RESOLVED FIXED 155642
SEGV in WebCore::RenderTableCell::setCol
https://bugs.webkit.org/show_bug.cgi?id=155642
Summary SEGV in WebCore::RenderTableCell::setCol
Renata Hodovan
Reported 2016-03-18 09:16:38 PDT
Created attachment 274419 [details]
Test case

Load the attached test with minibrowser:

<!DOCTYPE html>
<table>
<td colspan="53927142"></td>
<th>
<td></td>
</th>
</table>

OS: Mac OS X 10.11.1 (x86_64), x86_64
Checked build: ASAN debug
Checked version: 5e169ea

Backtrace:
1 0x114f8f0d4 WTFCrash
2 0x11de0307c WebCore::RenderTableCell::setCol(unsigned int)
3 0x11dde57ca WebCore::RenderTableSection::addCell(WebCore::RenderTableCell*, WebCore::RenderTableRow*)
4 0x11dde12c8 WebCore::RenderTableRow::addChild(WebCore::RenderObject*, WebCore::RenderObject*)
5 0x11e938c1a WebCore::RenderTreePosition::insert(WebCore::RenderObject&)
6 0x11e92d0b6 WebCore::Style::TreeResolver::createRenderer(WebCore::Element&, WebCore::RenderTreePosition&, WTF::RefPtr<WebCore::RenderStyle>&&)
7 0x11e92e0aa WebCore::Style::TreeResolver::createRenderTreeRecursively(WebCore::Element&, WebCore::RenderStyle&, WebCore::RenderTreePosition&, WTF::RefPtr<WebCore::RenderStyle>&&)
8 0x11e92daaf WebCore::Style::TreeResolver::createRenderTreeForChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::RenderTreePosition&)
9 0x11e92e204 WebCore::Style::TreeResolver::createRenderTreeRecursively(WebCore::Element&, WebCore::RenderStyle&, WebCore::RenderTreePosition&, WTF::RefPtr<WebCore::RenderStyle>&&)
10 0x11e92daaf WebCore::Style::TreeResolver::createRenderTreeForChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::RenderTreePosition&)
11 0x11e92e204 WebCore::Style::TreeResolver::createRenderTreeRecursively(WebCore::Element&, WebCore::RenderStyle&, WebCore::RenderTreePosition&, WTF::RefPtr<WebCore::RenderStyle>&&)
12 0x11e92daaf WebCore::Style::TreeResolver::createRenderTreeForChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::RenderTreePosition&)
13 0x11e92e204 WebCore::Style::TreeResolver::createRenderTreeRecursively(WebCore::Element&, WebCore::RenderStyle&, WebCore::RenderTreePosition&, WTF::RefPtr<WebCore::RenderStyle>&&)
14 0x11e92daaf WebCore::Style::TreeResolver::createRenderTreeForChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::RenderTreePosition&)
15 0x11e92e204 WebCore::Style::TreeResolver::createRenderTreeRecursively(WebCore::Element&, WebCore::RenderStyle&, WebCore::RenderTreePosition&, WTF::RefPtr<WebCore::RenderStyle>&&)
16 0x11e92daaf WebCore::Style::TreeResolver::createRenderTreeForChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::RenderTreePosition&)
17 0x11e92e204 WebCore::Style::TreeResolver::createRenderTreeRecursively(WebCore::Element&, WebCore::RenderStyle&, WebCore::RenderTreePosition&, WTF::RefPtr<WebCore::RenderStyle>&&)
18 0x11e92f7e9 WebCore::Style::TreeResolver::resolveElement(WebCore::Element&)
19 0x11e9319f6 WebCore::Style::TreeResolver::resolveComposedTree()
20 0x11e93220c WebCore::Style::TreeResolver::resolve(WebCore::Style::Change)
21 0x119d97665 WebCore::Document::recalcStyle(WebCore::Style::Change)
22 0x119d8124b WebCore::Document::updateStyleIfNeeded()
23 0x119dbb961 WebCore::Document::finishedParsing()
24 0x11ab76e96 WebCore::HTMLConstructionSite::finishedParsing()
25 0x11aea743c WebCore::HTMLTreeBuilder::finished()
26 0x11abebb8c WebCore::HTMLDocumentParser::end()
27 0x11abe7d9a WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd()
28 0x11abe7a09 WebCore::HTMLDocumentParser::prepareToStopParsing()
29 0x11abebc2e WebCore::HTMLDocumentParser::attemptToEnd()
30 0x11abebc88 WebCore::HTMLDocumentParser::finish()
31 0x119f775e0 WebCore::DocumentWriter::end()

ASAN:SIGSEGV
=================================================================
==82191==ERROR: AddressSanitizer: SEGV on unknown address 0x0000bbadbeef (pc 0x000114f8f10c bp 0x7fff53d407f0 sp 0x7fff53d407e0 T0)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 WTFCrash
==82191==ABORTING
#CRASHED - com.apple.WebKit.WebContent.Development (pid 82191)
LEAK: 1 WebProcessPool
LEAK: 1 WebPageProxy
Attachments
Test case (102 bytes, text/html)
2016-03-18 09:16 PDT, Renata Hodovan
no flags
Patch (3.31 KB, patch)
2016-03-21 15:27 PDT, zalan
no flags
Alexey Proskuryakov
Comment 1 2016-03-19 13:47:59 PDT
This is pretty weird:

inline void RenderTableCell::setCol(unsigned column)
{
    if (UNLIKELY(column > maxColumnIndex))
        CRASH();
    m_column = column;
}
zalan
Comment 2 2016-03-19 13:49:42 PDT
(In reply to comment #1)
> This is pretty weird:
>
> inline void RenderTableCell::setCol(unsigned column)
> {
>     if (UNLIKELY(column > maxColumnIndex))
>         CRASH();
>     m_column = column;
> }

Indeed, it is. I am going to find a better way to address the bitfield overflow issue. See this for more info: bug 71135
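As an added illustration of the bitfield overflow the two comments above discuss (this is example code, not WebKit's own code or the landed patch): a column index packed into a narrow bitfield silently truncates out-of-range values, which is what the CRASH() guard in setCol() prevents, and clamping the DOM colspan before any column arithmetic keeps the index in range without aborting. The 29-bit width, the maxColumnIndex value and the helper names are assumptions for this example.

```cpp
// Example code, not WebKit's: why a narrow bitfield column index needs a guard,
// and what clamping an untrusted colspan at the DOM boundary looks like.
#include <cstdint>

namespace colspan_example {

constexpr unsigned kColumnBits = 29;                            // assumed width
constexpr unsigned kUnsetColumnIndex = (1u << kColumnBits) - 1; // 0x1FFFFFFF (assumed)
constexpr unsigned kMaxColumnIndex = kUnsetColumnIndex - 1;     // 0x1FFFFFFE (assumed)

struct Cell {
    unsigned column : kColumnBits;
};

// Unchecked store: the value is truncated to 29 bits, so the cell ends up
// pointing at a column unrelated to where it was inserted.
unsigned storeUnchecked(unsigned column) {
    Cell cell{};
    cell.column = column;   // bits above kColumnBits are dropped silently
    return cell.column;
}

// Guarded store with the shape of the CRASH() check: the caller learns the
// index is out of range instead of the bitfield lying about it. WebKit aborts
// at this point; the example reports so the behaviour can be tested.
bool setColChecked(Cell& cell, unsigned column) {
    if (column > kMaxColumnIndex)
        return false;
    cell.column = column;
    return true;
}

// Clamp an attacker-controlled colspan at the DOM boundary: at least 1 and
// never larger than the widest index the renderer can represent.
unsigned clampColSpan(unsigned long long parsed) {
    if (parsed < 1)
        return 1;
    if (parsed > kMaxColumnIndex)
        return kMaxColumnIndex;
    return static_cast<unsigned>(parsed);
}

// Column arithmetic that cannot run past the bitfield: returns false when a
// cell spanning `span` columns from `start` would exceed kMaxColumnIndex.
bool advanceColumn(unsigned start, unsigned span, unsigned& next) {
    unsigned long long end = static_cast<unsigned long long>(start) + span;
    if (end > kMaxColumnIndex)
        return false;
    next = static_cast<unsigned>(end);
    return true;
}

} // namespace colspan_example
```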
zalan
Comment 3 2016-03-21 14:47:13 PDT
zalan
Comment 4 2016-03-21 15:27:14 PDT
WebKit Commit Bot
Comment 5 2016-03-21 16:30:00 PDT
Comment on attachment 274626 [details]
Patch

Clearing flags on attachment: 274626

Committed r198506: <http://trac.webkit.org/changeset/198506>
WebKit Commit Bot
Comment 6 2016-03-21 16:30:05 PDT
All reviewed patches have been landed. Closing bug.