53267 2011-01-27 16:39:43 -0800 NULL pointer crash in TextIterator::handleTextBox() 2011-01-28 14:17:40 -0800 1 1 1 Unclassified WebKit CSS 528+ (Nightly build) All OS X 10.6 RESOLVED FIXED P2 Normal --- 0 tsepez webkit-unassigned commit-queue eric mitz oldest_to_newest 341127 0 tsepez 2011-01-27 16:39:43 -0800 The following test case triggers a crash (or an assert in the debug version): } <style> *:nth-child(2):first-letter {float: left;direction: rtl; </style> Error is:ASSERTION FAILED: i < size() (../../JavaScriptCore/wtf/Vector.h:534 T& WTF::Vector<T, inlineCapacity>::at(size_t) [with T = WebCore::InlineTextBox*, long unsigned int inlineCapacity = 0ul]) Program received signal EXC_BAD_ACCESS, Could not access memory. Reason: KERN_INVALID_ADDRESS at address: 0xbbadbeef [Switching to process 19707] 0x026790c7 in WTF::Vector<WebCore::InlineTextBox*, 0ul>::at (this=0xb49b7b44, i=0) at Vector.h:534 534 ASSERT(i < size()); (gdb) where #0 0x026790c7 in WTF::Vector<WebCore::InlineTextBox*, 0ul>::at (this=0xb49b7b44, i=0) at Vector.h:534 #1 0x0267910c in WTF::Vector<WebCore::InlineTextBox*, 0ul>::operator[] (this=0xb49b7b44, i=0) at Vector.h:543 #2 0x0267514d in WebCore::TextIterator::handleTextBox (this=0xb49b7ad8) at /Volumes/MacintoshHD2/c1/src/third_party/WebKit/WebCore/WebCore.gyp/../editing/TextIterator.cpp:545 #3 0x02675a97 in WebCore::TextIterator::handleTextNode (this=0xb49b7ad8) at /Volumes/MacintoshHD2/c1/src/third_party/WebKit/WebCore/WebCore.gyp/../editing/TextIterator.cpp:526 #4 0x02675c72 in WebCore::TextIterator::advance (this=0xb49b7ad8) at /Volumes/MacintoshHD2/c1/src/third_party/WebKit/WebCore/WebCore.gyp/../editing/TextIterator.cpp:403 #5 0x02676c37 in WebCore::TextIterator::TextIterator (this=0xb49b7ad8, r=0x2ed1cb30, behavior=WebCore::TextIteratorDefaultBehavior) at /Volumes/MacintoshHD2/c1/src/third_party/WebKit/WebCore/WebCore.gyp/../editing/TextIterator.cpp:344 #6 0x01f34394 in WebKit::frameContentAsPlainText (maxChars=65535, frame=0xb863600, output=0xb49b7bb0) at /Volumes/MacintoshHD2/c1/src/third_party/WebKit/WebKit/chromium/src/WebFrameImpl.cpp:204 #7 0x01f346a7 in WebKit::WebFrameImpl::contentAsText (this=0xc0489f0, maxChars=65535) at /Volumes/MacintoshHD2/c1/src/third_party/WebKit/WebKit/chromium/src/WebFrameImpl.cpp:1701 Appears similar to http://trac.webkit.org/changeset/58153 ; the same fix also needs to be applied a few lines lower where that logic is repeated. 341131 1 80378 tsepez 2011-01-27 16:55:57 -0800 Created attachment 80378 Proposed patch to check for empty vector as above. 