Bug 150207 - Null dereference loading Blink layout test editing/execCommand/format-block-uneditable-crash.html
Summary: Null dereference loading Blink layout test editing/execCommand/format-block-u...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: HTML Editing
Version: WebKit Local Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Jiewen Tan
URL:
Keywords: BlinkMergeCandidate, HasReduction, InRadar
Depends on:
Blocks:
 
Reported: 2015-10-15 16:53 PDT by Jon Honeycutt
Modified: 2015-10-27 17:36 PDT
CC: 5 users

See Also:


Attachments
Crashing test (539 bytes, text/html)
2015-10-15 16:53 PDT, Jon Honeycutt
no flags
Patch (4.27 KB, patch)
2015-10-23 19:10 PDT, Jiewen Tan
no flags
Patch (5.28 KB, patch)
2015-10-26 18:11 PDT, Jiewen Tan
no flags

Description Jon Honeycutt 2015-10-15 16:53:04 PDT
Created attachment 263224 [details]
Crashing test

Null dereference loading Blink layout test editing/execCommand/format-block-uneditable-crash.html.

Stack trace:

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGABRT)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000014

VM Regions Near 0x14:
--> 
    __TEXT                 000000010c416000-000000010c4b0000 [  616K] r-x/rwx SM=COW  /Users/USER/*

Application Specific Information:
CRASHING TEST: blink-tests-that-are-unknown/editing/execCommand/format-block-uneditable-crash.html
================================================================
==21895==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000014 (pc 0x000111b5fab2 bp 0x7fff537e2570 sp 0x7fff537e2570 T0)
    #0 0x111b5fab1 in WebCore::Node::getFlag(WebCore::Node::NodeFlags) const Node.h:641
    #1 0x111b941bb in WebCore::lastPositionInNode(WebCore::Node*) Position.h:313
    #2 0x111c4b6e1 in WebCore::ApplyBlockElementCommand::rangeForParagraphSplittingTextNodesIfNeeded(WebCore::VisiblePosition const&, WebCore::Position&, WebCore::Position&) ApplyBlockElementCommand.cpp:248
    #3 0x111c4a29e in WebCore::ApplyBlockElementCommand::formatSelection(WebCore::VisiblePosition const&, WebCore::VisiblePosition const&) ApplyBlockElementCommand.cpp:126
    #4 0x11257d4a7 in WebCore::FormatBlockCommand::formatSelection(WebCore::VisiblePosition const&, WebCore::VisiblePosition const&) FormatBlockCommand.cpp:59
    #5 0x111c49397 in WebCore::ApplyBlockElementCommand::doApply() ApplyBlockElementCommand.cpp:86
    #6 0x111e7eb7b in WebCore::CompositeEditCommand::apply() CompositeEditCommand.cpp:229
    #7 0x11240fa24 in WebCore::executeFormatBlock(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) EditorCommand.cpp:425
    #8 0x11240d85e in WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const EditorCommand.cpp:1704
    #9 0x1121e5979 in WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) Document.cpp:4657
    #10 0x112c53260 in WebCore::jsDocumentPrototypeFunctionExecCommand(JSC::ExecState*) JSDocument.cpp:5093
    #11 0x2abca0401027  (<unknown module>)
    #12 0x10d24664f in llint_entry (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xab464f)
    #13 0x10d246a49 in llint_entry (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xab4a49)
    #14 0x10d24664f in llint_entry (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xab464f)
    #15 0x10d24664f in llint_entry (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xab464f)
    #16 0x10d240a0a in vmEntryToJavaScript (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xaaea0a)
    #17 0x10cfa207d in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) JITCode.cpp:80
    #18 0x10cf5ecc6 in JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) Interpreter.cpp:961
    #19 0x10c921689 in JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) Completion.cpp:104
    #20 0x112f0f3ad in WebCore::JSMainThreadExecState::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) JSMainThreadExecState.h:62
    #21 0x113b4b410 in WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&) ScriptController.cpp:164
    #22 0x113b4b618 in WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&) ScriptController.cpp:180
    #23 0x113b5d586 in WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) ScriptElement.cpp:309
    #24 0x113b5ae6a in WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport) ScriptElement.cpp:242
    #25 0x1128509cb in WebCore::HTMLScriptRunner::runScript(WebCore::Element*, WTF::TextPosition const&) HTMLScriptRunner.cpp:308
    #26 0x112850705 in WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element>, WTF::TextPosition const&) HTMLScriptRunner.cpp:177
    #27 0x11277ba6f in WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() HTMLDocumentParser.cpp:195
    #28 0x11277bce3 in WebCore::HTMLDocumentParser::canTakeNextToken(WebCore::HTMLDocumentParser::SynchronousMode, WebCore::PumpSession&) HTMLDocumentParser.cpp:213
    #29 0x11277b2a8 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) HTMLDocumentParser.cpp:259
    #30 0x11277cc9d in WebCore::HTMLDocumentParser::resumeParsingAfterScriptExecution() HTMLDocumentParser.cpp:496
    #31 0x11277cf61 in WebCore::HTMLDocumentParser::notifyFinished(WebCore::CachedResource*) HTMLDocumentParser.cpp:536
    #32 0x111d9eca7 in WebCore::CachedResource::checkNotify() CachedResource.cpp:297
    #33 0x113e27588 in WebCore::SubresourceLoader::didFinishLoading(double) SubresourceLoader.cpp:372
    #34 0x7fff8c4a3850 in __65-[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:]_block_invoke (/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork+0x2e850)
    #35 0x7fff8c4a3765 in -[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:] (/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork+0x2e765)
    #36 0x7fff8c4a366a in -[NSURLConnectionInternal _withActiveConnectionAndDelegate:] (/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork+0x2e66a)
    #37 0x7fff8c4a8491 in ___ZN27URLConnectionClient_Classic26_delegate_didFinishLoadingEU13block_pointerFvvE_block_invoke (/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork+0x33491)
    #38 0x7fff8c63c976 in ___ZN27URLConnectionClient_Classic18_withDelegateAsyncEPKcU13block_pointerFvP16_CFURLConnectionPK33CFURLConnectionClientCurrent_VMaxE_block_invoke_2 (/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork+0x1c7976)
    #39 0x7fff9a99c3c2 in _dispatch_client_callout (/usr/lib/system/libdispatch.dylib+0x23c2)
    #40 0x7fff9a9aa0bd in _dispatch_block_invoke (/usr/lib/system/libdispatch.dylib+0x100bd)
    #41 0x7fff8c4a3527 in RunloopBlockContext::_invoke_block(void const*, void*) (/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork+0x2e527)
    #42 0x7fff96f5ce63 in CFArrayApplyFunction (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x4ce63)
    #43 0x7fff8c4a3420 in RunloopBlockContext::perform() (/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork+0x2e420)
    #44 0x7fff8c4a32c1 in MultiplexerSource::perform() (/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork+0x2e2c1)
    #45 0x7fff8c4a30e3 in MultiplexerSource::_perform(void*) (/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork+0x2e0e3)
    #46 0x7fff96fba8b0 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xaa8b0)
    #47 0x7fff96f9a0ab in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x8a0ab)
    #48 0x7fff96f995ce in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x895ce)
    #49 0x7fff96f98fc7 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88fc7)
    #50 0x10c43898d in runTest(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) DumpRenderTree.mm:2030
    #51 0x10c437f39 in runTestingServerLoop() DumpRenderTree.mm:1180
    #52 0x10c437267 in dumpRenderTree(int, char const**) DumpRenderTree.mm:1288
    #53 0x10c4392b1 in DumpRenderTreeMain(int, char const**) DumpRenderTree.mm:1418
    #54 0x7fff931e95ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
    #55 0x1  (<unknown module>)
Comment 1 Radar WebKit Bug Importer 2015-10-15 16:53:19 PDT
<rdar://problem/23137066>
Comment 2 Jiewen Tan 2015-10-23 19:10:47 PDT
Created attachment 263973 [details]
Patch
Comment 3 Enrica Casucci 2015-10-26 13:49:34 PDT
Comment on attachment 263973 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=263973&action=review

