Bug 149299 - Null dereference loading Blink layout test editing/inserting/insert-with-mutation-event.html
Summary: Null dereference loading Blink layout test editing/inserting/insert-with-muta...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: HTML Editing
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Jiewen Tan
URL:
Keywords: BlinkMergeCandidate, HasReduction, InRadar
Depends on:
Blocks:
 
Reported: 2015-09-17 14:56 PDT by Jon Honeycutt
Modified: 2015-10-14 13:12 PDT
CC: 6 users

See Also:


Attachments
crashing test (706 bytes, text/html)
2015-09-17 14:56 PDT, Jon Honeycutt
no flags
Patch (3.62 KB, patch)
2015-10-09 17:24 PDT, Jiewen Tan
no flags

Description Jon Honeycutt 2015-09-17 14:56:36 PDT
Created attachment 261434 [details]
crashing test

Null dereference loading Blink layout test editing/inserting/insert-with-mutation-event.html.

Stack trace:

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000348
Exception Note:        EXC_CORPSE_NOTIFY

VM Regions Near 0x348:
--> 
    __TEXT                 00000001029e4000-00000001029e6000 [    8K] r-x/rwx SM=COW  /Users/USER/*/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.Development.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development

Application Specific Information:
CRASHING TEST: temp-tests/editing/inserting/insert-with-mutation-event.html

Global Trace Buffer (reverse chronological seconds):
40.565241    CFNetwork                 	0x00007fff88d43b97 Explicitly setting CF cookie storage singleton
40.565623    CFNetwork                 	0x00007fff88d8f211 Explicitly setting cookie storage singleton

