47888 2010-10-19 01:00:27 -0700 chrome.dll!WebCore::Node::shadowAncestorNode ReadAV@NULL (98643190851b5662363449cc7303d8a5) 2010-10-28 16:08:03 -0700 1 1 1 Unclassified WebKit DOM 528+ (Nightly build) All All RESOLVED FIXED http://code.google.com/p/chromium/issues/detail?id=59747 P1 Normal --- 1 skylined rniwa darin eric ojan rniwa tkent tony oldest_to_newest 296042 0 skylined 2010-10-19 01:00:27 -0700 Repro: <html><head><script> function go() { document.execCommand("SelectAll", false, "ur"); document.designMode = "on"; document.execCommand("InsertOrderedList", false, "-.8"); document.execCommand("insertparagraph", false, "04"); document.execCommand("InsertImage", false, "///("); document.execCommand("SelectAll", false, "ur"); document.execCommand("strikethrough", false, null); } </script></head><body onload="go()"></body></html> stack: chrome.dll!WebCore::Node::shadowAncestorNode chrome.dll!WebCore::comparePositions chrome.dll!WebCore::isNodeVisiblyContainedWithin chrome.dll!WebCore::ApplyStyleCommand::fixRangeAndApplyInlineStyle chrome.dll!(unknown) chrome.dll!WebCore::ApplyStyleCommand::doApply chrome.dll!WebCore::EditCommand::apply chrome.dll!WebCore::applyCommand chrome.dll!WebCore::Editor::applyStyle chrome.dll!WebCore::executeToggleStyleInList chrome.dll!WebCore::executeStrikethrough chrome.dll!WebCore::Editor::Command::execute chrome.dll!WebCore::Document::execCommand chrome.dll!WebCore::DocumentInternal::execCommandCallback ... 301370 1 72242 rniwa 2010-10-28 15:17:11 -0700 Created attachment 72242 fixes the bug 301383 2 72242 tony 2010-10-28 15:33:07 -0700 Comment on attachment 72242 fixes the bug View in context: https://bugs.webkit.org/attachment.cgi?id=72242&action=review > LayoutTests/editing/style/fix-range-from-root-editable-crash.html:7 > + layoutTestController.waitUntilDone(); Does the crash trigger if you don't have the waitUntilDone? I think DRT makes sure that onload runs. > LayoutTests/editing/style/fix-range-from-root-editable-crash.html:18 > + document.execCommand("SelectAll", false, "ur"); > + document.designMode = "on"; > + document.execCommand("InsertOrderedList", false, "-.8"); > + document.execCommand("insertparagraph", false, "04"); > + document.execCommand("InsertImage", false, "///("); > + document.execCommand("SelectAll", false, "ur"); > + document.execCommand("strikethrough", false, null); > + document.body.innerHTML = 'This tests ApplyStyleCommand::fixRangeAndApplyInlineStyle does not crash when startNode is body.<br>PASS'; Are all these calls necessary? 