Bug 26076

Summary: Custom highlighting (via -webkit-highlight) can crash
Product: WebKit
Reporter: Kai Brüning <kai>
Component: WebKit API
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED CONFIGURATION CHANGED
Severity: Major
CC: mitz
Priority: P2
Keywords: Regression
Version: 528+ (Nightly build)
Hardware: Mac
OS: OS X 10.5
See Also: https://bugs.webkit.org/show_bug.cgi?id=128456

Attachments:
Description: Test case - crashes on loading
Flags: none

Description Kai Brüning 2009-05-29 03:08:34 PDT
The functions WebChromeClient::customHighlightRect() and WebChromeClient::paintCustomHighlight() get passed a node. With Changeset 40871 (committed 2009-02-11), the passed node can be 0, which results in a crash.

I include a test case which crashes when opened.
Comment 1 Kai Brüning 2009-05-29 03:09:28 PDT
Created attachment 30771 [details]
Test case - crashes on loading
Comment 2 Kai Brüning 2009-05-29 03:16:37 PDT
I forgot to mention that the problem is triggered by having generated content in the document (via h1:empty:before {content:"some text";} in this case).

I do not know whether this is the only way to trigger the problem, though.
Comment 3 mitz 2017-06-16 22:32:22 PDT
paintCustomHighlight and the SPI that relied on it have been removed via bug 128456.