[Webkit-unassigned] [Bug 136947] New: Null pointer dereference in WebCore::StyleProperties::findPropertyIndex
bugzilla-daemon at webkit.org
Fri Sep 19 02:26:14 PDT 2014
https://bugs.webkit.org/show_bug.cgi?id=136947
Summary: Null pointer dereference in WebCore::StyleProperties::findPropertyIndex
Product: WebKit
Version: 528+ (Nightly build)
Platform: Unspecified
OS/Version: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: CSS
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: rhodovan.u-szeged at partner.samsung.com
CC: akling at apple.com, ltilve at igalia.com
Blocks: 116980
Created an attachment (id=238364)
--> (https://bugs.webkit.org/attachment.cgi?id=238364&action=review)
Test case
The crashing test case:
<!DOCTYPE html>
<style>
    * {
        position:absolute;
    }
</style>
<script>
    onload = function() {
        document.designMode = 'on';
        document.execCommand("selectAll", false, null);
        document.execCommand("insertParagraph", true, null);
        document.execCommand("useCSS", true, false);
        document.execCommand("insertOrderedList", false, null);
        document.execCommand("insertOrderedList", false, null);
        document.execCommand("insertOrderedList", false, null);
        document.execCommand("undo", false, null);
        document.execCommand("insertOrderedList", false, null);
        document.execCommand("redo", false, null);
    }
</script>
<li>
    <b>
        <embed></embed>
    </b>
</li>
The backtrace:
0x00007ffff2fb9711 in WebCore::StyleProperties::findPropertyIndex (this=0x0, propertyID=WebCore::CSSPropertyFontWeight) at ../../Source/WebCore/css/StyleProperties.h:291
291 if (m_isMutable)
#0 0x00007ffff2fb9711 in WebCore::StyleProperties::findPropertyIndex (this=0x0, propertyID=WebCore::CSSPropertyFontWeight) at ../../Source/WebCore/css/StyleProperties.h:291
#1 0x00007ffff2fb61d8 in WebCore::StyleProperties::getPropertyCSSValue (this=0x0, propertyID=WebCore::CSSPropertyFontWeight) at ../../Source/WebCore/css/StyleProperties.cpp:578
#2 0x00007ffff2fb330c in WebCore::StyleProperties::getPropertyValue (this=0x0, propertyID=WebCore::CSSPropertyFontWeight) at ../../Source/WebCore/css/StyleProperties.cpp:120
#3 0x00007ffff31fd21a in WebCore::RemoveCSSPropertyCommand::doApply (this=0x8931f0) at ../../Source/WebCore/editing/RemoveCSSPropertyCommand.cpp:53
#4 0x00007ffff31a9549 in WebCore::SimpleEditCommand::doReapply (this=0x8931f0) at ../../Source/WebCore/editing/EditCommand.cpp:117
#5 0x00007ffff318d82d in WebCore::EditCommandComposition::reapply (this=0x96ecb0) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:146
#6 0x00007ffff2a35584 in WebKit::WebPage::reapplyEditCommand (this=0xaff070, stepID=0x4) at ../../Source/WebKit2/WebProcess/WebPage/WebPage.cpp:3112
#7 0x00007ffff2b92dee in IPC::callMemberFunctionImpl<WebKit::WebPage, void (WebKit::WebPage::*)(unsigned long), std::tuple<unsigned long>, 0ul>(WebKit::WebPage*, void (WebKit::WebPage::*)(unsigned long), std::tuple<unsigned long>&&, std::index_sequence<0ul>) (object=0xaff070, function=(void (WebKit::WebPage::*)(WebKit::WebPage * const, unsigned long)) 0x7ffff2a3552e <WebKit::WebPage::reapplyEditCommand(unsigned long)>, args=<unknown type in /home/reni/data/REPOS/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37, CU 0x6da7251, DIE 0x6e79cc3>) at ../../Source/WebKit2/Platform/IPC/HandleMessage.h:16
#8 0x00007ffff2b90c7e in IPC::callMemberFunction<WebKit::WebPage, void (WebKit::WebPage::*)(unsigned long), std::tuple<unsigned long>, std::make_index_sequence<1ul> >(std::tuple<unsigned long>&&, WebKit::WebPage*, void (WebKit::WebPage::*)(unsigned long)) (args=<unknown type in /home/reni/data/REPOS/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37, CU 0x6da7251, DIE 0x6e79cc3>, object=0xaff070, function=(void (WebKit::WebPage::*)(WebKit::WebPage * const, unsigned long)) 0x7ffff2a3552e <WebKit::WebPage::reapplyEditCommand(unsigned long)>) at ../../Source/WebKit2/Platform/IPC/HandleMessage.h:22
#9 0x00007ffff2b8cc6f in IPC::handleMessage<Messages::WebPage::ReapplyEditCommand, WebKit::WebPage, void (WebKit::WebPage::*)(unsigned long)> (decoder=..., object=0xaff070, function=(void (WebKit::WebPage::*)(WebKit::WebPage * const, unsigned long)) 0x7ffff2a3552e <WebKit::WebPage::reapplyEditCommand(unsigned long)>) at ../../Source/WebKit2/Platform/IPC/HandleMessage.h:120
#10 0x00007ffff2b87f28 in WebKit::WebPage::didReceiveWebPageMessage (this=0xaff070, decoder=...) at DerivedSources/WebKit2/WebPageMessageReceiver.cpp:612
#11 0x00007ffff2a362b0 in WebKit::WebPage::didReceiveMessage (this=0xaff070, connection=0xaa8200, decoder=...) at ../../Source/WebKit2/WebProcess/WebPage/WebPage.cpp:3505
#12 0x00007ffff2752042 in IPC::MessageReceiverMap::dispatchMessage (this=0x8ec6e8, connection=0xaa8200, decoder=...) at ../../Source/WebKit2/Platform/IPC/MessageReceiverMap.cpp:87
#13 0x00007ffff29203f9 in WebKit::WebProcess::didReceiveMessage (this=0x8ec600, connection=0xaa8200, decoder=...) at ../../Source/WebKit2/WebProcess/WebProcess.cpp:599
#14 0x00007ffff27411be in IPC::Connection::dispatchMessage (this=0xaa8200, decoder=...) at ../../Source/WebKit2/Platform/IPC/Connection.cpp:809
#15 0x00007ffff274128a in IPC::Connection::dispatchMessage (this=0xaa8200, message=...) at ../../Source/WebKit2/Platform/IPC/Connection.cpp:828
#16 0x00007ffff273d30d in IPC::Connection::SyncMessageState::dispatchMessages (this=0xacd600, allowedConnection=0x0) at ../../Source/WebKit2/Platform/IPC/Connection.cpp:201
#17 0x00007ffff273f51d in IPC::Connection::waitForSyncReply (this=0xaa8200, syncRequestID=0x7, timeout=..., syncSendFlags=0x0) at ../../Source/WebKit2/Platform/IPC/Connection.cpp:537
#18 0x00007ffff273ef7a in IPC::Connection::sendSyncMessage (this=0xaa8200, syncRequestID=0x7, encoder=..., timeout=..., syncSendFlags=0x0) at ../../Source/WebKit2/Platform/IPC/Connection.cpp:478
#19 0x00007ffff29e8cbb in IPC::Connection::sendSync<Messages::WebPageProxy::ExecuteUndoRedo>(Messages::WebPageProxy::ExecuteUndoRedo&&, Messages::WebPageProxy::ExecuteUndoRedo::Reply&&, unsigned long, std::chrono::duration<long, std::ratio<1l, 1000l> >, unsigned int) (this=0xaa8200, message=<unknown type in /home/reni/data/REPOS/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37, CU 0x4136c8e, DIE 0x4204d34>, reply=<unknown type in /home/reni/data/REPOS/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37, CU 0x4136c8e, DIE 0x4207c50>, destinationID=0x1, timeout=..., syncSendFlags=0x0) at ../../Source/WebKit2/Platform/IPC/Connection.h:359
#20 0x00007ffff29e8030 in IPC::MessageSender::sendSync<Messages::WebPageProxy::ExecuteUndoRedo>(Messages::WebPageProxy::ExecuteUndoRedo&&, Messages::WebPageProxy::ExecuteUndoRedo::Reply&&, unsigned long, std::chrono::duration<long, std::ratio<1l, 1000l> >, unsigned int) (this=0xaff088, message=<unknown type in /home/reni/data/REPOS/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37, CU 0x4136c8e, DIE 0x4204d34>, reply=<unknown type in /home/reni/data/REPOS/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37, CU 0x4136c8e, DIE 0x42065fb>, destinationID=0x1, timeout=..., syncSendFlags=0x0) at ../../Source/WebKit2/Platform/IPC/MessageSender.h:66
#21 0x00007ffff29e741a in IPC::MessageSender::sendSync<Messages::WebPageProxy::ExecuteUndoRedo>(Messages::WebPageProxy::ExecuteUndoRedo&&, Messages::WebPageProxy::ExecuteUndoRedo::Reply&&, std::chrono::duration<long, std::ratio<1l, 1000l> >, unsigned int) (this=0xaff088, message=<unknown type in /home/reni/data/REPOS/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37, CU 0x4136c8e, DIE 0x4204d34>, reply=<unknown type in /home/reni/data/REPOS/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37, CU 0x4136c8e, DIE 0x4204d39>, timeout=..., syncSendFlags=0x0) at ../../Source/WebKit2/Platform/IPC/MessageSender.h:58
#22 0x00007ffff29e5812 in WebKit::WebEditorClient::redo (this=0x6ffa80) at ../../Source/WebKit2/WebProcess/WebCoreSupport/WebEditorClient.cpp:280
#23 0x00007ffff31bde1e in WebCore::Editor::redo (this=0xa84360) at ../../Source/WebCore/editing/Editor.cpp:1617
#24 0x00007ffff31d3277 in WebCore::executeRedo (frame=...) at ../../Source/WebCore/editing/EditorCommand.cpp:977
#25 0x00007ffff31d5121 in WebCore::Editor::Command::execute (this=0x7fffffffc780, parameter=..., triggeringEvent=0x0) at ../../Source/WebCore/editing/EditorCommand.cpp:1726
#26 0x00007ffff3068d82 in WebCore::Document::execCommand (this=0xabf430, commandName=..., userInterface=0x0, value=...) at ../../Source/WebCore/dom/Document.cpp:4284
#27 0x00007ffff4064ccf in WebCore::jsDocumentPrototypeFunctionExecCommand (exec=0x7fffffffc880) at DerivedSources/WebCore/JSDocument.cpp:4526
#28 0x00007fff9b2060b4 in ?? ()
#29 0x00007fffffffc8e0 in ?? ()
#30 0x00007fffedbda6ae in llint_entry () from /home/reni/data/REPOS/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18
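As an added illustration (not WebKit's code), the shape of the failure the backtrace shows: a remove-CSS-property command re-run on redo (frames #3-#5) reads the element's inline style, which is null at that point (this=0x0 in frames #0-#2). The StyleProperties, Element and command types below are simplified hypothetical stand-ins; the hardened variant treats a missing inline style as "nothing to remove" instead of dereferencing it.

```cpp
// Added model of the failure mode, not WebKit code: reapplying a remove-property
// command reads the element's inline style, which may no longer exist (this=0x0).
#include <map>
#include <memory>
#include <string>
// Hypothetical stand-ins for WebCore::StyleProperties and a styled element.
struct StyleProperties {
    std::map<std::string, std::string> properties;
    std::string getPropertyValue(const std::string& id) const {
        auto it = properties.find(id);
        return it == properties.end() ? std::string() : it->second;
    }
    void removeProperty(const std::string& id) { properties.erase(id); }
};
struct Element {
    std::unique_ptr<StyleProperties> inlineStyle; // null: no style attribute
};

// Unsafe shape: assumes the inline style is present whenever the command is (re)applied.
struct UnsafeRemoveCSSPropertyCommand {
    Element* element; std::string property; std::string oldValue;
    void doApply() {
        StyleProperties* style = element->inlineStyle.get();
        oldValue = style->getPropertyValue(property); // null dereference when style == nullptr
        style->removeProperty(property);
    }
};

// Hardened shape: a missing inline style means there is nothing to remove; report it instead.
struct SafeRemoveCSSPropertyCommand {
    Element* element; std::string property; std::string oldValue;
    bool doApply() {
        StyleProperties* style = element->inlineStyle.get();
        if (!style) return false; // reapply with no inline style: no-op, no crash
        oldValue = style->getPropertyValue(property);
        style->removeProperty(property);
        return true;
    }
};

// apply -> style attribute disappears (as it has by the redo in the test case) -> reapply.
// Returns true when the first apply recorded "bold" and the reapply bailed out cleanly.
bool reapplyWithoutInlineStyle() {
    Element el;
    el.inlineStyle = std::make_unique<StyleProperties>();
    el.inlineStyle->properties["font-weight"] = "bold";
    SafeRemoveCSSPropertyCommand cmd{&el, "font-weight", ""};
    bool first = cmd.doApply();
    el.inlineStyle.reset(); // element no longer has an inline style
    return first && cmd.oldValue == "bold" && !cmd.doApply();
}
```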