Bug 150208 - Null dereference loading Blink layout test editing/execCommand/insert-image-changing-visibility-crash.html
Summary: Null dereference loading Blink layout test editing/execCommand/insert-image-c...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: HTML Editing (show other bugs)
Version: WebKit Local Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Jiewen Tan
URL:
Keywords: BlinkMergeCandidate, HasReduction, InRadar
Depends on:
Blocks:
 
Reported: 2015-10-15 16:55 PDT by Jon Honeycutt
Modified: 2015-10-26 16:06 PDT (History)
4 users (show)

See Also:


Attachments
crashing test (681 bytes, text/html)
2015-10-15 16:55 PDT, Jon Honeycutt
no flags Details
Patch (4.68 KB, patch)
2015-10-23 14:00 PDT, Jiewen Tan
no flags Details | Formatted Diff | Diff
Patch (4.70 KB, patch)
2015-10-26 13:05 PDT, Jiewen Tan
no flags Details | Formatted Diff | Diff
Patch (4.70 KB, patch)
2015-10-26 13:21 PDT, Jiewen Tan
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Jon Honeycutt 2015-10-15 16:55:39 PDT
Created attachment 263225 [details]
crashing test

Stack trace:

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGABRT)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000014
Exception Note:        EXC_CORPSE_NOTIFY

VM Regions Near 0x14:
--> 
    __TEXT                 000000010f6c0000-000000010f6c3000 [   12K] r-x/rwx SM=COW  /Users/USER/*/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.Development.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development

