[Webkit-unassigned] [Bug 205132] New: Null Ptr Deref @ WTF::TypeCastTraits<WebCore::HTMLTextFormControlElement const, WebCore::Element const, false>::isType
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Wed Dec 11 13:05:06 PST 2019
https://bugs.webkit.org/show_bug.cgi?id=205132
Bug ID: 205132
Summary: Null Ptr Deref @ WTF::TypeCastTraits<WebCore::HTMLTextFormControlElement const, WebCore::Element const, false>::isType
Product: WebKit
Version: WebKit Local Build
Hardware: All
OS: All
Status: NEW
Severity: Normal
Priority: P2
Component: WebCore Misc.
Assignee: webkit-unassigned at lists.webkit.org
Reporter: shihchieh_lee at apple.com
<rdar://problem/56625854>
Reading the trace below: frame 4 shows WebCore::TextControlInnerTextElement::resolveCustomStyle downcasting an Element to HTMLTextFormControlElement via WTF::downcast, and the is<>/isType check it performs (frames 0–3) is where the null dereference happens. The style resolution is forced synchronously from JavaScript: frames 13–18 show a property put on an HTMLObjectElement (pluginElementCustomPut → pluginScriptObject → pluginWidget → renderWidgetLoadingPlugin → updateLayoutIgnorePendingStylesheets), all dispatched from the window load event (frames 31–41). Presumably the inner text element's shadow host is null or is no longer a text form control when the custom style is resolved — to be confirmed against the reproducing test case; the crash was observed under DumpRenderTree (frames 59–62).
0 com.apple.WebCore 0x000000012134b8d0 WTF::TypeCastTraits<WebCore::HTMLTextFormControlElement const, WebCore::Element const, false>::isType(WebCore::Element const&) + 16
1 com.apple.WebCore 0x000000012134b8b5 WTF::TypeCastTraits<WebCore::HTMLTextFormControlElement const, WebCore::Element const, false>::isOfType(WebCore::Element const&) + 21
2 com.apple.WebCore 0x000000012133aaa5 bool WTF::is<WebCore::HTMLTextFormControlElement, WebCore::Element>(WebCore::Element&) + 21
3 com.apple.WebCore 0x000000012133aac5 WTF::match_constness<WebCore::Element, WebCore::HTMLTextFormControlElement>::type& WTF::downcast<WebCore::HTMLTextFormControlElement, WebCore::Element>(WebCore::Element&) + 21
4 com.apple.WebCore 0x000000012246243c WebCore::TextControlInnerTextElement::resolveCustomStyle(WebCore::RenderStyle const&, WebCore::RenderStyle const*) + 60
5 com.apple.WebCore 0x00000001234b1f82 WebCore::Style::TreeResolver::styleForElement(WebCore::Element&, WebCore::RenderStyle const&) + 226
6 com.apple.WebCore 0x00000001234b24e7 WebCore::Style::TreeResolver::resolveElement(WebCore::Element&) + 231
7 com.apple.WebCore 0x00000001234b3d5f WebCore::Style::TreeResolver::resolveComposedTree() + 1455
8 com.apple.WebCore 0x00000001234b4b26 WebCore::Style::TreeResolver::resolve() + 566
9 com.apple.WebCore 0x0000000121d6052d WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) + 1037
10 com.apple.WebCore 0x0000000121d6110d WebCore::Document::updateStyleIfNeeded() + 493
11 com.apple.WebCore 0x0000000121d5c729 WebCore::Document::updateLayout() + 393
12 com.apple.WebCore 0x0000000121d5dc9e WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks) + 94
13 com.apple.WebCore 0x00000001222526bc WebCore::HTMLObjectElement::renderWidgetLoadingPlugin() const + 44
14 com.apple.WebCore 0x0000000122260a7b WebCore::HTMLPlugInElement::pluginWidget(WebCore::HTMLPlugInElement::PluginLoadingPolicy) const + 75
15 com.apple.WebCore 0x0000000121862eee WebCore::pluginScriptObjectFromPluginViewBase(WebCore::HTMLPlugInElement&, JSC::JSGlobalObject*) + 30
16 com.apple.WebCore 0x0000000121862e56 WebCore::pluginScriptObject(JSC::JSGlobalObject*, WebCore::JSHTMLElement*) + 150
17 com.apple.WebCore 0x000000012186326d WebCore::pluginElementCustomPut(WebCore::JSHTMLElement*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&, bool&) + 45
18 com.apple.WebCore 0x00000001201ab04d WebCore::JSHTMLObjectElement::put(JSC::JSCell*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 477
19 com.apple.JavaScriptCore 0x000000010e45533c JSC::JSCell::putInline(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 204
20 com.apple.JavaScriptCore 0x000000010e457473 JSC::JSValue::putInline(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 163
21 com.apple.JavaScriptCore 0x000000010e861105 llint_slow_path_put_by_id + 693
22 com.apple.JavaScriptCore 0x000000010da7a3c8 llint_entry + 42794
23 com.apple.JavaScriptCore 0x000000010da8c15e llint_entry + 115904
24 com.apple.JavaScriptCore 0x000000010da6fa33 vmEntryToJavaScript + 273
25 com.apple.JavaScriptCore 0x000000010e753d87 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 199
