[Webkit-unassigned] [Bug 145981] New: Crash when right clicking in input box with -webkit-user-select: none
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Mon Jun 15 12:38:45 PDT 2015
https://bugs.webkit.org/show_bug.cgi?id=145981
Bug ID: 145981
Summary: Crash when right clicking in input box with
-webkit-user-select: none
Classification: Unclassified
Product: WebKit
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: Forms
Assignee: webkit-unassigned at lists.webkit.org
Reporter: bjonesbe at adobe.com
Created attachment 254888
--> https://bugs.webkit.org/attachment.cgi?id=254888&action=review
Test Case
Load the attached test case, then right click in the input box. Watch the renderer crash:
Note that if you do type in the box, only one character shows up, and doesn't seem to be able to be deleted. But once the box has been left clicked on or typed in, a crash will no longer occur.
Stack:
* thread #1: tid = 0xae932b, 0x000000011830247f WebCore`WebCore::Node::getFlag(this=0x0000000000000000, mask=HasRareDataFlag) const + 15 at Node.h:631, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x18)
* frame #0: 0x000000011830247f WebCore`WebCore::Node::getFlag(this=0x0000000000000000, mask=HasRareDataFlag) const + 15 at Node.h:631
frame #1: 0x000000011830243a WebCore`WebCore::Node::hasRareData(this=0x0000000000000000) const + 26 at Node.h:658
frame #2: 0x00000001183023d9 WebCore`WebCore::Node::renderer(this=0x0000000000000000) const + 25 at Node.h:441
frame #3: 0x0000000118a3095f WebCore`WebCore::Editor::hasBidiSelection(this=0x00007f8520c29900) const + 447 at Editor.cpp:712
frame #4: 0x0000000118648adb WebCore`WebCore::ContextMenuController::populate(this=0x0000000121fcf0b8) + 15547 at ContextMenuController.cpp:1098
frame #5: 0x00000001186448af WebCore`WebCore::ContextMenuController::handleContextMenuEvent(this=0x0000000121fcf0b8, event=0x0000000121f586e0) + 799 at ContextMenuController.cpp:105
frame #6: 0x00000001199432e0 WebCore`WebCore::Node::defaultEventHandler(this=0x0000000121fef9c0, event=0x0000000121f586e0) + 592 at Node.cpp:2088
frame #7: 0x000000011a2555c9 WebCore`WebCore::TextControlInnerTextElement::defaultEventHandler(this=0x0000000121fef9c0, event=0x0000000121f586e0) + 185 at TextControlInnerElements.cpp:111
frame #8: 0x0000000118a872a6 WebCore`WebCore::callDefaultEventHandlersInTheBubblingOrder(event=0x0000000121f586e0, path=0x00007fff51913ee8) + 102 at EventDispatcher.cpp:257
frame #9: 0x0000000118a86c39 WebCore`WebCore::EventDispatcher::dispatchEvent(origin=0x0000000121fef9c0, prpEvent=PassRefPtr<WebCore::Event> at 0x00007fff51914040) + 1065 at EventDispatcher.cpp:368
frame #10: 0x0000000119942bbd WebCore`WebCore::Node::dispatchEvent(this=0x0000000121fef9c0, event=<unavailable>) + 45 at Node.cpp:2011
frame #11: 0x0000000118a5749f WebCore`WebCore::Element::dispatchMouseEvent(this=0x0000000121fef9c0, platformEvent=0x00007fff51914598, eventType=0x0000000120038d70, detail=0, relatedTarget=0x0000000000000000) + 559 at Element.cpp:264
frame #12: 0x0000000118a9641f WebCore`WebCore::EventHandler::dispatchMouseEvent(this=0x00000001217e5000, eventType=0x0000000120038d70, targetNode=0x0000000121fef9c0, (null)=true, clickCount=0, platformMouseEvent=0x00007fff51914598, setUnder=false) + 207 at EventHandler.cpp:2582
frame #13: 0x0000000118a9af5f WebCore`WebCore::EventHandler::sendContextMenuEvent(this=0x00000001217e5000, event=0x00007fff51914598) + 495 at EventHandler.cpp:2833
frame #14: 0x000000011a31a5cc WebCore`WebCore::UserInputBridge::handleContextMenuEvent(this=0x00007f8520c135b0, mouseEvent=0x00007fff51914598, frame=0x00000001217e6000, (null)=User) + 44 at UserInputBridge.cpp:74
frame #15: 0x00000001138338aa WebKit`WebKit::handleContextMenuEvent(platformMouseEvent=0x00007fff51914598, page=0x00007f8521012410) + 298 at WebPage.cpp:1918
frame #16: 0x0000000113828cef WebKit`WebKit::handleMouseEvent(mouseEvent=0x00007fff519147c0, page=0x00007f8521012410, onlyUpdateScrollbars=false) + 271 at WebPage.cpp:1944
frame #17: 0x0000000113828b79 WebKit`WebKit::WebPage::mouseEvent(this=0x00007f8521012410, mouseEvent=0x00007fff519147c0) + 521 at WebPage.cpp:2006
frame #18: 0x00000001138a43ef WebKit`void IPC::callMemberFunctionImpl<WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::WebMouseEvent const&), std::__1::tuple<WebKit::WebMouseEvent>, 0ul>(object=0x00007f8521012410, function=0x0000000113828970, args=0x00007fff519147c0, (null)=index_sequence<0> at 0x00007fff51914700)(WebKit::WebMouseEvent const&), std::__1::tuple<WebKit::WebMouseEvent>&&, std::index_sequence<0ul>) + 159 at HandleMessage.h:16
