Bug 150210 - Null dereference loading Blink layout test editing/selection/selectstart-event-crash.html
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=150210

Jon Honeycutt
Reported 2015-10-15 17:02:47 PDT
Created attachment 263227 [details]: crashing test

Null dereference loading Blink layout test editing/selection/selectstart-event-crash.html.

Stack trace:

Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Exception Type: EXC_BAD_ACCESS (SIGABRT)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000020

VM Regions Near 0x20:
--> __TEXT 0000000106e12000-0000000106eac000 [ 616K] r-x/rwx SM=COW /Users/USER/*

Application Specific Information:
CRASHING TEST: blink-tests-that-are-unknown/editing/selection/selectstart-event-crash.html

================================================================
==21984==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x00010c55e1c1 bp 0x7fff58de9100 sp 0x7fff58de9100 T0)
#0 0x10c55e1c0 in WebCore::Node::treeScope() const Node.h:405
#1 0x10c55e188 in WebCore::Node::document() const Node.h:399
#2 0x10ead6e80 in WebCore::VisibleSelection::firstRange() const VisibleSelection.cpp:132
#3 0x10d00545c in WebCore::FrameSelection::respondToNodeModification(WebCore::Node&, bool, bool, bool, bool) FrameSelection.cpp:474
#4 0x10d00527c in WebCore::FrameSelection::nodeWillBeRemoved(WebCore::Node&) FrameSelection.cpp:439
#5 0x10cbe4285 in WebCore::Document::nodeChildrenWillBeRemoved(WebCore::ContainerNode&) Document.cpp:3936
#6 0x10c8a7c82 in WebCore::willRemoveChildren(WebCore::ContainerNode&) ContainerNode.cpp:500
#7 0x10c8a77a5 in WebCore::ContainerNode::removeChildren() ContainerNode.cpp:634
#8 0x10df79963 in WebCore::Node::setTextContent(WTF::String const&, int&) Node.cpp:1466
#9 0x10d993590 in WebCore::setJSNodeTextContent(JSC::ExecState*, JSC::JSObject*, long long, long long) JSNode.cpp:628
#10 0x107ae0590 in JSC::JSObject::put(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) JSObject.cpp:422
#11 0x107c2c1fd in llint_slow_path_put_by_id LLIntSlowPaths.cpp:622
#12 0x107c4096a in llint_entry (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xab196a)
#13 0x107c3da0a in vmEntryToJavaScript (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xaaea0a)
#14 0x10799f07d in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) JITCode.cpp:80
#15 0x10795c714 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) Interpreter.cpp:1024
#16 0x10726d9d1 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) CallData.cpp:39
#17 0x10726dac1 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) CallData.cpp:44
#18 0x10d5879c7 in WebCore::JSMainThreadExecState::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) JSMainThreadExecState.h:56
#19 0x10e544d4b in WebCore::ScheduledAction::executeFunctionInContext(JSC::JSGlobalObject*, JSC::JSValue, WebCore::ScriptExecutionContext&) ScheduledAction.cpp:104
#20 0x10e5447b2 in WebCore::ScheduledAction::execute(WebCore::Document&) ScheduledAction.cpp:125
#21 0x10cd73ef6 in WebCore::DOMTimer::fired() DOMTimer.cpp:356
#22 0x10ea470e4 in WebCore::ThreadTimers::sharedTimerFiredInternal() ThreadTimers.cpp:132
#23 0x10e6b0658 in WebCore::timerFired(__CFRunLoopTimer*, void*) SharedTimerCF.cpp:82
#24 0x7fff96fa2c83 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x92c83)
#25 0x7fff96fa2912 in __CFRunLoopDoTimer (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x92912)
#26 0x7fff96fa2469 in __CFRunLoopDoTimers (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x92469)
#27 0x7fff96f99960 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x89960)
#28 0x7fff96f98fc7 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88fc7)
#29 0x106e3498d in runTest(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) DumpRenderTree.mm:2030
#30 0x106e33f39 in runTestingServerLoop() DumpRenderTree.mm:1180
#31 0x106e33267 in dumpRenderTree(int, char const**) DumpRenderTree.mm:1288
#32 0x106e352b1 in DumpRenderTreeMain(int, char const**) DumpRenderTree.mm:1418
#33 0x7fff931e95ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
#34 0x1 (<unknown module>)
Attachments
crashing test (593 bytes, text/html), 2015-10-15 17:02 PDT, Jon Honeycutt, no flags
Patch (2.99 KB, patch), 2016-01-12 11:47 PST, Jiewen Tan, no flags
Radar WebKit Bug Importer
Comment 1
2015-10-15 17:03:38 PDT
<rdar://problem/23137259>
Brent Fulgham
Comment 2
2016-01-08 17:02:26 PST
Our attempts to reproduce this crash on current ToT have failed. I think this was corrected by other changes we've made recently, but I can't identify what those changes are.
Brent Fulgham
Comment 3
2016-01-11 11:26:08 PST
This test case needs to be added to trunk.
Jiewen Tan
Comment 4
2016-01-12 11:47:50 PST
Created attachment 268793 [details]: Patch
Brent Fulgham
Comment 5
2016-01-12 12:14:51 PST
Comment on attachment 268793 [details]: Patch
r=me.
WebKit Commit Bot
Comment 6
2016-01-12 12:17:05 PST
Comment on attachment 268793 [details]: Patch
Clearing flags on attachment: 268793
Committed r194917: <http://trac.webkit.org/changeset/194917>
WebKit Commit Bot
Comment 7
2016-01-12 12:17:08 PST
All reviewed patches have been landed. Closing bug.