[Webkit-unassigned] [Bug 205476] New: Nullptr crash in WebCore::RenderTreeBuilder::attach

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Dec 19 15:27:59 PST 2019


https://bugs.webkit.org/show_bug.cgi?id=205476

            Bug ID: 205476
           Summary: Nullptr crash in WebCore::RenderTreeBuilder::attach
           Product: WebKit
           Version: WebKit Local Build
          Hardware: All
                OS: All
            Status: NEW
          Keywords: InRadar
          Severity: Normal
          Priority: P2
         Component: Layout and Rendering
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: shihchieh_lee at apple.com
                CC: bfulgham at webkit.org, simon.fraser at apple.com,
                    zalan at apple.com

Created attachment 386155

  --> https://bugs.webkit.org/attachment.cgi?id=386155&action=review

Test HTML

<rdar://57213478>

0   libsystem_kernel.dylib              0x00007fff6a83931a __pthread_kill + 10
1   libsystem_pthread.dylib             0x00007fff6a8fa5cc pthread_kill + 430
2   libsystem_c.dylib                   0x00007fff6a7c09d8 abort + 120
3       0x000000010f41f48c  + 60
4       0x000000010f40bf44  + 196
5       0x000000010f3f3cd9  + 409
6       0x000000010f3f1d8d __asan::ReportDeadlySignal(__sanitizer::SignalContext const&) + 157
7       0x000000010f3f15e4 __asan::AsanOnDeadlySignal(int, void*, void*) + 84
8   libsystem_platform.dylib            0x00007fff6a8efb1d _sigtramp + 29
9   ???                                 000000000000000000 0 + 0
10  com.apple.WebCore                   0x000000030cef1e7b WebCore::RenderTreeBuilder::attach(WebCore::RenderElement&, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) + 507
11  com.apple.WebCore                   0x000000030cf0dc61 WebCore::RenderTreeBuilder::Ruby::attach(WebCore::RenderRubyRun&, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) + 785
12  com.apple.WebCore                   0x000000030cef21c3 WebCore::RenderTreeBuilder::attach(WebCore::RenderElement&, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) + 1347
13  com.apple.WebCore                   0x000000030cef2a57 WebCore::RenderTreeBuilder::attach(WebCore::RenderElement&, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*)::$_0::operator()(WebCore::RenderElement&) const + 375
14  com.apple.WebCore                   0x000000030cef2152 WebCore::RenderTreeBuilder::attach(WebCore::RenderElement&, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) + 1234
15  com.apple.WebCore                   0x000000030cef4ee4 WebCore::RenderTreeBuilder::attach(WebCore::RenderTreePosition&, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>) + 244
16  com.apple.WebCore                   0x000000030cf169a6 WebCore::RenderTreeUpdater::createRenderer(WebCore::Element&, WebCore::RenderStyle&&) + 998
17  com.apple.WebCore                   0x000000030cf14c0c WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdate const&) + 668
18  com.apple.WebCore                   0x000000030cf142e2 WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) + 1170
19  com.apple.WebCore                   0x000000030cf13900 WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) + 688
20  com.apple.WebCore                   0x000000030b0f8838 WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) + 1992
21  com.apple.WebCore                   0x000000030b0f96bc WebCore::Document::updateStyleIfNeeded() + 572
22  com.apple.WebCore                   0x000000030b0f2486 WebCore::Document::updateLayout() + 406
23  com.apple.WebCore                   0x000000030b51e8cd WebCore::VisibleSelection::toNormalizedRange() const + 285
24  com.apple.WebCore                   0x000000030bfbe858 WebCore::DOMSelection::containsNode(WebCore::Node&, bool) const + 488
25  com.apple.WebCore                   0x000000030898d76b WebCore::jsDOMSelectionPrototypeFunctionContainsNodeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDOMSelection*, JSC::ThrowScope&) + 507
26  com.apple.WebCore                   0x000000030880d921 long long WebCore::IDLOperation<WebCore::JSDOMSelection>::call<&(WebCore::jsDOMSelectionPrototypeFunctionContainsNodeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDOMSelection*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) + 257
27  ???                                 0x000028d7bce0116b 0 + 44907051880811
28  com.apple.JavaScriptCore            0x0000000321d168fb llint_entry + 92452
29  com.apple.JavaScriptCore            0x0000000321cffe29 vmEntryToJavaScript + 200
30  com.apple.JavaScriptCore            0x0000000323310b5c JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1212
31  com.apple.JavaScriptCore            0x000000032390c691 JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 113
32  com.apple.JavaScriptCore            0x000000032390c792 JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 226
33  com.apple.JavaScriptCore            0x000000032390cb70 JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 272
34  com.apple.WebCore                   0x000000030aa215b5 WebCore::JSExecState::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 229
35  com.apple.WebCore                   0x000000030aa49dfd WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) + 1917
36  com.apple.WebCore                   0x000000030b22ade5 WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul>, WebCore::EventTarget::EventInvokePhase) + 917
37  com.apple.WebCore                   0x000000030b2260b8 WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) + 424
38  com.apple.WebCore                   0x000000030b202ca7 WebCore::EventContext::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) const + 455
39  com.apple.WebCore                   0x000000030b203eaa WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) + 378
