| Summary: | WebCore::Range::surroundContents NULL pointer crash | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | WebKit | Reporter: | Berend-Jan Wever <skylined> | ||||||
| Component: | DOM | Assignee: | Nobody <webkit-unassigned> | ||||||
| Status: | RESOLVED FIXED | ||||||||
| Severity: | Normal | CC: | ap, cdumez, commit-queue, eric, morrita, webkit.review.bot | ||||||
| Priority: | P1 | ||||||||
| Version: | 528+ (Nightly build) | ||||||||
| Hardware: | All | ||||||||
| OS: | All | ||||||||
| URL: | http://skypher.com/SkyLined/Repro/WebKit/Bug%2031684%20-%20WebCore..Range..surroundContents%20NULL%20pointer/repro.html | ||||||||
| Attachments: |
|
||||||||
Added online repro URL Created attachment 45226 [details]
patch v1
Added NULL guard null throws exception. Note that Firefox also throws an exception (NS_ERROR_UNEXPECTED) in the case. style-queue ran check-webkit-style on attachment 45226 [details] without any errors.
Comment on attachment 45226 [details] patch v1 Clearing flags on attachment: 45226 Committed r52388: <http://trac.webkit.org/changeset/52388> All reviewed patches have been landed. Closing bug. Mass moving XML DOM bugs to the "DOM" Component. |
Created attachment 43520 [details] Repro The following HTML triggers a NULL pointer in "WebCore::Range::surroundContents": <SCRIPT> range=document.createRange(); text=document.createTextNode(''); range.selectNodeContents(text); element=document.createElement("l"); range.surroundContents(element); </SCRIPT> Relevant call stack (in Chromium): WebCore::Range::surroundContents(class WTF::PassRefPtr<WebCore::Node> passNewParent = class WTF::PassRefPtr<WebCore::Node>, int * ec = 0x0012f220)+0x113 WebCore::RangeInternal::surroundContentsCallback(class v8::Arguments * args = 0x00000000)+0xac