26 com.apple.JavaScriptCore 0x000000010e7543e4 JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1508
27 com.apple.JavaScriptCore 0x000000010ea253ec JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 236
28 com.apple.JavaScriptCore 0x000000010ea254da JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 218
29 com.apple.JavaScriptCore 0x000000010ea257ce JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 142
30 com.apple.WebCore 0x00000001217fa0c8 WebCore::JSExecState::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 136
31 com.apple.WebCore 0x0000000121815cda WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) + 1962
32 com.apple.WebCore 0x0000000121e5ef6c WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul>, WebCore::EventTarget::EventInvokePhase) + 956
33 com.apple.WebCore 0x0000000121e5b172 WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) + 354
34 com.apple.WebCore 0x00000001228dbee5 WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*) + 533
35 com.apple.WebCore 0x00000001228e5895 WebCore::DOMWindow::dispatchLoadEvent() + 309
36 com.apple.WebCore 0x0000000121d672b8 WebCore::Document::dispatchWindowLoadEvent() + 136
37 com.apple.WebCore 0x0000000121d66d72 WebCore::Document::implicitClose() + 610
38 com.apple.WebCore 0x000000012277225b WebCore::FrameLoader::checkCallImplicitClose() + 155
39 com.apple.WebCore 0x0000000122771d44 WebCore::FrameLoader::checkCompleted() + 532
40 com.apple.WebCore 0x0000000121d6717c WebCore::Document::checkCompleted() + 60
41 com.apple.WebCore 0x0000000121d544cd WebCore::Document::loadEventDelayTimerFired() + 45
42 com.apple.WebCore 0x0000000121db89b1 decltype(*(std::__1::forward<WebCore::Document*&>(fp0)).*fp()) std::__1::__invoke<void (WebCore::Document::*&)(), WebCore::Document*&, void>(void (WebCore::Document::*&)(), WebCore::Document*&) + 113
43 com.apple.WebCore 0x0000000121db8930 std::__1::__bind_return<void (WebCore::Document::*)(), std::__1::tuple<WebCore::Document*>, std::__1::tuple<>, __is_valid_bind_return<void (WebCore::Document::*)(), std::__1::tuple<WebCore::Document*>, std::__1::tuple<> >::value>::type std::__1::__apply_functor<void (WebCore::Document::*)(), std::__1::tuple<WebCore::Document*>, 0ul, std::__1::tuple<> >(void (WebCore::Document::*&)(), std::__1::tuple<WebCore::Document*>&, std::__1::__tuple_indices<0ul>, std::__1::tuple<>&&) + 64
44 com.apple.WebCore 0x0000000121db88dc std::__1::__bind_return<void (WebCore::Document::*)(), std::__1::tuple<WebCore::Document*>, std::__1::tuple<>, __is_valid_bind_return<void (WebCore::Document::*)(), std::__1::tuple<WebCore::Document*>, std::__1::tuple<> >::value>::type std::__1::__bind<void (WebCore::Document::*&)(), WebCore::Document*>::operator()<>() + 60
45 com.apple.WebCore 0x0000000121db8879 WTF::Detail::CallableWrapper<std::__1::__bind<void (WebCore::Document::*&)(), WebCore::Document*>, void>::call() + 25
46 com.apple.WebCore 0x000000011f70d87a WTF::Function<void ()>::operator()() const + 138
47 com.apple.WebCore 0x000000011f7aba19 WebCore::Timer::fired() + 25
48 com.apple.WebCore 0x0000000122b6cf4a WebCore::ThreadTimers::sharedTimerFiredInternal() + 650
49 com.apple.WebCore 0x0000000122b77741 WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0::operator()() const + 33
50 com.apple.WebCore 0x0000000122b776f9 WTF::Detail::CallableWrapper<WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0, void>::call() + 25
51 com.apple.WebCore 0x000000011f70d87a WTF::Function<void ()>::operator()() const + 138
52 com.apple.WebCore 0x0000000122b44d77 WebCore::MainThreadSharedTimer::fired() + 135
53 com.apple.WebCore 0x0000000122bd97e6 WebCore::timerFired(__CFRunLoopTimer*, void*) + 38
54 com.apple.CoreFoundation 0x00007fff352eb218 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
55 com.apple.CoreFoundation 0x00007fff352ead7e __CFRunLoopDoTimer + 872
56 com.apple.CoreFoundation 0x00007fff352ea799 __CFRunLoopDoTimers + 322
57 com.apple.CoreFoundation 0x00007fff352cba5d __CFRunLoopRun + 1885
58 com.apple.CoreFoundation 0x00007fff352cb083 CFRunLoopRunSpecific + 466
59 DumpRenderTree 0x000000010aa0c57d runTest(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) + 3405 (DumpRenderTree.mm:2103)
60 DumpRenderTree 0x000000010aa0af24 dumpRenderTree(int, char const**) + 708 (DumpRenderTree.mm:1333)
61 DumpRenderTree 0x000000010aa0cf7d DumpRenderTreeMain(int, char const**) + 109 (DumpRenderTree.mm:1449)
62 DumpRenderTree 0x000000010aa8c1b2 main + 34 (DumpRenderTreeMain.mm:34)
63 0x00007fff6d0622d5 start + 1