40  com.apple.WebCore                   0x000000030b203827 WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) + 791
41  com.apple.WebCore                   0x000000030b20322f WebCore::EventDispatcher::dispatchScopedEvent(WebCore::Node&, WebCore::Event&) + 367
42  com.apple.WebCore                   0x000000030b2a92cb WebCore::Node::dispatchSubtreeModifiedEvent() + 459
43  com.apple.WebCore                   0x000000030b1f0b83 WebCore::Element::didRemoveAttribute(WebCore::QualifiedName const&, WTF::AtomString const&) + 467
44  com.apple.WebCore                   0x000000030b1dc110 WebCore::Element::removeAttributeInternal(unsigned int, WebCore::Element::SynchronizationOfLazyAttribute) + 720
45  com.apple.WebCore                   0x000000030b1dc2c6 WebCore::Element::removeAttribute(WebCore::QualifiedName const&) + 134
46  com.apple.WebCore                   0x0000000308d0e1ef WebCore::setJSHTMLButtonElementAutofocusSetter(JSC::JSGlobalObject&, WebCore::JSHTMLButtonElement&, JSC::JSValue, JSC::ThrowScope&) + 367
47  com.apple.WebCore                   0x0000000308c02ea7 bool WebCore::IDLAttribute<WebCore::JSHTMLButtonElement>::set<&(WebCore::setJSHTMLButtonElementAutofocusSetter(JSC::JSGlobalObject&, WebCore::JSHTMLButtonElement&, JSC::JSValue, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, long long, long long, char const*) + 263
48  com.apple.JavaScriptCore            0x00000003239acd59 JSC::callCustomSetter(JSC::JSGlobalObject*, bool (*)(JSC::JSGlobalObject*, long long, long long), bool, JSC::JSValue, JSC::JSValue) + 57
49  com.apple.JavaScriptCore            0x00000003239ace96 JSC::callCustomSetter(JSC::JSGlobalObject*, JSC::JSValue, bool, JSC::JSObject*, JSC::JSValue, JSC::JSValue) + 294
50  com.apple.JavaScriptCore            0x0000000323b9ad95 JSC::JSObject::putInlineSlow(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 1749
51  com.apple.JavaScriptCore            0x00000003235908d1 llint_slow_path_put_by_id + 2097
52  com.apple.JavaScriptCore            0x0000000321d08d78 llint_entry + 36257
53  com.apple.JavaScriptCore            0x0000000321d16804 llint_entry + 92205
54  com.apple.JavaScriptCore            0x0000000321cffe29 vmEntryToJavaScript + 200
55  com.apple.JavaScriptCore            0x0000000323310b5c JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1212
56  com.apple.JavaScriptCore            0x000000032390c691 JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 113
57  com.apple.JavaScriptCore            0x000000032390c792 JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 226
58  com.apple.JavaScriptCore            0x000000032390cb70 JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 272
59  com.apple.WebCore                   0x000000030aa215b5 WebCore::JSExecState::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 229
60  com.apple.WebCore                   0x000000030aa49dfd WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) + 1917
61  com.apple.WebCore                   0x000000030b22ade5 WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul>, WebCore::EventTarget::EventInvokePhase) + 917
62  com.apple.WebCore                   0x000000030b2260b8 WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) + 424
63  com.apple.WebCore                   0x000000030b202ca7 WebCore::EventContext::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) const + 455
64  com.apple.WebCore                   0x000000030b203eaa WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) + 378
65  com.apple.WebCore                   0x000000030b203827 WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) + 791
66  com.apple.WebCore                   0x000000030b638604 WebCore::HTMLDetailsElement::dispatchPendingEvent(WebCore::EventSender<WebCore::HTMLDetailsElement>*) + 212
67  com.apple.WebCore                   0x000000030b63b931 WebCore::EventSender<WebCore::HTMLDetailsElement>::dispatchPendingEvents() + 161
68  com.apple.WebCore                   0x000000030b63cb84 std::__1::__bind_return<void (WebCore::EventSender<WebCore::HTMLDetailsElement>::*)(), std::__1::tuple<WebCore::EventSender<WebCore::HTMLDetailsElement>*>, std::__1::tuple<>, __is_valid_bind_return<void (WebCore::EventSender<WebCore::HTMLDetailsElement>::*)(), std::__1::tuple<WebCore::EventSender<WebCore::HTMLDetailsElement>*>, std::__1::tuple<> >::value>::type std::__1::__bind<void (WebCore::EventSender<WebCore::HTMLDetailsElement>::*&)(), WebCore::EventSender<WebCore::HTMLDetailsElement>*>::operator()<>() + 180
69  com.apple.WebCore                   0x000000030c304b76 WebCore::ThreadTimers::sharedTimerFiredInternal() + 918
70  com.apple.WebCore                   0x000000030c383faa WebCore::timerFired(__CFRunLoopTimer*, void*) + 186
71  com.apple.CoreFoundation            0x00007fff32724218 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
72  com.apple.CoreFoundation            0x00007fff32723d7e __CFRunLoopDoTimer + 872
73  com.apple.CoreFoundation            0x00007fff32723799 __CFRunLoopDoTimers + 322
74  com.apple.CoreFoundation            0x00007fff32704a5d __CFRunLoopRun + 1885
75  com.apple.CoreFoundation            0x00007fff32704083 CFRunLoopRunSpecific + 466
76  com.apple.Foundation                0x00007fff34e4fe67 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 212
77  com.apple.Foundation                0x00007fff34e4fd80 -[NSRunLoop(NSRunLoop) run] + 76
78  libxpc.dylib                        0x00007fff6a9558c2 _xpc_objc_main.cold.4 + 49
79  libxpc.dylib                        0x00007fff6a93e006 _xpc_objc_main + 559
80  libxpc.dylib                        0x00007fff6a93db21 xpc_main + 377
81  com.apple.WebKit                    0x0000000106aa3231 WebKit::XPCServiceMain(int, char const**) + 337
82                      0x00007fff6a6e9885 start + 1
