RESOLVED FIXED 10579
AppleStyleCommand::applyBlockStyle crash
https://bugs.webkit.org/show_bug.cgi?id=10579
Summary AppleStyleCommand::applyBlockStyle crash
Graham Dennis
Reported 2006-08-26 01:40:27 PDT
If you have a selection that runs from within the table to just past the end of the table, the end position is the <table> element, with some positive offset. This causes a crash in ApplyStyleCommand::applyBlockStyle (if called), as the end node's next node is before the start node. To reproduce this crash, see attached testcase.

Crash report:
0 com.apple.WebCore 0x01263cbc WebCore::Node::traverseNextNode(WebCore::Node const*) const + 28 (Node.cpp:443)
1 com.apple.WebCore 0x011ed168 WebCore::ApplyStyleCommand::applyBlockStyle(WebCore::CSSMutableStyleDeclaration*) + 456 (ApplyStyleCommand.cpp:376)
2 com.apple.WebCore 0x011ed3b0 WebCore::ApplyStyleCommand::doApply() + 96 (ApplyStyleCommand.cpp:333)
3 com.apple.WebCore 0x011fa9a8 WebCore::EditCommand::apply() + 600 (EditCommand.cpp:90)
4 com.apple.WebCore 0x010c6d5c WebCore::Frame::applyStyle(WebCore::CSSStyleDeclaration*, WebCore::EditAction) + 172 (PassRefPtr.h:45)
Attachments
table selection crash testcase (732 bytes, text/html)
2006-08-26 01:41 PDT, Graham Dennis
no flags
patch (12.61 KB, patch)
2006-08-27 06:04 PDT, Graham Dennis
justin.garcia: review+
Graham Dennis
Comment 1 2006-08-26 01:41:29 PDT
Created attachment 10238 [details] table selection crash testcase
testcase
Graham Dennis
Comment 2 2006-08-26 01:45:12 PDT
Marking P1 as it is a reproducible crasher.
Graham Dennis
Comment 3 2006-08-27 06:04:46 PDT
Created attachment 10254 [details] patch
Patch

I was originally going to try to make sure that the end position of the selection couldn't end up at the end of a table element, but it seems that the table deletion code relies on this. So the patch is to make sure that the 'beyondEnd' node is after the start node. The only case when end.node()->traverseNextNode() is not after the start node is when the end node is before the start node, which itself can only happen when the end node is an ancestor of the start node. I think.
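The invariant Comment 3 argues for can be shown on a toy tree. The following is an added example written for this page; it is not WebKit code and not the text of the attached patch. `Node`, `Doc`, `buildDoc`, `computeBeyondEndNaive`, `computeBeyondEndGuarded`, `beyondEndIsAfterStart` and `nodesInRange` are all constructed here; the traversal method names mirror WebCore's but the implementations are this example's own. It reproduces the situation in the report (start inside a table cell, end position on the `<table>` element) and shows why the pre-order successor of the end node lands before the start, so the styling loop runs off the end of the document, and how skipping the end node's subtree when it contains the start node restores the "beyondEnd is after start" invariant.

```cpp
#include <memory>
#include <string>
#include <vector>

// Minimal stand-in for a DOM node with WebCore-style pre-order traversal.
// Constructed for this example; it is not WebCore::Node.
struct Node {
    std::string name;
    Node* parent = nullptr;
    std::vector<Node*> children;

    explicit Node(std::string n) : name(std::move(n)) {}

    Node* firstChild() const { return children.empty() ? nullptr : children.front(); }

    Node* nextSibling() const {
        if (!parent) return nullptr;
        const auto& sib = parent->children;
        for (size_t i = 0; i + 1 < sib.size(); ++i)
            if (sib[i] == this) return sib[i + 1];
        return nullptr;
    }

    // Next node in document order that lies outside this node's subtree.
    Node* traverseNextSibling() const {
        for (const Node* n = this; n; n = n->parent)
            if (Node* s = n->nextSibling()) return s;
        return nullptr;
    }

    // Next node in document order, descending into children first.
    Node* traverseNextNode() const {
        if (Node* c = firstChild()) return c;
        return traverseNextSibling();
    }

    bool isAncestorOf(const Node* other) const {
        for (const Node* n = other ? other->parent : nullptr; n; n = n->parent)
            if (n == this) return true;
        return false;
    }
};

// Owns the nodes of the constructed fixture; raw pointers name the interesting ones.
struct Doc {
    std::vector<std::unique_ptr<Node>> storage;
    Node* table = nullptr;
    Node* cell1Text = nullptr;
    Node* cell2Text = nullptr;
    Node* para = nullptr;

    Node* add(const std::string& name, Node* parent) {
        storage.push_back(std::make_unique<Node>(name));
        Node* n = storage.back().get();
        n->parent = parent;
        if (parent) parent->children.push_back(n);
        return n;
    }
};

// Constructed fixture: <body><table><tr><td>cell1</td><td>cell2</td></tr></table><p>after</p></body>
Doc buildDoc() {
    Doc d;
    Node* body = d.add("body", nullptr);
    d.table = d.add("table", body);
    Node* tr = d.add("tr", d.table);
    Node* td1 = d.add("td", tr);
    d.cell1Text = d.add("#text:cell1", td1);
    Node* td2 = d.add("td", tr);
    d.cell2Text = d.add("#text:cell2", td2);
    d.para = d.add("p", body);
    d.add("#text:after", d.para);
    return d;
}

// True if walking forward from `start` in document order reaches `beyondEnd`
// (a null beyondEnd means "end of document", which every walk reaches).
bool beyondEndIsAfterStart(const Node* start, const Node* beyondEnd) {
    for (const Node* n = start; n; n = n->traverseNextNode())
        if (n == beyondEnd) return true;
    return beyondEnd == nullptr;
}

// The computation the report describes: the pre-order successor of the end
// position's node. When the end node is an ancestor of the start node this is
// the end node's first child, which is *before* the start.
Node* computeBeyondEndNaive(const Node* endNode) {
    return endNode->traverseNextNode();
}

// Guarded computation (this example's illustration of the invariant from
// Comment 3, not the landed patch): if the end node contains the start node,
// step past its whole subtree so that beyondEnd is after start.
Node* computeBeyondEndGuarded(const Node* startNode, const Node* endNode) {
    Node* beyondEnd = endNode->traverseNextNode();
    if (beyondEnd && endNode->isAncestorOf(startNode))
        beyondEnd = endNode->traverseNextSibling();
    return beyondEnd;
}

// The node walk applyBlockStyle performs, stopping at null instead of calling
// traverseNextNode on it (the crash site in the report). Returns the names of
// the nodes that would be styled.
std::vector<std::string> nodesInRange(const Node* start, const Node* beyondEnd) {
    std::vector<std::string> visited;
    for (const Node* n = start; n && n != beyondEnd; n = n->traverseNextNode())
        visited.push_back(n->name);
    return visited;
}
```

With the naive computation `beyondEnd` is the `<tr>`, which the walk from `cell1` never reaches, so the loop visits every remaining node in the document and then hands a null pointer to `traverseNextNode`. With the guard, `beyondEnd` becomes the `<p>` after the table and the walk covers exactly the nodes between the two ends of the selection. For an end node that is not an ancestor of the start (for example the text in the second cell), both computations agree.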
Justin Garcia
Comment 4 2006-08-31 18:01:55 PDT
Graham I think we should also put this piece of code in applyRelativeFontStyleChange(...) when we compute beyondEnd. r=me
Justin Garcia
Comment 5 2006-08-31 18:02:25 PDT
Comment on attachment 10254 [details] patch
I think we also need this piece of code in applyRelativeFontStyleChange(...) when we compute beyondEnd. r=me
Graham Dennis
Comment 6 2006-08-31 18:11:41 PDT
Should I file a new bug for that, or just modify this patch?
Graham Dennis
Comment 7 2006-08-31 18:12:31 PDT
Should I file a new bug for that, or just modify this patch?
Timothy Hatcher
Comment 8 2006-09-02 12:12:45 PDT
Landed in r16194.
Graham Dennis
Comment 9 2006-09-04 04:20:51 PDT
Bug in applyRelativeFontStyleChange filed as bug #10726