Bug 113837 - DOM Range null dereference when detached in a mutation observer
Summary: DOM Range null dereference when detached in a mutation observer
Status: RESOLVED CONFIGURATION CHANGED
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P1 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-04-02 17:09 PDT by Cyril CATTIAUX
Modified: 2024-03-15 05:48 PDT (History)
4 users (show)

See Also:

Attachments
test case (555 bytes, text/html)
2013-04-02 17:09 PDT, Cyril CATTIAUX 		no flags Details
OSX Crash Report (57.66 KB, text/plain)
2013-04-02 17:13 PDT, Cyril CATTIAUX 		no flags Details
test case 2 (506 bytes, text/html)
2013-04-02 17:24 PDT, Cyril CATTIAUX 		no flags Details
OSX Crash Report 2 (55.49 KB, text/plain)
2013-04-02 17:26 PDT, Cyril CATTIAUX 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Cyril CATTIAUX 2013-04-02 17:09:07 PDT 
Registering a DOMSubtreeModified on a node, creating a range selecting its text node, then triggering the event and detaching the Range into it will produce a NULL dereference.

(test case attached)

Exception (Safari 6.0.2 on OS X 10.8.2) :










WebKit nightly is also affected.
Comment 1 Cyril CATTIAUX 2013-04-02 17:09:45 PDT 
Created attachment 196256 [details]
test case
Comment 2 Cyril CATTIAUX 2013-04-02 17:13:44 PDT 
Created attachment 196257 [details]
OSX Crash Report
Comment 3 Cyril CATTIAUX 2013-04-02 17:16:11 PDT 
Exception (Safari 6.0.2 on OS X 10.8.2) :

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000000
...
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore                   0x000000010e45cb51 WebCore::checkAcceptChild(WebCore::Node*, WebCore::Node*, int&) + 33
1   com.apple.WebCore                   0x000000010e45cb01 WebCore::Node::checkAddChild(WebCore::Node*, int&) + 33
2   com.apple.WebCore                   0x000000010e518f23 WebCore::ContainerNode::insertBefore(WTF::PassRefPtr<WebCore::Node>, WebCore::Node*, int&, bool) + 163
3   com.apple.WebCore                   0x000000010e697a35 WebCore::Range::insertNode(WTF::PassRefPtr<WebCore::Node>, int&) + 757
4   com.apple.WebCore                   0x000000010e6976f2 WebCore::jsRangePrototypeFunctionInsertNode(JSC::ExecState*) + 162
5   ???                                 0x000034147c401265 0 + 57262588564069
...
Comment 4 Cyril CATTIAUX 2013-04-02 17:24:14 PDT 
Created attachment 196259 [details]
test case 2
Comment 5 Cyril CATTIAUX 2013-04-02 17:26:16 PDT 
Created attachment 196260 [details]
OSX Crash Report 2
Comment 6 Cyril CATTIAUX 2013-04-02 17:28:25 PDT 
Test case 2 will produce another kind of null deref :

Exception (Safari 6.0.2 on OS X 10.8.2) :

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000025
...
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore                   0x000000010ecd1a0a WebCore::Range::insertNode(WTF::PassRefPtr<WebCore::Node>, int&) + 714
1   com.apple.WebCore                   0x000000010ecd16f2 WebCore::jsRangePrototypeFunctionInsertNode(JSC::ExecState*) + 162
2   ???                                 0x000022d2c7201265 0 + 38288679244389
...
Comment 7 Alexey Proskuryakov 2013-04-05 10:49:20 PDT 
> Test case 2 will produce another kind of null deref :

Ideally, different issues should be tracked in separate bugs. Keeping them together adds a lot of confusion (such as confusion when discussing issues, or closing a bug when only one of the issues was fixed).
Comment 8 Anne van Kesteren 2024-03-15 05:48:53 PDT 
Both tests appear to work fine today.