Bug 156804 - Potential overflow in RenderLayer::hitTestList()
Summary: Potential overflow in RenderLayer::hitTestList()
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Chris Dumez
Reported: 2016-04-20 12:02 PDT by Chris Dumez
Modified: 2016-04-20 12:56 PDT

Attachments
Patch (1.60 KB, patch)
2016-04-20 12:05 PDT, Chris Dumez
Description Chris Dumez 2016-04-20 12:02:35 PDT
Potential overflow in RenderLayer::hitTestList():
 1 com.apple.JavaScriptCore       0x7fff8d8dd7ce WTFCrash + 0x3e
   2 com.apple.WebCore              0x7fff9772ccc9 WTF::CrashOnOverflow::crash() + 0x9
   3 com.apple.WebCore              0x7fff9772ccb9 WTF::CrashOnOverflow::overflowed() + 0x9
>  4 com.apple.WebCore              0x7fff9804d8ee WebCore::RenderLayer::hitTestList(WTF::Vector<WebCore::RenderLayer*, 0ul, WTF::CrashOnOverflow, 16ul>*, WebCore::RenderLayer*, WebCore::HitTestRequest const&, WebCore::HitTestResult&, WebCore::LayoutRect const&, WebCore::HitTestLocation const&, WebCore::HitTestingTransformState const*, double*, double*, WebCore::HitTestingTransformState const*, bool) + 0x1ae
   5 com.apple.WebCore              0x7fff9758ae95 WebCore::RenderLayer::hitTestLayer(WebCore::RenderLayer*, WebCore::RenderLayer*, WebCore::HitTestRequest const&, WebCore::HitTestResult&, WebCore::LayoutRect const&, WebCore::HitTestLocation const&, bool, WebCore::HitTestingTransformState const*, double*) + 0x565
   6 com.apple.WebCore              0x7fff9804d85f WebCore::RenderLayer::hitTestList(WTF::Vector<WebCore::RenderLayer*, 0ul, WTF::CrashOnOverflow, 16ul>*, WebCore::RenderLayer*, WebCore::HitTestRequest const&, WebCore::HitTestResult&, WebCore::LayoutRect const&, WebCore::HitTestLocation const&, WebCore::HitTestingTransformState const*, double*, double*, WebCore::HitTestingTransformState const*, bool) + 0x11f
   7 com.apple.WebCore              0x7fff9758ae04 WebCore::RenderLayer::hitTestLayer(WebCore::RenderLayer*, WebCore::RenderLayer*, WebCore::HitTestRequest const&, WebCore::HitTestResult&, WebCore::LayoutRect const&, WebCore::HitTestLocation const&, bool, WebCore::HitTestingTransformState const*, double*) + 0x4d4
   8 com.apple.WebCore              0x7fff9758a8a0 WebCore::RenderLayer::hitTest(WebCore::HitTestRequest const&, WebCore::HitTestLocation const&, WebCore::HitTestResult&) + 0x250
   9 com.apple.WebCore              0x7fff97634a8e WebCore::RenderView::hitTest(WebCore::HitTestRequest const&, WebCore::HitTestLocation const&, WebCore::HitTestResult&) + 0x6e
  10 com.apple.WebCore              0x7fff9758a45f WebCore::EventHandler::hitTestResultAtPoint(WebCore::LayoutPoint const&, unsigned int, WebCore::LayoutSize const&) + 0xcf
  11 com.apple.WebKit               0x7fff8f250c34 WebKit::WebFrame::hitTest(WebCore::IntPoint) const + 0xc2
  12 com.apple.WebKit               0x7fff8f250b3d WKBundleFrameCreateHitTestResult + 0x35
  13 com.apple.Safari.framework     0x7fff966d3bc5 Safari::WK::BundleFrame::hitTest(CGPoint) const + 0x1f
  14 com.apple.Safari.framework     0x7fff965b2e09 Safari::ArticleFinderJSController::nodeAtPoint(double, double) const + 0x23
  15 com.apple.JavaScriptCore       0x7fff8dbda39b long long JSC::APICallbackFunction::call<JSC::JSCallbackFunction>(JSC::ExecState*) + 0x23b
  16 com.apple.JavaScriptCore       0x7fff8d77fda0 JSC::LLInt::setUpCall(JSC::ExecState*, JSC::Instruction*, JSC::CodeSpecializationKind, JSC::JSValue, JSC::LLIntCallLinkInfo*) + 0x210
Comment 1 Chris Dumez 2016-04-20 12:02:54 PDT
rdar://problem/23249479
Comment 2 Chris Dumez 2016-04-20 12:05:17 PDT
Created attachment 276841 [details]
Patch
Comment 3 Simon Fraser (smfr) 2016-04-20 12:07:51 PDT
Comment on attachment 276841 [details]
Patch

This is a good change but I don't think it fixes the underlying cause of the bug.
Comment 4 Chris Dumez 2016-04-20 12:12:11 PDT
(In reply to comment #3)
> Comment on attachment 276841 [details]
> Patch
> 
> This is a good change but I don't think it fixes the underlying cause of the
> bug.

Similar fix at https://bugs.webkit.org/show_bug.cgi?id=156796 where there were also overflow crashes.
Comment 5 WebKit Commit Bot 2016-04-20 12:56:52 PDT
Comment on attachment 276841 [details]
Patch

Clearing flags on attachment: 276841

Committed r199781: <http://trac.webkit.org/changeset/199781>
Comment 6 WebKit Commit Bot 2016-04-20 12:56:57 PDT
All reviewed patches have been landed.  Closing bug.