Bug 44169

Summary: WebCore::VisibleSelection::toNormalizedRange ReadAV@NULL
Product: WebKit
Reporter: Berend-Jan Wever <skylined>
Component: HTML Editing
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: eric, rniwa
Priority: P1
Version: 528+ (Nightly build)
Hardware: PC
OS: Windows Vista
Attachments:
  Description: Repro
  Flags: none

Berend-Jan Wever
Reported 2010-08-18 06:09:58 PDT
Created attachment 64695 [details]
Repro

The following repro causes a NULL ptr crash in latest Chromium:

    <body onload="
        selection = window.getSelection();
        range = document.createRange();
        document.write('<button><br>');
        document.body.contentEditable = true;
        selection.setPosition(document,7);
        document.execCommand('JustifyNone', false);
        document.open();
        document.execCommand('undo',false,0);
        location.reload();
    ">

id: WebCore::VisibleSelection::toNormalizedRange ReadAV@NULL (a1b9c2e8fbec25147570883307987405)
description: Attempt to read from NULL pointer (+0x14) in WebCore::VisibleSelection::toNormalizedRange
stack:
    WebCore::VisibleSelection::toNormalizedRange
    WebCore::Frame::shouldChangeSelection
    WebCore::Frame::shouldChangeSelection
    WebCore::Editor::changeSelectionAfterCommand
    WebCore::Editor::unappliedEditing
    WebCore::EditCommand::unapply
    WebKit::EditorClientImpl::undo
    WebCore::executeUndo
    WebCore::Editor::Command::execute
    WebCore::Document::execCommand
    WebCore::DocumentInternal::execCommandCallback
    v8::internal::HandleApiCallHelper<...>
    v8::internal::Builtin_HandleApiCall
    v8::internal::Invoke
    v8::internal::Execution::Call
    ...
Attachments:
  Repro (326 bytes, text/html)
  2010-08-18 06:09 PDT, Berend-Jan Wever
  no flags
Eric Seidel (no email)
Comment 1 2010-08-18 09:09:49 PDT
I suspect we could reduce this further. This is an undo across a document open, which sounds like it could crash. :)
Eric Seidel (no email)
Comment 2 2010-08-18 09:10:07 PDT
This might also be related to bug 43055, but that's less likely.
Berend-Jan Wever
Comment 3 2010-09-29 12:06:46 PDT
This no longer crashes latest Chromium, marking as fixed.