[Webkit-unassigned] [Bug 177791] New: [ToT] Web process occasionally crashes when dropping into MDN's DataTransferItemList.add() demo

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Oct 2 16:11:16 PDT 2017 

https://bugs.webkit.org/show_bug.cgi?id=177791

            Bug ID: 177791
           Summary: [ToT] Web process occasionally crashes when dropping
                    into MDN's DataTransferItemList.add() demo
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: HTML Editing
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: wenson_hsieh at apple.com
                CC: wenson_hsieh at apple.com

Link: <https://developer.mozilla.org/en-US/docs/Web/API/DataTransferItemList/add>
Not reproducible 100% of the time. Crash is in DataTransferItemList::remove(), due to m_dataTransfer.pasteboard() being 0x0.


Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000000
Exception Note:        EXC_CORPSE_NOTIFY

Termination Signal:    Segmentation fault: 11
Termination Reason:    Namespace SIGNAL, Code 0xb
Terminating Process:   exc handler [0]

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore                   0x00000001092f4e19 WebCore::DataTransferItemList::remove(unsigned int) + 281 (DataTransferItemList.cpp:112)
1   com.apple.WebCore                   0x00000001097cc35e WebCore::jsDataTransferItemListPrototypeFunctionRemove(JSC::ExecState*) + 190 (ExceptionOr.h:163)
2   ???                                 0x00003f0580601028 0 + 69292861165608
3   com.apple.JavaScriptCore            0x000000055098dcd3 llint_entry + 27787 (LowLevelInterpreter.asm:789)
4   com.apple.JavaScriptCore            0x000000055098dcd3 llint_entry + 27787 (LowLevelInterpreter.asm:789)
5   com.apple.JavaScriptCore            0x0000000550986e60 vmEntryToJavaScript + 304 (LowLevelInterpreter64.asm:258)
6   com.apple.JavaScriptCore            0x000000055129928f JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 127 (JITCode.cpp:82)
7   com.apple.JavaScriptCore            0x000000055126263f JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 511 (Interpreter.cpp:985)
8   com.apple.JavaScriptCore            0x000000055144c145 JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 165 (CallData.cpp:41)
9   com.apple.WebCore                   0x00000001098d6395 WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) + 1157 (JSMainThreadExecState.h:72)
10  com.apple.WebCore                   0x000000010940ca6b WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener>, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>) + 603 (InspectorInstrumentation.h:262)
11  com.apple.WebCore                   0x000000010940c60f WebCore::EventTarget::fireEventListeners(WebCore::Event&) + 431 (EventTarget.cpp:238)
12  com.apple.WebCore                   0x0000000109d2acf0 WebCore::Node::handleLocalEvents(WebCore::Event&) + 80 (Node.cpp:2368)
13  com.apple.WebCore                   0x00000001093f3f05 WebCore::MouseOrFocusEventContext::handleLocalEvents(WebCore::Event&) const + 213 (EventContext.cpp:86)
14  com.apple.WebCore                   0x00000001093f42ad WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) + 685 (Event.h:144)
15  com.apple.WebCore                   0x00000001093fd530 WebCore::EventHandler::dispatchDragEvent(WTF::AtomicString const&, WebCore::Element&, WebCore::PlatformMouseEvent const&, WebCore::DataTransfer*) + 272 (Ref.h:113)
16  com.apple.WebCore                   0x0000000109400d34 WebCore::EventHandler::dragSourceEndedAt(WebCore::PlatformMouseEvent const&, WebCore::DragOperation, WebCore::MayExtendDragSession) + 340 (EventHandler.cpp:3548)
17  com.apple.WebKit                    0x0000000108085ac5 WebKit::WebPage::dragEnded(WebCore::IntPoint, WebCore::IntPoint, unsigned long long) + 213
18  com.apple.WebKit                    0x00000001080a12f6 void IPC::handleMessage<Messages::WebPage::DragEnded, WebKit::WebPage, void (WebKit::WebPage::*)(WebCore::IntPoint, WebCore::IntPoint, unsigned long long)>(IPC::Decoder&, WebKit::WebPage*, void (WebKit::WebPage::*)(WebCore::IntPoint, WebCore::IntPoint, unsigned long long)) + 84 (HandleMessage.h:127)
19  com.apple.WebKit                    0x0000000107ecfbd3 IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) + 127
20  com.apple.WebKit                    0x0000000108107da4 WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&) + 28 (WebProcess.cpp:647)
21  com.apple.WebKit                    0x0000000107e960cf IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) + 119 (memory:2581)
22  com.apple.WebKit                    0x0000000107e98c08 IPC::Connection::dispatchOneMessage() + 176 (Connection.cpp:959)
23  com.apple.JavaScriptCore            0x00000005514d6888 WTF::RunLoop::performWork() + 328 (memory:2602)
24  com.apple.JavaScriptCore            0x00000005514d6a02 WTF::RunLoop::performWork(void*) + 34 (RunLoopCF.cpp:39)
25  com.apple.CoreFoundation            0x00007fff494a1471 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
26  com.apple.CoreFoundation            0x00007fff4955b11c __CFRunLoopDoSource0 + 108
27  com.apple.CoreFoundation            0x00007fff49483f10 __CFRunLoopDoSources0 + 208
28  com.apple.CoreFoundation            0x00007fff4948338d __CFRunLoopRun + 1293
29  com.apple.CoreFoundation            0x00007fff49482bf3 CFRunLoopRunSpecific + 483
30  com.apple.HIToolbox                 0x00007fff4879d746 RunCurrentEventLoopInMode + 286
31  com.apple.HIToolbox                 0x00007fff4879d4b6 ReceiveNextEventCommon + 613
32  com.apple.HIToolbox                 0x00007fff4879d234 _BlockUntilNextEventMatchingListInModeWithFilter + 64
33  com.apple.AppKit                    0x00007fff46a6d44f _DPSNextEvent + 2085
34  com.apple.AppKit                    0x00007fff47202508 -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 3044
35  com.apple.AppKit                    0x00007fff46a6225d -[NSApplication run] + 764
36  com.apple.AppKit                    0x00007fff46a313fe NSApplicationMain + 804
37  libxpc.dylib                        0x00007fff71533657 _xpc_objc_main + 580
38  libxpc.dylib                        0x00007fff715322aa xpc_main + 417
39  com.apple.WebKit.WebContent         0x0000000107e446a1 main + 490 (XPCServiceMain.mm:122)
40  libdyld.dylib                       0x00007fff71267145 start + 1

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20171002/27ae8cf3/attachment-0001.html>

More information about the webkit-unassigned mailing list