301403 3 rniwa 2010-10-28 16:02:05 -0700 (In reply to comment #2) > (From update of attachment 72242 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=72242&action=review > > > LayoutTests/editing/style/fix-range-from-root-editable-crash.html:7 > > + layoutTestController.waitUntilDone(); > > Does the crash trigger if you don't have the waitUntilDone? I think DRT makes sure that onload runs. The test becomes flaky last time I tried. > > LayoutTests/editing/style/fix-range-from-root-editable-crash.html:18 > > + document.execCommand("SelectAll", false, "ur"); > > + document.designMode = "on"; > > + document.execCommand("InsertOrderedList", false, "-.8"); > > + document.execCommand("insertparagraph", false, "04"); > > + document.execCommand("InsertImage", false, "///("); > > + document.execCommand("SelectAll", false, "ur"); > > + document.execCommand("strikethrough", false, null); > > + document.body.innerHTML = 'This tests ApplyStyleCommand::fixRangeAndApplyInlineStyle does not crash when startNode is body.<br>PASS'; > > Are all these calls necessary? Yes. But everything before the second SelectAll doesn't need to be done in script. So it'll simplify it to: function go() { document.designMode = "on"; document.execCommand("SelectAll", false, "ur"); document.execCommand("strikethrough", false, null); document.body.innerHTML = 'This tests ApplyStyleCommand::fixRangeAndApplyInlineStyle does not crash when startNode is body.<br>PASS'; layoutTestController.notifyDone(); } </script> </head> <body onload="go()"><div><img></div></body> 301408 4 rniwa 2010-10-28 16:08:03 -0700 Committed r70821: <http://trac.webkit.org/changeset/70821> 72242 2010-10-28 15:17:11 -0700 2010-10-28 15:33:06 -0700 fixes the bug bug-47888-20101028151710.patch text/plain 4540 rniwa SW5kZXg6IFdlYkNvcmUvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvQ2hhbmdlTG9n CShyZXZpc2lvbiA3MDgxNSkKKysrIFdlYkNvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBA IC0xLDMgKzEsMTkgQEAKKzIwMTAtMTAtMjggIFJ5b3N1a2UgTml3YSAgPHJuaXdhQHdlYmtpdC5v cmc+CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgY2hy b21lLmRsbCFXZWJDb3JlOjpOb2RlOjpzaGFkb3dBbmNlc3Rvck5vZGUgUmVhZEFWQE5VTEwgKDk4 NjQzMTkwODUxYjU2NjIzNjM0NDljYzczMDNkOGE1KQorICAgICAgICBodHRwczovL2J1Z3Mud2Vi a2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9NDc4ODgKKworICAgICAgICBUaGUgY3Jhc2ggd2FzIGNh dXNlZCBieSB0aGUgd2hpbGUgbG9vcCBpbiBBcHBseVN0eWxlQ29tbWFuZDo6Zml4UmFuZ2VBbmRB cHBseUlubGluZVN0eWxlCisgICAgICAgIG5vdCBjb25zaWRlcmluZyB0aGUgY2FzZSB3aGVyZSBz dGFydE5vZGUgaXMgdGhlIHJvb3QgZWRpdGFibGUgZWxlbWVudC4KKyAgICAgICAgRml4ZWQgdGhl