Bug 25335

Summary: crash in VisibleSelection::appendTrailingWhitespace()
Product: WebKit Reporter: Eric Roman <eroman>
Component: WebCore Misc.Assignee: Eric Roman <eroman>
Status: RESOLVED FIXED    
Severity: Normal    
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: OS X 10.5   
Attachments:
Description Flags
Check that it.atEnd() in addition to it.length() > 0
none
Check that it.atEnd() in addition to it.length() > 0
darin: review-
Check that it.atEnd() in addition to it.length() > 0
darin: review-
Initialize TextIterator::m_textLength to 0, to avoid accessing un-initialized memory when construction fails.
none
Initialize TextIterator::m_textLength to 0, to avoid accessing un-initialized memory when construction fails. darin: review+

Eric Roman
Reported 2009-04-22 16:03:24 PDT
This crash comes from <http://code.google.com/p/chromium/issues/detail?id=10645> To hit it, must have EditorClient::isSelectTrailingWhitespaceEnabled() set to return true (therefore this affects chromium, but not safari). To reproduce, load an image url, and double click in the whitespace around the image -- CRASH.
Attachments
Check that it.atEnd() in addition to it.length() > 0 (2.54 KB, patch)
2009-04-23 17:25 PDT, Eric Roman 		no flags
DetailsFormatted DiffDiff
Check that it.atEnd() in addition to it.length() > 0 (3.11 KB, patch)
2009-04-23 17:28 PDT, Eric Roman 		darin: review-
DetailsFormatted DiffDiff
Check that it.atEnd() in addition to it.length() > 0 (3.71 KB, patch)
2009-04-23 17:34 PDT, Eric Roman 		darin: review-
DetailsFormatted DiffDiff
Initialize TextIterator::m_textLength to 0, to avoid accessing un-initialized memory when construction fails. (4.52 KB, patch)
2009-04-23 18:02 PDT, Eric Roman 		no flags
DetailsFormatted DiffDiff
Initialize TextIterator::m_textLength to 0, to avoid accessing un-initialized memory when construction fails. (4.21 KB, patch)
2009-04-23 18:07 PDT, Eric Roman 		darin: review+
DetailsFormatted DiffDiff
Show Obsolete (4) View All Add attachment proposed patch, testcase, etc.
Eric Roman
Comment 1 2009-04-22 16:46:32 PDT
The crash happens in VisibleSelection::appendTrailingWhitespace(): CharacterIterator charIt(searchRange.get(), true); for (; charIt.length(); charIt.advance(1)) { UChar c = charIt.characters()[0]; // <====== CRASH HERE ... } The problem is that charIt.length() is not a sufficient guard -- if CharacterIterator is constructed with a particular empty Range, then TextIterator::m_textLength remains uninitialized after CharacterIterator is constructed. My proposed fix is to add a check for charIt.atEnd() in the loop: - for (; charIt.length(); charIt.advance(1)) { + for (; !charIt.atEnd() && charIt.length(); charIt.advance(1)) { However, it might be better to instead change TextIterator to initialize m_textLength to 0 to avoid this happening elsewhere. This approach might be more consistent with the comment in <https://bugs.webkit.org/show_bug.cgi?id=23232#c2>: > There's no need to check atEnd() here. Once you're at the end, length is > guaranteed to return 0.
Eric Roman
Comment 2 2009-04-23 17:25:33 PDT
Created attachment 29720 [details] Check that it.atEnd() in addition to it.length() > 0
Eric Roman
Comment 3 2009-04-23 17:28:03 PDT
Created attachment 29721 [details] Check that it.atEnd() in addition to it.length() > 0 actually add the file to patch this time :)
Darin Adler
Comment 4 2009-04-23 17:33:32 PDT
Comment on attachment 29721 [details] Check that it.atEnd() in addition to it.length() > 0 This is the wrong fix. The CharacterIterator::length is guaranteed to return 0 when it's at the end, and the fact that it's not is a bug. The correct fix, as suggested earlier in this report, is to make sure the TextIterator constructors initialize m_textLength to 0 in all code paths.
Eric Roman
Comment 5 2009-04-23 17:34:48 PDT
Created attachment 29722 [details] Check that it.atEnd() in addition to it.length() > 0 Correct the changelog.
Eric Roman
Comment 6 2009-04-23 17:35:49 PDT
Ok. Please disregard the v3 patch I just uploaded (it was before I saw your comment).
Darin Adler
Comment 7 2009-04-23 17:35:52 PDT
Comment on attachment 29722 [details] Check that it.atEnd() in addition to it.length() > 0 review- for same reason as previous. The bug here is in TextIterator, not VisibleSelection.
Eric Roman
Comment 8 2009-04-23 18:02:14 PDT
Created attachment 29723 [details] Initialize TextIterator::m_textLength to 0, to avoid accessing un-initialized memory when construction fails. I threw in initialization of m_textCharacters(0) for good measure, but it isn't strictly needed for this fix.
Eric Roman
Comment 9 2009-04-23 18:07:20 PDT
Created attachment 29724 [details] Initialize TextIterator::m_textLength to 0, to avoid accessing un-initialized memory when construction fails. difference from previous version (v4), is fixed LayoutTests/ChangeLog (still getting the hang of it).
Dimitri Glazkov (Google)
Comment 10 2009-04-24 11:40:51 PDT
Landed as http://trac.webkit.org/changeset/42831.
Note You need to log in before you can comment on or make changes to this bug.