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x000000010aa177da WebCore::SimpleEditCommand::SimpleEditCommand(WebCore::Document&, WebCore::EditAction) + 90 (memory:2635)
1   com.apple.WebCore             	0x000000010b4afde5 WebCore::SplitTextNodeCommand::SplitTextNodeCommand(WTF::PassRefPtr<WebCore::Text>, int) + 37 (SplitTextNodeCommand.cpp:40)
2   com.apple.WebCore             	0x000000010a80317f WebCore::CompositeEditCommand::splitTextNode(WTF::PassRefPtr<WebCore::Text>, unsigned int) + 63 (StdLibExtras.h:366)
3   com.apple.WebCore             	0x000000010a7527a1 WebCore::ApplyStyleCommand::splitTextAtStart(WebCore::Position const&, WebCore::Position const&) + 161 (StdLibExtras.h:366)
4   com.apple.WebCore             	0x000000010a750963 WebCore::ApplyStyleCommand::applyInlineStyle(WebCore::EditingStyle*) + 723 (ApplyStyleCommand.cpp:189)
5   com.apple.WebCore             	0x000000010a74e0fd WebCore::ApplyStyleCommand::doApply() + 173 (PassRefPtr.h:41)
6   com.apple.WebCore             	0x000000010a80252b WebCore::CompositeEditCommand::applyCommandToComposite(WTF::PassRefPtr<WebCore::EditCommand>) + 43 (CompositeEditCommand.cpp:281)
7   com.apple.WebCore             	0x000000010a8026dc WebCore::CompositeEditCommand::applyStyle(WebCore::EditingStyle const*, WebCore::EditAction) + 76 (StdLibExtras.h:366)
8   com.apple.WebCore             	0x000000010ac8912d WebCore::InsertTextCommand::doApply() + 2205 (RefCounted.h:99)
9   com.apple.WebCore             	0x000000010a802630 WebCore::CompositeEditCommand::applyCommandToComposite(WTF::PassRefPtr<WebCore::CompositeEditCommand>, WebCore::VisibleSelection const&) + 80 (CompositeEditCommand.cpp:296)
10  com.apple.WebCore             	0x000000010b64dc13 WebCore::TypingCommand::insertTextRunWithoutNewlines(WTF::String const&, bool) + 115 (StdLibExtras.h:366)
11  com.apple.WebCore             	0x000000010b64e091 void WebCore::forEachLineInString<WebCore::TypingCommandLineOperation>(WTF::String const&, WebCore::TypingCommandLineOperation const&) + 257 (StdLibExtras.h:366)
12  com.apple.WebCore             	0x000000010b64cae8 WebCore::TypingCommand::insertText(WebCore::Document&, WTF::String const&, WebCore::VisibleSelection const&, unsigned int, WebCore::TypingCommand::TextCompositionType) + 440 (RefCounted.h:99)
13  com.apple.WebCore             	0x000000010aa3629a WebCore::executeInsertText(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) + 26 (EditorCommand.cpp:535)
14  com.apple.WebCore             	0x000000010aa34876 WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const + 182 (EditorCommand.cpp:1704)
15  com.apple.WebCore             	0x000000010a96dc36 WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) + 214 (Document.cpp:4666)
16  com.apple.WebCore             	0x000000010ad84074 WebCore::jsDocumentPrototypeFunctionExecCommand(JSC::ExecState*) + 420 (JSCJSValue.h:499)
17  ???                           	0x00002c99c3201028 0 + 49038915276840
18  com.apple.JavaScriptCore      	0x000000010a0e076f llint_entry + 22696
19  com.apple.JavaScriptCore      	0x000000010a0dace4 vmEntryToJavaScript + 299
20  com.apple.JavaScriptCore      	0x0000000109f9b2d9 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 169 (JITCode.cpp:82)
21  com.apple.JavaScriptCore      	0x0000000109f81a10 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) + 10448 (Interpreter.cpp:945)
22  com.apple.JavaScriptCore      	0x0000000109c944c5 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) + 469 (Completion.cpp:104)
23  com.apple.WebCore             	0x000000010b3f78ec WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&) + 284 (JSMainThreadExecState.h:62)
24  com.apple.WebCore             	0x000000010b3f7b29 WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&) + 41 (ScriptController.cpp:180)
25  com.apple.WebCore             	0x000000010b3fdaac WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) + 316 (ScriptElement.cpp:309)
26  com.apple.WebCore             	0x000000010b3fc756 WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport) + 1046 (StdLibExtras.h:366)
27  com.apple.WebCore             	0x000000010abf95eb WebCore::HTMLScriptRunner::runScript(WebCore::Element*, WTF::TextPosition const&) + 347 (ScriptElement.h:58)
28  com.apple.WebCore             	0x000000010abf9440 WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element>, WTF::TextPosition const&) + 48 (HTMLScriptRunner.cpp:191)
29  com.apple.WebCore             	0x000000010ab9c466 WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() + 86 (StdLibExtras.h:366)
30  com.apple.WebCore             	0x000000010ab9c52d WebCore::HTMLDocumentParser::canTakeNextToken(WebCore::HTMLDocumentParser::SynchronousMode, WebCore::PumpSession&) + 93 (HTMLDocumentParser.cpp:214)
31  com.apple.WebCore             	0x000000010ab9c0c3 WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) + 595 (HTMLDocumentParser.cpp:259)
32  com.apple.WebCore             	0x000000010ab9cddd WebCore::HTMLDocumentParser::append(WTF::PassRefPtr<WTF::StringImpl>) + 669 (DocumentParser.h:71)
33  com.apple.WebCore             	0x000000010a93f61c WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&) + 92 (StdLibExtras.h:366)
34  com.apple.WebCore             	0x000000010a99f68b WebCore::DocumentWriter::end() + 43 (RefPtr.h:71)
35  com.apple.WebCore             	0x000000010a9879ec WebCore::DocumentLoader::finishedLoading(double) + 268 (ResourceErrorBase.h:42)
36  com.apple.WebCore             	0x000000010a7b8179 WebCore::CachedResource::checkNotify() + 153 (CachedResourceClientWalker.h:51)
37  com.apple.WebCore             	0x000000010a7b4433 WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) + 227 (CachedRawResource.cpp:104)
38  com.apple.WebCore             	0x000000010b52f501 WebCore::SubresourceLoader::didFinishLoading(double) + 1153 (ResourceLoader.h:154)
39  com.apple.WebKit              	0x000000010907598d WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::MessageDecoder&) + 561 (HandleMessage.h:16)
40  com.apple.WebKit              	0x0000000108e4f1f1 IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) + 127 (memory:2636)
41  com.apple.WebKit              	0x0000000108e51b4a IPC::Connection::dispatchOneMessage() + 126 (memory:2656)
42  com.apple.JavaScriptCore      	0x000000010a293985 WTF::RunLoop::performWork() + 437 (functional:1742)
43  com.apple.JavaScriptCore      	0x000000010a293d32 WTF::RunLoop::performWork(void*) + 34 (RunLoopCF.cpp:39)
44  com.apple.CoreFoundation      	0x00007fff949e2c01 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
45  com.apple.CoreFoundation      	0x00007fff949d4b1c __CFRunLoopDoSources0 + 556
46  com.apple.CoreFoundation      	0x00007fff949d403f __CFRunLoopRun + 927
47  com.apple.CoreFoundation      	0x00007fff949d3a38 CFRunLoopRunSpecific + 296
48  com.apple.HIToolbox           	0x00007fff88e673bd RunCurrentEventLoopInMode + 235
49  com.apple.HIToolbox           	0x00007fff88e67153 ReceiveNextEventCommon + 432
50  com.apple.HIToolbox           	0x00007fff88e66f93 _BlockUntilNextEventMatchingListInModeWithFilter + 71
51  com.apple.AppKit              	0x00007fff870b81e7 _DPSNextEvent + 1076
52  com.apple.AppKit              	0x00007fff8748490d -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 454
53  com.apple.AppKit              	0x00007fff870ae0b8 -[NSApplication run] + 682
54  com.apple.AppKit              	0x00007fff87030396 NSApplicationMain + 1176
55  libxpc.dylib                  	0x00007fff8c70ff70 _xpc_objc_main + 793
56  libxpc.dylib                  	0x00007fff8c7116bf xpc_main + 494
57  com.apple.WebKit.WebContent.Development	0x00000001029e5424 main + 409 (XPCServiceMain.Development.mm:187)
58  libdyld.dylib                 	0x00007fff93aa15ad start + 1
Comment 1 Radar WebKit Bug Importer 2015-09-17 14:56:53 PDT
<rdar://problem/22746995>
Comment 2 Jiewen Tan 2015-10-09 17:24:31 PDT
Created attachment 262804 [details]
Patch
Comment 3 Andreas Kling 2015-10-13 08:36:58 PDT
Comment on attachment 262804 [details]
Patch

