RESOLVED FIXED
87431
[Win] LayoutTests/editing/selection/selection-plugin-clear-crash.html crashes in ScrollView::delegatesScrolling
https://bugs.webkit.org/show_bug.cgi?id=87431
Jessie Berlin
Reported
2012-05-24 14:53:32 PDT
run-webkit-tests LayoutTests/editing/selection/selection-plugin-clear-crash.html

Unhandled exception at 0x62c595c1 (WebKit.dll) in DumpRenderTree.exe: 0xC0000005: Access violation reading location 0x000000c8.

> WebKit.dll!WebCore::ScrollView::delegatesScrolling() Line 125 + 0x11 bytes C++
WebKit.dll!WebCore::ScrollView::contentsToWindow(const WebCore::IntPoint & contentsPoint={...}) Line 739 + 0x8 bytes C++
WebKit.dll!WebCore::PluginView::setNPWindowRect(const WebCore::IntRect & rect={...}) Line 816 C++
WebKit.dll!WebCore::PluginView::platformStart() Line 1020 C++
WebKit.dll!WebCore::PluginView::start() Line 269 + 0x8 bytes C++
WebKit.dll!WebCore::PluginView::startOrAddToUnstartedList() Line 225 C++
WebKit.dll!WebCore::PluginView::init() Line 202 + 0x8 bytes C++
WebKit.dll!WebCore::PluginView::setParent(WebCore::ScrollView * parent=0x01c51ff8) Line 770 C++
WebKit.dll!WebCore::ScrollView::addChild(WTF::PassRefPtr<WebCore::Widget> prpChild={...}) Line 74 + 0x13 bytes C++
WebKit.dll!WebCore::moveWidgetToParentSoon(WebCore::Widget * child=0x03103828, WebCore::FrameView * parent=0x01c51ff8) Line 92 C++
WebKit.dll!WebCore::RenderWidget::setWidget(WTF::PassRefPtr<WebCore::Widget> widget={...}) Line 219 + 0x18 bytes C++
WebKit.dll!WebCore::RenderPart::setWidget(WTF::PassRefPtr<WebCore::Widget> widget={...}) Line 59 C++
WebKit.dll!WebCore::SubframeLoader::loadPlugin(WebCore::HTMLPlugInImageElement * pluginElement=0x01cb94d8, const WebCore::KURL & url={...}, const WTF::String & mimeType={...}, const WTF::Vector<WTF::String,0> & paramNames={...}, const WTF::Vector<WTF::String,0> & paramValues={...}, bool useFallback=false) Line 385 C++
WebKit.dll!WebCore::SubframeLoader::requestPlugin(WebCore::HTMLPlugInImageElement * ownerElement=0x01cb94d8, const WebCore::KURL & url={...}, const WTF::String & mimeType={...}, const WTF::Vector<WTF::String,0> & paramNames={...}, const WTF::Vector<WTF::String,0> & paramValues={...}, bool useFallback=false) Line 132 C++
WebKit.dll!WebCore::SubframeLoader::requestObject(WebCore::HTMLPlugInImageElement * ownerElement=0x01cb94d8, const WTF::String & url={...}, const WTF::AtomicString & frameName={...}, const WTF::String & mimeType={...}, const WTF::Vector<WTF::String,0> & paramNames={...}, const WTF::Vector<WTF::String,0> & paramValues={...}) Line 151 + 0x20 bytes C++
WebKit.dll!WebCore::HTMLEmbedElement::updateWidget(WebCore::PluginCreationOption pluginCreationOption=CreateAnyWidgetType) Line 176 C++
WebKit.dll!WebCore::FrameView::updateWidget(WebCore::RenderEmbeddedObject * object=0x01c1dd44) Line 2283 + 0x14 bytes C++
WebKit.dll!WebCore::FrameView::updateWidgets() Line 2317 C++
WebKit.dll!WebCore::FrameView::performPostLayoutTasks() Line 2369 + 0x8 bytes C++
WebKit.dll!WebCore::FrameView::layout(bool allowSubtree=true) Line 1157 C++
WebKit.dll!WebCore::Document::updateLayout() Line 1850 C++
WebKit.dll!WebCore::Document::updateLayoutIgnorePendingStylesheets() Line 1883 C++
WebKit.dll!WebCore::VisiblePosition::canonicalPosition(const WebCore::Position & passedPosition={...}) Line 521 C++
WebKit.dll!WebCore::VisiblePosition::init(const WebCore::Position & position={...}, WebCore::EAffinity affinity=DOWNSTREAM) Line 58 + 0x10 bytes C++
WebKit.dll!WebCore::VisiblePosition::VisiblePosition(const WebCore::Position & pos={...}, WebCore::EAffinity affinity=DOWNSTREAM) Line 52 C++
WebKit.dll!WebCore::DOMSelection::setPosition(WebCore::Node * node=0x030d14c0, int offset=0, int & ec=0) Line 283 + 0x2b bytes C++
WebKit.dll!WebCore::jsDOMSelectionPrototypeFunctionSetPosition(JSC::ExecState * exec=0x036200e0) Line 537 C++
02480def()
JavaScriptCore.dll!cti_vm_lazyLinkCall() Line 2265 + 0x1c bytes C++
JavaScriptCore.dll!JSC::JSValue::decode(__int64 encodedJSValue=7882617061044649984) Line 154 + 0xf bytes C++
0313a04c()
JavaScriptCore.dll!JSC::Interpreter::executeCall(JSC::ExecState * callFrame=0x0255fcb8, JSC::JSObject * function=0x024df400, JSC::CallType callType=CallTypeJS, const JSC::CallData & callData={...}, JSC::JSValue thisValue={...}, const JSC::ArgList & args={...}) Line 1305 + 0x2a bytes C++
JavaScriptCore.dll!JSC::call(JSC::ExecState * exec=0x0255fcb8, JSC::JSValue functionObject={...}, JSC::CallType callType=CallTypeJS, const JSC::CallData & callData={...}, JSC::JSValue thisValue={...}, const JSC::ArgList & args={...}) Line 39 + 0x3c bytes C++
WebKit.dll!WebCore::JSMainThreadExecState::call(JSC::ExecState * exec=0x0255fcb8, JSC::JSValue functionObject={...}, JSC::CallType callType=CallTypeJS, const JSC::CallData & callData={...}, JSC::JSValue thisValue={...}, const JSC::ArgList & args={...}) Line 56 + 0x29 bytes C++
WebKit.dll!WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext * scriptExecutionContext=0x03120004, WebCore::Event * event=0x0317c4b8) Line 133 + 0x64 bytes C++
WebKit.dll!WebCore::EventTarget::fireEventListeners(WebCore::Event * event=0x0317c4b8, WebCore::EventTargetData * d=0x01c58020, WTF::Vector<WebCore::RegisteredEventListener,1> & entry={...}) Line 231 + 0x22 bytes C++
WebKit.dll!WebCore::EventTarget::fireEventListeners(WebCore::Event * event=0x0317c4b8) Line 200 C++
WebKit.dll!WebCore::DOMWindow::dispatchEvent(WTF::PassRefPtr<WebCore::Event> prpEvent={...}, WTF::PassRefPtr<WebCore::EventTarget> prpTarget={...}) Line 1656 + 0x11 bytes C++
WebKit.dll!WebCore::DOMWindow::dispatchLoadEvent() Line 1631 C++
WebKit.dll!WebCore::Document::dispatchWindowLoadEvent() Line 3979 C++
WebKit.dll!WebCore::Document::implicitClose() Line 2442 C++
WebKit.dll!WebCore::FrameLoader::checkCallImplicitClose() Line 762 C++
WebKit.dll!WebCore::FrameLoader::checkCompleted() Line 709 C++
WebKit.dll!WebCore::FrameLoader::finishedParsing() Line 642 C++
WebKit.dll!WebCore::Document::finishedParsing() Line 4729 C++
WebKit.dll!WebCore::HTMLTreeBuilder::finished() Line 2807 + 0x18 bytes C++
WebKit.dll!WebCore::HTMLDocumentParser::end() Line 382 C++
WebKit.dll!WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() Line 391 C++
WebKit.dll!WebCore::HTMLDocumentParser::prepareToStopParsing() Line 154 C++
WebKit.dll!WebCore::HTMLDocumentParser::attemptToEnd() Line 402 + 0xf bytes C++
WebKit.dll!WebCore::HTMLDocumentParser::finish() Line 430 C++
WebKit.dll!WebCore::DocumentWriter::end() Line 241 + 0x1d bytes C++
WebKit.dll!WebCore::DocumentLoader::finishedLoading() Line 300 C++
WebKit.dll!WebCore::MainResourceLoader::didFinishLoading(double finishTime=0.00000000000000000) Line 545 C++
WebKit.dll!WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle * __formal=0x030d6b78, double finishTime=0.00000000000000000) Line 435 + 0x18 bytes C++
WebKit.dll!WebCore::didFinishLoading(_CFURLConnection * conn=0x030d6e20, const void * clientInfo=0x030d6b78) Line 301 + 0x26 bytes C++
CFNetwork.dll!URLConnectionClient::_clientDidFinishLoading(URLConnectionClient::ClientConnectionEventQueue * preQ=0x0014e6a8) Line 1739 + 0x2b bytes C++
CFNetwork.dll!URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<enum XClientEvent,XClientEventParams> * e=0x01cbd3e4, long count=3) Line 2256 C++
CFNetwork.dll!URLConnectionClient::processEvents() Line 360 + 0x21 bytes C++
CFNetwork.dll!URLConnectionWndProc(HWND__ * hWnd=0x001a0396, unsigned int message=1231, unsigned int wParam=51211808, long lParam=0) Line 109 C++
user32.dll!75c26238()
[Frames below may be incorrect and/or missing, no symbols loaded for user32.dll]
user32.dll!75c268ea()
user32.dll!75c26899()
user32.dll!75c27d31()
user32.dll!75c27dfa()
DumpRenderTree.dll!runTest(const std::basic_string<char,std::char_traits<char>,std::allocator<char> > & testPathOrURL="C:\cygwin\home\buildbot\OpenSource\LayoutTests\editing\selection\selection-plugin-clear-crash.html") Line 1053 + 0xf bytes C++
DumpRenderTree.dll!dllLauncherEntryPoint(int argc=2, const char * * argv=0x01ce2578) Line 1435 + 0x28 bytes C++
DumpRenderTree.exe!main(int argc=2, const char * * argv=0x01ce2578) Line 198 + 0x10 bytes C++
DumpRenderTree.exe!__tmainCRTStartup() Line 597 + 0x17 bytes C
kernel32.dll!75103677()
ntdll.dll!77989f42()
ntdll.dll!77989f15()
Radar WebKit Bug Importer
Comment 1
2012-05-24 14:54:28 PDT
<rdar://problem/11528666>
Abhishek Arya
Comment 2
2012-05-24 15:02:19 PDT
Any idea who regressed it? I do write a lot of security tests, but this one looks like a null ptr which someone else regressed recently?
Jessie Berlin
Comment 3
2012-05-24 15:33:38 PDT
Unfortunately, the bots are in such an awful state that I have no clue who regressed it. For all I know right now, it could have been crashing since the test was added. Added to the Windows Skipped list in http://trac.webkit.org/changeset/118435 in order to work towards getting the bots green.
Jessie Berlin
Comment 4
2012-05-24 15:39:23 PDT
First noticed on r118350
Abhishek Arya
Comment 5
2012-05-24 15:44:56 PDT
void PluginView::setNPWindowRect(const IntRect& rect)
{
    .......
    IntPoint p = static_cast<FrameView*>(parent())->contentsToWindow(rect.location()); // We are assuming our parent is non-null

while crash stack says we are in the process of setting it up

WebKit.dll!WebCore::PluginView::setParent(WebCore::ScrollView * parent=0x01c51ff8) Line 770 C++
WebKit.dll!WebCore::ScrollView::addChild(WTF::PassRefPtr<WebCore::Widget> prpChild={...}) Line 74 + 0x13 bytes C++

I think you need to cc some folks working on ScrollView/PluginView
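The initialisation-ordering hazard comment 5 points at, reduced to a small model. This is an added illustration and not WebKit source: FrameView, PluginView, setParent(), start() and setNPWindowRect() here are hypothetical stand-ins named after the frames in the stack trace, and the scroll offset is a constructed input. It shows the same child widget started before and after its parent pointer is stored, with the callee checking the parent instead of assuming it is non-null.

```cpp
#include <cassert>
#include <iostream>

// Hypothetical stand-ins for WebCore's FrameView and PluginView. This is an
// added model of the mechanism described in comment 5, not WebKit source.
struct Point { int x; int y; };

struct FrameView {
    int scrollX = 0;
    int scrollY = 0;
    Point contentsToWindow(Point p) const { return Point{p.x - scrollX, p.y - scrollY}; }
};

struct WindowResult {
    bool parentWasNull;  // setNPWindowRect ran before the parent pointer existed
    Point point;         // meaningful only when parentWasNull is false
};

class PluginView {
public:
    explicit PluginView(bool assignParentBeforeStart)
        : m_assignParentBeforeStart(assignParentBeforeStart) {}

    // Models Widget::setParent() triggering plugin start-up. In the buggy
    // ordering the start-up work runs before m_parent is stored, so every
    // parent() call made from start() returns null.
    void setParent(FrameView* parent) {
        if (m_assignParentBeforeStart) {
            m_parent = parent;   // fixed ordering: parent known before start()
            start();
        } else {
            start();             // buggy ordering: parent() is still null here
            m_parent = parent;
        }
    }

    FrameView* parent() const { return m_parent; }
    WindowResult result() const { return m_result; }

private:
    void start() { setNPWindowRect(Point{10, 20}); }

    // Hardened form of the call the report points at: the parent is checked
    // before use rather than assumed non-null. Without the check, the
    // static_cast<FrameView*>(parent())->contentsToWindow(...) call quoted in
    // comment 5 dereferences a null pointer and faults.
    void setNPWindowRect(Point location) {
        FrameView* p = parent();
        if (!p) {
            m_result.parentWasNull = true;   // record the bad state instead of crashing
            return;
        }
        m_result.parentWasNull = false;
        m_result.point = p->contentsToWindow(location);
    }

    FrameView* m_parent = nullptr;
    bool m_assignParentBeforeStart;
    WindowResult m_result{true, Point{0, 0}};
};

// Drives one setParent() call with the chosen ordering and reports what the
// plugin saw. Constructed input: a view scrolled 3px horizontally.
WindowResult simulateSetParent(bool assignParentBeforeStart) {
    FrameView view;
    view.scrollX = 3;
    PluginView plugin(assignParentBeforeStart);
    plugin.setParent(&view);
    return plugin.result();
}

int main() {
    WindowResult buggy = simulateSetParent(false);
    WindowResult fixed = simulateSetParent(true);
    std::cout << "buggy ordering: parent null during start = " << buggy.parentWasNull << '\n';
    std::cout << "fixed ordering: parent null during start = " << fixed.parentWasNull
              << ", window point = (" << fixed.point.x << ", " << fixed.point.y << ")\n";
    return 0;
}
```

Both mitigations in the model are independent: storing the parent before any start-up work runs removes the window in which parent() is null, and the null check in the callee turns a remaining ordering mistake into a recorded, testable state rather than a fault. A faulting read at a small address such as the 0x000000c8 in the report is consistent with a member access through a null pointer, which is the signature to look for when triaging similar crashes.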
Jessie Berlin
Comment 6
2012-05-24 19:23:00 PDT
This also affects plugins/destroy-during-npp-new-object-with-fallback-content.html
Brent Fulgham
Comment 7
2015-01-15 13:39:48 PST
I think this is another flavor of Bug 135514 (see also the stack trace for Bug 140455).
Brent Fulgham
Comment 8
2015-01-19 13:03:05 PST
This isn't happening anymore after resolving Bug 135514. Closing as resolved; please reopen if this recurs.