[Webkit-unassigned] [Bug 155694] Segfault when setting attribute value via DOM in WebKitGTK+2.4.10
bugzilla-daemon at webkit.org
Fri Apr 1 19:44:17 PDT 2016
https://bugs.webkit.org/show_bug.cgi?id=155694
--- Comment #6 from Michael Catanzaro <mcatanzaro at igalia.com> ---
(In reply to comment #5)
> This is how Evolution is crashing as well (at least, it's the report for
> which we received a description and full backtrace, see the See Also field).
Sigh, I realize this is a private bug... I think thread 1 is probably the only important part; note the string "aria-" in the crash frame.
Core was generated by `/usr/bin/evolution'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 WTF::StringImpl::startsWith (this=0xbad801d800000002, matchString=matchString at entry=0x7f85ba36fea7 "aria-", matchLength=matchLength at entry=5, caseSensitive=caseSensitive at entry=true) at Source/WTF/wtf/text/StringImpl.cpp:1363
1363 if (matchLength > length())
[Current thread is 1 (Thread 0x7f85c0247ac0 (LWP 17496))]
Thread 1 (Thread 0x7f85c0247ac0 (LWP 17496)):
#0 WTF::StringImpl::startsWith (this=0xbad801d800000002, matchString=matchString at entry=0x7f85ba36fea7 "aria-", matchLength=matchLength at entry=5, caseSensitive=caseSensitive at entry=true) at Source/WTF/wtf/text/StringImpl.cpp:1363
No locals.
#1 0x00007f85b8f3e00f in WTF::StringImpl::startsWith<6u> (caseSensitive=true, prefix=..., this=<optimized out>) at Source/WTF/wtf/text/StringImpl.h:730
No locals.
#2 WTF::String::startsWith<6u> (caseSensitive=true, prefix=..., this=<optimized out>) at Source/WTF/wtf/text/WTFString.h:281
No locals.
#3 WebCore::AXObjectCache::handleAttributeChanged (this=0x7f851b997f00, attrName=..., element=0x558fcfb67cb0) at Source/WebCore/accessibility/AXObjectCache.cpp:880
No locals.
#4 0x00007f85b91641ea in WebCore::Element::attributeChanged (this=0x558fcfb67cb0, name=..., oldValue=..., newValue=...) at Source/WebCore/dom/Element.cpp:1137
cache = <optimized out>
styleResolver = <optimized out>
testShouldInvalidateStyle = true
shouldInvalidateStyle = <optimized out>
#5 0x00007f85b9163520 in WebCore::Element::didModifyAttribute (this=this at entry=0x558fcfb67cb0, name=..., oldValue=..., newValue=...) at Source/WebCore/dom/Element.cpp:2851
No locals.
#6 0x00007f85b916b449 in WebCore::Element::setAttributeInternal (this=0x558fcfb67cb0, index=<optimized out>, name=..., newValue=..., inSynchronizationOfLazyAttribute=WebCore::Element::NotInSynchronizationOfLazyAttribute) at Source/WebCore/dom/Element.cpp:1075
oldValue = {m_string = {m_impl = {m_ptr = 0x7f858c676000}}}
valueChanged = <optimized out>
attributeName = <optimized out>
#7 0x00007f85b91de4b9 in WebCore::CompositeEditCommand::applyCommandToComposite (this=this at entry=0x7f853a37c900, prpCommand=...) at Source/WebCore/editing/CompositeEditCommand.cpp:278
command = {m_ptr = 0x7f853a56ad20}
#8 0x00007f85b91e4f1a in WebCore::CompositeEditCommand::setNodeAttribute (this=this at entry=0x7f853a37c900, element=..., attribute=..., value=...) at Source/WebCore/editing/CompositeEditCommand.cpp:664
No locals.
#9 0x00007f85b926c8f9 in WebCore::ReplaceSelectionCommand::removeRedundantStylesAndKeepStyleSpanInline (this=this at entry=0x7f853a37c900, insertedNodes=...) at Source/WebCore/editing/ReplaceSelectionCommand.cpp:525
element = 0x558fcfb67cb0
inlineStyle = 0x7f853a3cb410
newInlineStyle = {m_ptr = 0x7f851b975b70}
node = {m_ptr = 0x558fcfb67cb0}
next = {m_ptr = 0x558fd14d9630}
#10 0x00007f85b926f714 in WebCore::ReplaceSelectionCommand::doApply (this=0x7f853a37c900) at Source/WebCore/editing/ReplaceSelectionCommand.cpp:1151
selection = {m_base = {m_anchorNode = {m_ptr = 0x558fd16cd1b0}, m_offset = 0, m_anchorType = 1, m_isLegacyEditingPosition = true}, m_extent = {m_anchorNode = {m_ptr = 0x558fd16cd1b0}, m_offset = 0, m_anchorType = 1, m_isLegacyEditingPosition = true}, m_start = {m_anchorNode = {m_ptr = 0x558fd16cd1b0}, m_offset = 0, m_anchorType = 1, m_isLegacyEditingPosition = true}, m_end = {m_anchorNode = {m_ptr = 0x558fd16cd1b0}, m_offset = 0, m_anchorType = 1, m_isLegacyEditingPosition = true}, m_affinity = WebCore::DOWNSTREAM, m_selectionType = WebCore::VisibleSelection::CaretSelection, m_baseIsFirst = true, m_isDirectional = true}
fragment = {m_document = {m_ptr = 0x7f853a276d00}, m_fragment = {m_ptr = 0x558fd0f6ad00}, m_hasInterchangeNewlineAtStart = false, m_hasInterchangeNewlineAtEnd = false}
visibleStart = {m_deepPosition = {m_anchorNode = {m_ptr = 0x558fd16cd1b0}, m_offset = 0, m_anchorType = 1, m_isLegacyEditingPosition = true}, m_affinity = WebCore::DOWNSTREAM}
visibleEnd = {m_deepPosition = {m_anchorNode = {m_ptr = 0x558fd16cd1b0}, m_offset = 0, m_anchorType = 1, m_isLegacyEditingPosition = true}, m_affinity = WebCore::DOWNSTREAM}
selectionEndWasEndOfParagraph = true
selectionStartWasStartOfParagraph = true
startBlock = <optimized out>
insertionPos = {m_anchorNode = {m_ptr = 0x558fd16cd1b0}, m_offset = 0, m_anchorType = 1, m_isLegacyEditingPosition = true}
startIsInsideMailBlockquote = false
selectionIsPlainText = <optimized out>
currentRoot = <optimized out>
endBR = <optimized out>
originalVisPosBeforeEndBR = {m_deepPosition = {m_anchorNode = {m_ptr = 0x558fd02d50a0}, m_offset = 0, m_anchorType = 1, m_isLegacyEditingPosition = true}, m_affinity = WebCore::DOWNSTREAM}
insertionBlock = {m_ptr = 0x558fcff56940}
insertedNodes = {m_firstNodeInserted = {m_ptr = 0x558fcfb67cb0}, m_lastNodeInserted = {m_ptr = 0x558fd1a7b1f0}}
refNode = {m_ptr = 0x558fd1a7b1f0}
node = <optimized out>
blockStart = <optimized out>
plainTextFragment = false
startOfInsertedContent = {m_deepPosition = {m_anchorNode = {m_ptr = 0x558fd14d9630}, m_offset = 0, m_anchorType = 0, m_isLegacyEditingPosition = true}, m_affinity = WebCore::DOWNSTREAM}
lastPositionToSelect = {m_anchorNode = {m_ptr = 0x558fd1a7b1f0}, m_offset = -1204594578, m_anchorType = 5, m_isLegacyEditingPosition = false}
#11 0x00007f85b91de107 in WebCore::CompositeEditCommand::apply (this=0x7f853a37c900) at Source/WebCore/editing/CompositeEditCommand.cpp:227
No locals.
#12 0x00007f85b91de21d in WebCore::applyCommand (command=...) at Source/WebCore/editing/CompositeEditCommand.cpp:182
No locals.
#13 0x00007f85b9207946 in WebCore::executeInsertFragment (frame=..., fragment=...) at Source/WebCore/editing/EditorCommand.cpp:195
No locals.
#14 0x00007f85b9207df1 in WebCore::executeInsertHTML (frame=..., value=...) at Source/WebCore/editing/EditorCommand.cpp:508
No locals.
#15 0x00007f85b913c9df in WebCore::Document::execCommand (this=this at entry=0x7f853a276d00, commandName=..., userInterface=<optimized out>, value=...) at Source/WebCore/dom/Document.cpp:4227
No locals.
#16 0x00007f85b9e5d5dd in webkit_dom_document_exec_command (self=<optimized out>, command=<optimized out>, userInterface=userInterface at entry=0, value=0x558fd1496580 "<meta http-equiv=\"content-type\" content=\"text/html; charset=utf-8\"><span style=\"color: rgb(0, 0, 0); font-family: myriadpro-regular, Arial, sans-serif; font-size: 15px; font-style: normal; font-varian"...) at DerivedSources/webkitdom/WebKitDOMDocument.cpp:1157
state = {m_previousState = 0x0}
__PRETTY_FUNCTION__ = "gboolean webkit_dom_document_exec_command(WebKitDOMDocument*, const gchar*, gboolean, const gchar*)"
item = 0x7f853a276d00
convertedCommand = {m_impl = {m_ptr = 0x7f853a45fa50}}
convertedValue = {m_impl = {m_ptr = 0x7f853a278700}}
result = <optimized out>
#17 0x00007f85bfb7471b in e_html_editor_view_exec_command (view=view at entry=0x558fd0302790, command=command at entry=E_HTML_EDITOR_VIEW_COMMAND_INSERT_HTML, value=value at entry=0x558fd1496580 "<meta http-equiv=\"content-type\" content=\"text/html; charset=utf-8\"><span style=\"color: rgb(0, 0, 0); font-family: myriadpro-regular, Arial, sans-serif; font-size: 15px; font-style: normal; font-varian"...) at e-html-editor-view.c:8915
document = <optimized out>
cmd_str = <optimized out>
has_value = <optimized out>
__func__ = "e_html_editor_view_exec_command"
#18 0x00007f85bfb638ab in e_html_editor_selection_insert_html (selection=0x558fd15c6c90, html_text=0x558fd1496580 "<meta http-equiv=\"content-type\" content=\"text/html; charset=utf-8\"><span style=\"color: rgb(0, 0, 0); font-family: myriadpro-regular, Arial, sans-serif; font-size: 15px; font-style: normal; font-varian"...) at e-html-editor-selection.c:5673
view = 0x558fd0302790
command = E_HTML_EDITOR_VIEW_COMMAND_INSERT_HTML
ev = 0x558fd13c0e00
html_mode = -1
__func__ = "e_html_editor_selection_insert_html"
#19 0x00007f859c2caca4 in e_composer_paste_html (r=<optimized out>, clipboard=<optimized out>) at e-composer-private.c:533
editor = <optimized out>
view = 0x558fd0302790
editor_selection = 0x558fd15c6c90
html = 0x558fd1496580 "<meta http-equiv=\"content-type\" content=\"text/html; charset=utf-8\"><span style=\"color: rgb(0, 0, 0); font-family: myriadpro-regular, Arial, sans-serif; font-size: 15px; font-style: normal; font-varian"...
__func__ = "e_composer_paste_html"
#20 0x00007f85b7548d61 in request_targets_received_func (clipboard=0x558fcf7f5ee0, selection_data=selection_data at entry=0x7ffeb58e68a0, data=data at entry=0x558fd14b6fc0) at gtkclipboard.c:1325
info = 0x558fd14b6fc0
targets = 0x558fd0856fd0
n_targets = 8
#21 0x00007f85b7548ff9 in selection_received (widget=0x558fcf5d1220, selection_data=0x7ffeb58e68a0, time=<optimized out>) at gtkclipboard.c:960
request_info = 0x558fd1024e20
#22 0x00007f85b5b6c7a5 in g_closure_invoke (closure=0x558fcf1e9be0, return_value=return_value at entry=0x0, n_param_values=3, param_values=param_values at entry=0x7ffeb58e6530, invocation_hint=invocation_hint at entry=0x7ffeb58e64b0) at gclosure.c:801
marshal = <optimized out>
marshal_data = <optimized out>
in_marshal = 0
real_closure = 0x558fcf1e9bc0
__func__ = "g_closure_invoke"
#23 0x00007f85b5b7e851 in signal_emit_unlocked_R (node=node at entry=0x558fccc28bc0, detail=detail at entry=0, instance=instance at entry=0x558fcf5d1220, emission_return=emission_return at entry=0x0, instance_and_params=instance_and_params at entry=0x7ffeb58e6530) at gsignal.c:3627
tmp = <optimized out>
handler = 0x558fcf1e8f00
accumulator = 0x0
emission = {next = 0x7ffeb58e6ad0, instance = 0x558fcf5d1220, ihint = {signal_id = 70, detail = 0, run_type = G_SIGNAL_RUN_FIRST}, state = EMISSION_RUN, chain_type = 4}
class_closure = 0x558fccc28b30
handler_list = 0x558fcf1e8f00
return_accu = 0x0
accu = {g_type = 0, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}}}
signal_id = 70
max_sequential_handler_number = 110677
return_value_altered = 0
#24 0x00007f85b5b87530 in g_signal_emit_valist (instance=instance at entry=0x558fcf5d1220, signal_id=signal_id at entry=70, detail=detail at entry=0, var_args=var_args at entry=0x7ffeb58e6768) at gsignal.c:3383
instance_and_params = 0x7ffeb58e6530
signal_return_type = <optimized out>
param_values = 0x7ffeb58e6548
node = <optimized out>
i = <optimized out>
n_params = <optimized out>
__func__ = "g_signal_emit_valist"
#25 0x00007f85b5b87dc5 in g_signal_emit_by_name (instance=0x558fcf5d1220, detailed_signal=detailed_signal at entry=0x7f85b75c3e83 "selection-received") at gsignal.c:3479
var_args = {{gp_offset = 32, fp_offset = 48, overflow_arg_area = 0x7ffeb58e68a0, reg_save_area = 0x7ffeb58e67b0}}
detail = 0
signal_id = 70
itype = 94076144637376
__func__ = "g_signal_emit_by_name"
#26 0x00007f85b746dd13 in gtk_selection_retrieval_report (info=info at entry=0x558fd1a7aef0, type=<optimized out>, format=<optimized out>, buffer=<optimized out>, length=length at entry=64, time=30218102) at gtkselection.c:3033
data = {selection = 0x45, target = 0x95, type = 0x4, format = 32, data = 0x558fd14d96b0 "\225", length = 64, display = 0x558fccbf6020}
#27 0x00007f85b7471cbd in _gtk_selection_notify (widget=<optimized out>, event=0x558fd12b72f0) at gtkselection.c:2837
tmp_list = 0x7f8534ecbd20
info = 0x558fd1a7aef0
window = <optimized out>
buffer = 0x558fd14d96b0 "\225"
length = 64
type = 0x4
format = 32
#28 0x00007f85b73e5fda in _gtk_marshal_BOOLEAN__BOXEDv (closure=0x558fccc28790, return_value=0x7ffeb58e6b00, instance=<optimized out>, args=<optimized out>, marshal_data=<optimized out>, n_params=<optimized out>, param_types=0x558fccc287c0) at gtkmarshalers.c:131
cc = <optimized out>
data1 = <optimized out>
data2 = <optimized out>
callback = <optimized out>
arg0 = 0x558fd12b72f0
args_copy = {{gp_offset = 32, fp_offset = 48, overflow_arg_area = 0x7ffeb58e6cb0, reg_save_area = 0x7ffeb58e6bf0}}
v_return = <optimized out>
__func__ = "_gtk_marshal_BOOLEAN__BOXEDv"
#29 0x00007f85b5b6c9d4 in _g_closure_invoke_va (closure=closure at entry=0x558fccc28790, return_value=return_value at entry=0x7ffeb58e6b00, instance=instance at entry=0x558fcf5d1220, args=args at entry=0x7ffeb58e6bd0, n_params=<optimized out>, param_types=0x558fccc287c0) at gclosure.c:864
marshal = <optimized out>
marshal_data = <optimized out>
in_marshal = 0
real_closure = 0x558fccc28770
__func__ = "_g_closure_invoke_va"
#30 0x00007f85b5b86dd3 in g_signal_emit_valist (instance=0x558fcf5d1220, signal_id=<optimized out>, detail=0, var_args=var_args at entry=0x7ffeb58e6bd0) at gsignal.c:3292
return_accu = 0x7ffeb58e6b00
accu = {g_type = 20, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}}}
accumulator = 0x558fccc287e0
emission = {next = 0x0, instance = 0x558fcf5d1220, ihint = {signal_id = 69, detail = 0, run_type = G_SIGNAL_RUN_LAST}, state = EMISSION_RUN, chain_type = 94076144637376}
signal_id = 69
instance_type = 94076144637376
emission_return = {g_type = 20, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}}}
rtype = 20
static_scope = 0
fastpath_handler = <optimized out>
closure = <optimized out>
run_type = <optimized out>
l = <optimized out>
fastpath = <optimized out>
instance_and_params = <optimized out>
signal_return_type = <optimized out>
param_values = <optimized out>
node = <optimized out>
i = <optimized out>
n_params = <optimized out>
__func__ = "g_signal_emit_valist"
#31 0x00007f85b5b878ff in g_signal_emit (instance=instance at entry=0x558fcf5d1220, signal_id=<optimized out>, detail=detail at entry=0) at gsignal.c:3439
var_args = {{gp_offset = 24, fp_offset = 48, overflow_arg_area = 0x7ffeb58e6cb0, reg_save_area = 0x7ffeb58e6bf0}}
#32 0x00007f85b75234bc in gtk_widget_event_internal (widget=0x558fcf5d1220, event=0x558fd12b72f0) at gtkwidget.c:7692
signal_num = <optimized out>
return_val = 0
handled = 0
event = 0x558fd12b72f0
widget = 0x558fcf5d1220
#33 0x00007f85b73e50b6 in gtk_main_do_event (event=0x558fd12b72f0) at gtkmain.c:1795
event_widget = 0x558fcf5d1220
grab_widget = 0x558fcf5d1220
topmost_widget = <optimized out>
window_group = 0x558fd0131840
rewritten_event = <optimized out>
device = 0x0
tmp_list = <optimized out>
__func__ = "gtk_main_do_event"
#34 0x00007f85b6f5de92 in gdk_event_source_dispatch (source=<optimized out>, callback=<optimized out>, user_data=<optimized out>) at gdkeventsource.c:369
display = <optimized out>
event = <optimized out>
#35 0x00007f85b586de3a in g_main_dispatch (context=0x558fccbe7840) at gmain.c:3154
dispatch = 0x7f85b6f5de70 <gdk_event_source_dispatch>
prev_source = 0x0
was_in_call = 0
user_data = 0x0
callback = 0x0
cb_funcs = 0x0
cb_data = 0x0
need_destroy = <optimized out>
source = 0x558fccbe7750
current = 0x558fccc54d40
i = 0
#36 g_main_context_dispatch (context=context at entry=0x558fccbe7840) at gmain.c:3769
No locals.
#37 0x00007f85b586e1d0 in g_main_context_iterate (context=0x558fccbe7840, block=block at entry=1, dispatch=dispatch at entry=1, self=<optimized out>) at gmain.c:3840
max_priority = 0
timeout = 0
some_ready = 1
nfds = <optimized out>
allocated_nfds = 4
fds = 0x558fcf754da0
#38 0x00007f85b586e4f2 in g_main_loop_run (loop=0x558fcf32d5d0) at gmain.c:4034
__func__ = "g_main_loop_run"
#39 0x00007f85b73e4325 in gtk_main () at gtkmain.c:1241
loop = 0x558fcf32d5d0
#40 0x0000558fcc45d089 in main (argc=1, argv=0x7ffeb58e7008) at main.c:660
shell = 0x558fcccc11e0
settings = <optimized out>
error = 0x0
We also have a valgrind log (available on request); I think the main interesting part is:
==21341== Conditional jump or move depends on uninitialised value(s)
==21341== at 0xCEBA8FF: WTF::fastFree(void*) (in /usr/lib64/libjavascriptcoregtk-3.0.so.0.16.18)
==21341== by 0xB15E1A4: ??? (in /usr/lib64/libwebkitgtk-3.0.so.0.22.16)
==21341== by 0xB15DA6B: ??? (in /usr/lib64/libwebkitgtk-3.0.so.0.22.16)
==21341== by 0xB15F451: ??? (in /usr/lib64/libwebkitgtk-3.0.so.0.22.16)
==21341== by 0xA9F7B32: ??? (in /usr/lib64/libwebkitgtk-3.0.so.0.22.16)
==21341== by 0xA9F8173: ??? (in /usr/lib64/libwebkitgtk-3.0.so.0.22.16)
==21341== by 0xA9FA28D: ??? (in /usr/lib64/libwebkitgtk-3.0.so.0.22.16)
==21341== by 0xA9FA9D1: ??? (in /usr/lib64/libwebkitgtk-3.0.so.0.22.16)
==21341== by 0xB71B5DC: webkit_dom_document_exec_command (in /usr/lib64/libwebkitgtk-3.0.so.0.22.16)
==21341== by 0x5173D20: ??? (in /usr/lib64/evolution/libevolution-util.so)
==21341== by 0xF1D4BEA: g_type_create_instance (in /usr/lib64/libgobject-2.0.so.0.4600.2)
==21341== by 0xF1B6B7A: ??? (in /usr/lib64/libgobject-2.0.so.0.4600.2)
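A triage helper added here as an example (not part of the bug report or of WebKit): it parses gdb frame lines like the ones above, pulls out every pointer-valued argument, and flags values that cannot be a valid x86-64 address, which is what frame 0's `this=0xbad801d800000002` is, so the StringImpl being checked for "aria-" was already corrupt before `length()` was read. The sample input is the first few frames quoted from the comment; the regexes assume the archive's `name at entry=` rendering of gdb's `name@entry=`.

```python
"""Flag impossible pointer values in a gdb backtrace (added example)."""
import re

# Constructed sample: three frames copied from the backtrace in the comment.
SAMPLE_BACKTRACE = """\
#0 WTF::StringImpl::startsWith (this=0xbad801d800000002, matchString=matchString at entry=0x7f85ba36fea7 "aria-", matchLength=matchLength at entry=5, caseSensitive=caseSensitive at entry=true) at Source/WTF/wtf/text/StringImpl.cpp:1363
#3 WebCore::AXObjectCache::handleAttributeChanged (this=0x7f851b997f00, attrName=..., element=0x558fcfb67cb0) at Source/WebCore/accessibility/AXObjectCache.cpp:880
#4 0x00007f85b91641ea in WebCore::Element::attributeChanged (this=0x558fcfb67cb0, name=..., oldValue=..., newValue=...) at Source/WebCore/dom/Element.cpp:1137
"""

# "#N [0xADDR in] function (args) at file:line"
FRAME_RE = re.compile(r'^#(\d+)\s+(?:0x[0-9a-fA-F]+\s+in\s+)?(\S+)\s+\((.*)\)\s+at\s+(\S+)$')
# "name=0x..." or "name=name at entry=0x..." (archive rendering of name@entry=)
PTR_RE = re.compile(r'(\w+)=(?:\w+ at entry=)?(0x[0-9a-fA-F]+)')


def classify_pointer(value: int) -> str:
    """Classify a 64-bit value by whether an x86-64 CPU could ever map it.

    With 48-bit virtual addresses, bits 63..47 must all equal bit 47;
    anything else is non-canonical and faults on any access.
    """
    top = value >> 47
    if top not in (0, (1 << 17) - 1):
        return "non-canonical"   # not an address at all: corrupt/poisoned
    if value < 4096:
        return "null-page"       # NULL or a small-offset NULL dereference
    if top == 0:
        return "user-space"
    return "kernel-half"


def find_corrupt_pointers(backtrace: str):
    """Return (frame, function, argument, hex) for each impossible pointer."""
    hits = []
    for line in backtrace.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue                 # locals, "No locals.", valgrind lines
        frame, func, args, _location = m.groups()
        for name, hexval in PTR_RE.findall(args):
            if classify_pointer(int(hexval, 16)) in ("non-canonical", "null-page"):
                hits.append((int(frame), func, name, hexval))
    return hits


if __name__ == "__main__":
    for frame, func, name, hexval in find_corrupt_pointers(SAMPLE_BACKTRACE):
        print(f"frame #{frame} {func}: {name}={hexval} is "
              f"{classify_pointer(int(hexval, 16))}")
```

Run against the full backtrace, only frame 0 is reported; every other pointer in the trace sits in the canonical user-space range, which narrows the corruption to the `StringImpl` reached through `AXObjectCache::handleAttributeChanged`.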