Bug 192392 - Null pointer crash in DocumentOrderedMap::getElementById via FormAssociatedElement::findAssociatedForm
Summary: Null pointer crash in DocumentOrderedMap::getElementById via FormAssociatedEl...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Ryosuke Niwa
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2018-12-04 20:29 PST by Ryosuke Niwa
Modified: 2018-12-05 15:06 PST
CC List: 11 users

See Also:


Attachments
Fixes the bug (4.53 KB, patch)
2018-12-04 21:01 PST, Ryosuke Niwa
dino: review+
Archive of layout-test-results from ews103 for mac-sierra (2.46 MB, application/zip)
2018-12-04 21:40 PST, EWS Watchlist

Description Ryosuke Niwa 2018-12-04 20:29:15 PST
e.g.
#0 0x113e06e0c in WTF::RefPtr<WTF::StringImpl, WTF::DumbPtrTraits<WTF::StringImpl> >::get() const (WebCore:x86_64+0x16e0c)
#1 0x11602e168 in WebCore::DocumentOrderedMap::getElementById(WTF::AtomicStringImpl const&, WebCore::TreeScope const&) const::$_7::operator()(WTF::AtomicStringImpl const&, WebCore::Element const&) const (WebCore:x86_64+0x223e168)
#2 0x115fd0e4d in WebCore::Element* WebCore::DocumentOrderedMap::get<WebCore::DocumentOrderedMap::getElementById(WTF::AtomicStringImpl const&, WebCore::TreeScope const&) const::$_7>(WTF::AtomicStringImpl const&, WebCore::TreeScope const&, WebCore::DocumentOrderedMap::getElementById(WTF::AtomicStringImpl const&, WebCore::TreeScope const&) const::$_7 const&) const (WebCore:x86_64+0x21e0e4d)
#3 0x1162f4228 in WebCore::FormAssociatedElement::findAssociatedForm(WebCore::HTMLElement const*, WebCore::HTMLFormElement*) (WebCore:x86_64+0x2504228)
#4 0x1162f4d91 in WebCore::FormAssociatedElement::resetFormOwner() (WebCore:x86_64+0x2504d91)
#5 0x1160776b9 in WebCore::IdTargetObserverRegistry::notifyObserversInternal(WTF::AtomicStringImpl const&) (WebCore:x86_64+0x22876b9)
#6 0x11603a819 in WebCore::Element::attributeChanged(WebCore::QualifiedName const&, WTF::AtomicString const&, WTF::AtomicString const&, WebCore::Element::AttributeModificationReason) (WebCore:x86_64+0x224a819)
#7 0x1160417cd in WebCore::Element::didRemoveAttribute(WebCore::QualifiedName const&, WTF::AtomicString const&) (WebCore:x86_64+0x22517cd)
#8 0x116031759 in WebCore::Element::removeAttributeInternal(unsigned int, WebCore::Element::SynchronizationOfLazyAttribute) (WebCore:x86_64+0x2241759)
#9 0x116041e24 in WebCore::Element::removeAttribute(WTF::AtomicString const&) (WebCore:x86_64+0x2251e24)
#10 0x1146c29dd in WebCore::jsElementPrototypeFunctionRemoveAttributeBody(JSC::ExecState*, WebCore::JSElement*, JSC::ThrowScope&) (WebCore:x86_64+0x8d29dd)
#11 0x1146ab257 in long long WebCore::IDLOperation<WebCore::JSElement>::call<&(WebCore::jsElementPrototypeFunctionRemoveAttributeBody(JSC::ExecState*, WebCore::JSElement*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*) (WebCore:x86_64+0x8bb257)

<rdar://problem/38030356>
Comment 1 Ryosuke Niwa 2018-12-04 21:01:01 PST
Created attachment 356577
Fixes the bug
Comment 2 EWS Watchlist 2018-12-04 21:40:30 PST
Comment on attachment 356577
Fixes the bug

Attachment 356577 did not pass mac-ews (mac):
Output: https://webkit-queues.webkit.org/results/10273976

New failing tests:
http/tests/misc/resource-timing-resolution.html
Comment 3 EWS Watchlist 2018-12-04 21:40:31 PST
Created attachment 356580
Archive of layout-test-results from ews103 for mac-sierra

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews103  Port: mac-sierra  Platform: Mac OS X 10.12.6
Comment 4 Ryosuke Niwa 2018-12-04 21:55:04 PST
Comment on attachment 356580
Archive of layout-test-results from ews103 for mac-sierra

I don't believe this test failure is related to my patch.
Comment 5 Ryosuke Niwa 2018-12-05 15:06:51 PST
Committed r238912: <https://trac.webkit.org/changeset/238912>