Bug 55062 - Crash beneath EditingDelegate::checkSpellingOfString when running fast/forms/input-text-maxlength.html or fast/forms/input-text-paste-maxlength.html on Windows with full page heap enabled
Summary: Crash beneath EditingDelegate::checkSpellingOfString when running fast/forms/...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Tools / Tests (show other bugs)
Version: 528+ (Nightly build)
Hardware: PC Windows XP
: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar, LayoutTestFailure, PlatformOnly
Depends on:
Blocks:
 
Reported: 2011-02-23 11:01 PST by Adam Roben (:aroben)
Modified: 2011-02-27 14:13 PST (History)
1 user (show)

See Also:


Attachments
Use iswalpha instead of isalpha when dealing with wchar_ts in EditingDelegate (1.95 KB, patch)
2011-02-27 13:48 PST, Adam Roben (:aroben)
andersca: review+
Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Adam Roben (:aroben) 2011-02-23 11:01:36 PST
To reproduce:

1. gflags /p /enable dumprendertree.exe /full
2. run-webkit-tests fast/forms/input-text-maxlength.html

You'll crash inside isalpha beneath EditingDelegate::checkSpellingOfString. Looks like we're passing a non-ASCII character to isalpha, which isn't allowed. Here's the backtrace:


 	msvcr80.dll!_isalpha_l(int c=773, localeinfo_struct * plocinfo=0x00000000)  Line 60 + 0x2b bytes	C++
 	msvcr80.dll!isalpha(int c=773)  Line 73 + 0xb bytes	C++
 	DumpRenderTree.exe!wordLength(const wchar_t * text=0x0012dd5c)  Line 368 + 0x19 bytes	C++
>	DumpRenderTree.exe!EditingDelegate::checkSpellingOfString(IWebView * view=0x08af6ee8, const wchar_t * text=0x1f712fec, int length=7, int * misspellingLocation=0x0012de0c, int * misspellingLength=0x0012de00)  Line 414 + 0x1e bytes	C++
 	WebKit.dll!WebEditorClient::checkSpellingOfString(const wchar_t * text=0x1f712fec, int length=7, int * misspellingLocation=0x0012de0c, int * misspellingLength=0x0012de00)  Line 666 + 0x32 bytes	C++
 	WebKit.dll!WebCore::TextCheckingHelper::findFirstMisspelling(int & firstMisspellingOffset=0, bool markAll=true, WTF::RefPtr<WebCore::Range> & firstMisspellingRange=0x00000000 {m_ownerDocument={...} m_start={...} m_end={...} })  Line 183 + 0x54 bytes	C++
 	WebKit.dll!WebCore::TextCheckingHelper::markAllMisspellings(WTF::RefPtr<WebCore::Range> & firstMisspellingRange=0x00000000 {m_ownerDocument={...} m_start={...} m_end={...} })  Line 590 + 0x16 bytes	C++
 	WebKit.dll!WebCore::Editor::markMisspellingsOrBadGrammar(const WebCore::VisibleSelection & selection={...}, bool checkSpelling=true, WTF::RefPtr<WebCore::Range> & firstMisspellingRange=0x00000000 {m_ownerDocument={...} m_start={...} m_end={...} })  Line 2199	C++
 	WebKit.dll!WebCore::Editor::markMisspellings(const WebCore::VisibleSelection & selection={...}, WTF::RefPtr<WebCore::Range> & firstMisspellingRange=0x00000000 {m_ownerDocument={...} m_start={...} m_end={...} })  Line 2227	C++
 	WebKit.dll!WebCore::Editor::markMisspellingsAndBadGrammar(const WebCore::VisibleSelection & spellingSelection={...}, bool markGrammar=false, const WebCore::VisibleSelection & grammarSelection={...})  Line 2514	C++
 	WebKit.dll!WebCore::Editor::respondToChangedSelection(const WebCore::VisibleSelection & oldSelection={...}, unsigned int options=3)  Line 3537	C++
 	WebKit.dll!WebCore::SelectionController::setSelection(const WebCore::VisibleSelection & s={...}, unsigned int options=3, WebCore::SelectionController::CursorAlignOnScroll align=AlignCursorOnScrollIfNeeded, WebCore::TextGranularity granularity=CharacterGranularity, WebCore::DirectionalityPolicy directionalityPolicy=MakeDirectionalSelection)  Line 191	C++
 	WebKit.dll!WebCore::SelectionController::clear()  Line 955 + 0x19 bytes	C++
 	WebKit.dll!WebCore::clearSelectionIfNeeded(WebCore::Frame * oldFocusedFrame=0x08d268a8, WebCore::Frame * newFocusedFrame=0x08d268a8, WebCore::Node * newFocusedNode=0x214e2f78)  Line 347	C++
