Bug 6236

Summary: REGRESSION: Crash in DOMString::replace() in ToT (12/25/05)
Product: WebKit
Reporter: Rosyna <webkit-bugs>
Component: Layout and Rendering
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: mitz
Priority: P1
Version: 420+
Hardware: Mac
OS: OS X 10.4
URL: http://ishi.blog2.fc2.com/blog-entry-158.html

Attachments:
Description               Flags
Add missing null check    eric: review+

Rosyna
Reported 2005-12-24 14:08:28 PST
Crashes when connecting to the aforementioned URL. Special because said URL was on fark.com today.

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000004

Thread 0 Crashed:
0  com.apple.WebCore  0x018b710c DOM::DOMStringImpl::replace(QChar, QChar) + 156 (dom_stringimpl.cpp:456)
1  com.apple.WebCore  0x01a95408 DOM::DOMString::replace(QChar, QChar) + 76 (dom_string.h:76)
2  com.apple.WebCore  0x0184ddc4 khtml::RenderLineEdit::updateFromElement() + 296 (render_form.cpp:298)
3  com.apple.WebCore  0x017d9c04 DOM::HTMLGenericFormElementImpl::attach() + 160 (html_formimpl.cpp:798)
4  com.apple.WebCore  0x017eb340 DOM::HTMLInputElementImpl::attach() + 796 (html_formimpl.cpp:1753)
5  com.apple.WebCore  0x01814240 HTMLParser::insertNode(DOM::NodeImpl*, bool) + 636 (htmlparser.cpp:286)
6  com.apple.WebCore  0x01814c5c HTMLParser::parseToken(khtml::Token*) + 1216 (htmlparser.cpp:231)
7  com.apple.WebCore  0x018178e0 khtml::HTMLTokenizer::processToken() + 564 (htmltokenizer.cpp:1724)
8  com.apple.WebCore  0x0181b698 khtml::HTMLTokenizer::parseTag(khtml::TokenizerString&, khtml::HTMLTokenizer::State) + 7424 (htmltokenizer.cpp:1282)
9  com.apple.WebCore  0x0181c158 khtml::HTMLTokenizer::write(khtml::TokenizerString const&, bool) + 1784 (htmltokenizer.cpp:1497)
10 com.apple.WebCore  0x01737da8 KHTMLPart::write(char const*, int) + 860 (khtml_part.cpp:966)
11 com.apple.WebCore  0x016b4984 KWQKHTMLPart::addData(char const*, int) + 320 (KWQKHTMLPart.mm:683)
12 com.apple.WebCore  0x01724554 -[WebCoreBridge addData:] + 220 (WebCoreBridge.mm:389)
13 com.apple.WebKit   0x00333e7c -[WebBridge receivedData:textEncodingName:] + 236 (WebBridge.m:494)
14 com.apple.WebKit   0x0036eb08 -[WebHTMLRepresentation receivedData:withDataSource:] + 248 (WebHTMLRepresentation.m:122)
15 com.apple.WebKit   0x0035812c -[WebDataSource(WebPrivate) _commitLoadWithData:] + 164 (WebDataSource.m:1033)
16 com.apple.WebKit   0x00356780 -[WebDataSource(WebPrivate) _receivedData:] + 196 (WebDataSource.m:773)
17 com.apple.WebKit   0x00393450 -[WebMainResourceLoader addData:] + 136 (WebMainResourceLoader.m:163)
18 com.apple.WebKit   0x003502b8 -[WebLoader didReceiveData:lengthReceived:] + 108 (WebLoader.m:535)
19 com.apple.WebKit   0x00394a54 -[WebMainResourceLoader didReceiveData:lengthReceived:] + 724 (WebMainResourceLoader.m:378)
20 com.apple.WebKit   0x00350e1c -[WebLoader connection:didReceiveData:lengthReceived:] + 188 (WebLoader.m:645)
21 com.apple.Foundation  0x92918a64 -[NSURLConnection(NSURLConnectionInternal) _sendDidReceiveDataCallback] + 564
22 com.apple.Foundation  0x92916f04 -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] + 488
23 com.apple.Foundation  0x92916ca0 _sendCallbacks + 156
24 com.apple.CoreFoundation  0x9075da68 __CFRunLoopDoSources0 + 384
25 com.apple.CoreFoundation  0x9075cf98 __CFRunLoopRun + 452
26 com.apple.CoreFoundation  0x9075ca18 CFRunLoopRunSpecific + 268
27 com.apple.HIToolbox  0x9318e1e0 RunCurrentEventLoopInMode + 264
28 com.apple.HIToolbox  0x9318d874 ReceiveNextEventCommon + 380
29 com.apple.HIToolbox  0x9318d6e0 BlockUntilNextEventMatchingListInMode + 96
30 com.apple.AppKit   0x9368c104 _DPSNextEvent + 384
31 com.apple.AppKit   0x9368bdc8 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 116
32 com.apple.Safari   0x000072f4 0x1000 + 25332
33 com.apple.AppKit   0x9368830c -[NSApplication run] + 472
34 com.apple.AppKit   0x93778e60 NSApplicationMain + 452
35 com.apple.Safari   0x0005d028 0x1000 + 376872
36 com.apple.Safari   0x0005cecc 0x1000 + 376524
Attachments
Add missing null check (4.43 KB, patch)
2005-12-24 15:27 PST, mitz
eric: review+
mitz
Comment 1 2005-12-24 14:28:22 PST
The new method DOMString::replace() is missing a null check for m_impl.
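As an added example (not the WebKit patch and not WebKit's own code), the failure mode comment 1 describes in a simplified model: a string handle whose `m_impl` pointer is legitimately null for a null string, a `replace()` that dereferences it without a check, and the null-checked form. Everything except the `DOMString`/`m_impl` names is an assumption for this example, including the stand-in `StringImpl` type, the `lineEditValue()` call site modelled on `RenderLineEdit::updateFromElement()`, the newline-to-space mapping, and the constructed sample value.

```cpp
// Added example, not WebKit's code: a simplified model of a DOMString-style
// handle whose implementation pointer may be null, showing why a replace()
// that touches m_impl without a null check faults, and the checked form.
// Names other than DOMString and m_impl are assumptions.
#include <iostream>
#include <string>

// Stand-in for DOM::DOMStringImpl: the object that actually owns characters.
struct StringImpl {
    std::string chars;

    // Replace every occurrence of `from` with `to`, in place.
    void replace(char from, char to) {
        for (char& c : chars)
            if (c == from)
                c = to;
    }
};

// Stand-in for DOM::DOMString. A null string is represented by
// m_impl == nullptr and is an ordinary state (e.g. an attribute that was
// never set), so every member that reads m_impl has to tolerate it.
class DOMString {
public:
    DOMString() : m_impl(nullptr) {}
    explicit DOMString(const std::string& s) : m_impl(new StringImpl{s}) {}
    ~DOMString() { delete m_impl; }
    DOMString(const DOMString&) = delete;
    DOMString& operator=(const DOMString&) = delete;

    bool isNull() const { return m_impl == nullptr; }
    std::string string() const { return m_impl ? m_impl->chars : std::string(); }

    // Buggy form, as described in comment 1: no null check. With m_impl null
    // this reads address 0 plus a small member offset, which is the shape of
    // the EXC_BAD_ACCESS at 0x00000004 in the report.
    void replaceUnchecked(char from, char to) {
        m_impl->replace(from, to);
    }

    // Fixed form: a null string stays null, there is nothing to replace.
    void replace(char from, char to) {
        if (m_impl)
            m_impl->replace(from, to);
    }

private:
    StringImpl* m_impl;
};

// Models the call site in the trace, RenderLineEdit::updateFromElement(),
// which calls replace(QChar, QChar) on the element's value. The mapping
// (newline to space) is an assumption; the value is null when the <input>
// carries no value, so this must work for both states.
std::string lineEditValue(DOMString& value) {
    value.replace('\n', ' ');   // safe for null and non-null strings alike
    return value.string();
}

// Non-null path, using a constructed sample value: characters are rewritten.
std::string replaceOnValue() {
    DOMString s("a\nb\nc");
    return lineEditValue(s);    // "a b c"
}

// Null path: the same call that faulted with the unchecked form returns
// cleanly and leaves the string null.
bool nullStringSurvivesReplace() {
    DOMString n;
    lineEditValue(n);
    return n.isNull();          // true
}

int main() {
    std::cout << replaceOnValue() << '\n';
    std::cout << (nullStringSurvivesReplace() ? "null string survived" : "bug") << '\n';
    // Calling replaceUnchecked() on a default-constructed DOMString here
    // would reproduce the null dereference.
    return 0;
}
```

The check belongs in the handle, not at each call site: `RenderLineEdit::updateFromElement()` is only one of the callers that can hand `replace()` a null string, and the other `DOMString` members already follow the `if (m_impl)` convention.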
mitz
Comment 2 2005-12-24 15:27:43 PST
Created attachment 5275 [details] Add missing null check
Eric Seidel (no email)
Comment 3 2005-12-24 16:07:13 PST
Comment on attachment 5275 [details] Add missing null check

Once again, mitz cleaning up my mess. Thanks mitz. r=me.
mitz
Comment 4 2005-12-24 22:38:58 PST
Eric committed the fix.
Joost de Valk (AlthA)
Comment 5 2006-01-22 04:56:14 PST
Removing keyword(s) since bug is fixed.
Joost de Valk (AlthA)
Comment 6 2006-01-22 05:00:28 PST
Removing keyword(s) since bug is fixed.
Eric Seidel (no email)
Comment 7 2006-01-31 21:20:39 PST
Removing Regression keyword from bugs already fixed.