341633 2 80378 eric 2011-01-28 12:22:30 -0800 Comment on attachment 80378 Proposed patch to check for empty vector as above. View in context: https://bugs.webkit.org/attachment.cgi?id=80378&action=review Looks sane. > Source/WebCore/editing/TextIterator.cpp:546 > + InlineTextBox* firstTextBox = renderer->containsReversedText() ? (m_sortedTextBoxes.isEmpty() ? 0 : m_sortedTextBoxes[0]) : renderer->firstTextBox(); vector really wants a version of it's .at() call which can handle oversized indicies and return a defautl value. 341636 3 eric 2011-01-28 12:22:48 -0800 Being our rtl guy, mitz might want to see this go by. 341730 4 80378 commit-queue 2011-01-28 14:17:35 -0800 Comment on attachment 80378 Proposed patch to check for empty vector as above. Clearing flags on attachment: 80378 Committed r76987: <http://trac.webkit.org/changeset/76987> 341731 5 commit-queue 2011-01-28 14:17:40 -0800 All reviewed patches have been landed. Closing bug. 80378 2011-01-27 16:55:57 -0800 2011-01-28 14:17:35 -0800 Proposed patch to check for empty vector as above. patch-53267.txt text/plain 3379 tsepez SW5kZXg6IFNvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2Vi Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDc2ODY0KQorKysgU291cmNlL1dlYkNvcmUvQ2hhbmdl TG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEsMTUgQEAKKzIwMTEtMDEtMjcgIFRvbSBTZXBl eiAgPHRzZXBlekBjaHJvbWl1bS5vcmc+CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChP T1BTISkuCisKKyAgICAgICAgTlVMTCBwb2ludGVyIGNyYXNoIGluIFRleHRJdGVyYXRvcjo6aGFu ZGxlVGV4dEJveCgpCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNn aT9pZD01MzI2NworCisgICAgICAgIFRlc3Q6IGZhc3QvY3NzL3J0bC1udGgtY2hpbGQtZmlyc3Qt bGV0dGVyLWNyYXNoLmh0bWwKKworICAgICAgICAqIGVkaXRpbmcvVGV4dEl0ZXJhdG9yLmNwcDoK KyAgICAgICAgKFdlYkNvcmU6OlRleHRJdGVyYXRvcjo6aGFuZGxlVGV4dEJveCk6CisKIDIwMTEt MDEtMjcgIEFkcmllbm5lIFdhbGtlciAgPGVubmVAZ29vZ2xlLmNvbT4KIAogICAgICAgICBSZXZp ZXdlZCBieSBKYW1lcyBSb2JpbnNvbi4KSW5kZXg6IFNvdXJjZS9XZWJDb3JlL2VkaXRpbmcvVGV4 dEl0ZXJhdG9yLmNwcAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2ViQ29yZS9lZGl0aW5nL1RleHRJ dGVyYXRvci5jcHAJKHJldmlzaW9uIDc2ODU1KQorKysgU291cmNlL1dlYkNvcmUvZWRpdGluZy9U ZXh0SXRlcmF0b3IuY3BwCSh3b3JraW5nIGNvcHkpCkBAIC01NDMsNyArNTQzLDcgQEAgdm9pZCBU ZXh0SXRlcmF0b3I6OmhhbmRsZVRleHRCb3goKQogICAgICAgICB1bnNpZ25lZCBydW5TdGFydCA9 IG1heCh0ZXh0Qm94U3RhcnQsIHN0YXJ0KTsKIAogICAgICAgICAvLyBDaGVjayBmb3IgY29sbGFw c2VkIHNwYWNlIGF0IHRoZSBzdGFydCBvZiB0aGlzIHJ1bi4KLSAgICAgICAgSW5saW5lVGV4dEJv eCogZmlyc3RUZXh0Qm94ID0gcmVuZGVyZXItPmNvbnRhaW5zUmV2ZXJzZWRUZXh0KCkgPyBtX3Nv cnRlZFRleHRCb3hlc1swXSA6IHJlbmRlcmVyLT5maXJzdFRleHRCb3goKTsKKyAgICAgICAgSW5s aW5lVGV4dEJveCogZmlyc3RUZXh0Qm94ID0gcmVuZGVyZXItPmNvbnRhaW5zUmV2ZXJzZWRUZXh0 KCkgPyAobV9zb3J0ZWRUZXh0Qm94ZXMuaXNFbXB0eSgpID8gMCA6IG1fc29ydGVkVGV4dEJveGVz