76812 2012-01-23 00:13:28 -0800 Crash in previousLinePosition when moving into a root inline box without leaves 2012-01-30 16:18:28 -0800 1 1 1 Unclassified WebKit HTML Editing 528+ (Nightly build) PC Windows Vista RESOLVED FIXED P1 Normal --- 1 skylined rniwa darin enrica hyatt leviw mitz rniwa oldest_to_newest 540407 0 skylined 2012-01-23 00:13:28 -0800 Chromium: http://code.google.com/p/chromium/issues/detail?id=111026 Detailed report: https://cluster-fuzz.appspot.com/testcase?key=15314965 Uploader: skylined@chromium.org Crash Type: UNKNOWN Crash Address: 0x000000000035 Crash State: - crash stack - WebCore::RootInlineBox::closestLeafChildForLogicalLeftPosition WebCore::nextLinePosition WebCore::nextParagraphPosition Regressed: https://cluster-fuzz.appspot.com/revisions?range=108839:108881 There are two variations, the first one crashes in nextLinePosition, the second one calls RootInlineBox::closestLeafChildForLogicalLeftPosition from nextLinePosition and crashes in the later. The repro from is almost the same; one turns "design-mode" off before modifying the selection, the other does not. Given the similarity in stack and repro, I assume the root cause is the same, so I'm not filing a separate bug for the variation. <script> window.onload=function(){ document.designMode="on"; document.write("\x3Clabel style=\"-webkit-mask-attachment: locarit; -webkit-margin-start: inherit;\" class=\"class_2\" ondurationchange/\x3E"); document.execCommand("selectall", false); document.execCommand("inserthorizontalrule", false); document.execCommand("selectall"); document.execCommand("ForwardDelete", false); document.designMode="off"; // Remove to get a different crash window.getSelection().modify("move","forward","paragraph"); } </script> Stack: id: chrome.dll!WebCore::RootInlineBox::closestLeafChildForLogicalLeftPosition ReadAV@NULL (2e192a450f79a729ce10a9a093aa98c7) description: Attempt to read from unallocated NULL pointer+0x21 in chrome.dll!WebCore::RootInlineBox::closestLeafChildForLogicalLeftPosition application: Chromium 18.0.1011.0 stack: chrome.dll!WebCore::RootInlineBox::closestLeafChildForLogicalLeftPosition chrome.dll!WebCore::nextLinePosition chrome.dll!WebCore::nextParagraphPosition chrome.dll!WebCore::FrameSelection::modifyMovingForward chrome.dll!WebCore::FrameSelection::modify chrome.dll!WebCore::DOMSelection::modify chrome.dll!WebCore::DOMSelectionInternal::modifyCallback 545430 1 124603 rniwa 2012-01-30 14:45:01 -0800 Created attachment 124603 fixes the crash 545546 2 124603 enrica 2012-01-30 16:10:29 -0800 Comment on attachment 124603 fixes the crash Looks good to me. 545553 3 rniwa 2012-01-30 16:15:54 -0800 Thanks for review! Landing it now. 545560 4 124603 rniwa 2012-01-30 16:18:24 -0800 Comment on attachment 