WebKit Bugzilla
RESOLVED FIXED
Bug 55062
Crash beneath EditingDelegate::checkSpellingOfString when running fast/forms/input-text-maxlength.html or fast/forms/input-text-paste-maxlength.html on Windows with full page heap enabled
https://bugs.webkit.org/show_bug.cgi?id=55062
Adam Roben (:aroben)
Reported
2011-02-23 11:01:36 PST
To reproduce:
1. gflags /p /enable dumprendertree.exe /full
2. run-webkit-tests fast/forms/input-text-maxlength.html

You'll crash inside isalpha beneath EditingDelegate::checkSpellingOfString. Looks like we're passing a non-ASCII character to isalpha, which isn't allowed. Here's the backtrace:

msvcr80.dll!_isalpha_l(int c=773, localeinfo_struct * plocinfo=0x00000000) Line 60 + 0x2b bytes C++
msvcr80.dll!isalpha(int c=773) Line 73 + 0xb bytes C++
DumpRenderTree.exe!wordLength(const wchar_t * text=0x0012dd5c) Line 368 + 0x19 bytes C++
DumpRenderTree.exe!EditingDelegate::checkSpellingOfString(IWebView * view=0x08af6ee8, const wchar_t * text=0x1f712fec, int length=7, int * misspellingLocation=0x0012de0c, int * misspellingLength=0x0012de00) Line 414 + 0x1e bytes C++
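Added example, not code from this bug or from DumpRenderTree: a checker for the precondition of the narrow <ctype.h> functions that the reporter describes (the argument must fit an unsigned char or be EOF, which a wchar_t such as 773 does not), shown beside a wordLength in the buggy isalpha shape and in the fixed iswalpha shape. Function names and the sample string are assumptions.

```c
#include <ctype.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>
#include <wctype.h>

/* Precondition of isalpha() and friends (C99 7.4p1): the value must be
 * representable as unsigned char or equal EOF. Anything else, e.g. the
 * wchar_t 773 (U+0305) seen in the crash, is undefined behaviour. */
bool safeForNarrowCtype(wchar_t c)
{
    return c == EOF || (c >= 0 && c <= UCHAR_MAX);
}

/* Count the characters in `text` that would violate that precondition. */
size_t countNarrowCtypeViolations(const wchar_t* text)
{
    size_t n = 0;
    for (; *text; ++text)
        if (!safeForNarrowCtype(*text))
            ++n;
    return n;
}

/* Buggy shape (hypothetical rendering of the pre-fix code): a wchar_t is
 * handed straight to isalpha(). Shown for contrast only; never called here. */
int wordLengthBuggy(const wchar_t* text)
{
    int length = 0;
    while (text[length] && isalpha(text[length])) /* UB once text[length] > UCHAR_MAX */
        ++length;
    return length;
}

/* Fixed shape: iswalpha() takes a wint_t and is defined for every wchar_t. */
int wordLength(const wchar_t* text)
{
    int length = 0;
    while (text[length] && iswalpha((wint_t)text[length]))
        ++length;
    return length;
}

int main(void)
{
    /* Constructed sample: "ab", then U+0305 COMBINING OVERLINE (773), then "cd". */
    const wchar_t* sample = L"ab\u0305cd";
    printf("narrow-ctype violations in sample: %zu\n", countNarrowCtypeViolations(sample));
    printf("word length via iswalpha: %d\n", wordLength(L"hello world"));
    return 0;
}
```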
Attachments
Use iswalpha instead of isalpha when dealing with wchar_ts in EditingDelegate (1.95 KB, patch), 2011-02-27 13:48 PST, Adam Roben (:aroben)
andersca: review+
Adam Roben (:aroben)
Comment 1
2011-02-23 11:01:54 PST
Just to be clear: this is a bug in DumpRenderTree, not WebKit.
Adam Roben (:aroben)
Comment 2
2011-02-23 11:02:29 PST
fast/forms/input-text-paste-maxlength.html triggers this same crash.
Adam Roben (:aroben)
Comment 3
2011-02-23 11:54:52 PST
and fast/text/atsui-bidi-control.html
Adam Roben (:aroben)
Comment 4
2011-02-27 10:17:44 PST
<rdar://problem/9059907>
Adam Roben (:aroben)
Comment 5
2011-02-27 12:42:37 PST
fast/forms/focus-control-to-page.html just crashed in a Release build:
http://build.webkit.org/results/Windows%207%20Release%20(Tests)/r79821%20(9819)/fast/forms/focus-control-to-page-crash-log.txt
Adam Roben (:aroben)
Comment 6
2011-02-27 13:48:35 PST
Created attachment 83992 [details]
Use iswalpha instead of isalpha when dealing with wchar_ts in EditingDelegate
Adam Roben (:aroben)
Comment 7
2011-02-27 13:53:10 PST
Committed r79830: <http://trac.webkit.org/changeset/79830>
Eric Seidel (no email)
Comment 8
2011-02-27 14:13:07 PST
Comment on attachment 83992 [details]
Use iswalpha instead of isalpha when dealing with wchar_ts in EditingDelegate

Wow. Can't the compiler help us with this? I guess win32 is all C and thus compilers do nothing...