[Webkit-unassigned] [Bug 155642] New: SEGV in WebCore::RenderTableCell::setCol

bugzilla-daemon at webkit.org
Fri Mar 18 09:16:38 PDT 2016


https://bugs.webkit.org/show_bug.cgi?id=155642

            Bug ID: 155642
           Summary: SEGV in WebCore::RenderTableCell::setCol
    Classification: Unclassified
           Product: WebKit
           Version: WebKit Local Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Layout and Rendering
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: rhodovan.u-szeged at partner.samsung.com
                CC: akling at apple.com, simon.fraser at apple.com,
                    zalan at apple.com
            Blocks: 116980

Created attachment 274419
  --> https://bugs.webkit.org/attachment.cgi?id=274419&action=review
Test case

Load the attached test with minibrowser:

<!DOCTYPE html>
<table>
    <td colspan="53927142"></td>
    <th>
        <td></td>
    </th>
</table>


OS: Mac OS X 10.11.1 (x86_64), x86_64
Checked build: ASAN debug
Checked version: 5e169ea


Backtrace:

1   0x114f8f0d4 WTFCrash
2   0x11de0307c WebCore::RenderTableCell::setCol(unsigned int)
3   0x11dde57ca WebCore::RenderTableSection::addCell(WebCore::RenderTableCell*, WebCore::RenderTableRow*)
4   0x11dde12c8 WebCore::RenderTableRow::addChild(WebCore::RenderObject*, WebCore::RenderObject*)
5   0x11e938c1a WebCore::RenderTreePosition::insert(WebCore::RenderObject&)
6   0x11e92d0b6 WebCore::Style::TreeResolver::createRenderer(WebCore::Element&, WebCore::RenderTreePosition&, WTF::RefPtr<WebCore::RenderStyle>&&)
7   0x11e92e0aa WebCore::Style::TreeResolver::createRenderTreeRecursively(WebCore::Element&, WebCore::RenderStyle&, WebCore::RenderTreePosition&, WTF::RefPtr<WebCore::RenderStyle>&&)
8   0x11e92daaf WebCore::Style::TreeResolver::createRenderTreeForChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::RenderTreePosition&)
9   0x11e92e204 WebCore::Style::TreeResolver::createRenderTreeRecursively(WebCore::Element&, WebCore::RenderStyle&, WebCore::RenderTreePosition&, WTF::RefPtr<WebCore::RenderStyle>&&)
10  0x11e92daaf WebCore::Style::TreeResolver::createRenderTreeForChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::RenderTreePosition&)
11  0x11e92e204 WebCore::Style::TreeResolver::createRenderTreeRecursively(WebCore::Element&, WebCore::RenderStyle&, WebCore::RenderTreePosition&, WTF::RefPtr<WebCore::RenderStyle>&&)
12  0x11e92daaf WebCore::Style::TreeResolver::createRenderTreeForChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::RenderTreePosition&)
13  0x11e92e204 WebCore::Style::TreeResolver::createRenderTreeRecursively(WebCore::Element&, WebCore::RenderStyle&, WebCore::RenderTreePosition&, WTF::RefPtr<WebCore::RenderStyle>&&)
14  0x11e92daaf WebCore::Style::TreeResolver::createRenderTreeForChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::RenderTreePosition&)
15  0x11e92e204 WebCore::Style::TreeResolver::createRenderTreeRecursively(WebCore::Element&, WebCore::RenderStyle&, WebCore::RenderTreePosition&, WTF::RefPtr<WebCore::RenderStyle>&&)
16  0x11e92daaf WebCore::Style::TreeResolver::createRenderTreeForChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::RenderTreePosition&)
17  0x11e92e204 WebCore::Style::TreeResolver::createRenderTreeRecursively(WebCore::Element&, WebCore::RenderStyle&, WebCore::RenderTreePosition&, WTF::RefPtr<WebCore::RenderStyle>&&)
18  0x11e92f7e9 WebCore::Style::TreeResolver::resolveElement(WebCore::Element&)
19  0x11e9319f6 WebCore::Style::TreeResolver::resolveComposedTree()
20  0x11e93220c WebCore::Style::TreeResolver::resolve(WebCore::Style::Change)
21  0x119d97665 WebCore::Document::recalcStyle(WebCore::Style::Change)
22  0x119d8124b WebCore::Document::updateStyleIfNeeded()
23  0x119dbb961 WebCore::Document::finishedParsing()
24  0x11ab76e96 WebCore::HTMLConstructionSite::finishedParsing()
25  0x11aea743c WebCore::HTMLTreeBuilder::finished()
26  0x11abebb8c WebCore::HTMLDocumentParser::end()
27  0x11abe7d9a WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd()
28  0x11abe7a09 WebCore::HTMLDocumentParser::prepareToStopParsing()
29  0x11abebc2e WebCore::HTMLDocumentParser::attemptToEnd()
30  0x11abebc88 WebCore::HTMLDocumentParser::finish()
31  0x119f775e0 WebCore::DocumentWriter::end()
ASAN:SIGSEGV
=================================================================
==82191==ERROR: AddressSanitizer: SEGV on unknown address 0x0000bbadbeef (pc 0x000114f8f10c bp 0x7fff53d407f0 sp 0x7fff53d407e0 T0)
    #0 0x114f8f10b in WTFCrash (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2b2110b)
    #1 0x11de0307b in WebCore::RenderTableCell::setCol(unsigned int) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x517a07b)
    #2 0x11dde57c9 in WebCore::RenderTableSection::addCell(WebCore::RenderTableCell*, WebCore::RenderTableRow*) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x515c7c9)
    #3 0x11dde12c7 in WebCore::RenderTableRow::addChild(WebCore::RenderObject*, WebCore::RenderObject*) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x51582c7)
    #4 0x11e938c19 in WebCore::RenderTreePosition::insert(WebCore::RenderObject&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5cafc19)
    #5 0x11e92d0b5 in WebCore::Style::TreeResolver::createRenderer(WebCore::Element&, WebCore::RenderTreePosition&, WTF::RefPtr<WebCore::RenderStyle>&&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5ca40b5)
    #6 0x11e92e0a9 in WebCore::Style::TreeResolver::createRenderTreeRecursively(WebCore::Element&, WebCore::RenderStyle&, WebCore::RenderTreePosition&, WTF::RefPtr<WebCore::RenderStyle>&&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5ca50a9)
    #7 0x11e92daae in WebCore::Style::TreeResolver::createRenderTreeForChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::RenderTreePosition&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5ca4aae)
    #8 0x11e92e203 in WebCore::Style::TreeResolver::createRenderTreeRecursively(WebCore::Element&, WebCore::RenderStyle&, WebCore::RenderTreePosition&, WTF::RefPtr<WebCore::RenderStyle>&&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5ca5203)
    #9 0x11e92daae in WebCore::Style::TreeResolver::createRenderTreeForChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::RenderTreePosition&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5ca4aae)
    #10 0x11e92e203 in WebCore::Style::TreeResolver::createRenderTreeRecursively(WebCore::Element&, WebCore::RenderStyle&, WebCore::RenderTreePosition&, WTF::RefPtr<WebCore::RenderStyle>&&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5ca5203)
    #11 0x11e92daae in WebCore::Style::TreeResolver::createRenderTreeForChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::RenderTreePosition&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5ca4aae)
    #12 0x11e92e203 in WebCore::Style::TreeResolver::createRenderTreeRecursively(WebCore::Element&, WebCore::RenderStyle&, WebCore::RenderTreePosition&, WTF::RefPtr<WebCore::RenderStyle>&&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5ca5203)
    #13 0x11e92daae in WebCore::Style::TreeResolver::createRenderTreeForChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::RenderTreePosition&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5ca4aae)
    #14 0x11e92e203 in WebCore::Style::TreeResolver::createRenderTreeRecursively(WebCore::Element&, WebCore::RenderStyle&, WebCore::RenderTreePosition&, WTF::RefPtr<WebCore::RenderStyle>&&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5ca5203)
    #15 0x11e92daae in WebCore::Style::TreeResolver::createRenderTreeForChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::RenderTreePosition&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5ca4aae)
    #16 0x11e92e203 in WebCore::Style::TreeResolver::createRenderTreeRecursively(WebCore::Element&, WebCore::RenderStyle&, WebCore::RenderTreePosition&, WTF::RefPtr<WebCore::RenderStyle>&&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5ca5203)
    #17 0x11e92f7e8 in WebCore::Style::TreeResolver::resolveElement(WebCore::Element&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5ca67e8)
    #18 0x11e9319f5 in WebCore::Style::TreeResolver::resolveComposedTree() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5ca89f5)
    #19 0x11e93220b in WebCore::Style::TreeResolver::resolve(WebCore::Style::Change) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5ca920b)
    #20 0x119d97664 in WebCore::Document::recalcStyle(WebCore::Style::Change) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x110e664)
    #21 0x119d8124a in WebCore::Document::updateStyleIfNeeded() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x10f824a)
    #22 0x119dbb960 in WebCore::Document::finishedParsing() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1132960)
    #23 0x11ab76e95 in WebCore::HTMLConstructionSite::finishedParsing() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1eede95)
    #24 0x11aea743b in WebCore::HTMLTreeBuilder::finished() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x221e43b)
    #25 0x11abebb8b in WebCore::HTMLDocumentParser::end() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f62b8b)
    #26 0x11abe7d99 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f5ed99)
    #27 0x11abe7a08 in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f5ea08)
    #28 0x11abebc2d in WebCore::HTMLDocumentParser::attemptToEnd() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f62c2d)
    #29 0x11abebc87 in WebCore::HTMLDocumentParser::finish() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f62c87)
    #30 0x119f775df in WebCore::DocumentWriter::end() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x12ee5df)
    #31 0x119ec9a5c in WebCore::DocumentLoader::finishedLoading(double) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1240a5c)
    #32 0x119ec956a in WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource*) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x124056a)
    #33 0x1192a1e66 in WebCore::CachedResource::checkNotify() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x618e66)
    #34 0x1192a2053 in WebCore::CachedResource::finishLoading(WebCore::SharedBuffer*) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x619053)
    #35 0x1192983cc in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x60f3cc)
    #36 0x11e95dd20 in WebCore::SubresourceLoader::didFinishLoading(double) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5cd4d20)
    #37 0x10d9e415c in WebKit::WebResourceLoader::didFinishResourceLoad(double) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b1315c)
    #38 0x10d9f84f2 in void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>, 0ul>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>&&, std::index_sequence<0ul>) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b274f2)
    #39 0x10d9f8171 in void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>, std::make_index_sequence<1ul> >(std::__1::tuple<double>&&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b27171)
    #40 0x10d9f452e in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double)>(IPC::MessageDecoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b2352e)
    #41 0x10d9f15ad in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::MessageDecoder&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b205ad)
    #42 0x10c7674f2 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::MessageDecoder&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x8964f2)
    #43 0x10c0a4fa0 in IPC::Connection::dispatchMessage(IPC::MessageDecoder&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1d3fa0)
    #44 0x10c08c501 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1bb501)
    #45 0x10c0a5d90 in IPC::Connection::dispatchOneMessage() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1d4d90)
    #46 0x10c0d54dc in IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10::operator()() const (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x2044dc)
    #47 0x10c0d54ac in void std::__1::__invoke_void_return_wrapper<void>::__call<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10&>(IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10&&&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x2044ac)
    #48 0x10c0d52cb in std::__1::__function::__func<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10, std::__1::allocator<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10>, void ()>::operator()() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x2042cb)
    #49 0x113dc79fa in std::__1::function<void ()>::operator()() const (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x19599fa)
    #50 0x1150698dd in WTF::RunLoop::performWork() (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2bfb8dd)
    #51 0x11506a849 in WTF::RunLoop::performWork(void*) (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2bfc849)
    #52 0x7fff888498b0 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xaa8b0)
    #53 0x7fff888290ab in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x8a0ab)
    #54 0x7fff888285ce in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x895ce)
    #55 0x7fff88827fc7 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88fc7)
    #56 0x7fff86540d54 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30d54)
    #57 0x7fff86540b8e in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30b8e)
    #58 0x7fff865409ce in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x309ce)
    #59 0x7fff97bc6d95 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x49d95)
    #60 0x7fff97bc61c4 in -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x491c4)
    #61 0x7fff97bbad27 in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3dd27)
    #62 0x7fff97b83fbd in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x6fbd)
    #63 0x7fff9408b4f1 in _xpc_objc_main (/usr/lib/system/libxpc.dylib+0x114f1)
    #64 0x7fff94089f1d in xpc_main (/usr/lib/system/libxpc.dylib+0xff1d)
    #65 0x10beb71cb in main (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.Development.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development+0x1000021cb)
    #66 0x7fff908b05ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
    #67 0x0  (<unknown module>)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 WTFCrash
==82191==ABORTING
#CRASHED - com.apple.WebKit.WebContent.Development (pid 82191)
LEAK: 1 WebProcessPool
LEAK: 1 WebPageProxy
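The test case above crashes the renderer through a colspan of 53927142, far beyond anything a layout engine needs to represent. The HTML Living Standard's table-forming algorithm bounds the attribute before layout ever sees it: colspan is parsed with the rules for non-negative integers, a failed parse or a zero becomes 1, and anything above 1000 is clamped to 1000 (rowspan keeps 0, which means "to the end of the row group", and is clamped at 65534). The following C++ is an added illustration of that spec-mandated clamp written for this page; it is not WebKit's code, the page does not show how WebKit eventually resolved this bug, and the function names `parseNonNegativeInteger`, `clampedColSpan` and `clampedRowSpan` are my own.

```cpp
#include <cstdint>
#include <cstddef>
#include <cstdio>
#include <limits>
#include <string>

// Upper bounds from the HTML Living Standard's "forming a table" algorithm.
constexpr uint32_t kMaxColSpan = 1000;
constexpr uint32_t kMaxRowSpan = 65534;

// HTML "rules for parsing non-negative integers": skip ASCII whitespace,
// accept an optional '+', require at least one ASCII digit, ignore anything
// after the digits. A '-' sign or no digits is a parse failure. Digit runs
// that overflow 32 bits saturate instead of wrapping, so the caller's clamp
// still applies to absurd inputs.
bool parseNonNegativeInteger(const std::string& value, uint32_t& out) {
    size_t i = 0;
    while (i < value.size() && (value[i] == ' ' || value[i] == '\t' || value[i] == '\n'
                                || value[i] == '\f' || value[i] == '\r'))
        ++i;
    if (i < value.size() && value[i] == '+')
        ++i;
    if (i >= value.size() || value[i] < '0' || value[i] > '9')
        return false;
    uint64_t result = 0;
    bool saturated = false;
    for (; i < value.size() && value[i] >= '0' && value[i] <= '9'; ++i) {
        if (saturated)
            continue;
        result = result * 10 + static_cast<uint64_t>(value[i] - '0');
        if (result > std::numeric_limits<uint32_t>::max())
            saturated = true;
    }
    out = saturated ? std::numeric_limits<uint32_t>::max() : static_cast<uint32_t>(result);
    return true;
}

// colspan: parse failure or 0 -> 1; otherwise clamp to [1, kMaxColSpan].
uint32_t clampedColSpan(const std::string& attr) {
    uint32_t v = 0;
    if (!parseNonNegativeInteger(attr, v) || v == 0)
        return 1;
    return v > kMaxColSpan ? kMaxColSpan : v;
}

// rowspan: parse failure -> 1; 0 is legal; otherwise clamp to kMaxRowSpan.
uint32_t clampedRowSpan(const std::string& attr) {
    uint32_t v = 0;
    if (!parseNonNegativeInteger(attr, v))
        return 1;
    return v > kMaxRowSpan ? kMaxRowSpan : v;
}

int main() {
    // The value from the attached test case (constructed input for the demo).
    const std::string fromTestCase = "53927142";
    std::printf("colspan=\"%s\" -> %u\n", fromTestCase.c_str(), clampedColSpan(fromTestCase));
    std::printf("colspan=\"0\"   -> %u\n", clampedColSpan("0"));
    std::printf("rowspan=\"0\"   -> %u\n", clampedRowSpan("0"));
    return 0;
}
```

The point of the clamp is that the column index handed to the render tree is bounded by a constant chosen by the engine, not by the document, so an assertion like the one behind `WTFCrash` in `RenderTableCell::setCol` is never reachable from attribute values alone.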
