Bug 156715 - Crash in ElementDescendantIterator::operator--() when calling m_ancestorSiblingStack.last()
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Chris Dumez
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2016-04-18 13:43 PDT by Chris Dumez
Modified: 2016-04-18 15:36 PDT
CC List: 6 users

See Also:

Attachments
Patch (4.75 KB, patch)
2016-04-18 14:32 PDT, Chris Dumez
Description Chris Dumez 2016-04-18 13:43:03 PDT
Crash in ElementDescendantIterator::operator--() when calling m_ancestorSiblingStack.last():
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x000000010f369b57 WTFCrash + 39 (Assertions.cpp:322)
1   com.apple.WebCore             	0x000000011158a7d9 WTF::CrashOnOverflow::crash() + 9
2   com.apple.WebCore             	0x000000011158a7c9 WTF::CrashOnOverflow::overflowed() + 9
3   com.apple.WebCore             	0x00000001115a6f9b WTF::Vector<WebCore::Element*, 16ul, WTF::CrashOnOverflow, 16ul>::at(unsigned long) + 75 (Vector.h:660)
4   com.apple.WebCore             	0x00000001115a6e1b WTF::Vector<WebCore::Element*, 16ul, WTF::CrashOnOverflow, 16ul>::last() + 43 (Vector.h:700)
5   com.apple.WebCore             	0x00000001115a68c4 WebCore::ElementDescendantIterator::operator--() + 244 (ElementDescendantIterator.h:174)
6   com.apple.WebCore             	0x000000011391a674 void WebCore::CollectionTraversal<(WebCore::CollectionTraversalType)0>::traverseBackward<WebCore::HTMLTagCollection>(WebCore::HTMLTagCollection const&, WebCore::ElementDescendantIterator&, unsigned int) + 148 (CollectionTraversal.h:108)
7   com.apple.WebCore             	0x000000011391a45b WebCore::CachedHTMLCollection<WebCore::HTMLTagCollection, (WebCore::CollectionTraversalType)0>::collectionTraverseBackward(WebCore::ElementDescendantIterator&, unsigned int) const + 43 (CachedHTMLCollection.h:53)
8   com.apple.WebCore             	0x000000011391a30a WebCore::CollectionIndexCache<WebCore::HTMLTagCollection, WebCore::ElementDescendantIterator>::traverseBackwardTo(WebCore::HTMLTagCollection const&, unsigned int) + 586 (CollectionIndexCache.h:125)
9   com.apple.WebCore             	0x00000001139197fe WebCore::CollectionIndexCache<WebCore::HTMLTagCollection, WebCore::ElementDescendantIterator>::nodeAt(WebCore::HTMLTagCollection const&, unsigned int) + 302 (CollectionIndexCache.h:181)
10  com.apple.WebCore             	0x0000000113916654 WebCore::CachedHTMLCollection<WebCore::HTMLTagCollection, (WebCore::CollectionTraversalType)0>::item(unsigned int) const + 52 (CachedHTMLCollection.h:43)
11  com.apple.WebCore             	0x0000000112814009 WebCore::jsHTMLCollectionPrototypeFunctionItem(JSC::ExecState*) + 537 (JSHTMLCollection.cpp:239)
12  ???                           	0x0000304244001028 0 + 53061166829608
Comment 1 Chris Dumez 2016-04-18 13:43:29 PDT
rdar://problem/25750864
Comment 2 Chris Dumez 2016-04-18 14:32:49 PDT
Created attachment 276671
Patch
Comment 3 WebKit Commit Bot 2016-04-18 15:36:03 PDT
Comment on attachment 276671
Patch

Clearing flags on attachment: 276671

Committed r199693: <http://trac.webkit.org/changeset/199693>
Comment 4 WebKit Commit Bot 2016-04-18 15:36:09 PDT
All reviewed patches have been landed.  Closing bug.