frame #19: 0x00000001138a4348 WebKit`void IPC::callMemberFunction<WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::WebMouseEvent const&), std::__1::tuple<WebKit::WebMouseEvent>, std::make_index_sequence<1ul> >(args=0x00007fff519147c0, object=0x00007f8521012410, function=0x0000000113828970)(WebKit::WebMouseEvent const&)) + 88 at HandleMessage.h:22
frame #20: 0x000000011388bf94 WebKit`void IPC::handleMessage<Messages::WebPage::MouseEvent, WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::WebMouseEvent const&)>(decoder=0x0000000121fe46e8, object=0x00007f8521012410, function=0x0000000113828970)(WebKit::WebMouseEvent const&)) + 244 at HandleMessage.h:92
frame #21: 0x00000001138860e6 WebKit`WebKit::WebPage::didReceiveWebPageMessage(this=0x00007f8521012410, connection=0x00000001217fa000, decoder=0x0000000121fe46e8) + 1574 at WebPageMessageReceiver.cpp:179
frame #22: 0x000000011382da5b WebKit`WebKit::WebPage::didReceiveMessage(this=0x00007f8521012410, connection=0x00000001217fa000, decoder=0x0000000121fe46e8) + 379 at WebPage.cpp:3630
frame #23: 0x000000011382daa7 WebKit`non-virtual thunk to WebKit::WebPage::didReceiveMessage(this=0x00007f8521012420, connection=0x00000001217fa000, decoder=0x0000000121fe46e8) + 55 at WebPage.cpp:3631
frame #24: 0x000000011328d61d WebKit`IPC::MessageReceiverMap::dispatchMessage(this=0x00007f8521814c58, connection=0x00000001217fa000, decoder=0x0000000121fe46e8) + 461 at MessageReceiverMap.cpp:87
frame #25: 0x00000001139add9d WebKit`WebKit::WebProcess::didReceiveMessage(this=0x00007f8521814c00, connection=0x00000001217fa000, decoder=0x0000000121fe46e8) + 61 at WebProcess.cpp:617
frame #26: 0x000000011313f3f3 WebKit`IPC::Connection::dispatchMessage(this=0x00000001217fa000, decoder=0x0000000121fe46e8) + 51 at Connection.cpp:870
frame #27: 0x00000001131378e0 WebKit`IPC::Connection::dispatchMessage(this=0x00000001217fa000, message=unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> > at 0x00007fff519169c8) + 416 at Connection.cpp:893
frame #28: 0x000000011313f9ef WebKit`IPC::Connection::dispatchOneMessage(this=0x00000001217fa000) + 1519 at Connection.cpp:921
frame #29: 0x000000011314126d WebKit`IPC::Connection::enqueueIncomingMessage(this=0x00007f8520f4d168)::$_9::operator()() const + 29 at Connection.cpp:864
frame #30: 0x000000011314123c WebKit`std::__1::__function::__func<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_9, std::__1::allocator<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_9>, void ()>::operator()() [inlined] decltype(__f=0x00007f8520f4d168)::$_9&>(fp)(std::__1::forward<>(fp0))) std::__1::__invoke<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_9&>(IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_9&&&) + 60 at __functional_base:413
frame #31: 0x000000011314122b WebKit`std::__1::__function::__func<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_9, std::__1::allocator<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_9>, void ()>::operator(this=0x00007f8520f4d160)() + 43 at functional:1370
frame #32: 0x00000001166da92a JavaScriptCore`std::__1::function<void ()>::operator(this=0x00007fff51916ec0)() const + 26 at functional:1756
frame #33: 0x0000000116be5302 JavaScriptCore`WTF::RunLoop::performWork(this=0x0000000121ff9000) + 306 at RunLoop.cpp:104
frame #34: 0x0000000116be65b4 JavaScriptCore`WTF::RunLoop::performWork(context=0x0000000121ff9000) + 36 at RunLoopCF.cpp:38
frame #35: 0x00007fff8ec86681 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
frame #36: 0x00007fff8ec7880d CoreFoundation`__CFRunLoopDoSources0 + 269
frame #37: 0x00007fff8ec77e3f CoreFoundation`__CFRunLoopRun + 927
frame #38: 0x00007fff8ec77858 CoreFoundation`CFRunLoopRunSpecific + 296
frame #39: 0x00007fff9216aaef HIToolbox`RunCurrentEventLoopInMode + 235
frame #40: 0x00007fff9216a86a HIToolbox`ReceiveNextEventCommon + 431
frame #41: 0x00007fff9216a6ab HIToolbox`_BlockUntilNextEventMatchingListInModeWithFilter + 71
frame #42: 0x00007fff8a338f81 AppKit`_DPSNextEvent + 964
frame #43: 0x00007fff8a338730 AppKit`-[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 194
frame #44: 0x00007fff8a32c593 AppKit`-[NSApplication run] + 594
frame #45: 0x00007fff8a317a14 AppKit`NSApplicationMain + 1832
frame #46: 0x00007fff90f1eef2 libxpc.dylib`_xpc_objc_main + 793
frame #47: 0x00007fff90f20a9d libxpc.dylib`xpc_main + 490
frame #48: 0x000000010e2e8197 com.apple.WebKit.WebContent.Development`main(argc=1, argv=0x00007fff519187f0) + 39 at XPCServiceMain.Development.mm:170
frame #49: 0x00007fff935345c9 libdyld.dylib`start + 1
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20150615/036bf00b/attachment-0001.html>
More information about the webkit-unassigned
mailing list