42449 2010-07-16 06:17:02 -0700 [Chromium] Crash in Position::getInlineBoxAndOffset (node()->renderer() == NULL) 2010-07-16 07:07:50 -0700 1 1 1 Unclassified WebKit WebKit Misc. 528+ (Nightly build) All All RESOLVED FIXED P1 Normal --- 0 caseq webkit-unassigned commit-queue fishd pfeldman oldest_to_newest 252471 0 caseq 2010-07-16 06:17:02 -0700 1) Open DevTools (Ctrl+Shift+I) 2) Open Console (Esc) 3) Type "window" and hit enter. 4) Start expanding and collapsing 'DOMWindow' node rapidly Observe crash: chrome.dll!WebCore::RenderObject::isText() Line 375 + 0x11 bytes C++ chrome.dll!WebCore::Position::getInlineBoxAndOffset(WebCore::EAffinity affinity=UPSTREAM, WebCore::TextDirection primaryDirection=LTR, WebCore::InlineBox * & inlineBox=0xcccccccc, int & caretOffset=0) Line 1014 + 0x8 bytes C++ chrome.dll!WebCore::Position::getInlineBoxAndOffset(WebCore::EAffinity affinity=UPSTREAM, WebCore::InlineBox * & inlineBox=0xcccccccc, int & caretOffset=0) Line 950 C++ chrome.dll!WebCore::Frame::firstRectForRange(WebCore::Range * range=0x0c20d540) Line 312 + 0x20 bytes C++ chrome.dll!WebKit::WebViewImpl::caretOrSelectionBounds() Line 1249 + 0x15 bytes C++ chrome.dll!RenderWidget::UpdateInputMethod() Line 876 + 0x19 bytes C++ chrome.dll!RenderWidget::DoDeferredUpdate() Line 527 C++ chrome.dll!RenderWidget::CallDoDeferredUpdate() Line 427 C++ chrome.dll!RenderWidget::OnUpdateRectAck() Line 283 C++ chrome.dll!IPC::Message::Dispatch<RenderWidget>(const IPC::Message * msg=0x0caade28, RenderWidget * obj=0x07254400, void (void)* func=0x5fde3f50) Line 134 + 0x1b bytes C++ chrome.dll!RenderWidget::OnMessageReceived(const IPC::Message & msg={...}) Line 143 + 0x38 bytes C++ chrome.dll!RenderView::OnMessageReceived(const IPC::Message & message={...}) Line 737 + 0xc bytes C++ chrome.dll!MessageRouter::RouteMessage(const IPC::Message & msg={...}) Line 40 + 0x13 bytes C++ chrome.dll!MessageRouter::OnMessageReceived(const IPC::Message & msg={...}) Line 31 + 0x13 bytes C++ chrome.dll!ChildThread::OnMessageReceived(const IPC::Message & msg={...}) Line 146 + 0x17 bytes C++ chrome.dll!IPC::ChannelProxy::Context::OnDispatchMessage(const IPC::Message & message={...}) Line 206 + 0x19 bytes C++ chrome.dll!DispatchToMethod<IPC::ChannelProxy::Context,void (__thiscall IPC::ChannelProxy::Context::*)(IPC::Message const &),IPC::Message>(IPC::ChannelProxy::Context * obj=0x04236c00, void (const IPC::Message &)* method=0x5fa65cb0, const Tuple1<IPC::Message> & arg={...}) Line 422 + 0xf bytes C++ chrome.dll!RunnableMethod<IPC::ChannelProxy::Context,void (__thiscall IPC::ChannelProxy::Context::*)(IPC::Message const &),Tuple1<IPC::Message> ::Run() Line 326 + 0x1e bytes C++ chrome.dll!MessageLoop::RunTask(Task * task=0x0caade00) Line 409 + 0xf bytes C++ chrome.dll!MessageLoop::DeferOrRunPendingTask(const MessageLoop::PendingTask & pending_task={...