Bug 44175

Summary: WebCore::ReplacementFragment::removeInterchangeNodes ReadAV@NULL
Product: WebKit
Reporter: Berend-Jan Wever <skylined>
Component: DOM
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED CONFIGURATION CHANGED
Severity: Normal
CC: annevk, eric
Priority: P1
Version: 528+ (Nightly build)
Hardware: PC
OS: Windows Vista
Attachments: Repro (flags: none)

Berend-Jan Wever
Reported 2010-08-18 07:22:20 PDT
Created attachment 64706 [details]
Repro

The following repro triggers a NULL pointer crash in latest Chromium:

    <html>
    <head>
    <script>
    function go() {
      selection = getSelection();
      range = document.createRange();
      document.writeln('<x>');
      selection.collapse(document, 1);
      old_body = document.body;
      document.write('<textArea>FindAndReplaceMe LeaveMe');
      document.close();
      document.write('');
      document.designMode = "on";
      range.insertNode(old_body);
      document.execCommand("FindString", false, 'FindAndReplaceMe');
      document.execCommand("InsertHTML", false, 'Anything');
    }
    </script>
    </head>
    <body onload="go()"></body>
    </html>

id:          WebCore::ReplacementFragment::removeInterchangeNodes ReadAV@NULL (1cd504e3a7be175da8c6cd72911ea6e0)
description: Attempt to read from NULL pointer (+0x24) in WebCore::ReplacementFragment::removeInterchangeNodes
stack:
    WebCore::ReplacementFragment::removeInterchangeNodes
    WebCore::ReplacementFragment::ReplacementFragment
    WebCore::ReplaceSelectionCommand::doApply
    WebCore::EditCommand::apply
    WebCore::applyCommand
    WebCore::executeInsertFragment
    WebCore::executeInsertHTML
    WebCore::Editor::Command::execute
    WebCore::Document::execCommand
    WebCore::DocumentInternal::execCommandCallback
    v8::internal::HandleApiCallHelper<...>
    v8::internal::Builtin_HandleApiCall
    v8::internal::Invoke
    v8::internal::Execution::Call
    ...
Attachments
Repro (626 bytes, text/html)
2010-08-18 07:22 PDT, Berend-Jan Wever
no flags
Eric Seidel (no email)
Comment 1 2010-08-18 08:41:29 PDT
This is very similar, if not identical to bug 44176. I wonder if either of these reproduce with the old parser, or if these are related to the DocumentParser re-rewrite. Thank you for the reports!
Anne van Kesteren
Comment 2 2023-12-30 02:12:32 PST
No crash in WebKit and it's a very old report.