Bug 23484

Summary: calling toString() on the range object crashes the browser
Product: WebKit Reporter: Raul D <raul>
Component: WebCore JavaScriptAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Major CC: mrowe
Priority: P1 Keywords: HasReduction, InRadar
Version: 525.x (Safari 3.2)   
Hardware: PC   
OS: All   
Attachments:
Description Flags
Repro script crashing browser on text editor application
none
Side by side Safari, Firefox, IE raul: review-

Raul D
Reported 2009-01-22 16:27:39 PST
[See attached code at the bottom of this report] Repro steps: Open the attached code in Safari Click on the editable div Type two lines of text, such as: abcd defg Select all text in the div (either CTRL-A or with the mouse/keyboard) Click on the "bold" button Observe the text gets bold and the text in the selection is shown in an alert dialog Close the dialog by clicking OK Optionally reload the page and repeat steps 1-3 Click on the "justifycenter" button Observe the browser crashes Notes: Repros in Safari 3.1.2 (525.21) for Windows Repros in Safari 3.1.2 (5525.20.1) for Mac Repros in Google Chrome 1.0.154.43 for Windows Does not repro in WebKit r40022 for Windows built on 19 January 2009 Does not repro if in step 2 you type only 1 line of text It appears that calling toString() on the range object crashes the browser in the "justifycenter" case but not the "bold" case ------------START REPRO CODE---------------------- <html> <head> <title>Safari 3 bug repro case</title> <script type="text/javascript"> function button_onclick(command) { var selection = window.getSelection(); var range = selection.getRangeAt(0); window.document.execCommand(command, false, 1); if(range && range.toString) { // This is the code that crashes the browser alert(range.toString()); } } </script> </head> <body> <div> <div id="editor" style="height:15em; width:100%; border:solid 1px blue" contenteditable="true"></div> </div> <input id="center" type="button" value="justifycenter" onclick="button_onclick('justifycenter')" /> <input id="bold" type="button" value="bold" onclick="button_onclick('bold')" /> <br /> <br /> <div>Repro steps: <ol> <li>Click on the editable div above</li> <li>Type two lines of text, such as:<br />abcd<br />defg</li> <li>Select all text in the div (either CTRL-A or with the mouse/keyboard)</li> <li>Click on the "bold" button</li> <li>Observe the text gets bold and the text in the selection is shown in an alert dialog</li> <li>Close the dialog by clicking OK</li> <li>Optionally reload the page and repeat steps 1-3</li> <li>Click on the "justifycenter" button</li> <li>Observe the browser crashes</li> </ol> </div> <div>Notes: <ul> <li>Repros in Safari 3.1.2 (525.21) for Windows</li> <li>Repros in Safari 3.1.2 (5525.20.1) for Mac</li> <li>Repros in Google Chrome 1.0.154.43 for Windows</li> <li>Does not repro in WebKit r40022 for Windows built on 19 January 2009</li> <li>Does not repro if in step 2 you type only 1 line of text</li> <li>It appears that calling toString() on the range object crashes the browser in the "justifycenter" case but not the "bold" case</li> </ul> </div> </body> </html> ------------END REPRO CODE------------------------
Attachments
Repro script crashing browser on text editor application (2.33 KB, text/html)
2009-01-22 16:28 PST, Raul D 		no flags
Details
Side by side Safari, Firefox, IE (257.40 KB, image/x-png)
2009-01-23 10:12 PST, Raul D 		raul: review-
Details
View All Add attachment proposed patch, testcase, etc.
Raul D
Comment 1 2009-01-22 16:28:53 PST
Created attachment 26944 [details] Repro script crashing browser on text editor application
Mark Rowe (bdash)
Comment 2 2009-01-22 16:33:00 PST
Can you please attach a crash log from Safari on Mac OS X? <http://webkit.org/quality/crashlogs.html>.
Mark Rowe (bdash)
Comment 3 2009-01-22 16:36:35 PST
I found a copy of Safari 3.x lying around and retrieved a crash log myself. Closing as FIXED given that the report states that the crash does not occur with TOT WebKit. <rdar://problem/6356519>
Raul D
Comment 4 2009-01-23 10:12:31 PST
Created attachment 26974 [details] Side by side Safari, Firefox, IE Screenshot of Safari 3.2, Firefox 3, IE8 Notice up/down arrows on vertical scroll only missing in Safari preventing user from scrolling their content
Mark Rowe (bdash)
Comment 5 2009-01-23 11:48:07 PST
I think you meant that for a different bug report.
Raul D
Comment 6 2009-01-23 19:25:17 PST
Comment on attachment 26974 [details] Side by side Safari, Firefox, IE Please disregard - screenshot meant for bug 23485
Note You need to log in before you can comment on or make changes to this bug.