124603 fixes the crash Clearing flags on attachment: 124603 Committed r106298: <http://trac.webkit.org/changeset/106298> 545561 5 rniwa 2012-01-30 16:18:28 -0800 All reviewed patches have been landed. Closing bug. 124603 2012-01-30 14:45:01 -0800 2012-01-30 16:18:24 -0800 fixes the crash bug-76812-20120130144500.patch text/plain 3999 rniwa SW5kZXg6IFNvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2Vi Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDEwNjI4OSkKKysrIFNvdXJjZS9XZWJDb3JlL0NoYW5n ZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE5IEBACisyMDEyLTAxLTMwICBSeW9zdWtl IE5pd2EgIDxybml3YUB3ZWJraXQub3JnPgorCisgICAgICAgIENyYXNoIGluIHByZXZpb3VzTGlu ZVBvc2l0aW9uIHdoZW4gbW92aW5nIGludG8gYSByb290IGlubGluZSBib3ggd2l0aG91dCBsZWF2 ZXMKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTc2ODEy CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgVGhlIGNy YXNoIHdhcyBjYXVzZWQgYnkgdXMgYXNzdW1pbmcgdGhhdCBldmVyeSByb290IGlubGluZSBib3gg aGFzIGF0IGxlYXN0IG9uZSBsZWFmLAorICAgICAgICB3aGljaCBpc24ndCB0cnVlIHdoZW4gd2Ug Y3JlYXRlIGlubGluZSBib3hlcyBmb3IgYW4gZW1wdHkgdGV4dCBydW4gd2l0aCBtYXJnaW4sIGJv cmRlciwgZXRjLi4uCisKKyAgICAgICAgVGVzdDogZWRpdGluZy9zZWxlY3Rpb24vbW92ZS1pbnRv LWVtcHR5LXJvb3QtaW5saW5lLWJveC5odG1sCisKKyAgICAgICAgKiBlZGl0aW5nL3Zpc2libGVf dW5pdHMuY3BwOgorICAgICAgICAoV2ViQ29yZTo6cHJldmlvdXNMaW5lUG9zaXRpb24pOgorICAg ICAgICAoV2ViQ29yZTo6bmV4dExpbmVQb3NpdGlvbik6CisKIDIwMTItMDEtMzAgIEFkcmllbm5l IFdhbGtlciAgPGVubmVAZ29vZ2xlLmNvbT4KIAogICAgICAgICBbY2hyb21pdW1dIEFsd2F5cyBw cmUtcmVzZXJ2ZSBzY3JvbGxiYXIgYW5kIHNjcm9sbCBjb3JuZXIgdGV4dHVyZXMKSW5kZXg6IFNv dXJjZS9XZWJDb3JlL2VkaXRpbmcvdmlzaWJsZV91bml0cy5jcHAKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL1dlYkNvcmUvZWRpdGluZy92aXNpYmxlX3VuaXRzLmNwcAkocmV2aXNpb24gMTA2MjcwKQor KysgU291cmNlL1dlYkNvcmUvZWRpdGluZy92aXNpYmxlX3VuaXRzLmNwcAkod29ya2luZyBjb3B5 KQpAQCAtNTc2LDcgKzU3Niw3IEBAIFZpc2libGVQb3NpdGlvbiBwcmV2aW91c0xpbmVQb3NpdGlv bihjb24KICAgICAgICAgcm9vdCA9IGJveC0+cm9vdCgpLT5wcmV2Um9vdEJveCgpOwogICAgICAg ICAvLyBXZSB3YW50IHRvIHNraXAgemVybyBoZWlnaHQgYm94ZXMuCiAgICAgICAgIC8vIFRoaXMg Y291bGQgaGFwcGVuIGluIGNhc2UgaXQgaXMgYSBUcmFpbGluZ0Zsb2F0c1Jvb3RJbmxpbmVCb3gu Ci0gICAgICAgIGlmICghcm9vdCB8fCAhcm9vdC0+bG9naWNhbEhlaWdodCgpKQorICAgICAgICBp ZiAoIXJvb3QgfHwgIXJvb3QtPmxvZ2ljYWxIZWlnaHQoKSB8fCAhcm9vdC0+Zmlyc3RMZWFmQ2hp bGQoKSkKICAgICAgICAgICAgIHJvb3QgPSAwOwogICAgIH0KIApAQCAtNjc3LDcgKzY3Nyw3IEBA IFZpc2libGVQb3NpdGlvbiBuZXh0TGluZVBvc2l0aW9uKGNvbnN0IFYKICAgICAgICAgcm9vdCA9 IGJveC0+cm9vdCgpLT5uZXh0Um9vdEJveCgpOwogICAgICAgICAvLyBXZSB3YW50IHRvIHNraXAg emVybyBoZWlnaHQgYm94ZXMuCiAgICAgICAgIC8vIFRoaXMgY291bGQgaGFwcGVuIGluIGNhc2Ug aXQgaXMgYSBUcmFpbGluZ0Zsb2F0c1Jvb3RJbmxpbmVCb3guCi0gICAgICAgIGlmICghcm9vdCB8 fCAhcm9vdC0+bG9naWNhbEhlaWdodCgpKQorICAgICAgICBpZiAoIXJvb3QgfHwgIXJvb3QtPmxv