WebKit Bugzilla
Bug 150208 - Null dereference loading Blink layout test editing/execCommand/insert-image-changing-visibility-crash.html
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=150208
Jon Honeycutt
Reported 2015-10-15 16:55:39 PDT
Created attachment 263225 [details]
crashing test

Stack trace:

Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Exception Type: EXC_BAD_ACCESS (SIGABRT)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000014
Exception Note: EXC_CORPSE_NOTIFY

VM Regions Near 0x14:
--> __TEXT 000000010f6c0000-000000010f6c3000 [ 12K] r-x/rwx SM=COW /Users/USER/*/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.Development.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development

Application Specific Information:
================================================================
==8111==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000014 (pc 0x00011e001ab2 bp 0x7fff50539430 sp 0x7fff50539430 T0)
#0 0x11e001ab1 in WebCore::Node::getFlag(WebCore::Node::NodeFlags) const (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0xaab1)
#1 0x11e333c2d in WebCore::canHaveChildrenForEditing(WebCore::Node const*) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x33cc2d)
#2 0x11e322cb0 in WebCore::CompositeEditCommand::insertNodeAt(WTF::PassRefPtr<WebCore::Node>, WebCore::Position const&) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x32bcb0)
#3 0x11ff44b1c in WebCore::ReplaceSelectionCommand::doApply() (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x1f4db1c)
#4 0x11e320b7b in WebCore::CompositeEditCommand::apply() (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x329b7b)
#5 0x11e8b71e5 in WebCore::executeInsertFragment(WebCore::Frame&, WTF::PassRefPtr<WebCore::DocumentFragment>) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x8c01e5)
#6 0x11e8b74e1 in WebCore::executeInsertNode(WebCore::Frame&, WTF::Ref<WebCore::Node>&&) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x8c04e1)
#7 0x11e8b274d in WebCore::executeInsertImage(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x8bb74d)
#8 0x11e8af85e in WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x8b885e)
#9 0x11e687979 in WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x690979)
#10 0x11f0f5260 in WebCore::jsDocumentPrototypeFunctionExecCommand(JSC::ExecState*) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x10fe260)
#11 0x3020bb201027 (<unknown module>)
#12 0x11c6cd64f in llint_entry (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xab464f)
#13 0x11c6c7a0a in vmEntryToJavaScript (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xaaea0a)
#14 0x11c42907d in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x81007d)
#15 0x11c3e6714 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x7cd714)
#16 0x11bcf79d1 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xde9d1)
#17 0x11bcf7ac1 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xdeac1)
#18 0x11f0259c7 in WebCore::JSMainThreadExecState::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x102e9c7)
#19 0x11f217f5d in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x1220f5d)
#20 0x11e93bd21 in WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul, WTF::CrashOnOverflow, 16ul>&) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x944d21)
#21 0x11e93b721 in WebCore::EventTarget::fireEventListeners(WebCore::Event*) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x944721)
#22 0x11e82bbbd in WebCore::DOMWindow::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, WTF::PassRefPtr<WebCore::EventTarget>) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x834bbd)
#23 0x11e8375db in WebCore::DOMWindow::dispatchLoadEvent() (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x8405db)
#24 0x11e67962f in WebCore::Document::dispatchWindowLoadEvent() (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x68262f)
#25 0x11e675201 in WebCore::Document::implicitClose() (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x67e201)
#26 0x11ea7f0ab in WebCore::FrameLoader::checkCompleted() (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0xa880ab)
#27 0x11ea7c35c in WebCore::FrameLoader::finishedParsing() (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0xa8535c)
#28 0x11e68a049 in WebCore::Document::finishedParsing() (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x693049)
#29 0x11ec1cd3d in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0xc25d3d)
#30 0x11e71995c in WebCore::DocumentWriter::end() (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x72295c)
#31 0x11e6e1b67 in WebCore::DocumentLoader::finishedLoading(double) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x6eab67)
#32 0x11e240ca7 in WebCore::CachedResource::checkNotify() (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x249ca7)
#33 0x11e23bff9 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x244ff9)
#34 0x1202c9588 in WebCore::SubresourceLoader::didFinishLoading(double) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebCore.framework/Versions/A/WebCore+0x22d2588)
#35 0x11a2547b5 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double)>(IPC::MessageDecoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebKit.framework/WebKit+0x8e77b5)
#36 0x11a253ca2 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::MessageDecoder&) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebKit.framework/WebKit+0x8e6ca2)
#37 0x119bd36ca in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::MessageDecoder&) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebKit.framework/WebKit+0x2666ca)
#38 0x1199fd745 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebKit.framework/WebKit+0x90745)
#39 0x119a04f09 in IPC::Connection::dispatchOneMessage() (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebKit.framework/WebKit+0x97f09)
#40 0x11ca97618 in WTF::RunLoop::performWork() (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xe7e618)
#41 0x11ca97e6e in WTF::RunLoop::performWork(void*) (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xe7ee6e)
#42 0x7fff96fba8b0 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xaa8b0)
#43 0x7fff96f9a0ab in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x8a0ab)
#44 0x7fff96f995ce in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x895ce)
#45 0x7fff96f98fc7 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88fc7)
#46 0x7fff89713d54 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30d54)
#47 0x7fff89713b8e in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30b8e)
#48 0x7fff897139ce in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x309ce)
#49 0x7fff8d4e6d95 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x49d95)
#50 0x7fff8d4e61c4 in -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x491c4)
#51 0x7fff8d4dad27 in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3dd27)
#52 0x7fff8d4a3fbd in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x6fbd)
#53 0x7fff924c44f1 in _xpc_objc_main (/usr/lib/system/libxpc.dylib+0x114f1)
#54 0x7fff924c2f1d in xpc_main (/usr/lib/system/libxpc.dylib+0xff1d)
#55 0x10f6c1266 in main (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.Development.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development+0x100001266)
#56 0x7fff931e95ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
#57 0x0 (<unknown module>)
Attachments

