I'm seeing these layout tests fast/dom/HTMLDocument/activeElement.html -> crashed fast/dom/HTMLDocument/hasFocus.html -> crashed fast/events/5056619.html -> crashed fast/events/autoscroll-in-textfield.html -> crashed fast/events/autoscroll-with-non-scrollable-parent.html -> crashed (maybe others) crash here: Exception Type: EXC_BAD_ACCESS (SIGBUS) Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000000 Crashed Thread: 0 Thread 0 Crashed: 0 com.apple.WebCore 0x033f4248 WebCore::EventTargetNode::dispatchGenericEvent(WTF::PassRefPtr<WebCore::Event>, int&, bool) + 568 (EventTargetNode.cpp:238) 1 com.apple.WebCore 0x033f4a3f WebCore::EventTargetNode::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, int&, bool) + 339 (EventTargetNode.cpp:197) 2 com.apple.WebCore 0x0344d9dc WebCore::FrameView::scheduleEvent(WTF::PassRefPtr<WebCore::Event>, WTF::PassRefPtr<WebCore::EventTargetNode>, bool) + 108 (FrameView.cpp:929) 3 com.apple.WebCore 0x036f43df WebCore::RenderLayer::scrollToOffset(int, int, bool, bool) + 703 (RenderLayer.cpp:839) 4 com.apple.WebCore 0x03742eb6 WebCore::RenderTextControl::forwardEvent(WebCore::Event*) + 224 (RenderTextControl.cpp:874) 5 com.apple.WebCore 0x034966e5 WebCore::HTMLInputElement::defaultEventHandler(WebCore::Event*) + 4197 (HTMLInputElement.cpp:1402) 6 com.apple.WebCore 0x033f47ec WebCore::EventTargetNode::dispatchGenericEvent(WTF::PassRefPtr<WebCore::Event>, int&, bool) + 2012 (EventTargetNode.cpp:311) 7 com.apple.WebCore 0x033f4a3f WebCore::EventTargetNode::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, int&, bool) + 339 (EventTargetNode.cpp:197) 8 com.apple.WebCore 0x033f610c WebCore::EventTargetNode::dispatchEventForType(WebCore::AtomicString const&, bool, bool) + 174 (EventTargetNode.cpp:585) 9 com.apple.WebCore 0x033f6158 WebCore::EventTargetNode::dispatchBlurEvent() + 52 (EventTargetNode.cpp:579) 10 com.apple.WebCore 0x03490af9 WebCore::HTMLInputElement::dispatchBlurEvent() + 159 (HTMLInputElement.cpp:262) 11 com.apple.WebCore 0x0339287e WebCore::Document::setFocusedNode(WTF::PassRefPtr<WebCore::Node>) + 640 (Document.cpp:2428) 12 com.apple.WebCore 0x034038e8 WebCore::FocusController::setFocusedNode(WebCore::Node*, WTF::PassRefPtr<WebCore::Frame>) + 696 (FocusController.cpp:280) 13 com.apple.WebCore 0x033e0f7b WebCore::Element::focus(bool) + 179 (Element.cpp:1156) 14 com.apple.WebCore 0x035804f1 WebCore::jsHTMLElementPrototypeFunctionFocus(JSC::ExecState*, JSC::JSObject*, JSC::JSValue*, JSC::ArgList const&) + 113 (JSHTMLElement.cpp:309) 15 com.apple.JavaScriptCore 0x004bab84 JSC::Machine::cti_op_call_NotJSFunction(void*) + 390 (Machine.cpp:4504) 16 ??? 0x06966340 0 + 110519104 17 com.apple.JavaScriptCore 0x004b913b JSC::Machine::execute(JSC::FunctionBodyNode*, JSC::ExecState*, JSC::JSFunction*, JSC::JSObject*, JSC::ArgList const&, JSC::ScopeChainNode*, JSC::JSValue**) + 697 (Machine.cpp:975) 18 com.apple.JavaScriptCore 0x0040ee23 JSC::JSFunction::call(JSC::ExecState*, JSC::JSValue*, JSC::ArgList const&) + 139 (JSFunction.cpp:71) 19 com.apple.JavaScriptCore 0x0040eebf JSC::call(JSC::ExecState*, JSC::JSValue*, JSC::CallType, JSC::CallData const&, JSC::JSValue*, JSC::ArgList const&) + 149 (CallData.cpp:39) 20 com.apple.WebCore 0x038c3fd4 WebCore::JSAbstractEventListener::handleEvent(WebCore::Event*, bool) + 664 (JSEventListener.cpp:97) 