[Webkit-unassigned] [Bug 199224] New: Crash in WebCore::StyledMarkupAccumulator::traverseNodesForSerialization
bugzilla-daemon at webkit.org
Wed Jun 26 09:58:02 PDT 2019
https://bugs.webkit.org/show_bug.cgi?id=199224
Bug ID: 199224
Summary: Crash in WebCore::StyledMarkupAccumulator::traverseNodesForSerialization
Product: WebKit
Version: WebKit Nightly Build
Hardware: PC
OS: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: CSS
Assignee: webkit-unassigned at lists.webkit.org
Reporter: mcatanzaro at igalia.com
Created attachment 372932
--> https://bugs.webkit.org/attachment.cgi?id=372932&action=review
Full backtrace
Looks like the problem is here in StyledMarkupAccumulator::traverseNodesForSerialization:
    Node* lastNode = nullptr;
    Node* next = nullptr;
    for (auto* n = startNode; n != pastEnd; lastNode = n, n = next) {
        Vector<Node*, 8> exitedAncestors;
        next = nullptr;
        if (auto* child = firstChild(*n)) // <-- n dereferenced when nullptr
            next = child;
Don't have a reproducer, only have the backtrace:
#0 WebCore::Node::firstChild (this=0x0) at ../Source/WebCore/dom/Node.h:595
No locals.
#1 WebCore::StyledMarkupAccumulator::firstChild (this=0x7ffcf45d82e0, node=...)
at ../Source/WebCore/editing/markup.cpp:265
No locals.
#2 WebCore::StyledMarkupAccumulator::traverseNodesForSerialization (this=0x7ffcf45d82e0, startNode=<optimized out>,
pastEnd=0x7fedf4002838, traversalMode=WebCore::StyledMarkupAccumulator::NodeTraversalMode::DoNotEmitString)
at ../Source/WebCore/editing/markup.cpp:629
child = <optimized out>
exitedAncestors = {<WTF::VectorBuffer<WebCore::Node*, 8>> = {<WTF::VectorBufferBase<WebCore::Node*>> = {
m_buffer = 0x7ffcf45d8090, m_capacity = 8, m_size = 0}, m_inlineBuffer = {{
__data = "H9\240\n\356\177\000", __align = {<No data fields>}}, {__data = "\360\267*?\357\177\000",
__align = {<No data fields>}}, {__data = "\000\000\000\000\000\000\000",
__align = {<No data fields>}}, {__data = "\000\215s\256\212\060\215\022",
__align = {<No data fields>}}, {__data = "\000\000\000\000\000\000\000",
__align = {<No data fields>}}, {__data = "\016\000\000\000\370\177\000",
__align = {<No data fields>}}, {__data = "\001\000\000\000\000\000\000",
__align = {<No data fields>}}, {__data = "\000\215s\256\212\060\215\022",
__align = {<No data fields>}}}}, <No data fields>}
n = 0x0
shouldEmit = false
depth = 0
enterNode = {__this = 0x7ffcf45d82e0, __shouldEmit = <synthetic pointer><error reading variable>,
__depth = <synthetic pointer><error reading variable>}
lastClosed = 0x7fee0aa03948
exitNode = {__depth = <synthetic pointer><error reading variable>,
__shouldEmit = <synthetic pointer><error reading variable>, __this = 0x7ffcf45d82e0,
__lastClosed = <synthetic pointer><error reading variable>}
lastNode = 0x0
next = 0x0
#3 0x00007fef3f2b94fd in WebCore::StyledMarkupAccumulator::serializeNodes (this=this at entry=0x7ffcf45d82e0,
start=..., end=...) at DerivedSources/ForwardingHeaders/wtf/DumbPtrTraits.h:43
lastClosed = <optimized out>
startNode = {
static isRefPtr = <error reading variable: Missing ELF symbol "WTF::RefPtr<WebCore::Node, WTF::DumbPtrTraits<WebCore::Node> >::isRefPtr".>, m_ptr = 0x7fedf3e01008}
pastEnd = 0x7fedf4002838
See attachment for the remaining frames. Note: crash occurs with WebKitGTK 2.25.2 (r246495).
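The loop quoted above only terminates when `n` reaches `pastEnd`; if the pre-order walk runs out of nodes first, `next` stays nullptr, the next iteration assigns `n = next`, and `firstChild(*n)` dereferences null, which matches the `n = 0x0` / `next = 0x0` locals in frame #2. The following is an added example, not code from the bug report or from WebKit: it models that walk with a toy `Node` type and constructed tree, shows when the unguarded loop would hit nullptr, and shows a guarded variant. The specific trigger it models (a `pastEnd` that is not reachable from `startNode` in document order, e.g. a reversed range or a node from another tree) is this example's assumption; the report itself has no reproducer.

```cpp
// Added example (not WebKit code): toy model of the pre-order walk in
// StyledMarkupAccumulator::traverseNodesForSerialization. Node, the tree
// and all names below are constructed for illustration.
#include <string>
#include <utility>
#include <vector>

struct Node {
    std::string name;
    Node* parent = nullptr;
    Node* firstChild = nullptr;
    Node* nextSibling = nullptr;

    Node(std::string n) : name(std::move(n)) {}

    Node* appendChild(Node* child) {
        child->parent = this;
        if (!firstChild) { firstChild = child; return child; }
        Node* last = firstChild;
        while (last->nextSibling) last = last->nextSibling;
        last->nextSibling = child;
        return child;
    }
};

// Mirrors how the WebKit loop computes `next`: descend into the first child,
// otherwise move to the next sibling, otherwise climb until some ancestor has
// a next sibling. Returns nullptr once the tree is exhausted.
static Node* nextInPreOrder(Node* n) {
    if (n->firstChild) return n->firstChild;
    for (Node* cur = n; cur; cur = cur->parent) {
        if (cur->nextSibling) return cur->nextSibling;
    }
    return nullptr;
}

// The quoted loop is `for (n = startNode; n != pastEnd; n = next)`: it stops
// only when n == pastEnd. If pastEnd is never reached (assumption: it precedes
// startNode in document order or lives in a different tree), next becomes
// nullptr, the next iteration sets n = nullptr and firstChild(*n) is a null
// dereference. This predicate reports whether that would happen, without
// performing the dereference.
static bool unguardedLoopWouldDereferenceNull(Node* startNode, Node* pastEnd) {
    for (Node* n = startNode; n != pastEnd; n = nextInPreOrder(n)) {
        if (!n) return true; // original code would call firstChild(*n) here
    }
    return false;
}

// Guarded variant: walking off the end of the tree ends the range instead of
// crashing. Returns the names of the nodes that would be serialized.
static std::vector<std::string> serializeRange(Node* startNode, Node* pastEnd) {
    std::vector<std::string> out;
    for (Node* n = startNode; n && n != pastEnd; n = nextInPreOrder(n))
        out.push_back(n->name);
    return out;
}

// Constructed sample tree: body > (p > (b, i)), div
struct SampleTree {
    Node body{"body"}, p{"p"}, b{"b"}, i{"i"}, div{"div"};
    SampleTree() {
        body.appendChild(&p);
        p.appendChild(&b);
        p.appendChild(&i);
        body.appendChild(&div);
    }
};
```

With the sample tree, a forward range (start at `p`, end before `div`) visits `p`, `b`, `i` and terminates normally in both variants; a reversed range (start at `div`, end before `p`) or a `pastEnd` from an unrelated tree makes the unguarded loop reach `n == nullptr`, while the guarded variant simply stops at the last node of the tree. Whether the real crash comes from such a range or from some other way of producing a null `next` is not established by the report.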