WebKit::WebFrameLoaderClient::dispatchDidFinishLoad() + 173 (WebFrameLoaderClient.cpp:553)
2 com.apple.WebCore 0x00000001222a489d WebCore::FrameLoader::checkLoadCompleteForThisFrame() + 1853 (FrameLoader.cpp:2283)
3 com.apple.WebCore 0x000000012229c8e0 WebCore::FrameLoader::checkLoadComplete() + 320 (FrameLoader.cpp:2461)
4 com.apple.WebCore 0x0000000121f6c51f WebCore::DocumentLoader::finishedLoading(double) + 495 (DocumentLoader.cpp:446)
5 com.apple.WebCore 0x0000000121f6c29e WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource*) + 270 (DocumentLoader.cpp:385)
6 com.apple.WebCore 0x0000000121b20622 WebCore::CachedResource::checkNotify() + 130 (CachedResource.cpp:296)
7 com.apple.WebCore 0x0000000121b20731 WebCore::CachedResource::finishLoading(WebCore::SharedBuffer*) + 49 (CachedResource.cpp:314)
8 com.apple.WebCore 0x0000000121b1c16a WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) + 218 (CachedRawResource.cpp:104)
9 com.apple.WebCore 0x0000000123861295 WebCore::SubresourceLoader::didFinishLoading(double) + 517 (SubresourceLoader.cpp:374)
10 com.apple.WebKit 0x000000011caad877 WebKit::WebResourceLoader::didFinishResourceLoad(double) + 151 (WebResourceLoader.cpp:156)
11 com.apple.WebKit 0x000000011cab2d43 void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>, 0ul>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>&&, std::index_sequence<0ul>) + 163 (HandleMessage.h:17)
12 com.apple.WebKit 0x000000011cab2c98 void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>, std::make_index_sequence<1ul> >(std::__1::tuple<double>&&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) + 88 (HandleMessage.h:23)
13 com.apple.WebKit 0x000000011cab1dcd void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double)>(IPC::MessageDecoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) + 221 (HandleMessage.h:93)
14 com.apple.WebKit 0x000000011cab157c WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::MessageDecoder&) + 636 (WebResourceLoaderMessageReceiver.cpp:68)
15 com.apple.WebKit 0x000000011c3b8410 WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::MessageDecoder&) + 160 (NetworkProcessConnection.cpp:62)
16 com.apple.WebKit 0x000000011c16f023 IPC::Connection::dispatchMessage(IPC::MessageDecoder&) + 51 (Connection.cpp:901)
17 com.apple.WebKit 0x000000011c165f51 IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) + 785 (Connection.cpp:933)
18 com.apple.WebKit 0x000000011c16f61f IPC::Connection::dispatchOneMessage() + 1519 (Connection.cpp:962)
19 com.apple.WebKit 0x000000011c18097d IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10::operator()() const + 29 (Connection.cpp:895)
20 com.apple.WebKit 0x000000011c18094d void std::__1::__invoke_void_return_wrapper<void>::__call<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10&>(IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10&&&) + 45 (__functional_base:441)
21 com.apple.WebKit 0x000000011c18079c std::__1::__function::__func<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10, std::__1::allocator<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10>, void ()>::operator()() + 44 (functional:1407)
22 com.apple.JavaScriptCore 0x000000011f95368a std::__1::function<void ()>::operator()() const + 26 (functional:1793)
23 com.apple.JavaScriptCore 0x000000011fef6fed WTF::RunLoop::performWork() + 621 (RunLoop.cpp:122)
24 com.apple.JavaScriptCore 0x000000011fef75f4 WTF::RunLoop::performWork(void*) + 36 (RunLoopCF.cpp:38)
25 com.apple.CoreFoundation 0x00007fff88dea621 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
26 com.apple.CoreFoundation 0x00007fff88dc9e1c __CFRunLoopDoSources0 + 556
27 com.apple.CoreFoundation 0x00007fff88dc933f __CFRunLoopRun + 927
28 com.apple.CoreFoundation 0x00007fff88dc8d38 CFRunLoopRunSpecific + 296
29 com.apple.HIToolbox 0x00007fff83b01d55 RunCurrentEventLoopInMode + 235
30 com.apple.HIToolbox 0x00007fff83b01b8f ReceiveNextEventCommon + 432
31 com.apple.HIToolbox 0x00007fff83b019cf _BlockUntilNextEventMatchingListInModeWithFilter + 71
32 com.apple.AppKit 0x00007fff8a645f3a _DPSNextEvent + 1067
33 com.apple.AppKit 0x00007fff8a645369 -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 454
34 com.apple.AppKit 0x00007fff8a639ecc -[NSApplication run] + 682
35 com.apple.AppKit 0x00007fff8a603162 NSApplicationMain + 1176
36 libxpc.dylib 0x00007fff970904f2 _xpc_objc_main + 793
37 libxpc.dylib 0x00007fff9708ef1e xpc_main + 494
38 com.apple.WebKit.WebContent.Development 0x000000010fca2be1 main + 785 (XPCServiceMain.Development.mm:187)
39 libdyld.dylib 0x00007fff84d425ad start + 1
Jiewen Tan, Comment 6, 2015-10-13 15:00:41 PDT

Please ignore the previous two comments.
WebKit Commit Bot, Comment 7, 2015-10-14 13:11:55 PDT

Comment on attachment 262804 [details]
Patch

Clearing flags on attachment: 262804

Committed r191066: <http://trac.webkit.org/changeset/191066>
WebKit Commit Bot, Comment 8, 2015-10-14 13:12:00 PDT

All reviewed patches have been landed. Closing bug.