Bug 55290

Summary: REGRESSION(r79398): Webkit crash on dojo theme tester page
Product: WebKit
Reporter: Darth <priyajeet.hora>
Component: HTML Editing
Assignee: Ryosuke Niwa <rniwa>
Status: RESOLVED FIXED
Severity: Normal
CC: ap, commit-queue, darin, eric, ojan, priyajeet.hora, rniwa, skylined, tony
Priority: P1
Keywords: InRadar, Regression
Version: 528+ (Nightly build)
Hardware: All
OS: All
URL: http://archive.dojotoolkit.org/nightly/dojotoolkit/dijit/themes/themeTester.html
Attachments:
  Description: fixes the bug    Flags: none

Description Darth 2011-02-25 20:37:42 PST
Browser crashes while looking at dojo theme tester.
Doesn't happen in nightly release r79303. Happens in all nightly beyond that.
Chromium 11.0.683.0 is also getting a renderer crash, might be due to the same.
Comment 1 Alexey Proskuryakov 2011-02-26 00:44:28 PST
Confirmed with nightly r79488. Suspecting <http://trac.webkit.org/r79398>.

0   com.apple.WebCore             	0x0000000100ef1e1d WebCore::Editor::selectionStartCSSPropertyValue(int) + 45
1   com.apple.WebCore             	0x0000000100efdc18 WebCore::valueStyle(WebCore::Frame*, int) + 24
2   com.apple.WebCore             	0x0000000100efdca6 WebCore::valueFontName(WebCore::Frame*, WebCore::Event*) + 22
3   com.apple.WebCore             	0x0000000100eff1df WebCore::Editor::Command::value(WebCore::Event*) const + 111
4   com.apple.WebCore             	0x0000000100e060c9 WebCore::Document::queryCommandValue(WTF::String const&) + 41
5   com.apple.WebCore             	0x00000001011d8c36 WebCore::jsDocumentPrototypeFunctionQueryCommandValue(JSC::ExecState*) + 278
Comment 2 Alexey Proskuryakov 2011-02-26 00:44:57 PST
<rdar://problem/9058070>
Comment 3 Ryosuke Niwa 2011-02-26 03:18:26 PST
(In reply to comment #1)
> Confirmed with nightly r79488. Suspecting <http://trac.webkit.org/r79398>.
> 
> 0   com.apple.WebCore                 0x0000000100ef1e1d WebCore::Editor::selectionStartCSSPropertyValue(int) + 45
> 1   com.apple.WebCore                 0x0000000100efdc18 WebCore::valueStyle(WebCore::Frame*, int) + 24
> 2   com.apple.WebCore                 0x0000000100efdca6 WebCore::valueFontName(WebCore::Frame*, WebCore::Event*) + 22
> 3   com.apple.WebCore                 0x0000000100eff1df WebCore::Editor::Command::value(WebCore::Event*) const + 111
> 4   com.apple.WebCore                 0x0000000100e060c9 WebCore::Document::queryCommandValue(WTF::String const&) + 41
> 5   com.apple.WebCore                 0x00000001011d8c36 WebCore::jsDocumentPrototypeFunctionQueryCommandValue(JSC::ExecState*) + 278

Oops!  Yes, it's missing a null check. http://trac.webkit.org/browser/trunk/Source/WebCore/editing/Editor.cpp#L1043

    RefPtr<EditingStyle> selectionStyle = selectionStartStyle();
    if (!selectionStyle->style())
        return String();

should be

    RefPtr<EditingStyle> selectionStyle = selectionStartStyle();
    if (!selectionStyle || !selectionStyle->style())
        return String();

instead.
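An added example, not WebKit's own code, that models the null-check fix discussed in comment 3 with std::shared_ptr standing in for RefPtr; the EditingStyle stub, the property ids, and the queryCommandValueFontName wrapper are assumptions made to reproduce the call path in the backtrace.

```cpp
#include <map>
#include <memory>
#include <string>

// Assumed stand-in for CSSPropertyID; values are constructed for this example.
enum CSSPropertyID { CSSPropertyFontFamily = 1, CSSPropertyFontSize = 2 };

// Stand-in for WebCore::EditingStyle: a bag of CSS property values.
struct EditingStyle {
    std::map<int, std::string> properties;
    // Mirrors EditingStyle::style(): null when no declaration was computed.
    const std::map<int, std::string>* style() const {
        return properties.empty() ? nullptr : &properties;
    }
};

// std::shared_ptr stands in for WebCore's RefPtr; both are null when the
// editor has no selection to compute a style from.
struct Editor {
    std::shared_ptr<EditingStyle> m_selectionStyle; // null == no selection

    std::shared_ptr<EditingStyle> selectionStartStyle() const { return m_selectionStyle; }

    // Form before r79794: selectionStyle is dereferenced before it is checked,
    // so a null RefPtr crashes here (frame 0 of the page's backtrace).
    std::string selectionStartCSSPropertyValueBuggy(int propertyID) const {
        std::shared_ptr<EditingStyle> selectionStyle = selectionStartStyle();
        if (!selectionStyle->style())
            return std::string();
        return lookup(*selectionStyle, propertyID);
    }

    // Fixed form: the pointer itself is tested first, and || short-circuits
    // so ->style() never runs on null.
    std::string selectionStartCSSPropertyValue(int propertyID) const {
        std::shared_ptr<EditingStyle> selectionStyle = selectionStartStyle();
        if (!selectionStyle || !selectionStyle->style())
            return std::string();
        return lookup(*selectionStyle, propertyID);
    }

    // Only called once style() is known to be non-null.
    static std::string lookup(const EditingStyle& s, int propertyID) {
        auto it = s.style()->find(propertyID);
        return it == s.style()->end() ? std::string() : it->second;
    }
};

// Models the page's path: queryCommandValue("fontName") -> valueFontName -> valueStyle.
std::string queryCommandValueFontName(const Editor& editor) {
    return editor.selectionStartCSSPropertyValue(CSSPropertyFontFamily);
}
```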
Comment 4 Ryosuke Niwa 2011-02-26 06:28:12 PST
Created attachment 83937 [details]
fixes the bug
Comment 5 Ryosuke Niwa 2011-02-26 06:28:51 PST
This was an embarrassing bug :(
Comment 6 WebKit Commit Bot 2011-02-26 09:03:36 PST
Comment on attachment 83937 [details]
fixes the bug

Clearing flags on attachment: 83937

Committed r79794: <http://trac.webkit.org/changeset/79794>
Comment 7 WebKit Commit Bot 2011-02-26 09:03:40 PST
All reviewed patches have been landed.  Closing bug.
Comment 8 Ryosuke Niwa 2011-02-28 02:41:07 PST
*** Bug 55359 has been marked as a duplicate of this bug. ***