Bug 54294

Summary: crashes in WebProcess at WebCore::Range::startPosition const + 16
Product: WebKit Reporter: Enrica Casucci <enrica>
Component: WebKit2Assignee: Enrica Casucci <enrica>
Status: RESOLVED FIXED    
Severity: Normal Keywords: InRadar, PlatformOnly
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: OS X 10.5   
Attachments:
Description Flags
patch darin: review+

Enrica Casucci
Reported 2011-02-11 10:47:06 PST
see below the stack trace. Thread 0 name: Dispatch queue: com.apple.main-thread Thread 0 Crashed: 0 com.apple.WebCore 0x00007fff91721410 WebCore::Range::startPosition() const + 16 1 com.apple.WebCore 0x00007fff91834cdd WebCore::Editor::firstRectForRange(WebCore::Range*) const + 49 2 com.apple.WebKit2 0x00007fff8c6779e8 WebKit::WebPage::firstRectForCharacterRange(unsigned long long, unsigned long long, WebCore::IntRect&) + 212 3 com.apple.WebKit2 0x00007fff8c6b4b7b void CoreIPC::handleMessage<Messages::WebPage::FirstRectForCharacterRange, WebKit::WebPage, void (WebKit::WebPage::*)(unsigned long long, unsigned long long, WebCore::IntRect&)>(CoreIPC::ArgumentDecoder*, CoreIPC::ArgumentEncoder*, WebKit::WebPage*, void (WebKit::WebPage::*)(unsigned long long, unsigned long long, WebCore::IntRect&)) + 73 4 com.apple.WebKit2 0x00007fff8c6b3bec WebKit::WebPage::didReceiveSyncWebPageMessage(CoreIPC::Connection*, CoreIPC::MessageID, CoreIPC::ArgumentDecoder*, CoreIPC::ArgumentEncoder*) + 136 5 com.apple.WebKit2 0x00007fff8c691a59 WebKit::WebProcess::didReceiveSyncMessage(CoreIPC::Connection*, CoreIPC::MessageID, CoreIPC::ArgumentDecoder*, CoreIPC::ArgumentEncoder*) + 61 6 com.apple.WebKit2 0x00007fff8c64315f CoreIPC::Connection::dispatchSyncMessage(CoreIPC::MessageID, CoreIPC::ArgumentDecoder*) + 117 7 com.apple.WebKit2 0x00007fff8c64327e CoreIPC::Connection::waitForSyncReply(unsigned long long, double) + 204 8 com.apple.WebKit2 0x00007fff8c6436f7 CoreIPC::Connection::sendSyncMessage(CoreIPC::MessageID, unsigned long long, WTF::PassOwnPtr<CoreIPC::ArgumentEncoder>, double) + 349 9 com.apple.WebKit2 0x00007fff8c678c53 bool CoreIPC::Connection::sendSync<Messages::WebPageProxy::InterpretKeyEvent>(Messages::WebPageProxy::InterpretKeyEvent const&, Messages::WebPageProxy::InterpretKeyEvent::Reply const&, unsigned long long, double) + 141 10 com.apple.WebKit2 0x00007fff8c677f8e WebKit::WebPage::interceptEditingKeyboardEvent(WebCore::KeyboardEvent*, bool) + 274 11 com.apple.WebKit2 0x00007fff8c6b2361 WebKit::WebEditorClient::handleInputMethodKeydown(WebCore::KeyboardEvent*) + 29 12 com.apple.WebCore 0x00007fff914340d8 WebCore::EventHandler::keyEvent(WebCore::PlatformKeyboardEvent const&) + 578 13 com.apple.WebKit2 0x00007fff8c672d6c WebKit::WebPage::keyEvent(WebKit::WebKeyboardEvent const&) + 110 14 com.apple.WebKit2 0x00007fff8c6b4f1d void CoreIPC::handleMessage<Messages::WebPage::KeyEvent, WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::WebKeyboardEvent const&)>(CoreIPC::ArgumentDecoder*, WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::WebKeyboardEvent const&)) + 77 15 com.apple.WebKit2 0x00007fff8c642cd6 CoreIPC::Connection::dispatchMessages() + 230 16 com.apple.WebKit2 0x00007fff8c659d5b RunLoop::performWork() + 83 17 com.apple.CoreFoundation 0x00007fff958fd11d __CFRunLoopDoSources0 + 253 18 com.apple.CoreFoundation 0x00007fff958fcae9 __CFRunLoopRun + 905 19 com.apple.CoreFoundation 0x00007fff958fc526 CFRunLoopRunSpecific + 230 20 com.apple.HIToolbox 0x00007fff8e494a07 RunCurrentEventLoopInMode + 277 21 com.apple.HIToolbox 0x00007fff8e494801 ReceiveNextEventCommon + 355 22 com.apple.HIToolbox 0x00007fff8e49468e BlockUntilNextEventMatchingListInMode + 62 23 com.apple.AppKit 0x00007fff93a57715 _DPSNextEvent + 659 24 com.apple.AppKit 0x00007fff93a5701a -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 135 25 com.apple.AppKit 0x00007fff93a1c095 -[NSApplication run] + 456 26 com.apple.WebKit2 0x00007fff8c693c13 WebKit::WebProcessMain(WebKit::CommandLine const&) + 400 27 com.apple.WebKit2 0x00007fff8c66fc3c WebKitMain + 268 28 com.apple.WebProcess 0x10b7add58 start + 52
Attachments
patch (1.69 KB, patch)
2011-02-11 10:53 PST, Enrica Casucci 		darin: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Enrica Casucci
Comment 1 2011-02-11 10:53:47 PST
Created attachment 82143 [details] patch
Darin Adler
Comment 2 2011-02-11 10:56:45 PST
Comment on attachment 82143 [details] patch We would be so much better off if we had a test case for this. When can convertToRange return 0? Maybe that will give us an idea how to reproduce.
Enrica Casucci
Comment 3 2011-02-11 13:36:28 PST
(In reply to comment #2) > (From update of attachment 82143 [details]) > We would be so much better off if we had a test case for this. When can convertToRange return 0? Maybe that will give us an idea how to reproduce. I verified that we have regression tests for WebKit to test this scenario, but they are not enabled for WebKit2. platform/mac/editing/input/firstrectforcharacterrange-plain.html platform/mac/editing/input/firstrectforcharacterrange-styled.html produce the exact same crash signature when I run them with a version of WebKit with the null check removed.
Enrica Casucci
Comment 4 2011-02-11 13:40:11 PST
http://trac.webkit.org/changeset/78363
Note You need to log in before you can comment on or make changes to this bug.