r=me
Comment 4 Jiewen Tan 2015-10-13 14:55:28 PDT
Jiewens-Mac-Pro:LayoutTests jwtan$ run-webkit-tests -g --repeat-each=10 http/tests/misc/detach-during-notifyDone.html
Using port 'mac-elcapitan-wk2'
Test configuration: <elcapitan, x86_64, debug>
Placing test results in /Users/jwtan/Documents/Build/Products/Debug/layout-test-results
Baseline search path: mac-wk2 -> wk2 -> mac -> generic
Using Debug build
Pixel tests disabled
Regular timeout: 350000, slow test timeout: 1750000
Command line: /Users/jwtan/Documents/Build/Products/Debug/WebKitTestRunner -

--lint-test-files warnings:
LayoutTests/platform/mac/TestExpectations:973 Path does not exist. media/video-double.html

Found 1 test; running 1 (10 times each: --repeat-each=10 --iterations=1), skipping 0.
Running 1 WebKitTestRunner.     

[2/10] http/tests/misc/detach-during-notifyDone.html failed unexpectedly (com.apple.WebKit.WebContent.Development crashed [pid=89460])
[4/10] http/tests/misc/detach-during-notifyDone.html failed unexpectedly (com.apple.WebKit.WebContent.Development crashed [pid=89557])
[6/10] http/tests/misc/detach-during-notifyDone.html failed unexpectedly (com.apple.WebKit.WebContent.Development crashed [pid=89562])
[8/10] http/tests/misc/detach-during-notifyDone.html failed unexpectedly (com.apple.WebKit.WebContent.Development crashed [pid=89566])
[10/10] http/tests/misc/detach-during-notifyDone.html failed unexpectedly (com.apple.WebKit.WebContent.Development crashed [pid=89571])
Retrying 1 unexpected failure ...

Running 1 WebKitTestRunner.

5 tests ran as expected, 5 didn't:


Regressions: Unexpected crashes (1)
  http/tests/misc/detach-during-notifyDone.html [ Crash ]
Comment 5 Jiewen Tan 2015-10-13 14:56:13 PDT
Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000bd8
Exception Note:        EXC_CORPSE_NOTIFY

Application Specific Information:
This process is running with libgmalloc.dylib (GuardMalloc) which may have forced the crash due to a memory access error.
 
CRASHING TEST: /misc/detach-during-notifyDone.html

Global Trace Buffer (reverse chronological seconds):
18446743968.919937 CFNetwork                 	0x00007fff929903eb Explicitly setting CF cookie storage singleton
18446743968.920921 CFNetwork                 	0x00007fff929c6c85 Explicitly setting cookie storage singleton