WzBdKSA6IHJlbmRlcmVyLT5maXJzdFRleHRCb3goKTsKICAgICAgICAgYm9vbCBuZWVkU3BhY2Ug PSBtX2xhc3RUZXh0Tm9kZUVuZGVkV2l0aENvbGxhcHNlZFNwYWNlCiAgICAgICAgICAgICB8fCAo bV90ZXh0Qm94ID09IGZpcnN0VGV4dEJveCAmJiB0ZXh0Qm94U3RhcnQgPT0gcnVuU3RhcnQgJiYg cnVuU3RhcnQgPiAwKTsKICAgICAgICAgaWYgKG5lZWRTcGFjZSAmJiAhaXNDb2xsYXBzaWJsZVdo aXRlc3BhY2UobV9sYXN0Q2hhcmFjdGVyKSAmJiBtX2xhc3RDaGFyYWN0ZXIpIHsKSW5kZXg6IExh eW91dFRlc3RzL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBMYXlvdXRUZXN0cy9DaGFuZ2VMb2cJ KHJldmlzaW9uIDc2ODY0KQorKysgTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkp CkBAIC0xLDMgKzEsMTMgQEAKKzIwMTEtMDEtMjcgIFRvbSBTZXBleiAgPHRzZXBlekBjaHJvbWl1 bS5vcmc+CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAg TlVMTCBwb2ludGVyIGNyYXNoIGluIFRleHRJdGVyYXRvcjo6aGFuZGxlVGV4dEJveCgpCisgICAg ICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD01MzI2NworCisgICAg ICAgICogZmFzdC9jc3MvcnRsLW50aC1jaGlsZC1maXJzdC1sZXR0ZXItY3Jhc2gtZXhwZWN0ZWQu dHh0OiBBZGRlZC4KKyAgICAgICAgKiBmYXN0L2Nzcy9ydGwtbnRoLWNoaWxkLWZpcnN0LWxldHRl ci1jcmFzaC5odG1sOiBBZGRlZC4KKwogMjAxMS0wMS0yNyAgRGlyayBTY2h1bHplICA8a3JpdEB3 ZWJraXQub3JnPgogCiAgICAgICAgIFVucmV2aWV3ZWQgcmViYXNlbGluZS4KSW5kZXg6IExheW91 dFRlc3RzL2Zhc3QvY3NzL3J0bC1udGgtY2hpbGQtZmlyc3QtbGV0dGVyLWNyYXNoLWV4cGVjdGVk LnR4dAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09Ci0tLSBMYXlvdXRUZXN0cy9mYXN0L2Nzcy9ydGwtbnRoLWNoaWxkLWZp cnN0LWxldHRlci1jcmFzaC1leHBlY3RlZC50eHQJKHJldmlzaW9uIDApCisrKyBMYXlvdXRUZXN0 cy9mYXN0L2Nzcy9ydGwtbnRoLWNoaWxkLWZpcnN0LWxldHRlci1jcmFzaC1leHBlY3RlZC50eHQJ KHJldmlzaW9uIDApCkBAIC0wLDAgKzEsNCBAQAorfQorTlVMTCBwb2ludGVyIGNyYXNoIGluIFRl eHRJdGVyYXRvcjo6aGFuZGxlVGV4dEJveCgpIHdoZW4gdXNpbmcgUlRMIHRleHQuIElmIHRoZXJl IGlzIG5vIGNyYXNoLCB0aGVuIHRoZSB0ZXN0IHBhc3Nlcy4KKworSWYgeW91IGNhbiBzZWUgdGhp cywgdGhlbiB0aGUgdGVzdCBwYXNzZXMuCkluZGV4OiBMYXlvdXRUZXN0cy9mYXN0L2Nzcy9ydGwt bnRoLWNoaWxkLWZpcnN0LWxldHRlci1jcmFzaC5odG1sCj09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIExheW91dFRl c3RzL2Zhc3QvY3NzL3J0bC1udGgtY2hpbGQtZmlyc3QtbGV0dGVyLWNyYXNoLmh0bWwJKHJldmlz aW9uIDApCisrKyBMYXlvdXRUZXN0cy9mYXN0L2Nzcy9ydGwtbnRoLWNoaWxkLWZpcnN0LWxldHRl ci1jcmFzaC5odG1sCShyZXZpc2lvbiAwKQpAQCAtMCwwICsxLDExIEBACit9DQorPHN0eWxlPg0K KyAqOm50aC1jaGlsZCgyKTpmaXJzdC1sZXR0ZXIge2Zsb2F0OiBsZWZ0O2RpcmVjdGlvbjogcnRs Ow0KKzwvc3R5bGU+DQorPHA+TlVMTCBwb2ludGVyIGNyYXNoIGluIFRleHRJdGVyYXRvcjo6aGFu ZGxlVGV4dEJveCgpIHdoZW4gdXNpbmcgUlRMIHRleHQuDQorSWYgdGhlcmUgaXMgbm8gY3Jhc2gs IHRoZW4gdGhlIHRlc3QgcGFzc2VzLjwvcD4NCis8c2NyaXB0Pg0KKyAgICBpZiAod2luZG93Lmxh eW91dFRlc3RDb250cm9sbGVyKQ0KKyAgICAgICAgbGF5b3V0VGVzdENvbnRyb2xsZXIuZHVtcEFz VGV4dCgpOw0KKzwvc2NyaXB0Pg0KKzxwPklmIHlvdSBjYW4gc2VlIHRoaXMsIHRoZW4gdGhlIHRl c3QgcGFzc2VzLjwvcD4NCg==