[Webkit-unassigned] [Bug 140506] New: [Win] Crash in is<> Template due to corrupted/garbage WebCore::HTMLNames::selectTag

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jan 15 13:06:33 PST 2015


https://bugs.webkit.org/show_bug.cgi?id=140506

            Bug ID: 140506
           Summary: [Win] Crash in is<> Template due to corrupted/garbage
                    WebCore::HTMLNames::selectTag
    Classification: Unclassified
           Product: WebKit
           Version: 528+ (Nightly build)
          Hardware: PC
                OS: All
            Status: NEW
          Severity: Major
          Priority: P2
         Component: WebCore Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: bfulgham at webkit.org

The test 'fast/forms/select/popup-closes-on-blur.html' crashes with the following stack trace:

     DumpRenderTree.dll!std::unique_ptr<WTF::HashMap<int,WTF::RefPtr<JSC::WatchpointSet>,WTF::IntHash<int>,WTF::UnsignedWithZeroKeyHashTraits<int>,WTF::HashTraits<WTF::RefPtr<JSC::WatchpointSet> > >,std::default_delete<WTF::HashMap<int,WTF::RefPtr<JSC::WatchpointSet>,WTF::IntHash<int>,WTF::UnsignedWithZeroKeyHashTraits<int>,WTF::HashTraits<WTF::RefPtr<JSC::WatchpointSet> > > > >::get() Line 1453    C++
     DumpRenderTree.dll!WTF::Vector<COMPtr<IUnknown>,0,WTF::CrashOnOverflow>::data() Line 643    C++
     DumpRenderTree.dll!WTF::Vector<std::unique_ptr<tagSTGMEDIUM,StgMediumDeleter>,0,WTF::CrashOnOverflow>::begin() Line 647    C++
     DumpRenderTree.dll!WTF::operator==(const WTF::AtomicString & a, const WTF::AtomicString & b) Line 224    C++
     DumpRenderTree.dll!WebCore::Element::hasLocalName(const WTF::AtomicString & other) Line 260    C++
     DumpRenderTree.dll!WebCore::HTMLElement::hasTagName(const WebCore::HTMLQualifiedName & name) Line 99    C++
     DumpRenderTree.dll!WebCore::Node::hasTagName(const WebCore::HTMLQualifiedName & name) Line 145    C++
>	DumpRenderTree.dll!WTF::TypeCastTraits<WebCore::HTMLSelectElement const ,WebCore::Node const ,0>::checkTagName(const WebCore::Node & node) Line 689	C++
     DumpRenderTree.dll!WTF::TypeCastTraits<WebCore::HTMLSelectElement const ,WebCore::Node const ,0>::isOfType(const WebCore::Node & node) Line 686    C++
     DumpRenderTree.dll!WTF::is<WebCore::HTMLSelectElement,WebCore::Node>(WebCore::Node & source) Line 59    C++
     DumpRenderTree.dll!WebCore::Internals::isSelectPopupVisible(WebCore::Node * node) Line 2166    C++
     DumpRenderTree.dll!WebCore::jsInternalsPrototypeFunctionIsSelectPopupVisible(JSC::ExecState * exec) Line 3424    C++
     [External Code]    
     [Frames below may be incorrect and/or missing]    
     JavaScriptCore.dll!llint_entry() Line 7211    Unknown
     JavaScriptCore.dll!vmEntryToJavaScript() Line 109    Unknown
     JavaScriptCore.dll!JSC::JITCode::execute(JSC::VM * vm, JSC::ProtoCallFrame * protoCallFrame) Line 77    C++
     JavaScriptCore.dll!JSC::Interpreter::execute(JSC::EvalExecutable * eval, JSC::ExecState * callFrame, JSC::JSValue thisValue, JSC::JSScope * scope) Line 1201    C++
     JavaScriptCore.dll!JSC::eval(JSC::ExecState * callFrame) Line 134    C++
     JavaScriptCore.dll!llint_slow_path_call_eval(JSC::ExecState * exec, JSC::Instruction * pc) Line 1248    C++
     JavaScriptCore.dll!llint_entry() Line 7424    Unknown
     [External Code]    
     JavaScriptCore.dll!llint_entry() Line 7211    Unknown
     JavaScriptCore.dll!llint_entry() Line 7211    Unknown
     JavaScriptCore.dll!vmEntryToJavaScript() Line 109    Unknown
     JavaScriptCore.dll!JSC::JITCode::execute(JSC::VM * vm, JSC::ProtoCallFrame * protoCallFrame) Line 77    C++
     JavaScriptCore.dll!JSC::Interpreter::execute(JSC::ProgramExecutable * program, JSC::ExecState * callFrame, JSC::JSObject * thisObj) Line 914    C++
     JavaScriptCore.dll!JSC::evaluate(JSC::ExecState * exec, const JSC::SourceCode & source, JSC::JSValue thisValue, JSC::JSValue * returnedException) Line 83    C++
     WebKit.dll!WebCore::JSMainThreadExecState::evaluate(JSC::ExecState * exec, const JSC::SourceCode & source, JSC::JSValue thisValue, JSC::JSValue * exception) Line 62    C++
     WebKit.dll!WebCore::ScriptController::evaluateInWorld(const WebCore::ScriptSourceCode & sourceCode, WebCore::DOMWrapperWorld & world) Line 150    C++
     WebKit.dll!WebCore::ScriptController::evaluate(const WebCore::ScriptSourceCode & sourceCode) Line 166    C++
     WebKit.dll!WebCore::ScriptElement::executeScript(const WebCore::ScriptSourceCode & sourceCode) Line 301    C++
     WebKit.dll!WebCore::ScriptElement::prepareScript(const WTF::TextPosition & scriptStartPosition, WebCore::ScriptElement::LegacyTypeSupport supportLegacyTypes) Line 237    C++
     WebKit.dll!WebCore::HTMLScriptRunner::runScript(WebCore::Element * script, const WTF::TextPosition & scriptStartPosition) Line 304    C++
     WebKit.dll!WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element> scriptElement, const WTF::TextPosition & scriptStartPosition) Line 177    C++
     WebKit.dll!WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() Line 197    C++
     WebKit.dll!WebCore::HTMLDocumentParser::canTakeNextToken(WebCore::HTMLDocumentParser::SynchronousMode mode, WebCore::PumpSession & session) Line 214    C++
     WebKit.dll!WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode mode) Line 259    C++
     WebKit.dll!WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode mode) Line 167    C++
     WebKit.dll!WebCore::HTMLDocumentParser::resumeParsingAfterScriptExecution() Line 492    C++
     WebKit.dll!WebCore::HTMLDocumentParser::notifyFinished(WebCore::CachedResource * cachedResource) Line 532    C++
     WebKit.dll!WebCore::CachedResource::checkNotify() Line 294    C++
     WebKit.dll!WebCore::CachedResource::finishLoading(WebCore::SharedBuffer * __formal) Line 311    C++
     WebKit.dll!WebCore::CachedScript::finishLoading(WebCore::SharedBuffer * data) Line 87    C++
     WebKit.dll!WebCore::SubresourceLoader::didFinishLoading(double finishTime) Line 357    C++
     WebKit.dll!WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle * __formal, double finishTime) Line 503    C++
     WebKit.dll!WebCore::SynchronousResourceHandleCFURLConnectionDelegate::didFinishLoading() Line 181    C++
     WebKit.dll!WebCore::ResourceHandleCFURLConnectionDelegate::didFinishLoadingCallback(_CFURLConnection * __formal, const void * clientInfo) Line 88    C++
     CFNetwork.dll!URLConnectionClient::_clientDidFinishLoading(URLConnectionClient::ClientConnectionEventQueue * preQ) Line 1739    C++
     CFNetwork.dll!URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<enum XClientEvent,XClientEventParams> * e, long count) Line 2256    C++
     CFNetwork.dll!XConnectionEventQueue<enum XClientEvent,XClientEventParams>::processAllEvents() Line 231    C++
     CFNetwork.dll!URLConnectionClient::processEvents() Line 362    C++
     CFNetwork.dll!URLConnectionWndProc(HWND__ * hWnd, unsigned int message, unsigned int wParam, long lParam) Line 109    C++
     [External Code]    
     DumpRenderTree.dll!runTest(const std::basic_string<char,std::char_traits<char>,std::allocator<char> > & inputLine) Line 1130    C++
     DumpRenderTree.dll!main(int argc, const char * * argv) Line 1488    C++
     DumpRenderTree.dll!dllLauncherEntryPoint(int argc, const char * * argv) Line 1518    C++
     DumpRenderTree.exe!main(int argc, const char * * argv) Line 239    C++
     [External Code]    

The crash is happening because the contents of WebCore::HTMLNames::selectTag are garbage.
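The frames between `WTF::is<HTMLSelectElement, Node>` and `WTF::operator==(const AtomicString&, const AtomicString&)` show what the type check actually does: it reads the global `HTMLNames::selectTag` and compares its local name with the node's. The following is an added, simplified model of that dispatch (toy code written for this note, not WebKit's own `TypeCastTraits` or `AtomicString`; the `toy::` names, `initTags()` and `selectCheckAfterInit()` are assumptions for illustration). It makes the dependency explicit: the `is<>` answer is only as trustworthy as the memory behind the global tag, and a debug assertion on the tag's initialization state is one way to turn a garbage comparison into a loud failure.

```cpp
// Simplified model of the WTF is<>() / TypeCastTraits dispatch seen in the
// stack trace. Added illustration only; names mirror the trace, bodies are toy.
#include <cassert>
#include <memory>
#include <string>
#include <vector>

namespace toy {

// Stand-in for WTF::AtomicString: interned strings compare by pointer identity,
// so a null or stale impl pointer makes every comparison meaningless.
struct AtomicString {
    const std::string* impl = nullptr;  // nullptr means "never initialized"
    bool operator==(const AtomicString& other) const { return impl == other.impl; }
};

// Stand-in for WebCore::HTMLQualifiedName (only the local name matters here).
struct QualifiedName {
    AtomicString localName;
};

// Interning table; the real one is process-global, here it is passed explicitly.
struct AtomicStringTable {
    std::vector<std::unique_ptr<std::string>> entries;
    AtomicString intern(const std::string& s) {
        for (auto& e : entries)
            if (*e == s) return AtomicString{e.get()};
        entries.push_back(std::make_unique<std::string>(s));
        return AtomicString{entries.back().get()};
    }
};

// Stand-in for WebCore::HTMLNames::selectTag: a global that must be filled in
// before any is<HTMLSelectElement>() check runs (hypothetical accessor).
inline QualifiedName& selectTag() {
    static QualifiedName tag;  // localName stays null until initTags() runs
    return tag;
}

// Hypothetical equivalent of the HTMLNames initialization step.
inline void initTags(AtomicStringTable& table) {
    selectTag().localName = table.intern("select");
}

struct Node {
    virtual ~Node() = default;
    virtual bool isElement() const { return false; }
};

struct Element : Node {
    QualifiedName tagName;
    explicit Element(QualifiedName name) : tagName(name) {}
    bool isElement() const override { return true; }
    // Mirrors Element::hasLocalName -> AtomicString::operator== in the trace.
    bool hasLocalName(const AtomicString& other) const { return tagName.localName == other; }
    bool hasTagName(const QualifiedName& name) const { return hasLocalName(name.localName); }
};

struct HTMLSelectElement : Element {
    explicit HTMLSelectElement(QualifiedName name) : Element(name) {}
};

// Mirrors WTF::TypeCastTraits<HTMLSelectElement, Node>::checkTagName / isOfType.
template <typename Target, typename Source> struct TypeCastTraits;

template <> struct TypeCastTraits<HTMLSelectElement, Node> {
    static bool checkTagName(const Node& node) {
        // Defensive check: the comparison below reads the global tag. If that
        // global is uninitialized (or corrupted), fail loudly in debug builds
        // rather than silently comparing garbage.
        assert(selectTag().localName.impl != nullptr && "selectTag used before HTMLNames init");
        return node.isElement() && static_cast<const Element&>(node).hasTagName(selectTag());
    }
    static bool isOfType(const Node& node) { return checkTagName(node); }
};

template <typename Target, typename Source>
bool is(const Source& source) { return TypeCastTraits<Target, Source>::isOfType(source); }

// Builds one node with the tag table initialized and runs the type check.
// Returns true only when the node really is a <select>.
inline bool selectCheckAfterInit(bool makeSelect) {
    AtomicStringTable table;
    initTags(table);
    std::unique_ptr<Node> node;
    if (makeSelect)
        node = std::make_unique<HTMLSelectElement>(selectTag());
    else
        node = std::make_unique<Element>(QualifiedName{table.intern("div")});
    return is<HTMLSelectElement>(*node);
}

}  // namespace toy
```

Note that nothing in the `is<>` path validates the node; the whole check reduces to pointer equality against a global, which is why a trashed `selectTag` surfaces as a crash deep inside `AtomicString::operator==` rather than anywhere near the code that corrupted it.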
