RESOLVED FIXED
85866
[Chromium] Crash Report - Stack Signature: WebCore::DocumentMarkerController::markersI...
https://bugs.webkit.org/show_bug.cgi?id=85866
Hironori Bono
Reported
2012-05-07 23:42:25 PDT
(Copied from <http://crbug.com/126208>)

Product: Chrome
Stack Signature: WebCore::DocumentMarkerController::markersInRange(WebCore::Range *,WebCore::DocumentMarker::MarkerTy...
New Signature Label: WebCore::DocumentMarkerController::markersInRange(WebCore::Range *,WebCore::DocumentMarker::MarkerTy...
New Signature Hash: c20b9abb_ea6cb482_bc6a0535_db5e4a89_6bd69908
Report link: http://go/crash/reportdetail?reportid=a82f8370be288511

Meta information:
Product Name: Chrome
Product Version: 20.0.1125.0
Report ID: a82f8370be288511
Report Time: 2012/05/03 15:10:20, Thu
Uptime: 85 sec
Cumulative Uptime: 0 sec
OS Name: Windows NT
OS Version: 5.1.2600 Service Pack 3
CPU Architecture: x86
CPU Info: GenuineIntel family 6 model 15 stepping 13
ptype: renderer

Thread 0 *CRASHED* ( EXCEPTION_ACCESS_VIOLATION_READ @ 0x00000008 )
0x0273c060 [chrome.dll] - documentmarkercontroller.cpp:367 WebCore::DocumentMarkerController::markersInRange(WebCore::Range *,WebCore::DocumentMarker::MarkerTypes)
0x02f4f709 [chrome.dll] - contextmenuclientimpl.cpp:282 WebKit::ContextMenuClientImpl::getCustomMenuFromDefaultItems(WebCore::ContextMenu *)
0x024d8284 [chrome.dll] - contextmenucontroller.cpp:171 WebCore::ContextMenuController::showContextMenu(WebCore::Event *)
0x024d7f20 [chrome.dll] - contextmenucontroller.cpp:116 WebCore::ContextMenuController::handleContextMenuEvent(WebCore::Event *)
0x01d58e66 [chrome.dll] - node.cpp:2870 WebCore::Node::defaultEventHandler(WebCore::Event *)
0x026bec45 [chrome.dll] - textcontrolinnerelements.cpp:97 WebCore::TextControlInnerTextElement::defaultEventHandler(WebCore::Event *)
0x01d581f5 [chrome.dll] - eventdispatcher.cpp:339 WebCore::EventDispatcher::dispatchEvent(WTF::PassRefPtr<WebCore::Event>)
0x01ded03a [chrome.dll] - mouseevent.cpp:207 WebCore::MouseEventDispatchMediator::dispatchEvent(WebCore::EventDispatcher *)
0x01d57d94 [chrome.dll] - eventdispatcher.cpp:55 WebCore::EventDispatcher::dispatchEvent(WebCore::Node *,WTF::PassRefPtr<WebCore::EventDispatchMediator>)
0x01dec3ce [chrome.dll] - node.cpp:2799 WebCore::Node::dispatchMouseEvent(WebCore::PlatformMouseEvent const &,WTF::AtomicString const &,int,WebCore::Node *)
0x01debc1e [chrome.dll] - eventhandler.cpp:2226 WebCore::EventHandler::dispatchMouseEvent(WTF::AtomicString const &,WebCore::Node *,bool,int,WebCore::PlatformMouseEvent const &,bool)
0x02592ab8 [chrome.dll] - eventhandler.cpp:2522 WebCore::EventHandler::sendContextMenuEvent(WebCore::PlatformMouseEvent const &)
0x02f3b288 [chrome.dll] - webviewimpl.cpp:551 WebKit::WebViewImpl::mouseContextMenu(WebKit::WebMouseEvent const &)
0x02f3b2bc [chrome.dll] - webviewimpl.cpp:602 WebKit::WebViewImpl::handleMouseUp(WebCore::Frame &,WebKit::WebMouseEvent const &)
0x01de2371 [chrome.dll] - pagewidgetdelegate.cpp:130 WebKit::PageWidgetDelegate::handleInputEvent(WebCore::Page *,WebKit::PageWidgetEventHandler &,WebKit::WebInputEvent const &)
0x01de178b [chrome.dll] - webviewimpl.cpp:1680 WebKit::WebViewImpl::handleInputEvent(WebKit::WebInputEvent const &)
0x01de0d57 [chrome.dll] - render_widget.cc:570 RenderWidget::OnHandleInputEvent(IPC::Message const &)
0x01de0bfb [chrome.dll] - ipc_message.h:172 IPC::Message::Dispatch<RenderWidget,RenderWidget>(IPC::Message const *,RenderWidget *,RenderWidget *,void ( RenderWidget::*)(IPC::Message const &))
0x01da8eb7 [chrome.dll] - render_widget.cc:245 RenderWidget::OnMessageReceived(IPC::Message const &)
0x01da1ee4 [chrome.dll] - render_view_impl.cc:878 RenderViewImpl::OnMessageReceived(IPC::Message const &)
0x01d1746d [chrome.dll] - message_router.cc:46 MessageRouter::RouteMessage(IPC::Message const &)
0x01d17420 [chrome.dll] - message_router.cc:38 MessageRouter::OnMessageReceived(IPC::Message const &)
0x01c673aa [chrome.dll] - child_thread.cc:207 ChildThread::OnMessageReceived(IPC::Message const &)
0x01c59f8b [chrome.dll] - ipc_channel_proxy.cc:247 IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const &)
0x01c5924b [chrome.dll] - bind_internal.h:1254 base::internal::Invoker<2,base::internal::BindState<base::internal::RunnableAdapter<void ( content::PepperPlatformAudioOutputImpl::*)(media::AudioParameters const &)>,void (content::PepperPlatformAudioOutputImpl *,media::AudioParameters const &),void (content::PepperPlatformAudioOutputImpl *,media::AudioParameters)>,void (content::PepperPlatformAudioOutputImpl *,media::AudioParameters const &)>::Run(base::internal::BindStateBase *)
0x01c57881 [chrome.dll] - message_loop.cc:458 MessageLoop::RunTask(base::PendingTask const &)
0x01c561ef [chrome.dll] - message_loop.cc:647 MessageLoop::DoWork()
0x01c682e8 [chrome.dll] - message_pump_default.cc:55 base::MessagePumpDefault::Run(base::MessagePump::Delegate *)
0x01c55d3f [chrome.dll] - message_loop.cc:390 MessageLoop::RunHandler()
0x01c55ced [chrome.dll] - message_loop.cc:300 MessageLoop::Run()
0x01cd6e12 [chrome.dll] - renderer_main.cc:271 RendererMain(content::MainFunctionParams const &)
0x01c5218d [chrome.dll] - content_main_runner.cc:290 `anonymous namespace'::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *)
0x01c52112 [chrome.dll] - content_main_runner.cc:548 `anonymous namespace'::ContentMainRunnerImpl::Run()
0x01c44239 [chrome.dll] - content_main.cc:35 content::ContentMain(HINSTANCE__ *,sandbox::SandboxInterfaceInfo *,content::ContentMainDelegate *)
0x01c441c4 [chrome.dll] - chrome_main.cc:28 ChromeMain
0x00427f22 [chrome.exe] - client_util.cc:423 MainDllLoader::Launch(HINSTANCE__ *,sandbox::SandboxInterfaceInfo *)
0x00427225 [chrome.exe] - chrome_exe_main_win.cc:31 RunChrome(HINSTANCE__ *)
0x00427290 [chrome.exe] - chrome_exe_main_win.cc:47 wWinMain
0x00447719 [chrome.exe] - crt0.c:263 __tmainCRTStartup
0x7c817076 [kernel32.dll] + 0x00017076] BaseProcessStart

This is another stupid mistake of my WebKit r113405: I forgot to add a NULL check before calling DocumentMarkerController::markersInRange(). Sorry for your inconvenience.

Regards,
Hironori Bono
Attachments
A quick fix (added a NULL check) (3.16 KB, patch), 2012-05-09 03:12 PDT, Hironori Bono, no flags
Hironori Bono
Comment 1
2012-05-09 03:12:25 PDT
Created attachment 140900 [details]
A quick fix (added a NULL check)

Greetings,

Oops, I forgot to attach a patch. Would it be possible to review this change?

Regards,
Hironori Bono
Tony Chang
Comment 2
2012-05-09 10:13:05 PDT
Comment on attachment 140900 [details]
A quick fix (added a NULL check)

Can we add a test for this? Maybe something in webkit_unit_tests or at least a manual test.
Ryosuke Niwa
Comment 3
2012-05-09 10:22:32 PDT
Comment on attachment 140900 [details]
A quick fix (added a NULL check)

I would prefer having a test as tony said but the patch looks landable as is if coming up with a test is too hard
Hironori Bono
Comment 4
2012-05-09 21:43:35 PDT
Greetings Tony and Niwa-san,

Thanks for your comments. In my honest opinion, I wrote this change only with crash dumps, i.e. I do not have clear thoughts about how to reproduce this crash. In theory, toNormalizedRange() returns NULL when there are any selections (NONE). Unfortunately, I could not figure out how to remove selections when we right-click a mouse in an editable element when I investigated this issue yesterday. I'm very sorry not to have provided layout tests or webkit tests with this change.

Regards,
Hironori Bono

(In reply to comment #2)
> (From update of attachment 140900 [details])
> Can we add a test for this? Maybe something in webkit_unit_tests or at least a manual test.

(In reply to comment #3)
> (From update of attachment 140900 [details])
> I would prefer having a test as tony said but the patch looks landable as is if coming up with a test is too hard
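An added illustration of the defect and the fix discussed in this bug, not WebKit's code: stand-in types model the context-menu path seen in the crash stack (getCustomMenuFromDefaultItems calling markersInRange on the range returned by toNormalizedRange). Node, Range, Marker, toNormalizedRange and the two misspellings* callers are names assumed for this example, as is the exact placement of the NULL check.

```cpp
// Added illustration, not WebKit's code: stand-in types model the context-menu
// path from the crash stack (getCustomMenuFromDefaultItems -> markersInRange).
// Node, Range, Marker, toNormalizedRange and misspellings* are assumed names.
#include <memory>
#include <string>
#include <vector>

struct Node { std::string text; };
// Stand-in for WebCore::Range; markersInRange() reads it through the pointer,
// which is what faults when a null Range* reaches it.
struct Range { Node* startContainer; int startOffset; int endOffset; };
struct Marker { int start; int end; std::string description; };
// Stand-in for DocumentMarkerController::markersInRange(): dereferences `range`
// unconditionally, so callers must never pass null.
std::vector<Marker> markersInRange(const Range* range, const std::vector<Marker>& all) {
    std::vector<Marker> hits;
    for (const Marker& m : all)
        if (m.start < range->endOffset && m.end > range->startOffset)
            hits.push_back(m);
    return hits;
}

// Stand-in for FrameSelection::toNormalizedRange(): null when the selection is
// NONE, the condition comment 4 points to as the trigger.
std::unique_ptr<Range> toNormalizedRange(bool hasSelection, Node* node, int start, int end) {
    if (!hasSelection)
        return nullptr;
    return std::make_unique<Range>(Range{node, start, end});
}

// Unguarded caller, the shape of the r113405 defect: with no selection a null
// Range* goes straight into markersInRange(). Only safe when hasSelection is true.
std::vector<Marker> misspellingsUnguarded(bool hasSelection, Node* node, int start, int end,
                                          const std::vector<Marker>& all) {
    std::unique_ptr<Range> range = toNormalizedRange(hasSelection, node, start, end);
    return markersInRange(range.get(), all);
}

// Guarded caller, the NULL check the fix adds: no selection means no markers,
// instead of a dereference of null.
std::vector<Marker> misspellingsGuarded(bool hasSelection, Node* node, int start, int end,
                                        const std::vector<Marker>& all) {
    std::unique_ptr<Range> range = toNormalizedRange(hasSelection, node, start, end);
    if (!range)
        return {};
    return markersInRange(range.get(), all);
}
Node* sampleNode() { static Node node{"teh quick brwon fox"}; return &node; }  // constructed sample data
std::vector<Marker> sampleMarkers() { return {{0, 3, "teh"}, {10, 15, "brwon"}}; }
```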
WebKit Review Bot
Comment 5
2012-05-09 22:08:00 PDT
Comment on attachment 140900 [details]
A quick fix (added a NULL check)

Clearing flags on attachment: 140900

Committed r116607: <http://trac.webkit.org/changeset/116607>
WebKit Review Bot
Comment 6
2012-05-09 22:08:05 PDT
All reviewed patches have been landed. Closing bug.
Tony Chang
Comment 7
2012-05-10 10:50:30 PDT
(In reply to comment #4)
> In my honest opinion, I wrote this change only with crash dumps, i.e. I do not have clear thoughts about how to reproduce this crash. In theory, toNormalizedRange() returns NULL when there are any selections (NONE). Unfortunately, I could not figure out how to remove selections when we right-click a mouse in an editable element when I investigated this issue yesterday. I'm very sorry not to have provided layout tests or webkit tests with this change.

It's OK to not have a repro. In the future, you should mention it in the ChangeLog. E.g., "No new tests because this is a speculative fix based on crash reports."