}) Line 421 C++ See https://bugs.webkit.org/show_bug.cgi?id=41334 for a similar bug. Related Chromium bug: http://code.google.com/p/chromium/issues/detail?id=49294 252479 1 61799 caseq 2010-07-16 06:34:16 -0700 Created attachment 61799 patch 252496 2 61799 commit-queue 2010-07-16 07:07:45 -0700 Comment on attachment 61799 patch Clearing flags on attachment: 61799 Committed r63545: <http://trac.webkit.org/changeset/63545> 252497 3 commit-queue 2010-07-16 07:07:50 -0700 All reviewed patches have been landed. Closing bug. 61799 2010-07-16 06:34:16 -0700 2010-07-16 07:07:45 -0700 patch range-end-node-check.patch text/plain 1447 caseq SW5kZXg6IFdlYktpdC9jaHJvbWl1bS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gV2ViS2l0L2No cm9taXVtL0NoYW5nZUxvZwkocmV2aXNpb24gNjM1NDIpCisrKyBXZWJLaXQvY2hyb21pdW0vQ2hh bmdlTG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEsMTQgQEAKKzIwMTAtMDctMTYgIEFuZHJl eSBLb3N5YWtvdiAgPGNhc2VxQGNocm9taXVtLm9yZz4KKworICAgICAgICBSZXZpZXdlZCBieSBO T0JPRFkgKE9PUFMhKS4KKworICAgICAgICBDaGVjayB0aGF0IGVuZCBub2RlIG9mIGEgcmFuZ2Ug aGFzIGEgdmFsaWQgcmVuZGVyZXIgaW4gV2ViVmlld0ltcGw6OmNhcmV0T3JTZWxlY3Rpb25Cb3Vu ZHMoKQorICAgICAgICB0byBhdm9pZCBjcmFzaCBpbiBQb3NpdGlvbjo6Z2V0SW5saW5lQm94QW5k T2Zmc2V0KCkgd2hlbiBzdGFydCBub2RlIGhhcyByZW5kZXJlciBidXQgZW5kIG9uZSBkb2Vzbid0 LgorICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9NDI0NDkK KworICAgICAgICAqIHNyYy9XZWJWaWV3SW1wbC5jcHA6CisgICAgICAgIChXZWJLaXQ6OldlYlZp ZXdJbXBsOjpjYXJldE9yU2VsZWN0aW9uQm91bmRzKToKKwogMjAxMC0wNy0xNiAgTWlraGFpbCBO YWdhbm92ICA8bW5hZ2Fub3ZAY2hyb21pdW0ub3JnPgogCiAgICAgICAgIFJldmlld2VkIGJ5IFBh dmVsIEZlbGRtYW4uCkluZGV4OiBXZWJLaXQvY2hyb21pdW0vc3JjL1dlYlZpZXdJbXBsLmNwcAo9 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09Ci0tLSBXZWJLaXQvY2hyb21pdW0vc3JjL1dlYlZpZXdJbXBsLmNwcAkocmV2aXNp b24gNjMzMTYpCisrKyBXZWJLaXQvY2hyb21pdW0vc3JjL1dlYlZpZXdJbXBsLmNwcAkod29ya2lu ZyBjb3B5KQpAQCAtMTIzOCw2ICsxMjM4LDkgQEAgV2ViUmVjdCBXZWJWaWV3SW1wbDo6Y2FyZXRP clNlbGVjdGlvbkJvdQogICAgIGlmIChjb250cm9sbGVyLT5pc0NhcmV0KCkpCiAgICAgICAgIHJl Y3QgPSB2aWV3LT5jb250ZW50c1RvV2luZG93KGNvbnRyb2xsZXItPmFic29sdXRlQ2FyZXRCb3Vu ZHMoKSk7CiAgICAgZWxzZSBpZiAoY29udHJvbGxlci0+aXNSYW5nZSgpKSB7CisgICAgICAgIG5v ZGUgPSBjb250cm9sbGVyLT5lbmQoKS5ub2RlKCk7CisgICAgICAgIGlmICghbm9kZSB8fCAhbm9k ZS0+cmVuZGVyZXIoKSkKKyAgICAgICAgICAgIHJldHVybiByZWN0OwogICAgICAgICBSZWZQdHI8 UmFuZ2U+IHJhbmdlID0gY29udHJvbGxlci0+dG9Ob3JtYWxpemVkUmFuZ2UoKTsKICAgICAgICAg cmVjdCA9IHZpZXctPmNvbnRlbnRzVG9XaW5kb3coZm9jdXNlZC0+Zmlyc3RSZWN0Rm9yUmFuZ2Uo cmFuZ2UuZ2V0KCkpKTsKICAgICB9Cg==