Bug 113837

Summary:

DOM Range null dereference when detached in a mutation observer

Product:

WebKit

Reporter:

Cyril CATTIAUX <cyril.cattiaux>

Component:

DOM

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED CONFIGURATION CHANGED

Severity:

Normal

CC:

annevk, ap, rniwa, sergejlacz8

Priority:

Version:

528+ (Nightly build)

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
test case	none
OSX Crash Report	none
test case 2	none
OSX Crash Report 2	none

Description Cyril CATTIAUX 2013-04-02 17:09:07 PDT

Registering a DOMSubtreeModified on a node, creating a range selecting its text node, then triggering the event and detaching the Range into it will produce a NULL dereference.

(test case attached)

Exception (Safari 6.0.2 on OS X 10.8.2) :










WebKit nightly is also affected.

Comment 1 Cyril CATTIAUX 2013-04-02 17:09:45 PDT

Created attachment 196256 [details]
test case

Comment 2 Cyril CATTIAUX 2013-04-02 17:13:44 PDT

Created attachment 196257 [details]
OSX Crash Report

Comment 3 Cyril CATTIAUX 2013-04-02 17:16:11 PDT

Exception (Safari 6.0.2 on OS X 10.8.2) :

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000000
...
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore                   0x000000010e45cb51 WebCore::checkAcceptChild(WebCore::Node*, WebCore::Node*, int&) + 33
1   com.apple.WebCore                   0x000000010e45cb01 WebCore::Node::checkAddChild(WebCore::Node*, int&) + 33
2   com.apple.WebCore                   0x000000010e518f23 WebCore::ContainerNode::insertBefore(WTF::PassRefPtr<WebCore::Node>, WebCore::Node*, int&, bool) + 163
3   com.apple.WebCore                   0x000000010e697a35 WebCore::Range::insertNode(WTF::PassRefPtr<WebCore::Node>, int&) + 757
4   com.apple.WebCore                   0x000000010e6976f2 WebCore::jsRangePrototypeFunctionInsertNode(JSC::ExecState*) + 162
5   ???                                 0x000034147c401265 0 + 57262588564069
...

Comment 4 Cyril CATTIAUX 2013-04-02 17:24:14 PDT

Created attachment 196259 [details]
test case 2

Comment 5 Cyril CATTIAUX 2013-04-02 17:26:16 PDT

Created attachment 196260 [details]
OSX Crash Report 2

Comment 6 Cyril CATTIAUX 2013-04-02 17:28:25 PDT

Test case 2 will produce another kind of null deref :

Exception (Safari 6.0.2 on OS X 10.8.2) :

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000025
...
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore                   0x000000010ecd1a0a WebCore::Range::insertNode(WTF::PassRefPtr<WebCore::Node>, int&) + 714
1   com.apple.WebCore                   0x000000010ecd16f2 WebCore::jsRangePrototypeFunctionInsertNode(JSC::ExecState*) + 162
2   ???                                 0x000022d2c7201265 0 + 38288679244389
...

Comment 7 Alexey Proskuryakov 2013-04-05 10:49:20 PDT

> Test case 2 will produce another kind of null deref :

Ideally, different issues should be tracked in separate bugs. Keeping them together adds a lot of confusion (such as confusion when discussing issues, or closing a bug when only one of the issues was fixed).

Comment 8 Anne van Kesteren 2024-03-15 05:48:53 PDT

Both tests appear to work fine today.