 	WebKit.dll!WebCore::FocusController::setFocusedNode(WebCore::Node * node=0x214e2f78, WTF::PassRefPtr<WebCore::Frame> newFocusedFrame={...})  Line 364 + 0x1b bytes	C++
 	WebKit.dll!WebCore::Element::focus(bool restorePreviousSelection=true)  Line 1508 + 0x24 bytes	C++
 	WebKit.dll!WebCore::jsElementPrototypeFunctionFocus(JSC::ExecState * exec=0x131e0198)  Line 1755 + 0x14 bytes	C++
 	0ff737ce()	
 	JavaScriptCore.dll!cti_vm_lazyLinkCall()  Line 2031 + 0x1c bytes	C++
 	JavaScriptCore.dll!JSC::Interpreter::execute(JSC::EvalExecutable * eval=0x22b7efa8, JSC::ExecState * callFrame=0x131e0088, JSC::JSObject * thisObj=0x13601020, int globalRegisterOffset=32, JSC::ScopeChainNode * scopeChain=0x22b74fe8)  Line 1153 + 0x2b bytes	C++
 	JavaScriptCore.dll!JSC::Interpreter::callEval(JSC::ExecState * callFrame=0x131e0088, JSC::RegisterFile * registerFile=0x11b31fcc, JSC::Register * argv=0x131e00c0, int argc=2, int registerOffset=15)  Line 418 + 0x71 bytes	C++
 	JavaScriptCore.dll!cti_op_call_eval(void * * args=0x0012e820)  Line 3125	C++
 	JavaScriptCore.dll!@cti_op_create_this@4()  + 0x1cf bytes	C++
 	JavaScriptCore.dll!JSC::JITCode::execute(JSC::RegisterFile * registerFile=0x11b31fcc, JSC::ExecState * callFrame=0x131e0038, JSC::JSGlobalData * globalData=0x127b0e78)  Line 77 + 0x22 bytes	C++
 	JavaScriptCore.dll!JSC::Interpreter::execute(JSC::ProgramExecutable * program=0x1f8e1fa8, JSC::ExecState * callFrame=0x1b8c6e78, JSC::ScopeChainNode * scopeChain=0x1b91cfe8, JSC::JSObject * thisObj=0x13601020)  Line 780 + 0x25 bytes	C++
 	JavaScriptCore.dll!JSC::evaluate(JSC::ExecState * exec=0x1b8c6e78, JSC::ScopeChain & scopeChain={...}, const JSC::SourceCode & source={...}, JSC::JSValue thisValue={...})  Line 64	C++
 	WebKit.dll!WebCore::JSMainThreadExecState::evaluate(JSC::ExecState * exec=0x1b8c6e78, JSC::ScopeChain & chain={...}, const JSC::SourceCode & source={...}, JSC::JSValue thisValue={...})  Line 54 + 0x1d bytes	C++
 	WebKit.dll!WebCore::ScriptController::evaluateInWorld(const WebCore::ScriptSourceCode & sourceCode={...}, WebCore::DOMWrapperWorld * world=0x11b7cf20)  Line 142 + 0x2f bytes	C++
 	WebKit.dll!WebCore::ScriptController::evaluate(const WebCore::ScriptSourceCode & sourceCode={...})  Line 165 + 0x16 bytes	C++
 	WebKit.dll!WebCore::ScriptElement::executeScript(const WebCore::ScriptSourceCode & sourceCode={...})  Line 256 + 0x17 bytes	C++
 	WebKit.dll!WebCore::ScriptElement::prepareScript(const WTF::TextPosition<WTF::OneBasedNumber> & scriptStartPosition={...}, WebCore::ScriptElement::LegacyTypeSupport supportLegacyTypes=DisallowLegacyTypeInTypeAttribute)  Line 213 + 0x35 bytes	C++
 	WebKit.dll!WebCore::HTMLScriptRunner::runScript(WebCore::Element * script=0x1f1bafa0, const WTF::TextPosition<WTF::OneBasedNumber> & scriptStartPosition={...})  Line 291	C++
 	WebKit.dll!WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element> scriptElement={...}, const WTF::TextPosition<WTF::OneBasedNumber> & scriptStartPosition={...})  Line 175	C++
 	WebKit.dll!WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder()  Line 200 + 0x23 bytes	C++
 	WebKit.dll!WebCore::HTMLDocumentParser::canTakeNextToken(WebCore::HTMLDocumentParser::SynchronousMode mode=AllowYield, WebCore::PumpSession & session={...})  Line 211 + 0x8 bytes	C++
 	WebKit.dll!WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode mode=AllowYield)  Line 249 + 0x10 bytes	C++
 	WebKit.dll!WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode mode=AllowYield)  Line 171	C++
 	WebKit.dll!WebCore::HTMLDocumentParser::append(const WebCore::SegmentedString & source={...})  Line 338	C++