IGJ1ZyBieSBub3QgZW50ZXJpbmcgdGhlIGxvb3Agd2hlbiBzdGFydE5vZGUgaXMgdGhlIGVkaXRh YmxlIHJvb3QuCisKKyAgICAgICAgVGVzdDogZWRpdGluZy9zdHlsZS9maXgtcmFuZ2UtZnJvbS1y b290LWVkaXRhYmxlLWNyYXNoLmh0bWwKKworICAgICAgICAqIGVkaXRpbmcvQXBwbHlTdHlsZUNv bW1hbmQuY3BwOgorICAgICAgICAoV2ViQ29yZTo6QXBwbHlTdHlsZUNvbW1hbmQ6OmZpeFJhbmdl QW5kQXBwbHlJbmxpbmVTdHlsZSk6CisKIDIwMTAtMTAtMjggIEVyaWMgQ2FybHNvbiAgPGVyaWMu Y2FybHNvbkBhcHBsZS5jb20+CiAKICAgICAgICAgUmV2aWV3ZWQgYnkgQWRhbSBSb2Jlbi4KSW5k ZXg6IFdlYkNvcmUvZWRpdGluZy9BcHBseVN0eWxlQ29tbWFuZC5jcHAKPT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0g V2ViQ29yZS9lZGl0aW5nL0FwcGx5U3R5bGVDb21tYW5kLmNwcAkocmV2aXNpb24gNzA3ODgpCisr KyBXZWJDb3JlL2VkaXRpbmcvQXBwbHlTdHlsZUNvbW1hbmQuY3BwCSh3b3JraW5nIGNvcHkpCkBA IC0xMTIzLDggKzExMjMsMTAgQEAgdm9pZCBBcHBseVN0eWxlQ29tbWFuZDo6Zml4UmFuZ2VBbmRB cHBseQogICAgIC8vIHRvIGdlbmVyYXRlIDxmb250IGNvbG9yPSJibHVlIiBzaXplPSI0Ij5oZWxs bzwvZm9udD4gaW5zdGVhZCBvZiA8Zm9udCBjb2xvcj0iYmx1ZSI+PGZvbnQgc2l6ZT0iNCI+aGVs bG88L2ZvbnQ+PC9mb250PgogICAgIFJlZlB0cjxSYW5nZT4gcmFuZ2UgPSBSYW5nZTo6Y3JlYXRl KHN0YXJ0Tm9kZS0+ZG9jdW1lbnQoKSwgc3RhcnQsIGVuZCk7CiAgICAgRWxlbWVudCogZWRpdGFi bGVSb290ID0gc3RhcnROb2RlLT5yb290RWRpdGFibGVFbGVtZW50KCk7Ci0gICAgd2hpbGUgKGVk aXRhYmxlUm9vdCAmJiBzdGFydE5vZGUtPnBhcmVudE5vZGUoKSAhPSBlZGl0YWJsZVJvb3QgJiYg aXNOb2RlVmlzaWJseUNvbnRhaW5lZFdpdGhpbihzdGFydE5vZGUtPnBhcmVudE5vZGUoKSwgcmFu Z2UuZ2V0KCkpKQotICAgICAgICBzdGFydE5vZGUgPSBzdGFydE5vZGUtPnBhcmVudE5vZGUoKTsK KyAgICBpZiAoc3RhcnROb2RlICE9IGVkaXRhYmxlUm9vdCkgeworICAgICAgICB3aGlsZSAoZWRp dGFibGVSb290ICYmIHN0YXJ0Tm9kZS0+cGFyZW50Tm9kZSgpICE9IGVkaXRhYmxlUm9vdCAmJiBp c05vZGVWaXNpYmx5Q29udGFpbmVkV2l0aGluKHN0YXJ0Tm9kZS0+cGFyZW50Tm9kZSgpLCByYW5n ZS5nZXQoKSkpCisgICAgICAgICAgICBzdGFydE5vZGUgPSBzdGFydE5vZGUtPnBhcmVudE5vZGUo KTsKKyAgICB9CiAKICAgICBhcHBseUlubGluZVN0eWxlVG9Ob2RlUmFuZ2Uoc3R5bGUsIHN0YXJ0 Tm9kZSwgcGFzdEVuZE5vZGUpOwogfQpJbmRleDogTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCj09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT0KLS0tIExheW91dFRlc3RzL0NoYW5nZUxvZwkocmV2aXNpb24gNzA4MTUpCisrKyBMYXlv dXRUZXN0cy9DaGFuZ2VMb2cJKHdvcmtpbmcgY29weSkKQEAgLTEsMyArMSwxOCBAQAorMjAxMC0x MC0yOCAgUnlvc3VrZSBOaXdhICA8cm5pd2FAd2Via2l0Lm9yZz4KKworICAgICAgICBSZXZpZXdl ZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBjaHJvbWUuZGxsIVdlYkNvcmU6Ok5vZGU6 OnNoYWRvd0FuY2VzdG9yTm9kZSBSZWFkQVZATlVMTCAoOTg2NDMxOTA4NTFiNTY2MjM2MzQ0OWNj NzMwM2Q4YTUpCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9p ZD00Nzg4OAorCisgICAgICAgIEFkZGVkIGEgdGVzdCB0byBlbnN1cmUgQXBwbHlTdHlsZUNvbW1h bmQ6OmZpeFJhbmdlQW5kQXBwbHlJbmxpbmVTdHlsZSBkb2Vzbid0IGNyYXNoCisgICAgICAgIHdo