Bug 150210 - Null dereference loading Blink layout test editing/selection/selectstart-event-crash.html
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: HTML Editing
Version: WebKit Local Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Jiewen Tan
Keywords: BlinkMergeCandidate, HasReduction, InRadar
Reported: 2015-10-15 17:02 PDT by Jon Honeycutt
Modified: 2016-01-12 12:17 PST
CC List: 4 users

Attachments
crashing test (593 bytes, text/html), 2015-10-15 17:02 PDT, Jon Honeycutt, no flags
Patch (2.99 KB, patch), 2016-01-12 11:47 PST, Jiewen Tan, no flags

Description Jon Honeycutt 2015-10-15 17:02:47 PDT
Created attachment 263227 [details]
crashing test

Null dereference loading Blink layout test editing/selection/selectstart-event-crash.html.

Stack trace:

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGABRT)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000020

VM Regions Near 0x20:
--> 
    __TEXT                 0000000106e12000-0000000106eac000 [  616K] r-x/rwx SM=COW  /Users/USER/*

Application Specific Information:
CRASHING TEST: blink-tests-that-are-unknown/editing/selection/selectstart-event-crash.html
================================================================
==21984==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x00010c55e1c1 bp 0x7fff58de9100 sp 0x7fff58de9100 T0)
    #0 0x10c55e1c0 in WebCore::Node::treeScope() const Node.h:405
    #1 0x10c55e188 in WebCore::Node::document() const Node.h:399
    #2 0x10ead6e80 in WebCore::VisibleSelection::firstRange() const VisibleSelection.cpp:132
    #3 0x10d00545c in WebCore::FrameSelection::respondToNodeModification(WebCore::Node&, bool, bool, bool, bool) FrameSelection.cpp:474
    #4 0x10d00527c in WebCore::FrameSelection::nodeWillBeRemoved(WebCore::Node&) FrameSelection.cpp:439
    #5 0x10cbe4285 in WebCore::Document::nodeChildrenWillBeRemoved(WebCore::ContainerNode&) Document.cpp:3936
    #6 0x10c8a7c82 in WebCore::willRemoveChildren(WebCore::ContainerNode&) ContainerNode.cpp:500
    #7 0x10c8a77a5 in WebCore::ContainerNode::removeChildren() ContainerNode.cpp:634
    #8 0x10df79963 in WebCore::Node::setTextContent(WTF::String const&, int&) Node.cpp:1466
    #9 0x10d993590 in WebCore::setJSNodeTextContent(JSC::ExecState*, JSC::JSObject*, long long, long long) JSNode.cpp:628
    #10 0x107ae0590 in JSC::JSObject::put(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) JSObject.cpp:422
    #11 0x107c2c1fd in llint_slow_path_put_by_id LLIntSlowPaths.cpp:622
    #12 0x107c4096a in llint_entry (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xab196a)
    #13 0x107c3da0a in vmEntryToJavaScript (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xaaea0a)
    #14 0x10799f07d in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) JITCode.cpp:80
    #15 0x10795c714 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) Interpreter.cpp:1024
    #16 0x10726d9d1 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) CallData.cpp:39
    #17 0x10726dac1 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) CallData.cpp:44
    #18 0x10d5879c7 in WebCore::JSMainThreadExecState::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) JSMainThreadExecState.h:56
    #19 0x10e544d4b in WebCore::ScheduledAction::executeFunctionInContext(JSC::JSGlobalObject*, JSC::JSValue, WebCore::ScriptExecutionContext&) ScheduledAction.cpp:104
    #20 0x10e5447b2 in WebCore::ScheduledAction::execute(WebCore::Document&) ScheduledAction.cpp:125
    #21 0x10cd73ef6 in WebCore::DOMTimer::fired() DOMTimer.cpp:356
    #22 0x10ea470e4 in WebCore::ThreadTimers::sharedTimerFiredInternal() ThreadTimers.cpp:132
    #23 0x10e6b0658 in WebCore::timerFired(__CFRunLoopTimer*, void*) SharedTimerCF.cpp:82
    #24 0x7fff96fa2c83 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x92c83)
    #25 0x7fff96fa2912 in __CFRunLoopDoTimer (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x92912)
    #26 0x7fff96fa2469 in __CFRunLoopDoTimers (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x92469)
    #27 0x7fff96f99960 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x89960)
    #28 0x7fff96f98fc7 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88fc7)
    #29 0x106e3498d in runTest(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) DumpRenderTree.mm:2030
    #30 0x106e33f39 in runTestingServerLoop() DumpRenderTree.mm:1180
    #31 0x106e33267 in dumpRenderTree(int, char const**) DumpRenderTree.mm:1288
    #32 0x106e352b1 in DumpRenderTreeMain(int, char const**) DumpRenderTree.mm:1418
    #33 0x7fff931e95ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
    #34 0x1  (<unknown module>)
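As an added triage example (my own code, not part of the bug report and not WebKit tooling): a small Python parser for the AddressSanitizer report in the description above. It extracts the fault address and frame list, classifies the address (0x20 sits in the null page, so this is a null pointer plus a field offset, the pattern of a DoS-class null dereference rather than a controllable write), picks the first frame outside an inlined header as the place to start reading (here VisibleSelection::firstRange), and finds the generated JS-binding frame that names the DOM API the test script invoked (the Node.textContent setter). The sample input is the report header and the first frames copied from the description; the null-page threshold and the `setJS`/`js` binding-name heuristic are my assumptions, not anything the bug states.

```python
"""Triage helper for an AddressSanitizer SEGV report (added example, not WebKit code)."""
import re

# Constructed input: the header and first frames of the ASan report quoted in the bug
# description above; the CoreFoundation and DumpRenderTree frames are omitted for brevity.
SAMPLE_REPORT = """\
==21984==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x00010c55e1c1 bp 0x7fff58de9100 sp 0x7fff58de9100 T0)
    #0 0x10c55e1c0 in WebCore::Node::treeScope() const Node.h:405
    #1 0x10c55e188 in WebCore::Node::document() const Node.h:399
    #2 0x10ead6e80 in WebCore::VisibleSelection::firstRange() const VisibleSelection.cpp:132
    #3 0x10d00545c in WebCore::FrameSelection::respondToNodeModification(WebCore::Node&, bool, bool, bool, bool) FrameSelection.cpp:474
    #4 0x10d00527c in WebCore::FrameSelection::nodeWillBeRemoved(WebCore::Node&) FrameSelection.cpp:439
    #5 0x10cbe4285 in WebCore::Document::nodeChildrenWillBeRemoved(WebCore::ContainerNode&) Document.cpp:3936
    #6 0x10c8a7c82 in WebCore::willRemoveChildren(WebCore::ContainerNode&) ContainerNode.cpp:500
    #7 0x10c8a77a5 in WebCore::ContainerNode::removeChildren() ContainerNode.cpp:634
    #8 0x10df79963 in WebCore::Node::setTextContent(WTF::String const&, int&) Node.cpp:1466
    #9 0x10d993590 in WebCore::setJSNodeTextContent(JSC::ExecState*, JSC::JSObject*, long long, long long) JSNode.cpp:628
    #10 0x107ae0590 in JSC::JSObject::put(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) JSObject.cpp:422
    #11 0x107c2c1fd in llint_slow_path_put_by_id LLIntSlowPaths.cpp:622
    #12 0x107c4096a in llint_entry (/Users/jhoneycutt/src/OpenSource/WebKitBuild2/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xab196a)
"""

HEADER_RE = re.compile(r"AddressSanitizer: (\w+) on unknown address 0x([0-9a-fA-F]+) \(pc 0x([0-9a-fA-F]+)")
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x([0-9a-fA-F]+)\s+in\s+(.*\S)\s*$")
LOC_RE = re.compile(r"^(.*\S)\s+(\S+):(\d+)$")            # "func file.cpp:123"
MODULE_RE = re.compile(r"^(.*\S)\s+\((\S+)\+0x[0-9a-fA-F]+\)$")  # "func (/path/lib+0xoff)"
BINDING_RE = re.compile(r"^WebCore::(?:setJS|js)\w+")   # assumption: generated JS binding names

# Assumption: treat anything in the first page as a null-pointer-plus-offset access.
# (64-bit macOS actually reserves the first 4 GiB as __PAGEZERO, so this is conservative.)
NULL_PAGE = 0x1000


def parse_frame(line):
    """Return a frame dict for one '#N 0x... in ...' line, or None if the line is not a frame."""
    m = FRAME_RE.match(line)
    if not m:
        return None
    frame = {"index": int(m.group(1)), "pc": int(m.group(2), 16), "file": None, "line": None, "module": None}
    rest = m.group(3)
    loc = LOC_RE.match(rest)
    if loc:  # symbolized with debug info: function name may contain spaces, file:line is the last token
        frame.update(function=loc.group(1), file=loc.group(2), line=int(loc.group(3)))
        return frame
    mod = MODULE_RE.match(rest)
    if mod:  # symbolized only to module+offset
        frame.update(function=mod.group(1), module=mod.group(2))
        return frame
    frame["function"] = rest
    return frame


def parse_asan_report(text):
    """Parse the ASan header (fault kind, address, pc) and every stack frame in the report."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("not an AddressSanitizer report")
    frames = [f for f in (parse_frame(l) for l in text.splitlines()) if f is not None]
    return {"kind": m.group(1), "address": int(m.group(2), 16), "pc": int(m.group(3), 16), "frames": frames}


def classify_address(addr):
    """Near-null fault addresses mean 'null object, field at offset addr', i.e. a plain null dereference."""
    if addr < NULL_PAGE:
        return f"null-page (likely null pointer + field offset 0x{addr:x})"
    return "non-null address (wild or freed pointer; needs further analysis)"


def blame_frame(frames, skip_suffixes=(".h",)):
    """First frame with debug info that is not an inlined header accessor: where to start reading."""
    for f in frames:
        if f["file"] is not None and not f["file"].endswith(skip_suffixes):
            return f
    return frames[0] if frames else None


def trigger_binding(frames):
    """Heuristic: the first WebCore JS-binding frame names the DOM API the script called."""
    for f in frames:
        if BINDING_RE.match(f["function"]):
            return f
    return None


def _fmt(f):
    where = f"{f['file']}:{f['line']}" if f["file"] else (f["module"] or "?")
    return f"#{f['index']} {f['function']} ({where})"


def triage(text):
    """One-line-per-field summary suitable for a bug comment or a dedup key."""
    report = parse_asan_report(text)
    frames = report["frames"]
    blame, trigger = blame_frame(frames), trigger_binding(frames)
    return {
        "kind": report["kind"],
        "address": hex(report["address"]),
        "address_class": classify_address(report["address"]),
        "crash_frame": _fmt(frames[0]) if frames else None,
        "blame_frame": _fmt(blame) if blame else None,
        "trigger_api": trigger["function"].split("(")[0] if trigger else None,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

The blame-frame rule is the same idea fuzzing dashboards use to skip inlined accessors (`Node::treeScope`, `Node::document` in Node.h) so that the crash is keyed on the first frame of real logic; the trigger frame tells you which DOM entry point to reproduce through without reading the test.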
Comment 1 Radar WebKit Bug Importer 2015-10-15 17:03:38 PDT
<rdar://problem/23137259>
Comment 2 Brent Fulgham 2016-01-08 17:02:26 PST
Our attempts to reproduce this crash on current ToT have failed. I think this was corrected by other changes we've made recently, but I can't identify what those changes are.
Comment 3 Brent Fulgham 2016-01-11 11:26:08 PST
This test case needs to be added to trunk.
Comment 4 Jiewen Tan 2016-01-12 11:47:50 PST
Created attachment 268793 [details]
Patch
Comment 5 Brent Fulgham 2016-01-12 12:14:51 PST
Comment on attachment 268793 [details]
Patch

r=me.
Comment 6 WebKit Commit Bot 2016-01-12 12:17:05 PST
Comment on attachment 268793 [details]
Patch

Clearing flags on attachment: 268793

Committed r194917: <http://trac.webkit.org/changeset/194917>
Comment 7 WebKit Commit Bot 2016-01-12 12:17:08 PST
All reviewed patches have been landed.  Closing bug.