 	WebKit.dll!WebCore::DecodedDataDocumentParser::appendBytes(WebCore::DocumentWriter * writer=0x175929c4, const char * data=0x1c2800b0, int length=3909, bool shouldFlush=false)  Line 54 + 0x1f bytes	C++
 	WebKit.dll!WebCore::DocumentWriter::addData(const char * str=0x1c2800b0, int len=3909, bool flush=false)  Line 201 + 0x1f bytes	C++
 	WebKit.dll!WebCore::DocumentLoader::commitData(const char * bytes=0x1c2800b0, int length=3909)  Line 317	C++
 	WebKit.dll!WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader * loader=0x17592908, const char * data=0x1c2800b0, int length=3909)  Line 499	C++
 	WebKit.dll!WebCore::DocumentLoader::commitLoad(const char * data=0x1c2800b0, int length=3909)  Line 302 + 0x29 bytes	C++
 	WebKit.dll!WebCore::DocumentLoader::receivedData(const char * data=0x1c2800b0, int length=3909)  Line 329	C++
 	WebKit.dll!WebCore::MainResourceLoader::addData(const char * data=0x1c2800b0, int length=3909, bool allAtOnce=false)  Line 159	C++
 	WebKit.dll!WebCore::ResourceLoader::didReceiveData(const char * data=0x1c2800b0, int length=3909, __int64 lengthReceived=3909, bool allAtOnce=false)  Line 279 + 0x1b bytes	C++
 	WebKit.dll!WebCore::MainResourceLoader::didReceiveData(const char * data=0x1c2800b0, int length=3909, __int64 lengthReceived=3909, bool allAtOnce=false)  Line 444	C++
 	WebKit.dll!WebCore::ResourceLoader::didReceiveData(WebCore::ResourceHandle * __formal=0x20264ff0, const char * data=0x1c2800b0, int length=3909, int lengthReceived=3909)  Line 430 + 0x1f bytes	C++
 	WebKit.dll!WebCore::didReceiveData(_CFURLConnection * conn=0x2273efe0, const __CFData * data=0x1c280090, long originalLength=3909, const void * clientInfo=0x20264ff0) + 0x2a bytes	C++
 	CFNetwork.dll!URLConnectionClient::_clientDidReceiveData() + 0x4c bytes	C++
 	CFNetwork.dll!URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload()	C++
 	CFNetwork.dll!URLConnectionClient::processEvents() + 0x21 bytes	C++
 	CFNetwork.dll!URLConnectionWndProc()	C++
 	user32.dll!_InternalCallWinProc@20()  + 0x28 bytes	
 	user32.dll!_UserCallWinProcCheckWow@32()  + 0xb7 bytes	
 	user32.dll!_DispatchMessageWorker@8()  + 0xdc bytes	
 	user32.dll!_DispatchMessageW@4()  + 0xf bytes	
 	DumpRenderTree.exe!runTest(const std::basic_string<char,std::char_traits<char>,std::allocator<char> > & testPathOrURL="c:\Documents and Settings\Adam Roben\dev\WebKit\OpenSource\LayoutTests\fast\forms\input-text-maxlength.html")  Line 1002 + 0xf bytes	C++
 	DumpRenderTree.exe!main(int argc=2, char * * argv=0x07c57f98)  Line 1379 + 0x28 bytes	C++
 	DumpRenderTree.exe!__tmainCRTStartup()  Line 597 + 0x17 bytes	C
 	kernel32.dll!_BaseProcessStart@4()  + 0x23 bytes
Comment 1 Adam Roben (:aroben) 2011-02-23 11:01:54 PST
Just to be clear: this is a bug in DumpRenderTree, not WebKit.
Comment 2 Adam Roben (:aroben) 2011-02-23 11:02:29 PST
fast/forms/input-text-paste-maxlength.html triggers this same crash.
Comment 3 Adam Roben (:aroben) 2011-02-23 11:54:52 PST
and fast/text/atsui-bidi-control.html
Comment 4 Adam Roben (:aroben) 2011-02-27 10:17:44 PST
<rdar://problem/9059907>
Comment 5 Adam Roben (:aroben) 2011-02-27 12:42:37 PST
fast/forms/focus-control-to-page.html just crashed in a Release build: http://build.webkit.org/results/Windows%207%20Release%20(Tests)/r79821%20(9819)/fast/forms/focus-control-to-page-crash-log.txt
Comment 6 Adam Roben (:aroben) 2011-02-27 13:48:35 PST
Created attachment 83992 [details]
Use iswalpha instead of isalpha when dealing with wchar_ts in EditingDelegate
Comment 7 Adam Roben (:aroben) 2011-02-27 13:53:10 PST
Committed r79830: <http://trac.webkit.org/changeset/79830>
Comment 8 Eric Seidel (no email) 2011-02-27 14:13:07 PST
Comment on attachment 83992 [details]
Use iswalpha instead of isalpha when dealing with wchar_ts in EditingDelegate

Wow.  Can't the compiler help us with this? I guess win32 is al C and thus compilers do nothing...