21 com.apple.WebCore 0x0338e859 WebCore::Document::handleWindowEvent(WebCore::Event*, bool) + 281 (Document.cpp:2688) 22 com.apple.WebCore 0x033f37cf WebCore::EventTargetNode::dispatchWindowEvent(WTF::PassRefPtr<WebCore::Event>) + 265 (EventTargetNode.cpp:350) 23 com.apple.WebCore 0x033f6240 WebCore::EventTargetNode::dispatchWindowEvent(WebCore::AtomicString const&, bool, bool) + 168 (EventTargetNode.cpp:357) 24 com.apple.WebCore 0x033951d3 WebCore::Document::implicitClose() + 717 (Document.cpp:1557) 25 com.apple.WebCore 0x034326d2 WebCore::FrameLoader::checkCallImplicitClose() + 226 (FrameLoader.cpp:1351) 26 com.apple.WebCore 0x0343ee84 WebCore::FrameLoader::checkCompleted() + 268 (FrameLoader.cpp:1306) 27 com.apple.WebCore 0x0343e78a WebCore::FrameLoader::completed() + 156 (FrameLoader.cpp:2032) 28 com.apple.WebCore 0x0343eee2 WebCore::FrameLoader::checkCompleted() + 362 (FrameLoader.cpp:1310) 29 com.apple.WebCore 0x034418ff WebCore::FrameLoader::finishedParsing() + 87 (FrameLoader.cpp:1254) 30 com.apple.WebCore 0x03391e58 WebCore::Document::finishedParsing() + 174 (Document.cpp:3813) 31 com.apple.WebCore 0x034bacbf WebCore::HTMLParser::finished() + 205 (HTMLParser.cpp:1556) 32 com.apple.WebCore 0x034d1b7b WebCore::HTMLTokenizer::end() + 301 (HTMLTokenizer.cpp:1849) 33 com.apple.WebCore 0x034d1f35 WebCore::HTMLTokenizer::finish() + 929 (HTMLTokenizer.cpp:1890) 34 com.apple.WebCore 0x0338bb30 WebCore::Document::finishParsing() + 40 (Document.cpp:1700) 35 com.apple.WebCore 0x0343f073 WebCore::FrameLoader::endIfNotLoadingMainResource() + 153 (FrameLoader.cpp:1075) 36 com.apple.WebCore 0x0343f0a9 WebCore::FrameLoader::end() + 27 (FrameLoader.cpp:1060) 37 com.apple.WebCore 0x033bd60c WebCore::DocumentLoader::finishedLoading() + 76 (DocumentLoader.cpp:345) 38 com.apple.WebCore 0x03439fda WebCore::FrameLoader::finishedLoading() + 72 (FrameLoader.cpp:2962) 39 com.apple.WebCore 0x03655bd1 WebCore::MainResourceLoader::didFinishLoading() + 207 (MainResourceLoader.cpp:321) 40 com.apple.WebCore 0x0376e832 WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle*) + 24 (ResourceLoader.cpp:399) 41 com.apple.WebCore 0x0376be10 -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] + 160 (ResourceHandleMac.mm:530) 42 com.apple.Foundation 0x9026e3f7 -[NSURLConnection(NSURLConnectionReallyInternal) sendDidFinishLoading] + 87 43 com.apple.Foundation 0x9026e363 _NSURLConnectionDidFinishLoading + 147 44 com.apple.CFNetwork 0x9565fcef sendDidFinishLoadingCallback + 148 45 com.apple.CFNetwork 0x9565cdd6 _CFURLConnectionSendCallbacks + 2022 46 com.apple.CFNetwork 0x9565c573 muxerSourcePerform + 283 47 com.apple.CoreFoundation 0x9496b615 CFRunLoopRunSpecific + 3141 48 com.apple.CoreFoundation 0x9496bcf8 CFRunLoopRunInMode + 88 49 com.apple.Foundation 0x9023d4a5 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 213 50 DumpRenderTree 0x00005e8c runTest(char const*) + 928 51 DumpRenderTree 0x00006227 runTestingServerLoop() + 73 52 DumpRenderTree 0x00006344 dumpRenderTree(int, char const**) + 240 53 DumpRenderTree 0x000064fc main + 94 (DumpRenderTree.mm:538) 54 DumpRenderTree 0x00002822 start + 54
Created attachment 23737 [details] Fix crashes Oops, my fault. Off-by-one while moving around EventTarget code.
Comment on attachment 23737 [details] Fix crashes Looks fine.
Landed in r36838.