Application Specific Information:
================================================================
==8111==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000014 (pc 0x00011e001ab2 bp 0x7fff50539430 sp 0x7fff50539430 T0)
    #0 0x11e001ab1 in WebCore::Node::getFlag(WebCore::Node::NodeFlags) const (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0xaab1)
    #1 0x11e333c2d in WebCore::canHaveChildrenForEditing(WebCore::Node const*) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x33cc2d)
    #2 0x11e322cb0 in WebCore::CompositeEditCommand::insertNodeAt(WTF::PassRefPtr<WebCore::Node>, WebCore::Position const&) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x32bcb0)
    #3 0x11ff44b1c in WebCore::ReplaceSelectionCommand::doApply() (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x1f4db1c)
    #4 0x11e320b7b in WebCore::CompositeEditCommand::apply() (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x329b7b)
    #5 0x11e8b71e5 in WebCore::executeInsertFragment(WebCore::Frame&, WTF::PassRefPtr<WebCore::DocumentFragment>) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x8c01e5)
    #6 0x11e8b74e1 in WebCore::executeInsertNode(WebCore::Frame&, WTF::Ref<WebCore::Node>&&) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x8c04e1)
    #7 0x11e8b274d in WebCore::executeInsertImage(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x8bb74d)
    #8 0x11e8af85e in WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x8b885e)
    #9 0x11e687979 in WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x690979)
    #10 0x11f0f5260 in WebCore::jsDocumentPrototypeFunctionExecCommand(JSC::ExecState*) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x10fe260)
    #11 0x3020bb201027  (<unknown module>)
    #12 0x11c6cd64f in llint_entry (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xab464f)
    #13 0x11c6c7a0a in vmEntryToJavaScript (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xaaea0a)
    #14 0x11c42907d in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x81007d)
    #15 0x11c3e6714 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x7cd714)
    #16 0x11bcf79d1 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xde9d1)
    #17 0x11bcf7ac1 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xdeac1)
    #18 0x11f0259c7 in WebCore::JSMainThreadExecState::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x102e9c7)
    #19 0x11f217f5d in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x1220f5d)
    #20 0x11e93bd21 in WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul, WTF::CrashOnOverflow, 16ul>&) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x944d21)
    #21 0x11e93b721 in WebCore::EventTarget::fireEventListeners(WebCore::Event*) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x944721)
    #22 0x11e82bbbd in WebCore::DOMWindow::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, WTF::PassRefPtr<WebCore::EventTarget>) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x834bbd)
    #23 0x11e8375db in WebCore::DOMWindow::dispatchLoadEvent() (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x8405db)
    #24 0x11e67962f in WebCore::Document::dispatchWindowLoadEvent() (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x68262f)
    #25 0x11e675201 in WebCore::Document::implicitClose() (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x67e201)
    #26 0x11ea7f0ab in WebCore::FrameLoader::checkCompleted() (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0xa880ab)
    #27 0x11ea7c35c in WebCore::FrameLoader::finishedParsing() (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0xa8535c)
    #28 0x11e68a049 in WebCore::Document::finishedParsing() (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x693049)
    #29 0x11ec1cd3d in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0xc25d3d)
    #30 0x11e71995c in WebCore::DocumentWriter::end() (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x72295c)
    #31 0x11e6e1b67 in WebCore::DocumentLoader::finishedLoading(double) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x6eab67)
    #32 0x11e240ca7 in WebCore::CachedResource::checkNotify() (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x249ca7)
    #33 0x11e23bff9 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x244ff9)
    #34 0x1202c9588 in WebCore::SubresourceLoader::didFinishLoading(double) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x22d2588)
    #35 0x11a2547b5 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double)>(IPC::MessageDecoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebKit.framework/WebKit+0x8e77b5)
    #36 0x11a253ca2 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::MessageDecoder&) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebKit.framework/WebKit+0x8e6ca2)
    #37 0x119bd36ca in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::MessageDecoder&) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebKit.framework/WebKit+0x2666ca)
    #38 0x1199fd745 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebKit.framework/WebKit+0x90745)
    #39 0x119a04f09 in IPC::Connection::dispatchOneMessage() (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebKit.framework/WebKit+0x97f09)
    #40 0x11ca97618 in WTF::RunLoop::performWork() (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xe7e618)
    #41 0x11ca97e6e in WTF::RunLoop::performWork(void*) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xe7ee6e)
    #42 0x7fff96fba8b0 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xaa8b0)
    #43 0x7fff96f9a0ab in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x8a0ab)
    #44 0x7fff96f995ce in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x895ce)
    #45 0x7fff96f98fc7 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88fc7)
    #46 0x7fff89713d54 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30d54)
    #47 0x7fff89713b8e in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30b8e)
    #48 0x7fff897139ce in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x309ce)
    #49 0x7fff8d4e6d95 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x49d95)
    #50 0x7fff8d4e61c4 in -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x491c4)
    #51 0x7fff8d4dad27 in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3dd27)
    #52 0x7fff8d4a3fbd in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x6fbd)
    #53 0x7fff924c44f1 in _xpc_objc_main (/usr/lib/system/libxpc.dylib+0x114f1)
    #54 0x7fff924c2f1d in xpc_main (/usr/lib/system/libxpc.dylib+0xff1d)
    #55 0x10f6c1266 in main (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.Development.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development+0x100001266)
    #56 0x7fff931e95ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
    #57 0x0  (<unknown module>)
Comment 1 Radar WebKit Bug Importer 2015-10-15 16:56:14 PDT
<rdar://problem/23137109>
Comment 2 Jiewen Tan 2015-10-23 14:00:05 PDT
Created attachment 263942 [details]
Patch
Comment 3 Chris Dumez 2015-10-26 12:04:07 PDT
Comment on attachment 263942 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=263942&action=review

r=me with comments.

> LayoutTests/editing/execCommand/insert-image-changing-visibility-crash.html:25
> +    document.write("Pass if not crash.");

Passes if it does not crash.

> LayoutTests/editing/execCommand/insert-image-changing-visibility-crash.html:32
> +<table id="table" ></table>

extra space here.
Comment 4 Jiewen Tan 2015-10-26 13:05:15 PDT
Created attachment 264066 [details]
Patch
Comment 5 Jiewen Tan 2015-10-26 13:21:35 PDT
Created attachment 264067 [details]
Patch
Comment 6 WebKit Commit Bot 2015-10-26 16:06:41 PDT
Comment on attachment 264067 [details]
Patch

Clearing flags on attachment: 264067

Committed r191608: <http://trac.webkit.org/changeset/191608>
Comment 7 WebKit Commit Bot 2015-10-26 16:06:49 PDT
All reviewed patches have been landed.  Closing bug.