Bug 32424

Summary: WebCore::ReplaceSelectionCommand::doApply ReadAV@NULL (15d09a1a5a07b619154c5a2a36579bfd)
Product: WebKit Reporter: Berend-Jan Wever <skylined>
Component: HTML EditingAssignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: enrica, eric
Priority: P1    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: Windows Vista   
URL: http://skypher.com/SkyLined/Repro/WebKit/Bug%2032424%20-%20WebCore..ReplaceSelectionCommand..doApply%20ReadAV@NULL%20(15d09a1a5a07b619154c5a2a36579bfd)/repro.html
Attachments:
Description Flags
Repro none

Description Berend-Jan Wever 2009-12-11 04:43:34 PST 
Created attachment 44671 [details]
Repro

Id:          WebCore::ReplaceSelectionCommand::doApply ReadAV@NULL (15d09a1a5a07b619154c5a2a36579bfd)
Description: Attempt to read from NULL pointer (+0x25) in WebCore::ReplaceSelectionCommand::doApply
Stack:
  WebCore::ReplaceSelectionCommand::doApply
  WebCore::EditCommand::apply
  WebCore::applyCommand
  WebCore::executeInsertFragment
  WebCore::executeInsertHTML
  WebCore::Editor::Command::execute
  WebCore::Document::execCommand
  WebCore::DocumentInternal::execCommandCallback
  v8::internal::Builtin_HandleApiCall
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::Script::Run
  WebCore::V8Proxy::runScript
  WebCore::V8Proxy::evaluate
  WebCore::ScriptController::evaluate
  WebCore::ScriptController::executeScript
  WebCore::ScriptController::executeScript
  WebCore::ScriptController::executeIfJavaScriptURL
  WebCore::FrameLoader::changeLocation
  WebCore::RedirectScheduler::timerFired
  WebCore::Timer<...>::fired
  WebCore::ThreadTimers::sharedTimerFiredInternal
  MessageLoop::RunTask
  MessageLoop::DoWork
  base::MessagePumpDefault::Run
  MessageLoop::RunInternal
  MessageLoop::Run
  RendererMain
  ChromeMain

Repro:
<BODY onload=go()></BODY>
<SCRIPT>
  function go() {
    document.execCommand("selectall",false,6);
    document.designMode="on";
    document.execCommand("Cut",false,2);
    document.execCommand("inserthorizontalrule","");
    document.execCommand("Delete",false, "");
    document.designMode="";
    document.execCommand("Undo","");
    document.designMode="on";
    document.execCommand("InsertHTML",false,"");
  }
</SCRIPT>
Comment 1 Berend-Jan Wever 2009-12-11 04:44:39 PST 
Online repro
Comment 2 Berend-Jan Wever 2009-12-31 02:32:09 PST 
Mike Moretti claims there is a problem with "Undo" after "designmode off".
https://bugs.webkit.org/show_bug.cgi?id=32822
I am assuming this is a variation of that problem.

*** This bug has been marked as a duplicate of bug 32823 ***