ZW4gc3RhcnROb2RlIGlzIGJvZHkgYW5kIGl0IGlzLCB0aGVyZWZvcmUsIHRoZSBlZGl0YWJsZSBy b290LgorCisgICAgICAgIE5vdGUgdGhhdCB0aGUgdGVzdCBkb2VzIG5vdCByZXByb2R1Y2UgdGhl IGNyYXNoIHdoZW4gRE9DVFlQRSBpcyBhZGRlZC4KKworICAgICAgICAqIGVkaXRpbmcvc3R5bGUv Zml4LXJhbmdlLWZyb20tcm9vdC1lZGl0YWJsZS1jcmFzaC1leHBlY3RlZC50eHQ6IEFkZGVkLgor ICAgICAgICAqIGVkaXRpbmcvc3R5bGUvZml4LXJhbmdlLWZyb20tcm9vdC1lZGl0YWJsZS1jcmFz aC5odG1sOiBBZGRlZC4KKwogMjAxMC0xMC0yOCAgRXJpYyBDYXJsc29uICA8ZXJpYy5jYXJsc29u QGFwcGxlLmNvbT4KIAogICAgICAgICBSZXZpZXdlZCBieSBBZGFtIFJvYmVuLgpJbmRleDogTGF5 b3V0VGVzdHMvZWRpdGluZy9zdHlsZS9maXgtcmFuZ2UtZnJvbS1yb290LWVkaXRhYmxlLWNyYXNo LWV4cGVjdGVkLnR4dAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBMYXlvdXRUZXN0cy9lZGl0aW5nL3N0eWxlL2Zp eC1yYW5nZS1mcm9tLXJvb3QtZWRpdGFibGUtY3Jhc2gtZXhwZWN0ZWQudHh0CShyZXZpc2lvbiAw KQorKysgTGF5b3V0VGVzdHMvZWRpdGluZy9zdHlsZS9maXgtcmFuZ2UtZnJvbS1yb290LWVkaXRh YmxlLWNyYXNoLWV4cGVjdGVkLnR4dAkocmV2aXNpb24gMCkKQEAgLTAsMCArMSwyIEBACitUaGlz IHRlc3RzIEFwcGx5U3R5bGVDb21tYW5kOjpmaXhSYW5nZUFuZEFwcGx5SW5saW5lU3R5bGUgZG9l cyBub3QgY3Jhc2ggd2hlbiBzdGFydE5vZGUgaXMgYm9keS4KK1BBU1MKSW5kZXg6IExheW91dFRl c3RzL2VkaXRpbmcvc3R5bGUvZml4LXJhbmdlLWZyb20tcm9vdC1lZGl0YWJsZS1jcmFzaC5odG1s Cj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT0KLS0tIExheW91dFRlc3RzL2VkaXRpbmcvc3R5bGUvZml4LXJhbmdlLWZyb20t cm9vdC1lZGl0YWJsZS1jcmFzaC5odG1sCShyZXZpc2lvbiAwKQorKysgTGF5b3V0VGVzdHMvZWRp dGluZy9zdHlsZS9maXgtcmFuZ2UtZnJvbS1yb290LWVkaXRhYmxlLWNyYXNoLmh0bWwJKHJldmlz aW9uIDApCkBAIC0wLDAgKzEsMjQgQEAKKzxodG1sPgorPGhlYWQ+Cis8c2NyaXB0PgorCitpZiAo d2luZG93LmxheW91dFRlc3RDb250cm9sbGVyKSB7CisgICAgbGF5b3V0VGVzdENvbnRyb2xsZXIu ZHVtcEFzVGV4dCgpOworICAgIGxheW91dFRlc3RDb250cm9sbGVyLndhaXRVbnRpbERvbmUoKTsK K30KKworZnVuY3Rpb24gZ28oKSB7CisgICAgZG9jdW1lbnQuZXhlY0NvbW1hbmQoIlNlbGVjdEFs bCIsICAgICAgICAgZmFsc2UsICJ1ciIpOworICAgIGRvY3VtZW50LmRlc2lnbk1vZGUgPSAib24i OworICAgIGRvY3VtZW50LmV4ZWNDb21tYW5kKCJJbnNlcnRPcmRlcmVkTGlzdCIsIGZhbHNlLCAi LS44Iik7CisgICAgZG9jdW1lbnQuZXhlY0NvbW1hbmQoImluc2VydHBhcmFncmFwaCIsICAgZmFs c2UsICIwNCIpOworICAgIGRvY3VtZW50LmV4ZWNDb21tYW5kKCJJbnNlcnRJbWFnZSIsICAgICAg IGZhbHNlLCAiLy8vKCIpOworICAgIGRvY3VtZW50LmV4ZWNDb21tYW5kKCJTZWxlY3RBbGwiLCAg ICAgICAgIGZhbHNlLCAidXIiKTsKKyAgICBkb2N1bWVudC5leGVjQ29tbWFuZCgic3RyaWtldGhy b3VnaCIsICAgICBmYWxzZSwgbnVsbCk7CisgICAgZG9jdW1lbnQuYm9keS5pbm5lckhUTUwgPSAn VGhpcyB0ZXN0cyBBcHBseVN0eWxlQ29tbWFuZDo6Zml4UmFuZ2VBbmRBcHBseUlubGluZVN0eWxl IGRvZXMgbm90IGNyYXNoIHdoZW4gc3RhcnROb2RlIGlzIGJvZHkuPGJyPlBBU1MnOworICAgIGxh eW91dFRlc3RDb250cm9sbGVyLm5vdGlmeURvbmUoKTsKK30KKzwvc2NyaXB0PgorPC9oZWFkPgor PGJvZHkgb25sb2FkPSJnbygpIj48L2JvZHk+Cis8L2h0bWw+Cg==