Bug 23484

Summary: calling toString() on the range object crashes the browser
Product: WebKit Reporter: Raul D <raul>
Component: WebCore JavaScriptAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Major CC: mrowe
Priority: P1 Keywords: HasReduction, InRadar
Version: 525.x (Safari 3.2)   
Hardware: PC   
OS: All   
Attachments:
Description Flags
Repro script crashing browser on text editor application
none
Side by side Safari, Firefox, IE raul: review-

Description Raul D 2009-01-22 16:27:39 PST 
[See attached code at the bottom of this report]
Repro steps: 
Open the attached code in Safari
Click on the editable div
Type two lines of text, such as:
abcd
defg 
Select all text in the div (either CTRL-A or with the mouse/keyboard) 
Click on the "bold" button 
Observe the text gets bold and the text in the selection is shown in an alert dialog 
Close the dialog by clicking OK 
Optionally reload the page and repeat steps 1-3 
Click on the "justifycenter" button 
Observe the browser crashes 

Notes: 
Repros in Safari 3.1.2 (525.21) for Windows 
Repros in Safari 3.1.2 (5525.20.1) for Mac 
Repros in Google Chrome 1.0.154.43 for Windows 
Does not repro in WebKit r40022 for Windows built on 19 January 2009 
Does not repro if in step 2 you type only 1 line of text 
It appears that calling toString() on the range object crashes the browser in the "justifycenter" case but not the "bold" case 

------------START REPRO CODE----------------------
<html>
 
    <head>
        <title>Safari 3 bug repro case</title>
        <script type="text/javascript">
 
            function button_onclick(command)
            {
                var selection = window.getSelection();
                var range = selection.getRangeAt(0);
                window.document.execCommand(command, false, 1);
                
                if(range && range.toString)
                {
                    // This is the code that crashes the browser
                    alert(range.toString());
                }
            }
        
        </script>
    </head>
 
    <body>
        <div>
            <div id="editor" style="height:15em; width:100%; border:solid 1px blue"  contenteditable="true"></div>
        </div>
        <input id="center" type="button" value="justifycenter" onclick="button_onclick('justifycenter')" />
        <input id="bold" type="button" value="bold" onclick="button_onclick('bold')" />
        
        <br />
        <br />
        <div>Repro steps:
            <ol>
                <li>Click on the editable div above</li>
                <li>Type two lines of text, such as:<br />abcd<br />defg</li>
                <li>Select all text in the div (either CTRL-A or with the mouse/keyboard)</li>
                <li>Click on the "bold" button</li>
                <li>Observe the text gets bold and the text in the selection is shown in an alert dialog</li>
                <li>Close the dialog by clicking OK</li>
                <li>Optionally reload the page and repeat steps 1-3</li>
                <li>Click on the "justifycenter" button</li>
                <li>Observe the browser crashes</li>
            </ol>
        </div>
        <div>Notes:
            <ul>
                <li>Repros in Safari 3.1.2 (525.21) for Windows</li>
                <li>Repros in Safari 3.1.2 (5525.20.1) for Mac</li>
                <li>Repros in Google Chrome 1.0.154.43 for Windows</li>
                <li>Does not repro in WebKit r40022 for Windows built on 19 January 2009</li>
                <li>Does not repro if in step 2 you type only 1 line of text</li>
                <li>It appears that calling toString() on the range object crashes the browser in the "justifycenter" case but not the "bold" case</li>
            </ul>
        </div>
    </body>
 
</html>
------------END REPRO CODE------------------------
Comment 1 Raul D 2009-01-22 16:28:53 PST 
Created attachment 26944 [details]
Repro script crashing browser on text editor application
Comment 2 Mark Rowe (bdash) 2009-01-22 16:33:00 PST 
Can you please attach a crash log from Safari on Mac OS X? <http://webkit.org/quality/crashlogs.html>.
Comment 3 Mark Rowe (bdash) 2009-01-22 16:36:35 PST 
I found a copy of Safari 3.x lying around and retrieved a crash log myself.  Closing as FIXED given that the report states that the crash does not occur with TOT WebKit.

<rdar://problem/6356519>
Comment 4 Raul D 2009-01-23 10:12:31 PST 
Created attachment 26974 [details]
Side by side Safari, Firefox, IE

Screenshot of Safari 3.2, Firefox 3, IE8
Notice up/down arrows on vertical scroll only missing in Safari preventing user from scrolling their content
Comment 5 Mark Rowe (bdash) 2009-01-23 11:48:07 PST 
I think you meant that for a different bug report.
Comment 6 Raul D 2009-01-23 19:25:17 PST 
Comment on attachment 26974 [details]
Side by side Safari, Firefox, IE

Please disregard - screenshot meant for bug 23485