Bug 77218

Summary: NULL ptr in WebCore::Range::getBorderAndTextQuads
Product: WebKit
Reporter: Berend-Jan Wever <skylined>
Component: DOM
Assignee: Ryosuke Niwa <rniwa>
Status: RESOLVED FIXED
Severity: Normal
CC: adamk, darin, eric, kling, koivisto, rniwa, webkit.review.bot
Priority: P1
Version: 528+ (Nightly build)
Hardware: PC
OS: Windows Vista
Attachments: Fixes the crash (flags: none)

Berend-Jan Wever
Reported 2012-01-27 07:18:11 PST
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=15992978
Uploader: skylined@chromium.org
Crash Type: UNKNOWN
Crash Address: 0x000000000024
Crash State:
  - crash stack -
  WebCore::Range::getBorderAndTextQuads
  WebCore::Range::boundingRect
  WebCore::Range::getBoundingClientRect
Regressed: https://cluster-fuzz.appspot.com/revisions?range=108839:108881
Minimized Testcase (1.41 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94sYtyY7GIxx6IaywhcjimvW1hTKDKblRUvsoU_E-sx8mxItU3CF_jlHEjEXOcSHtmTFe8pDGTsyjWWbllly3tEyYJmA9eIInB-90Z3cIcfU8oY935-hLScNr7EbUCRsFBWHrp6QmbtpR9NJgNeo1SvnfJnXw
Attachments
Fixes the crash (4.17 KB, patch): 2012-04-30 14:33 PDT, Ryosuke Niwa, no flags
Ryosuke Niwa
Comment 1 2012-04-30 14:01:39 PDT
Simplified reduction:

    <!DOCTYPE html>
    <html xmlns="http://www.w3.org/1999/xhtml">
    <style></style>
    <script>
    <![CDATA[
    window.onload = function () {
        // Select the whole document so the selection's range covers the <input/>.
        document.execCommand("SelectAll", false);
        var range = null;
        // Mutation-event listener fires while extractContents() is detaching nodes
        // and captures the selection's Range mid-removal.
        document.addEventListener("DOMNodeRemovedFromDocument", function () {
            range = getSelection().getRangeAt(0);
        }, true);
        getSelection().getRangeAt(0).extractContents();
        // Layout query on the captured Range: this is the call that reached the
        // NULL dereference in Range::getBorderAndTextQuads (see crash stack).
        range.getBoundingClientRect();
    }
    ]]>
    </script>
    <input/>
    </html>
Ryosuke Niwa
Comment 2 2012-04-30 14:33:21 PDT
Created attachment 139520 [details]: Fixes the crash
Eric Seidel (no email)
Comment 3 2012-04-30 15:11:37 PDT
Comment on attachment 139520 [details] (Fixes the crash):
Seems totally reasonable.
WebKit Review Bot
Comment 4 2012-04-30 15:51:00 PDT
Comment on attachment 139520 [details] (Fixes the crash):
Clearing flags on attachment: 139520
Committed r115686: <http://trac.webkit.org/changeset/115686>
WebKit Review Bot
Comment 5 2012-04-30 15:51:05 PDT
All reviewed patches have been landed. Closing bug.