Bug 95380 - REGRESSION(r126780): Crash using StringImpl::is8Bit before checking if there is an impl
Summary: REGRESSION(r126780): Crash using StringImpl::is8Bit before checking if there ...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Web Template Framework
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Benjamin Poulain
Keywords: InRadar
Reported: 2012-08-29 14:28 PDT by Jessie Berlin
Modified: 2012-08-29 20:55 PDT
Attachments
Patch (3.05 KB, patch)
2012-08-29 15:09 PDT, Benjamin Poulain
Description Jessie Berlin 2012-08-29 14:28:52 PDT
No crash: http://build.webkit.org/results/Apple%20MountainLion%20Debug%20WK2%20(Tests)/r126778%20(282)/results.html
Crash: http://build.webkit.org/results/Apple%20MountainLion%20Debug%20WK2%20(Tests)/r126780%20(283)/http/tests/security/xss-DENIED-xsl-document-crash-log.txt

Process:         WebProcess [71736]
Path:            /Volumes/VOLUME/*/WebKit2.framework/WebProcess.app/Contents/MacOS/WebProcess
Identifier:      com.apple.WebProcess
Version:         537+ (537.6+)
Code Type:       X86-64 (Native)
Parent Process:  ??? [1]
User ID:         501

Date/Time:       2012-08-27 12:27:59.687 -0700
OS Version:      Mac OS X 10.8 (12A269)
Report Version:  10

Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000018

VM Regions Near 0x18:
--> 
    __TEXT                 000000010aa55000-000000010aa56000 [    4K] r-x/rwx SM=COW  /Volumes/VOLUME/*/WebKit2.framework/WebProcess.app/Contents/MacOS/WebProcess

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x000000010baa187c WTF::StringImpl::is8Bit() const + 12 (StringImpl.h:375)
1   com.apple.JavaScriptCore      	0x000000010bb3b7bd WTF::String::is8Bit() const + 29 (WTFString.h:204)
2   com.apple.JavaScriptCore      	0x000000010bee1c36 WTF::String::ascii() const + 54 (WTFString.cpp:607)
3   com.apple.WebCore             	0x000000010d11b8b0 WebCore::IconController::continueLoadWithDecision(WebCore::IconLoadDecision) + 240 (IconController.cpp:217)
4   com.apple.WebCore             	0x000000010cc8ced3 WebCore::DocumentLoader::continueIconLoadWithDecision(WebCore::IconLoadDecision) + 195 (DocumentLoader.cpp:921)
5   com.apple.WebCore             	0x000000010cc8ce04 WebCore::iconLoadDecisionCallback(WebCore::IconLoadDecision, void*) + 36 (DocumentLoader.cpp:905)
6   com.apple.WebKit2             	0x000000010ac8a730 WebCore::EnumCallback<WebCore::IconLoadDecision>::performCallback(WebCore::IconLoadDecision) + 80 (IconDatabaseBase.h:97)
7   com.apple.WebKit2             	0x000000010ac89d9d WebKit::WebIconDatabaseProxy::receivedIconLoadDecision(int, unsigned long long) + 93 (WebIconDatabaseProxy.cpp:124)
8   com.apple.WebKit2             	0x000000010ac8d9f1 void CoreIPC::callMemberFunction<WebKit::WebIconDatabaseProxy, void (WebKit::WebIconDatabaseProxy::*)(int, unsigned long long), int, unsigned long long>(CoreIPC::Arguments2<int, unsigned long long> const&, WebKit::WebIconDatabaseProxy*, void (WebKit::WebIconDatabaseProxy::*)(int, unsigned long long)) + 145 (HandleMessage.h:26)
9   com.apple.WebKit2             	0x000000010ac8d8ff void CoreIPC::handleMessage<Messages::WebIconDatabaseProxy::ReceivedIconLoadDecision, WebKit::WebIconDatabaseProxy, void (WebKit::WebIconDatabaseProxy::*)(int, unsigned long long)>(CoreIPC::ArgumentDecoder*, WebKit::WebIconDatabaseProxy*, void (WebKit::WebIconDatabaseProxy::*)(int, unsigned long long)) + 111 (HandleMessage.h:303)
10  com.apple.WebKit2             	0x000000010ac8d750 WebKit::WebIconDatabaseProxy::didReceiveWebIconDatabaseProxyMessage(CoreIPC::Connection*, CoreIPC::MessageID, CoreIPC::ArgumentDecoder*) + 160 (WebIconDatabaseProxyMessageReceiver.cpp:43)
11  com.apple.WebKit2             	0x000000010ac89f51 WebKit::WebIconDatabaseProxy::didReceiveMessage(CoreIPC::Connection*, CoreIPC::MessageID, CoreIPC::ArgumentDecoder*) + 49 (WebIconDatabaseProxy.cpp:149)
12  com.apple.WebKit2             	0x000000010ad783e1 WebKit::WebProcess::didReceiveMessage(CoreIPC::Connection*, CoreIPC::MessageID, CoreIPC::ArgumentDecoder*) + 449 (WebProcess.cpp:669)
13  com.apple.WebKit2             	0x000000010ac1ab4e WebKit::WebConnectionToUIProcess::didReceiveMessage(CoreIPC::Connection*, CoreIPC::MessageID, CoreIPC::ArgumentDecoder*) + 350 (WebConnectionToUIProcess.cpp:88)
14  com.apple.WebKit2             	0x000000010ac1ab9d non-virtual thunk to WebKit::WebConnectionToUIProcess::didReceiveMessage(CoreIPC::Connection*, CoreIPC::MessageID, CoreIPC::ArgumentDecoder*) + 61
15  com.apple.WebKit2             	0x000000010aab92bc CoreIPC::Connection::dispatchMessage(CoreIPC::Connection::Message<CoreIPC::ArgumentDecoder>&) + 348 (Connection.cpp:691)
16  com.apple.WebKit2             	0x000000010aabba6b CoreIPC::Connection::dispatchOneMessage() + 203 (Connection.cpp:718)
17  com.apple.WebKit2             	0x000000010aac2572 WTF::FunctionWrapper<void (CoreIPC::Connection::*)()>::operator()(CoreIPC::Connection*) + 114 (Functional.h:173)
18  com.apple.WebKit2             	0x000000010aac24f5 WTF::BoundFunctionImpl<WTF::FunctionWrapper<void (CoreIPC::Connection::*)()>, void (CoreIPC::Connection*)>::operator()() + 53 (Functional.h:405)
19  com.apple.WebCore             	0x000000010dcc0bd5 WTF::Function<void ()>::operator()() const + 133 (Functional.h:613)
20  com.apple.WebCore             	0x000000010dcc081f WebCore::RunLoop::performWork() + 207 (RunLoop.cpp:89)
21  com.apple.WebCore             	0x000000010dcc1d0e WebCore::RunLoop::performWork(void*) + 62 (RunLoopCF.cpp:66)
22  com.apple.CoreFoundation      	0x00007fff9682f841 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
23  com.apple.CoreFoundation      	0x00007fff9682f22d __CFRunLoopDoSources0 + 445
24  com.apple.CoreFoundation      	0x00007fff968524e5 __CFRunLoopRun + 789
25  com.apple.CoreFoundation      	0x00007fff96851dd2 CFRunLoopRunSpecific + 290
26  com.apple.HIToolbox           	0x00007fff91c7b774 RunCurrentEventLoopInMode + 209
27  com.apple.HIToolbox           	0x00007fff91c7b512 ReceiveNextEventCommon + 356
28  com.apple.HIToolbox           	0x00007fff91c7b3a3 BlockUntilNextEventMatchingListInMode + 62
29  com.apple.AppKit              	0x00007fff9077ffa3 _DPSNextEvent + 685
30  com.apple.AppKit              	0x00007fff9077f862 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
31  com.apple.AppKit              	0x00007fff90776c03 -[NSApplication run] + 517
32  com.apple.WebCore             	0x000000010dcc296c WebCore::RunLoop::run() + 92 (RunLoopMac.mm:37)
33  com.apple.WebKit2             	0x000000010ad8e3ea WebKit::WebProcessMain(WebKit::CommandLine const&) + 3386 (WebProcessMainMac.mm:228)
34  com.apple.WebKit2             	0x000000010ac9f3a8 WebKitMain(WebKit::CommandLine const&) + 200 (WebKitMain.cpp:50)
35  com.apple.WebKit2             	0x000000010ac9f2c4 WebKitMain + 148 (WebKitMain.cpp:74)
36  com.apple.WebProcess          	0x000000010aa55da2 main + 274
37  libdyld.dylib                 	0x00007fff923477e1 start + 1
Comment 1 Radar WebKit Bug Importer 2012-08-29 14:29:18 PDT
<rdar://problem/12201121>
Comment 2 Jessie Berlin 2012-08-29 14:30:01 PDT
http://trac.webkit.org/changeset/126780
Comment 3 Michael Saboff 2012-08-29 14:51:34 PDT
In the case of a null m_impl in a WTFString, a length check should be done before calling is8Bit(). I think that is the source of the issue here.
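A constructed C++ model of the pattern Comment 3 describes, added here and not WebKit's code or the landed patch: a `String` whose `m_impl` may be null, an unchecked `is8Bit()` forwarding of the kind that faults in frame 0 of the trace, and an accessor plus `ascii()` that check for a null impl or zero length first. The names `is8BitUnchecked` and `hashAndFlags`, the flag bit and the field layout are assumptions for illustration.

```cpp
#include <cstdint>
#include <memory>
#include <string>
#include <utility>

// Constructed model (not WebKit's code) of the WTF::StringImpl / WTF::String
// split behind the crash in this report. Field layout is simplified.
struct StringImpl {
    uint32_t length;
    uint32_t hashAndFlags;   // low bit stands in for the "is 8-bit" flag
    std::string bytes;
    // Reads a field through `this`. With a null impl the faulting address is
    // just the field's offset, which is why such reports show a tiny address.
    bool is8Bit() const { return hashAndFlags & 1u; }
};

class String {
public:
    String() = default;   // null string: m_impl stays nullptr
    explicit String(std::string s)
        : m_impl(std::make_shared<StringImpl>(
              StringImpl{static_cast<uint32_t>(s.size()), 1u, std::move(s)})) {}

    bool isNull() const { return !m_impl; }
    uint32_t length() const { return m_impl ? m_impl->length : 0; }

    // Shape of an unchecked accessor: forwards to the impl unconditionally,
    // so a null String dereferences nullptr. Never call this on a null String.
    bool is8BitUnchecked() const { return m_impl->is8Bit(); }

    // Hardened accessor: a null String is answered without touching m_impl.
    bool is8Bit() const { return !m_impl || m_impl->is8Bit(); }

    // ascii() checks length() first, as Comment 3 suggests, before asking the
    // impl about its encoding; a null or empty String never reaches m_impl.
    std::string ascii() const {
        if (!length())
            return std::string();
        return m_impl->is8Bit() ? m_impl->bytes : std::string("<16-bit data>");
    }

private:
    std::shared_ptr<StringImpl> m_impl;
};
```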
Comment 4 Benjamin Poulain 2012-08-29 15:09:35 PDT
Created attachment 161327 [details]
Patch
Comment 5 WebKit Review Bot 2012-08-29 20:55:50 PDT
Comment on attachment 161327 [details]
Patch

Clearing flags on attachment: 161327

Committed r127093: <http://trac.webkit.org/changeset/127093>
Comment 6 WebKit Review Bot 2012-08-29 20:55:53 PDT
All reviewed patches have been landed.  Closing bug.