192347 – Crash in HTMLCollection::updateNamedElementCache

Bug 192347 - Crash in HTMLCollection::updateNamedElementCache

Summary: Crash in HTMLCollection::updateNamedElementCache

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	DOM (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Ryosuke Niwa

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2018-12-03 19:43 PST by Ryosuke Niwa
Modified:	2018-12-04 16:31 PST (History)
CC List:	8 users (show)

See Also:	143203

Attachments
Fixes the bug (4.41 KB, patch) 2018-12-03 19:50 PST, Ryosuke Niwa	darin: review+	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Ryosuke Niwa 2018-12-03 19:43:03 PST

e.g.
0   com.apple.WebCore             	0x00007fff56800e90 WebCore::HTMLCollection::updateNamedElementCache() const + 192
1   com.apple.WebCore             	0x00007fff56800b76 WebCore::HTMLCollection::namedItemSlow(WTF::AtomicString const&) const + 22
2   com.apple.WebCore             	0x00007fff55fe674e WebCore::CachedHTMLCollection<WebCore::HTMLOptionsCollection, (WebCore::CollectionTraversalType)0>::namedItem(WTF::AtomicString const&) const + 590
3   com.apple.WebCore             	0x00007fff55fde376 WebCore::JSHTMLOptionsCollection::getOwnPropertySlot(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) + 502
4   com.apple.JavaScriptCore      	0x00007fff4b979360 llint_slow_path_get_by_id + 2256
5   com.apple.JavaScriptCore      	0x00007fff4b983d56 llint_entry + 12436
6   com.apple.JavaScriptCore      	0x00007fff4b987ef7 llint_entry + 29237
7   com.apple.JavaScriptCore      	0x00007fff4b980ada vmEntryToJavaScript + 304
8   com.apple.JavaScriptCore      	0x00007fff4bfdf063 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 147
9   com.apple.JavaScriptCore      	0x00007fff4b7f6ea4 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 548

<rdar://problem/38054346>

Comment 1 Ryosuke Niwa 2018-12-03 19:50:47 PST

Created attachment 356451 [details]
Fixes the bug

Comment 2 Ryosuke Niwa 2018-12-04 16:30:25 PST

Committed r238880: <https://trac.webkit.org/changeset/238880>

Comment 3 Radar WebKit Bug Importer 2018-12-04 16:31:30 PST

<rdar://problem/46470500>