Bug 85866 - [Chromium] Crash Report - Stack Signature: WebCore::DocumentMarkerController::markersI...
Summary: [Chromium] Crash Report - Stack Signature: WebCore::DocumentMarkerController:...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit Misc.
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
Reported: 2012-05-07 23:42 PDT by Hironori Bono
Modified: 2012-05-10 10:50 PDT
CC List: 5 users

See Also:


Attachments
A quick fix (added a NULL check) (3.16 KB, patch)
2012-05-09 03:12 PDT, Hironori Bono
no flags

Description Hironori Bono 2012-05-07 23:42:25 PDT
(Copied from <http://crbug.com/126208>)

Product: Chrome
Stack Signature: WebCore::DocumentMarkerController::markersInRange(WebCore::Range *,WebCore::DocumentMarker::MarkerTy...
New Signature Label: WebCore::DocumentMarkerController::markersInRange(WebCore::Range *,WebCore::DocumentMarker::MarkerTy...
New Signature Hash: c20b9abb_ea6cb482_bc6a0535_db5e4a89_6bd69908

Report link: http://go/crash/reportdetail?reportid=a82f8370be288511

Meta information:
Product Name: Chrome
Product Version: 20.0.1125.0
Report ID: a82f8370be288511
Report Time: 2012/05/03 15:10:20, Thu
Uptime: 85 sec
Cumulative Uptime: 0 sec
OS Name: Windows NT
OS Version: 5.1.2600 Service Pack 3
CPU Architecture: x86
CPU Info: GenuineIntel family 6 model 15 stepping 13
ptype: renderer

Thread 0 *CRASHED* ( EXCEPTION_ACCESS_VIOLATION_READ @ 0x00000008 )

0x0273c060	 [chrome.dll]	 - documentmarkercontroller.cpp:367	WebCore::DocumentMarkerController::markersInRange(WebCore::Range *,WebCore::DocumentMarker::MarkerTypes)
0x02f4f709	 [chrome.dll]	 - contextmenuclientimpl.cpp:282	WebKit::ContextMenuClientImpl::getCustomMenuFromDefaultItems(WebCore::ContextMenu *)
0x024d8284	 [chrome.dll]	 - contextmenucontroller.cpp:171	WebCore::ContextMenuController::showContextMenu(WebCore::Event *)
0x024d7f20	 [chrome.dll]	 - contextmenucontroller.cpp:116	WebCore::ContextMenuController::handleContextMenuEvent(WebCore::Event *)
0x01d58e66	 [chrome.dll]	 - node.cpp:2870	WebCore::Node::defaultEventHandler(WebCore::Event *)
0x026bec45	 [chrome.dll]	 - textcontrolinnerelements.cpp:97	WebCore::TextControlInnerTextElement::defaultEventHandler(WebCore::Event *)
0x01d581f5	 [chrome.dll]	 - eventdispatcher.cpp:339	WebCore::EventDispatcher::dispatchEvent(WTF::PassRefPtr<WebCore::Event>)
0x01ded03a	 [chrome.dll]	 - mouseevent.cpp:207	WebCore::MouseEventDispatchMediator::dispatchEvent(WebCore::EventDispatcher *)
0x01d57d94	 [chrome.dll]	 - eventdispatcher.cpp:55	WebCore::EventDispatcher::dispatchEvent(WebCore::Node *,WTF::PassRefPtr<WebCore::EventDispatchMediator>)
0x01dec3ce	 [chrome.dll]	 - node.cpp:2799	WebCore::Node::dispatchMouseEvent(WebCore::PlatformMouseEvent const &,WTF::AtomicString const &,int,WebCore::Node *)
0x01debc1e	 [chrome.dll]	 - eventhandler.cpp:2226	WebCore::EventHandler::dispatchMouseEvent(WTF::AtomicString const &,WebCore::Node *,bool,int,WebCore::PlatformMouseEvent const &,bool)
0x02592ab8	 [chrome.dll]	 - eventhandler.cpp:2522	WebCore::EventHandler::sendContextMenuEvent(WebCore::PlatformMouseEvent const &)
0x02f3b288	 [chrome.dll]	 - webviewimpl.cpp:551	WebKit::WebViewImpl::mouseContextMenu(WebKit::WebMouseEvent const &)
0x02f3b2bc	 [chrome.dll]	 - webviewimpl.cpp:602	WebKit::WebViewImpl::handleMouseUp(WebCore::Frame &,WebKit::WebMouseEvent const &)
0x01de2371	 [chrome.dll]	 - pagewidgetdelegate.cpp:130	WebKit::PageWidgetDelegate::handleInputEvent(WebCore::Page *,WebKit::PageWidgetEventHandler &,WebKit::WebInputEvent const &)
0x01de178b	 [chrome.dll]	 - webviewimpl.cpp:1680	WebKit::WebViewImpl::handleInputEvent(WebKit::WebInputEvent const &)
0x01de0d57	 [chrome.dll]	 - render_widget.cc:570	RenderWidget::OnHandleInputEvent(IPC::Message const &)
0x01de0bfb	 [chrome.dll]	 - ipc_message.h:172	IPC::Message::Dispatch<RenderWidget,RenderWidget>(IPC::Message const *,RenderWidget *,RenderWidget *,void ( RenderWidget::*)(IPC::Message const &))
0x01da8eb7	 [chrome.dll]	 - render_widget.cc:245	RenderWidget::OnMessageReceived(IPC::Message const &)
0x01da1ee4	 [chrome.dll]	 - render_view_impl.cc:878	RenderViewImpl::OnMessageReceived(IPC::Message const &)
0x01d1746d	 [chrome.dll]	 - message_router.cc:46	MessageRouter::RouteMessage(IPC::Message const &)
0x01d17420	 [chrome.dll]	 - message_router.cc:38	MessageRouter::OnMessageReceived(IPC::Message const &)
0x01c673aa	 [chrome.dll]	 - child_thread.cc:207	ChildThread::OnMessageReceived(IPC::Message const &)
0x01c59f8b	 [chrome.dll]	 - ipc_channel_proxy.cc:247	IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const &)
0x01c5924b	 [chrome.dll]	 - bind_internal.h:1254	base::internal::Invoker<2,base::internal::BindState<base::internal::RunnableAdapter<void ( content::PepperPlatformAudioOutputImpl::*)(media::AudioParameters const &)>,void (content::PepperPlatformAudioOutputImpl *,media::AudioParameters const &),void (content::PepperPlatformAudioOutputImpl *,media::AudioParameters)>,void (content::PepperPlatformAudioOutputImpl *,media::AudioParameters const &)>::Run(base::internal::BindStateBase *)
0x01c57881	 [chrome.dll]	 - message_loop.cc:458	MessageLoop::RunTask(base::PendingTask const &)
0x01c561ef	 [chrome.dll]	 - message_loop.cc:647	MessageLoop::DoWork()
0x01c682e8	 [chrome.dll]	 - message_pump_default.cc:55	base::MessagePumpDefault::Run(base::MessagePump::Delegate *)
0x01c55d3f	 [chrome.dll]	 - message_loop.cc:390	MessageLoop::RunHandler()
0x01c55ced	 [chrome.dll]	 - message_loop.cc:300	MessageLoop::Run()
0x01cd6e12	 [chrome.dll]	 - renderer_main.cc:271	RendererMain(content::MainFunctionParams const &)
0x01c5218d	 [chrome.dll]	 - content_main_runner.cc:290	`anonymous namespace'::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *)
0x01c52112	 [chrome.dll]	 - content_main_runner.cc:548	`anonymous namespace'::ContentMainRunnerImpl::Run()
0x01c44239	 [chrome.dll]	 - content_main.cc:35	content::ContentMain(HINSTANCE__ *,sandbox::SandboxInterfaceInfo *,content::ContentMainDelegate *)
0x01c441c4	 [chrome.dll]	 - chrome_main.cc:28	ChromeMain
0x00427f22	 [chrome.exe]	 - client_util.cc:423	MainDllLoader::Launch(HINSTANCE__ *,sandbox::SandboxInterfaceInfo *)
0x00427225	 [chrome.exe]	 - chrome_exe_main_win.cc:31	RunChrome(HINSTANCE__ *)
0x00427290	 [chrome.exe]	 - chrome_exe_main_win.cc:47	wWinMain
0x00447719	 [chrome.exe]	 - crt0.c:263	__tmainCRTStartup
0x7c817076	 [kernel32.dll]	 + 0x00017076]	BaseProcessStart

This is another stupid mistake in my WebKit r113405: I forgot to add a NULL check before calling DocumentMarkerController::markersInRange(). Sorry for the inconvenience.

Regards,

Hironori Bono
Comment 1 Hironori Bono 2012-05-09 03:12:25 PDT
Created attachment 140900
A quick fix (added a NULL check)

Greetings,

Oops, I forgot to attach a patch. Would it be possible to review this change?

Regards,

Hironori Bono
Comment 2 Tony Chang 2012-05-09 10:13:05 PDT
Comment on attachment 140900
A quick fix (added a NULL check)

Can we add a test for this?  Maybe something in webkit_unit_tests or at least a manual test.
Comment 3 Ryosuke Niwa 2012-05-09 10:22:32 PDT
Comment on attachment 140900
A quick fix (added a NULL check)

I would prefer having a test as Tony said, but the patch looks landable as is if coming up with a test is too hard.
Comment 4 Hironori Bono 2012-05-09 21:43:35 PDT
Greetings Tony and Niwa-san,

Thanks for your comments.
In my honest opinion, I wrote this change only with crash dumps, i.e. I do not have clear thoughts about how to reproduce this crash. In theory, toNormalizedRange() returns NULL when there are any selections (NONE). Unfortunately, I could not figure out how to remove selections when we right-click a mouse in an editable element when I investigated this issue yesterday. I'm very sorry not to have provided layout tests or webkit tests with this change.

Regards,

Hironori Bono

(In reply to comment #2)
> (From update of attachment 140900)
> Can we add a test for this?  Maybe something in webkit_unit_tests or at least a manual test.

(In reply to comment #3)
> (From update of attachment 140900)
> I would prefer having a test as tony said but the patch looks landable as us if coming up with a test is too hard
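The defensive pattern the patch describes, as an added example that is not part of this bug or of WebKit's code: constructed stand-ins for Selection::toNormalizedRange() and DocumentMarkerController::markersInRange(), with the context-menu caller checking for a NULL range before making the call. The type names, the SelectionType enum, the Marker struct and the helper misspellingsForContextMenu() are all assumptions made for the example; only the method names come from the report. The faulting address in the crash dump (EXCEPTION_ACCESS_VIOLATION_READ @ 0x00000008) is what a read through a null pointer at a small field offset looks like, which is why a NULL check at the call site is the whole fix.

```cpp
#include <string>
#include <vector>

// Constructed stand-ins for the WebCore types named in the stack trace.
// None of this is WebKit code; it only reproduces the shape of the bug.
enum class SelectionType { NONE, CARET, RANGE };

struct Range {
    int startOffset;
    int endOffset;
};

struct Marker {
    std::string description;  // e.g. the misspelled word
    int start;
    int end;
};

struct DocumentMarkerController {
    std::vector<Marker> markers;  // constructed sample data, filled by the caller

    // Like markersInRange(): dereferences the Range unconditionally, so a
    // NULL range faults on the first field read (a small address like 0x8).
    std::vector<Marker> markersInRange(const Range* range) const {
        std::vector<Marker> out;
        for (const auto& m : markers)
            if (m.end > range->startOffset && m.start < range->endOffset)
                out.push_back(m);
        return out;
    }
};

struct Selection {
    SelectionType type = SelectionType::NONE;
    Range range{0, 0};

    // Like toNormalizedRange(): returns NULL when there is no selection.
    const Range* toNormalizedRange() const {
        return type == SelectionType::NONE ? nullptr : &range;
    }
};

// Hypothetical context-menu caller showing the fix: the range is checked
// before it is handed to markersInRange(), so a right-click with no selection
// yields an empty result instead of a renderer crash.
std::vector<std::string> misspellingsForContextMenu(
        const DocumentMarkerController& controller, const Selection& selection) {
    std::vector<std::string> result;
    const Range* range = selection.toNormalizedRange();
    if (!range)
        return result;  // the NULL check the original patch added
    for (const auto& m : controller.markersInRange(range))
        result.push_back(m.description);
    return result;
}
```

Without the `if (!range)` guard, the NONE-selection case reaches `range->startOffset` through a null pointer, which is exactly the access violation the crash dump reports; with it, the no-selection context menu simply has no spelling entries.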
Comment 5 WebKit Review Bot 2012-05-09 22:08:00 PDT
Comment on attachment 140900
A quick fix (added a NULL check)

Clearing flags on attachment: 140900

Committed r116607: <http://trac.webkit.org/changeset/116607>
Comment 6 WebKit Review Bot 2012-05-09 22:08:05 PDT
All reviewed patches have been landed.  Closing bug.
Comment 7 Tony Chang 2012-05-10 10:50:30 PDT
(In reply to comment #4)
> In my honest opinion, I wrote this change only with crash dumps, i.e. I do not have clear thoughts about how to reproduce this crash. In theory, toNormalizedRange() returns NULL when there are any selections (NONE). Unfortunately, I could not figure out how to remove selections when we right-click a mouse in an editable element when I investigated this issue yesterday. I'm very sorry not to have provided layout tests or webkit tests with this change.

It's OK to not have a repro.  In the future, you should mention it in the ChangeLog.  E.g., "No new tests because this is a speculative fix based on crash reports."