Z2ljYWxIZWlnaHQoKSB8fCAhcm9vdC0+Zmlyc3RMZWFmQ2hpbGQoKSkKICAgICAgICAgICAgIHJv b3QgPSAwOwogICAgIH0KIApJbmRleDogTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCj09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0K LS0tIExheW91dFRlc3RzL0NoYW5nZUxvZwkocmV2aXNpb24gMTA2Mjg5KQorKysgTGF5b3V0VGVz dHMvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEsMTUgQEAKKzIwMTItMDEtMzAg IFJ5b3N1a2UgTml3YSAgPHJuaXdhQHdlYmtpdC5vcmc+CisKKyAgICAgICAgQ3Jhc2ggaW4gcHJl dmlvdXNMaW5lUG9zaXRpb24gd2hlbiBtb3ZpbmcgaW50byBhIHJvb3QgaW5saW5lIGJveCB3aXRo b3V0IGxlYXZlcworICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/ aWQ9NzY4MTIKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAg ICBBZGQgYSByZWdyZXNzaW9uIHRlc3QgZm9yIHRoZSBjcmFzaC4gVW5mb3J0dW5hdGVseSwgd2Ug Y2FuIG9ubHkgdGVzdCBwcmV2aW91c0xpbmVQb3NpdGlvbi4KKworICAgICAgICAqIGVkaXRpbmcv c2VsZWN0aW9uL21vdmUtaW50by1lbXB0eS1yb290LWlubGluZS1ib3gtZXhwZWN0ZWQudHh0OiBB ZGRlZC4KKyAgICAgICAgKiBlZGl0aW5nL3NlbGVjdGlvbi9tb3ZlLWludG8tZW1wdHktcm9vdC1p bmxpbmUtYm94Lmh0bWw6IEFkZGVkLgorCiAyMDEyLTAxLTMwICBMZXZpIFdlaW50cmF1YiAgPGxl dml3QGNocm9taXVtLm9yZz4KIAogICAgICAgICBVbnJldmlld2VkIGdhcmRlbmluZy4gTWFya2lu ZyBmYXN0L2pzL2RmZy1pbnQzMmFycmF5LW92ZXJmbG93LXZhbHVlcy5odG1sIGFzIHNsb3cKSW5k ZXg6IExheW91dFRlc3RzL2VkaXRpbmcvc2VsZWN0aW9uL21vdmUtaW50by1lbXB0eS1yb290LWlu bGluZS1ib3gtZXhwZWN0ZWQudHh0Cj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIExheW91dFRlc3RzL2VkaXRpbmcv c2VsZWN0aW9uL21vdmUtaW50by1lbXB0eS1yb290LWlubGluZS1ib3gtZXhwZWN0ZWQudHh0CShy ZXZpc2lvbiAwKQorKysgTGF5b3V0VGVzdHMvZWRpdGluZy9zZWxlY3Rpb24vbW92ZS1pbnRvLWVt cHR5LXJvb3QtaW5saW5lLWJveC1leHBlY3RlZC50eHQJKHJldmlzaW9uIDApCkBAIC0wLDAgKzEs MiBAQAorCitUaGlzIHRlc3RzIG1vdmluZyBpbnRvIGFuIGVtcHR5IHJvb3QgaW5saW5lIGJveGVz LiBUaGUgdGVzdCBwYXNzZXMgYXMgbG9uZyBhcyBXZWJLaXQgZG9lc24ndCBjcmFzaC4KSW5kZXg6 IExheW91dFRlc3RzL2VkaXRpbmcvc2VsZWN0aW9uL21vdmUtaW50by1lbXB0eS1yb290LWlubGlu ZS1ib3guaHRtbAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09Ci0tLSBMYXlvdXRUZXN0cy9lZGl0aW5nL3NlbGVjdGlvbi9t b3ZlLWludG8tZW1wdHktcm9vdC1pbmxpbmUtYm94Lmh0bWwJKHJldmlzaW9uIDApCisrKyBMYXlv dXRUZXN0cy9lZGl0aW5nL3NlbGVjdGlvbi9tb3ZlLWludG8tZW1wdHktcm9vdC1pbmxpbmUtYm94 Lmh0bWwJKHJldmlzaW9uIDApCkBAIC0wLDAgKzEsMTAgQEAKKzwhRE9DVFlQRSBodG1sPjxodG1s Pjxib2R5Pjxicj48bGFiZWwgc3R5bGU9Im1hcmdpbi1sZWZ0OiBpbmhlcml0OyI+PC9sYWJlbD48 c2NyaXB0PgorCitpZiAod2luZG93LmxheW91dFRlc3RDb250cm9sbGVyKQorICAgIGxheW91dFRl c3RDb250cm9sbGVyLmR1bXBBc1RleHQoKTsKKworZ2V0U2VsZWN0aW9uKCkuc2V0UG9zaXRpb24o ZG9jdW1lbnQucXVlcnlTZWxlY3RvcignYnInKSwgMCk7CitnZXRTZWxlY3Rpb24oKS5tb2RpZnko Im1vdmUiLCJmb3J3YXJkIiwicGFyYWdyYXBoIik7Citkb2N1bWVudC53cml0ZWxuKCJUaGlzIHRl c3RzIG1vdmluZyBpbnRvIGFuIGVtcHR5IHJvb3QgaW5saW5lIGJveGVzLiBUaGUgdGVzdCBwYXNz ZXMgYXMgbG9uZyBhcyBXZWJLaXQgZG9lc24ndCBjcmFzaC4iKTsKKworPC9zY3JpcHQ+PC9ib2R5 PjwvaHRtbD4K