Bug 113837

Summary: DOM Range null dereference when detached in a mutation observer
Product: WebKit Reporter: Cyril CATTIAUX <cyril.cattiaux>
Component: DOMAssignee: Nobody <webkit-unassigned>
Status: RESOLVED CONFIGURATION CHANGED    
Severity: Normal CC: annevk, ap, rniwa, sergejlacz8
Priority: P1    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
test case
none
OSX Crash Report
none
test case 2
none
OSX Crash Report 2 none

Cyril CATTIAUX
Reported 2013-04-02 17:09:07 PDT
Registering a DOMSubtreeModified on a node, creating a range selecting its text node, then triggering the event and detaching the Range into it will produce a NULL dereference. (test case attached) Exception (Safari 6.0.2 on OS X 10.8.2) : WebKit nightly is also affected.
Attachments
test case (555 bytes, text/html)
2013-04-02 17:09 PDT, Cyril CATTIAUX 		no flags
Details
OSX Crash Report (57.66 KB, text/plain)
2013-04-02 17:13 PDT, Cyril CATTIAUX 		no flags
Details
test case 2 (506 bytes, text/html)
2013-04-02 17:24 PDT, Cyril CATTIAUX 		no flags
Details
OSX Crash Report 2 (55.49 KB, text/plain)
2013-04-02 17:26 PDT, Cyril CATTIAUX 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Cyril CATTIAUX
Comment 1 2013-04-02 17:09:45 PDT
Created attachment 196256 [details] test case
Cyril CATTIAUX
Comment 2 2013-04-02 17:13:44 PDT
Created attachment 196257 [details] OSX Crash Report
Cyril CATTIAUX
Comment 3 2013-04-02 17:16:11 PDT
Exception (Safari 6.0.2 on OS X 10.8.2) : Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000000 ... Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x000000010e45cb51 WebCore::checkAcceptChild(WebCore::Node*, WebCore::Node*, int&) + 33 1 com.apple.WebCore 0x000000010e45cb01 WebCore::Node::checkAddChild(WebCore::Node*, int&) + 33 2 com.apple.WebCore 0x000000010e518f23 WebCore::ContainerNode::insertBefore(WTF::PassRefPtr<WebCore::Node>, WebCore::Node*, int&, bool) + 163 3 com.apple.WebCore 0x000000010e697a35 WebCore::Range::insertNode(WTF::PassRefPtr<WebCore::Node>, int&) + 757 4 com.apple.WebCore 0x000000010e6976f2 WebCore::jsRangePrototypeFunctionInsertNode(JSC::ExecState*) + 162 5 ??? 0x000034147c401265 0 + 57262588564069 ...
Cyril CATTIAUX
Comment 4 2013-04-02 17:24:14 PDT
Created attachment 196259 [details] test case 2
Cyril CATTIAUX
Comment 5 2013-04-02 17:26:16 PDT
Created attachment 196260 [details] OSX Crash Report 2
Cyril CATTIAUX
Comment 6 2013-04-02 17:28:25 PDT
Test case 2 will produce another kind of null deref : Exception (Safari 6.0.2 on OS X 10.8.2) : Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000025 ... Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x000000010ecd1a0a WebCore::Range::insertNode(WTF::PassRefPtr<WebCore::Node>, int&) + 714 1 com.apple.WebCore 0x000000010ecd16f2 WebCore::jsRangePrototypeFunctionInsertNode(JSC::ExecState*) + 162 2 ??? 0x000022d2c7201265 0 + 38288679244389 ...
Alexey Proskuryakov
Comment 7 2013-04-05 10:49:20 PDT
> Test case 2 will produce another kind of null deref : Ideally, different issues should be tracked in separate bugs. Keeping them together adds a lot of confusion (such as confusion when discussing issues, or closing a bug when only one of the issues was fixed).
Anne van Kesteren
Comment 8 2024-03-15 05:48:53 PDT
Both tests appear to work fine today.
Note You need to log in before you can comment on or make changes to this bug.