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebKit              	0x000000011c79b28c WebKit::WebDocumentLoader::navigationID() const + 12 (WebDocumentLoader.h:40)
1   com.apple.WebKit              	0x000000011c79590d WebKit::WebFrameLoaderClient::dispatchDidFinishLoad() + 173 (WebFrameLoaderClient.cpp:553)
2   com.apple.WebCore             	0x00000001222a489d WebCore::FrameLoader::checkLoadCompleteForThisFrame() + 1853 (FrameLoader.cpp:2283)
3   com.apple.WebCore             	0x000000012229c8e0 WebCore::FrameLoader::checkLoadComplete() + 320 (FrameLoader.cpp:2461)
4   com.apple.WebCore             	0x0000000121f6c51f WebCore::DocumentLoader::finishedLoading(double) + 495 (DocumentLoader.cpp:446)
5   com.apple.WebCore             	0x0000000121f6c29e WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource*) + 270 (DocumentLoader.cpp:385)
6   com.apple.WebCore             	0x0000000121b20622 WebCore::CachedResource::checkNotify() + 130 (CachedResource.cpp:296)
7   com.apple.WebCore             	0x0000000121b20731 WebCore::CachedResource::finishLoading(WebCore::SharedBuffer*) + 49 (CachedResource.cpp:314)
8   com.apple.WebCore             	0x0000000121b1c16a WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) + 218 (CachedRawResource.cpp:104)
9   com.apple.WebCore             	0x0000000123861295 WebCore::SubresourceLoader::didFinishLoading(double) + 517 (SubresourceLoader.cpp:374)
10  com.apple.WebKit              	0x000000011caad877 WebKit::WebResourceLoader::didFinishResourceLoad(double) + 151 (WebResourceLoader.cpp:156)
11  com.apple.WebKit              	0x000000011cab2d43 void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>, 0ul>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>&&, std::index_sequence<0ul>) + 163 (HandleMessage.h:17)
12  com.apple.WebKit              	0x000000011cab2c98 void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>, std::make_index_sequence<1ul> >(std::__1::tuple<double>&&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) + 88 (HandleMessage.h:23)
13  com.apple.WebKit              	0x000000011cab1dcd void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double)>(IPC::MessageDecoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) + 221 (HandleMessage.h:93)
14  com.apple.WebKit              	0x000000011cab157c WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::MessageDecoder&) + 636 (WebResourceLoaderMessageReceiver.cpp:68)
15  com.apple.WebKit              	0x000000011c3b8410 WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::MessageDecoder&) + 160 (NetworkProcessConnection.cpp:62)
16  com.apple.WebKit              	0x000000011c16f023 IPC::Connection::dispatchMessage(IPC::MessageDecoder&) + 51 (Connection.cpp:901)
17  com.apple.WebKit              	0x000000011c165f51 IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) + 785 (Connection.cpp:933)
18  com.apple.WebKit              	0x000000011c16f61f IPC::Connection::dispatchOneMessage() + 1519 (Connection.cpp:962)
19  com.apple.WebKit              	0x000000011c18097d IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10::operator()() const + 29 (Connection.cpp:895)
20  com.apple.WebKit              	0x000000011c18094d void std::__1::__invoke_void_return_wrapper<void>::__call<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10&>(IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10&&&) + 45 (__functional_base:441)
21  com.apple.WebKit              	0x000000011c18079c std::__1::__function::__func<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10, std::__1::allocator<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10>, void ()>::operator()() + 44 (functional:1407)
22  com.apple.JavaScriptCore      	0x000000011f95368a std::__1::function<void ()>::operator()() const + 26 (functional:1793)
23  com.apple.JavaScriptCore      	0x000000011fef6fed WTF::RunLoop::performWork() + 621 (RunLoop.cpp:122)
24  com.apple.JavaScriptCore      	0x000000011fef75f4 WTF::RunLoop::performWork(void*) + 36 (RunLoopCF.cpp:38)
25  com.apple.CoreFoundation      	0x00007fff88dea621 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
26  com.apple.CoreFoundation      	0x00007fff88dc9e1c __CFRunLoopDoSources0 + 556
27  com.apple.CoreFoundation      	0x00007fff88dc933f __CFRunLoopRun + 927
28  com.apple.CoreFoundation      	0x00007fff88dc8d38 CFRunLoopRunSpecific + 296
29  com.apple.HIToolbox           	0x00007fff83b01d55 RunCurrentEventLoopInMode + 235
30  com.apple.HIToolbox           	0x00007fff83b01b8f ReceiveNextEventCommon + 432
31  com.apple.HIToolbox           	0x00007fff83b019cf _BlockUntilNextEventMatchingListInModeWithFilter + 71
32  com.apple.AppKit              	0x00007fff8a645f3a _DPSNextEvent + 1067
33  com.apple.AppKit              	0x00007fff8a645369 -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 454
34  com.apple.AppKit              	0x00007fff8a639ecc -[NSApplication run] + 682
35  com.apple.AppKit              	0x00007fff8a603162 NSApplicationMain + 1176
36  libxpc.dylib                  	0x00007fff970904f2 _xpc_objc_main + 793
37  libxpc.dylib                  	0x00007fff9708ef1e xpc_main + 494
38  com.apple.WebKit.WebContent.Development	0x000000010fca2be1 main + 785 (XPCServiceMain.Development.mm:187)
39  libdyld.dylib                 	0x00007fff84d425ad start + 1
Comment 6 Jiewen Tan 2015-10-13 15:00:41 PDT
Please ignore the previous two comments.
Comment 7 WebKit Commit Bot 2015-10-14 13:11:55 PDT
Comment on attachment 262804 [details]
Patch

Clearing flags on attachment: 262804

Committed r191066: <http://trac.webkit.org/changeset/191066>
Comment 8 WebKit Commit Bot 2015-10-14 13:12:00 PDT
All reviewed patches have been landed.  Closing bug.