Bug 48918

Summary:

Crashes in WebCore::DocumentMarkerController::removeMarkersFromMarkerMapVectorPair() when deleting multiple lines of text.

Product:

WebKit

Reporter:

Jia Pu <jiapu.mail>

Component:

New Bugs

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

adele

Priority:

Keywords:

InRadar

Version:

528+ (Nightly build)

Hardware:

Mac

OS:

OS X 10.6

Attachments:

Description	Flags
Proposed patch (v1)	darin: review+, adele: commit-queue-

Jia Pu

Reported 2010-11-03 09:18:33 PDT

To reproduce: 1. type "adfef adfef" 2. Select all. 3. Try to delete the selection. It crashes with following call stack: > 1 com.apple.WebCore 0x7fff877fea64 WebCore::DocumentMarkerController::removeMarkersFromMarkerMapVectorPair(WebCore::Node*, std::pair<WTF::Vector<WebCore::DocumentMarker, 0ul>, WTF::Vector<WebCore::IntRect, 0ul> >*, WebCore::DocumentMarker::MarkerType) + 0x2a 2 com.apple.WebCore 0x7fff877fed64 WebCore::DocumentMarkerController::removeMarkers(WebCore::Node*, WebCore::DocumentMarker::MarkerType) + 0x48 3 com.apple.WebCore 0x7fff8788566b WebCore::Editor::removeSpellAndCorrectionMarkersFromWordsToBeEdited(bool) + 0xe21 4 com.apple.WebCore 0x7fff875dcdd6 WebCore::TypingCommand::deleteKeyPressed(WebCore::TextGranularity, bool) + 0x36 5 com.apple.WebCore 0x7fff875d3b32 WebCore::EditCommand::apply() + 0x84 6 com.apple.WebCore 0x7fff875dcd43 WebCore::TypingCommand::deleteKeyPressed(WebCore::Document*, bool, WebCore::TextGranularity, bool) + 0x167 7 com.apple.WebCore 0x7fff875dcb78 WebCore::Editor::deleteWithDirection(WebCore::SelectionController::EDirection, WebCore::TextGranularity, bool, bool) + 0x1ec 8 com.apple.WebCore 0x7fff8789011f WebCore::executeDeleteBackward(WebCore::Frame*, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) + 0x1f 9 com.apple.WebCore 0x7fff8788eb66 WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const + 0x94 10 com.apple.WebCore 0x7fff875d9757 WebCore::Editor::Command::execute(WebCore::Event*) const + 0x1f 11 com.apple.WebKit 0x7fff86386fdb -[WebHTMLView(WebNSTextInputSupport) doCommandBySelector:] + 0x25b 12 com.apple.WebKit 0x7fff863869b8 -[WebHTMLView(WebInternal) _interceptEditingKeyEvent:shouldSaveCommand:] + 0x288 13 com.apple.WebKit 0x7fff86386abe WebEditorClient::handleKeyboardEvent(WebCore::KeyboardEvent*) + 0x5c 14 com.apple.WebCore 0x7fff8746fc34 WebCore::EventHandler::defaultKeyboardEventHandler(WebCore::KeyboardEvent*) + 0x42 15 com.apple.WebCore 0x7fff87415f5d WebCore::Node::defaultEventHandler(WebCore::Event*) + 0x9d 16 com.apple.WebCore 0x7fff87415b5b WebCore::Node::dispatchGenericEvent(WTF::PassRefPtr<WebCore::Event>) + 0x3a5 17 com.apple.WebCore 0x7fff874156bb WebCore::Node::dispatchEvent(WTF::PassRefPtr<WebCore::Event>) + 0xe9 18 com.apple.WebCore 0x7fff8746fb62 WebCore::EventTarget::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, int&) + 0x56 19 com.apple.WebCore 0x7fff8746f247 WebCore::EventHandler::keyEvent(WebCore::PlatformKeyboardEvent const&) + 0x321 20 com.apple.WebCore 0x7fff8746ff0d WebCore::EventHandler::keyEvent(NSEvent*) + 0x35 ….

Attachments
Proposed patch (v1) (1.80 KB, patch) 2010-11-03 11:21 PDT, Jia Pu	darin: review+ adele: commit-queue-	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Jia Pu

Comment 1 2010-11-03 09:21:35 PDT

<rdar://problem/8620602>

Jia Pu

Comment 2 2010-11-03 09:26:08 PDT

Seems a more reliable reproducible case is: "abc abc abc abc"

Jia Pu

Comment 3 2010-11-03 09:29:06 PDT

When use TextIterator to iterate multiple lines of text, the returned pointer by TextIterator::node() can be null. Need to guard against this.

Jia Pu

Comment 4 2010-11-03 11:21:55 PDT

Created attachment 72844 [details] Proposed patch (v1)

Darin Adler

Comment 5 2010-11-03 13:07:32 PDT

Comment on attachment 72844 [details] Proposed patch (v1) It’s extremely inefficient to use TextIterator’s node() function on every node in a range you are iterating. The TextIterator::range() function is far more efficient. We should probably have a comment about that in TextIterator.h and perhaps even rename node() to deprecatedNode(). This code change is OK, but I worry that removeSpellAndCorrectionMarkersFromWordsToBeEdited can be pathologically slow with a large selection because of the use of TextIterator::node().

Jia Pu

Comment 6 2010-11-03 13:42:51 PDT

(In reply to comment #5) > (From update of attachment 72844 [details]) > It’s extremely inefficient to use TextIterator’s node() function on every node in a range you are iterating. The TextIterator::range() function is far more efficient. We should probably have a comment about that in TextIterator.h and perhaps even rename node() to deprecatedNode(). > > This code change is OK, but I worry that removeSpellAndCorrectionMarkersFromWordsToBeEdited can be pathologically slow with a large selection because of the use of TextIterator::node(). Thanks for reviewing, Darin. I have create bug #48949 to track replacing Consider replacing TextIterator::node() with TextIterator::range().

Adele Peterson

Comment 7 2010-11-03 16:53:18 PDT

Comment on attachment 72844 [details] Proposed patch (v1) I'll land this manually since the commit queue is taking forever.

Adele Peterson

Comment 8 2010-11-03 16:55:43 PDT

Committed revision 71284.

Note You need to log in before you can comment on or make changes to this bug.