[Webkit-unassigned] [Bug 77346] New: NULL ptr deref in xmlXPathNodeCollectAndTest

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jan 30 10:54:41 PST 2012


https://bugs.webkit.org/show_bug.cgi?id=77346

           Summary: NULL ptr deref in xmlXPathNodeCollectAndTest
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P3
         Component: XML
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: palmer at google.com


http://code.google.com/p/chromium/issues/detail?id=111655

==23077== ERROR: AddressSanitizer crashed on unknown address 0x000000000010 (pc 0x7f70859091a2 sp 0x7f7056598b80 bp 0x7f7056598d90 T15)
AddressSanitizer can not provide additional info. ABORTING
    #0 0x7f70859091a2 in xmlXPathNodeCollectAndTest third_party/libxml/src/xpath.c:0
    #1 0x7f70858ffa33 in xmlXPathCompOpEval third_party/libxml/src/xpath.c:0
    #2 0x7f7085902e9e in xmlXPathCompOpEval third_party/libxml/src/xpath.c:0
    #3 0x7f70858fa8b3 in xmlXPathRunEval third_party/libxml/src/xpath.c:0
    #4 0x7f70858f9a20 in xmlXPathCompiledEvalInternal third_party/libxml/src/xpath.c:0
    #5 0x7f70858f975c in xmlXPathCompiledEval 
    #6 0x7f708950df47 in xsltValueOf 
    #7 0x7f7089505f96 in xsltApplySequenceConstructor third_party/libxslt/libxslt/transform.c:0
    #8 0x7f708950490e in xsltApplyXSLTTemplate third_party/libxslt/libxslt/transform.c:0
    #9 0x7f708950392f in xsltProcessOneNode 
    #10 0x7f7089513a04 in xsltApplyStylesheetInternal third_party/libxslt/libxslt/transform.c:0
    #11 0x7f7086b4c293 in WebCore::XSLTProcessor::transformToString(WebCore::Node*, WTF::String&, WTF::String&, WTF::String&) 
    #12 0x7f7085c5742e in WebCore::Document::applyXSLTransform(WebCore::ProcessingInstruction*) 
    #13 0x7f7085c5710f in WebCore::Document::collectActiveStylesheets(WTF::Vector<WTF::RefPtr<WebCore::StyleSheet>, 0ul>&) 
    #14 0x7f7085c46f69 in WebCore::Document::updateActiveStylesheets(WebCore::StyleSelectorUpdateFlag) 
    #15 0x7f7085c4903c in WebCore::Document::styleSelectorChanged(WebCore::StyleSelectorUpdateFlag) 
    #16 0x7f7085c54e67 in WebCore::Document::removePendingSheet() 
    #17 0x7f7085d1bff3 in WebCore::ProcessingInstruction::sheetLoaded() 
    #18 0x7f7086b444a1 in WebCore::XSLStyleSheet::checkLoaded() 
    #19 0x7f708695d3b0 in WebCore::CachedXSLStyleSheet::checkNotify() 
    #20 0x7f708695cfeb in WebCore::CachedXSLStyleSheet::data(WTF::PassRefPtr<WebCore::SharedBuffer>, bool) 
    #21 0x7f7086920f7b in WebCore::SubresourceLoader::didFinishLoading(double) 
    #22 0x7f7087f9aa22 in webkit_glue::WebURLLoaderImpl::Context::OnCompletedRequest(net::URLRequestStatus const&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, base::TimeTicks const&) 
    #23 0x7f70855d169a in ResourceDispatcher::OnRequestComplete(int, net::URLRequestStatus const&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, base::TimeTicks const&) 
    #24 0x7f70855d288b in bool ResourceMsg_RequestComplete::Dispatch<ResourceDispatcher, ResourceDispatcher, void (ResourceDispatcher::*)(int, net::URLRequestStatus const&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, base::TimeTicks const&)>(IPC::Message const*, ResourceDispatcher*, ResourceDispatcher*, void (ResourceDispatcher::*)(int, net::URLRequestStatus const&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, base::TimeTicks const&)) 
    #25 0x7f70855cee5c in ResourceDispatcher::DispatchMessage(IPC::Message const&) 
    #26 0x7f70855ccde0 in ResourceDispatcher::OnMessageReceived(IPC::Message const&) 
    #27 0x7f70854d879f in ChildThread::OnMessageReceived(IPC::Message const&) 
    #28 0x7f70856242b9 in IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const&) 
    #29 0x7f7083eab506 in MessageLoop::RunTask(base::PendingTask const&) 
    #30 0x7f7083eabd66 in MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) 
    #31 0x7f7083ead04b in MessageLoop::DoWork() 
    #32 0x7f7083eb7a87 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) 
    #33 0x7f7083eaa0ce in MessageLoop::RunInternal() 
    #34 0x7f7083ea82bf in MessageLoop::Run() 
    #35 0x7f7083f224ac in base::Thread::ThreadMain() 
    #36 0x7f7083f1952c in base::(anonymous namespace)::ThreadFunc(void*) base/threading/platform_thread_posix.cc:0
    #37 0x7f7089c51d17 in __asan::AsanThread::ThreadStart() 
Stats: 278M malloced (506M for red zones) by 1475372 calls
Stats: 1M realloced by 7882 calls
Stats: 272M freed by 1427276 calls
Stats: 176M really freed by 998418 calls
Stats: 396M (101434 full pages) mmaped in 99 calls
  mmaps   by size class: 8:524256; 9:24573; 10:12285; 11:6141; 12:2048; 13:1024; 14:1280; 15:1024; 16:576; 17:64; 18:208; 19:8; 20:8; 21:28;
  mallocs by size class: 8:1404910; 9:32643; 10:16480; 11:8596; 12:3694; 13:2034; 14:3144; 15:2016; 16:1382; 17:47; 18:389; 19:5; 20:5; 21:27;
  frees   by size class: 8:1360388; 9:30502; 10:15785; 11:8222; 12:3483; 13:1943; 14:3121; 15:2005; 16:1366; 17:37; 18:387; 19:5; 20:5; 21:27;
  rfrees  by size class: 8:957082; 9:19174; 10:9424; 11:4657; 12:1993; 13:1229; 14:2097; 15:1561; 16:848; 17:6; 18:339; 19:4; 21:4;
Stats: malloc large: 473 small slow: 5033