crashing test (681 bytes, text/html), 2015-10-15 16:55 PDT, Jon Honeycutt, no flags
Patch (4.68 KB, patch), 2015-10-23 14:00 PDT, Jiewen Tan, no flags
Patch (4.70 KB, patch), 2015-10-26 13:05 PDT, Jiewen Tan, no flags
Patch (4.70 KB, patch), 2015-10-26 13:21 PDT, Jiewen Tan, no flags
Radar WebKit Bug Importer
Comment 1
2015-10-15 16:56:14 PDT
<rdar://problem/23137109>
Jiewen Tan
Comment 2
2015-10-23 14:00:05 PDT
Created attachment 263942 [details]
Patch
Chris Dumez
Comment 3
2015-10-26 12:04:07 PDT
Comment on attachment 263942 [details]
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=263942&action=review

r=me with comments.

> LayoutTests/editing/execCommand/insert-image-changing-visibility-crash.html:25
> + document.write("Pass if not crash.");

Passes if it does not crash.

> LayoutTests/editing/execCommand/insert-image-changing-visibility-crash.html:32
> +<table id="table" ></table>

extra space here.
Jiewen Tan
Comment 4
2015-10-26 13:05:15 PDT
Created attachment 264066 [details]
Patch
Jiewen Tan
Comment 5
2015-10-26 13:21:35 PDT
Created attachment 264067 [details]
Patch
WebKit Commit Bot
Comment 6
2015-10-26 16:06:41 PDT
Comment on attachment 264067 [details]
Patch
Clearing flags on attachment: 264067
Committed r191608: <http://trac.webkit.org/changeset/191608>
WebKit Commit Bot
Comment 7
2015-10-26 16:06:49 PDT
All reviewed patches have been landed. Closing bug.