> LayoutTests/editing/execCommand/format-block-uneditable-crash.html:21
> +</script>

Please use the editing.js and markup.js functions to write the test.
Comment 4 Jiewen Tan 2015-10-26 18:11:49 PDT
Created attachment 264115 [details]
Patch
Comment 5 WebKit Commit Bot 2015-10-27 16:48:21 PDT
Comment on attachment 264115 [details]
Patch

Rejecting attachment 264115 [details] from commit-queue.

jiewen_tan@apple.com does not have committer permissions according to http://trac.webkit.org/browser/trunk/Tools/Scripts/webkitpy/common/config/contributors.json.

- If you do not have committer rights please read http://webkit.org/coding/contributing.html for instructions on how to use bugzilla flags.

- If you have committer rights please correct the error in Tools/Scripts/webkitpy/common/config/contributors.json by adding yourself to the file (no review needed).  The commit-queue restarts itself every 2 hours.  After restart the commit-queue will correctly respect your committer rights.
Comment 6 WebKit Commit Bot 2015-10-27 17:36:11 PDT
Comment on attachment 264115 [details]
Patch

Clearing flags on attachment: 264115

Committed r191647: <http://trac.webkit.org/changeset/191647>
Comment 7 WebKit Commit Bot 2015-10-27 17:36:16 PDT
All reviewed patches have been landed.  Closing bug.