Summary: | REGRESSION(r73886): Frequent crashes in replaceSelectionWithFragment | ||||||||
---|---|---|---|---|---|---|---|---|---|
Product: | WebKit | Reporter: | Ryosuke Niwa <rniwa> | ||||||
Component: | HTML Editing | Assignee: | Hajime Morrita <morrita> | ||||||
Status: | RESOLVED FIXED | ||||||||
Severity: | Major | CC: | adele, ademar, ap, dcheng, enrica, levin, morrita, ojan | ||||||
Priority: | P2 | Keywords: | EasyFix, NeedsReduction | ||||||
Version: | 528+ (Nightly build) | ||||||||
Hardware: | All | ||||||||
OS: | All | ||||||||
Attachments: |
|
Description
Ryosuke Niwa
2011-05-03 17:22:24 PDT
Is this reproducible? (In reply to comment #1) > Is this reproducible? I don't have a reduction but we're getting a lot of crash reports for Chrome 12. It seems like this is happening inside Chrome extensions. Maybe we don't have a spell checker inside extensions' renderers? Regardless, this is a very easy fix. We just need to do a null pointer check. Hmm. m_spellChecker should never be null. (It is always instantiated at the constructor.) I'm looking, but simple adding null-check might not be sufficient... Created attachment 92921 [details]
Patch
Comment on attachment 92921 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=92921&action=review > Source/WebCore/ChangeLog:9 > + SpellChecker uses TextCheckerClient, which belongs Page object, > + which is possibly destroyed during SpellChecker's lifetime. Wow! That sounds like a serious issue. We have a raw pointer in SpellChecker.h > Source/WebCore/editing/SpellChecker.cpp:119 > if (!initRequest(node)) > return; > - m_client->requestCheckingOfString(this, m_requestSequence, mask, m_requestText); > + client()->requestCheckingOfString(this, m_requestSequence, mask, m_requestText); We should should have an early exit here as well when the page is gone. > Source/WebCore/editing/SpellChecker.h:59 > TextCheckerClient* m_client; I don't think it's safe to store this pointer. Created attachment 92924 [details]
Patch
Hi Ryosuke, thank you for the lightning review! > > Source/WebCore/editing/SpellChecker.cpp:119 > > if (!initRequest(node)) > > return; > > - m_client->requestCheckingOfString(this, m_requestSequence, mask, m_requestText); > > + client()->requestCheckingOfString(this, m_requestSequence, mask, m_requestText); > > We should should have an early exit here as well when the page is gone. The check is done by caller side using canCheckAsynchronously(). This function also asserts it at the beginning. > > > Source/WebCore/editing/SpellChecker.h:59 > > TextCheckerClient* m_client; > > I don't think it's safe to store this pointer. Makes sense. removed. Comment on attachment 92924 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=92924&action=review > Source/WebCore/editing/SpellChecker.cpp:116 > if (!initRequest(node)) > return; I see. initRequest asserts that canCheckAsynchronously returns true. Committed r86132: <http://trac.webkit.org/changeset/86132> Revision r86132 cherry-picked into qtwebkit-2.2 with commit f38046d <http://gitorious.org/webkit/qtwebkit/commit/f38046d> (In reply to comment #11) > Revision r86132 cherry-picked into qtwebkit-2.2 with commit f38046d <http://gitorious.org/webkit/qtwebkit/commit/f38046d> Ademar, thanks for caring this. |