UNCONFIRMED 77346
NULL ptr deref in xmlXPathNodeCollectAndTest
https://bugs.webkit.org/show_bug.cgi?id=77346
Summary NULL ptr deref in xmlXPathNodeCollectAndTest
Chris Palmer
Reported 2012-01-30 10:54:41 PST
http://code.google.com/p/chromium/issues/detail?id=111655

==23077== ERROR: AddressSanitizer crashed on unknown address 0x000000000010 (pc 0x7f70859091a2 sp 0x7f7056598b80 bp 0x7f7056598d90 T15)
AddressSanitizer can not provide additional info. ABORTING
#0 0x7f70859091a2 in xmlXPathNodeCollectAndTest third_party/libxml/src/xpath.c:0
#1 0x7f70858ffa33 in xmlXPathCompOpEval third_party/libxml/src/xpath.c:0
#2 0x7f7085902e9e in xmlXPathCompOpEval third_party/libxml/src/xpath.c:0
#3 0x7f70858fa8b3 in xmlXPathRunEval third_party/libxml/src/xpath.c:0
#4 0x7f70858f9a20 in xmlXPathCompiledEvalInternal third_party/libxml/src/xpath.c:0
#5 0x7f70858f975c in xmlXPathCompiledEval
#6 0x7f708950df47 in xsltValueOf
#7 0x7f7089505f96 in xsltApplySequenceConstructor third_party/libxslt/libxslt/transform.c:0
#8 0x7f708950490e in xsltApplyXSLTTemplate third_party/libxslt/libxslt/transform.c:0
#9 0x7f708950392f in xsltProcessOneNode
#10 0x7f7089513a04 in xsltApplyStylesheetInternal third_party/libxslt/libxslt/transform.c:0
#11 0x7f7086b4c293 in WebCore::XSLTProcessor::transformToString(WebCore::Node*, WTF::String&, WTF::String&, WTF::String&)
#12 0x7f7085c5742e in WebCore::Document::applyXSLTransform(WebCore::ProcessingInstruction*)
#13 0x7f7085c5710f in WebCore::Document::collectActiveStylesheets(WTF::Vector<WTF::RefPtr<WebCore::StyleSheet>, 0ul>&)
#14 0x7f7085c46f69 in WebCore::Document::updateActiveStylesheets(WebCore::StyleSelectorUpdateFlag)
#15 0x7f7085c4903c in WebCore::Document::styleSelectorChanged(WebCore::StyleSelectorUpdateFlag)
#16 0x7f7085c54e67 in WebCore::Document::removePendingSheet()
#17 0x7f7085d1bff3 in WebCore::ProcessingInstruction::sheetLoaded()
#18 0x7f7086b444a1 in WebCore::XSLStyleSheet::checkLoaded()
#19 0x7f708695d3b0 in WebCore::CachedXSLStyleSheet::checkNotify()
#20 0x7f708695cfeb in WebCore::CachedXSLStyleSheet::data(WTF::PassRefPtr<WebCore::SharedBuffer>, bool)
#21 0x7f7086920f7b in WebCore::SubresourceLoader::didFinishLoading(double)
#22 0x7f7087f9aa22 in webkit_glue::WebURLLoaderImpl::Context::OnCompletedRequest(net::URLRequestStatus const&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, base::TimeTicks const&)
#23 0x7f70855d169a in ResourceDispatcher::OnRequestComplete(int, net::URLRequestStatus const&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, base::TimeTicks const&)
#24 0x7f70855d288b in bool ResourceMsg_RequestComplete::Dispatch<ResourceDispatcher, ResourceDispatcher, void (ResourceDispatcher::*)(int, net::URLRequestStatus const&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, base::TimeTicks const&)>(IPC::Message const*, ResourceDispatcher*, ResourceDispatcher*, void (ResourceDispatcher::*)(int, net::URLRequestStatus const&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, base::TimeTicks const&))
#25 0x7f70855cee5c in ResourceDispatcher::DispatchMessage(IPC::Message const&)
#26 0x7f70855ccde0 in ResourceDispatcher::OnMessageReceived(IPC::Message const&)
#27 0x7f70854d879f in ChildThread::OnMessageReceived(IPC::Message const&)
#28 0x7f70856242b9 in IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const&)
#29 0x7f7083eab506 in MessageLoop::RunTask(base::PendingTask const&)
#30 0x7f7083eabd66 in MessageLoop::DeferOrRunPendingTask(base::PendingTask const&)
#31 0x7f7083ead04b in MessageLoop::DoWork()
#32 0x7f7083eb7a87 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*)
#33 0x7f7083eaa0ce in MessageLoop::RunInternal()
#34 0x7f7083ea82bf in MessageLoop::Run()
#35 0x7f7083f224ac in base::Thread::ThreadMain()
#36 0x7f7083f1952c in base::(anonymous namespace)::ThreadFunc(void*) base/threading/platform_thread_posix.cc:0
#37 0x7f7089c51d17 in __asan::AsanThread::ThreadStart()
Stats: 278M malloced (506M for red zones) by 1475372 calls
Stats: 1M realloced by 7882 calls
Stats: 272M freed by 1427276 calls
Stats: 176M really freed by 998418 calls
Stats: 396M (101434 full pages) mmaped in 99 calls
  mmaps   by size class: 8:524256; 9:24573; 10:12285; 11:6141; 12:2048; 13:1024; 14:1280; 15:1024; 16:576; 17:64; 18:208; 19:8; 20:8; 21:28;
  mallocs by size class: 8:1404910; 9:32643; 10:16480; 11:8596; 12:3694; 13:2034; 14:3144; 15:2016; 16:1382; 17:47; 18:389; 19:5; 20:5; 21:27;
  frees   by size class: 8:1360388; 9:30502; 10:15785; 11:8222; 12:3483; 13:1943; 14:3121; 15:2005; 16:1366; 17:37; 18:387; 19:5; 20:5; 21:27;
  rfrees  by size class: 8:957082; 9:19174; 10:9424; 11:4657; 12:1993; 13:1229; 14:2097; 15:1561; 16:848; 17:6; 18:339; 19:4; 21:4;
Stats: malloc large: 473 small slow: 5033