RESOLVED FIXED 118847
Crash in WebCore::createMarkup()
https://bugs.webkit.org/show_bug.cgi?id=118847
Summary Crash in WebCore::createMarkup()
Antoine Quint
Reported 2013-07-18 06:07:51 PDT
We're getting reports of a crash in WebCore::createMarkup(). This is due to code introduced in http://trac.webkit.org/changeset/144995 Index: Source/WebCore/editing/markup.cpp =================================================================== --- Source/WebCore/editing/markup.cpp (revision 144994) +++ Source/WebCore/editing/markup.cpp (revision 144995) ... @@ -522,7 +523,7 @@ Node* checkAncestor = specialCommonAncestor ? specialCommonAncestor : commonAncestor; if (checkAncestor->renderer()) { - Node* newSpecialCommonAncestor = highestEnclosingNodeOfType(firstPositionInNode(checkAncestor), &isElementPresentational); + Node* newSpecialCommonAncestor = highestEnclosingNodeOfType(firstPositionInNode(checkAncestor), &isElementPresentational, CanCrossEditingBoundary, checkAncestor->renderer()->containingBlock()->node()); if (newSpecialCommonAncestor) specialCommonAncestor = newSpecialCommonAncestor; } The containingBlock() call in the last argument of the new method signature can potentially be null and thus calling node() on it may result in a crash.
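Review bot: the new fourth argument in the hunk, `checkAncestor->renderer()->containingBlock()->node()`, dereferences the return value of containingBlock() without a null check, which is exactly the crash the report describes; the surrounding code only guards `checkAncestor->renderer()`, not the containing block it yields. Hold the containing block in a local and guard it before calling node(), e.g. `RenderBlock* containingBlock = checkAncestor->renderer()->containingBlock();` then `Node* stayWithin = containingBlock ? containingBlock->node() : 0;` and pass `stayWithin` as the last argument, so a missing containing block falls back to the previous unbounded behaviour instead of crashing.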
Attachments
Patch (1.59 KB, patch)
2013-07-18 06:10 PDT, Antoine Quint
no flags
Patch (1.63 KB, patch)
2013-07-18 06:21 PDT, Antoine Quint
rniwa: review+
buildbot: commit-queue-
Archive of layout-test-results from webkit-ews-01 for mac-mountainlion (965.02 KB, application/zip)
2013-07-18 08:11 PDT, Build Bot
no flags
Radar WebKit Bug Importer
Comment 1 2013-07-18 06:08:06 PDT
Antoine Quint
Comment 2 2013-07-18 06:10:14 PDT
Antoine Quint
Comment 3 2013-07-18 06:21:23 PDT
Build Bot
Comment 4 2013-07-18 08:11:34 PDT
Comment on attachment 206986 [details]
Patch

Attachment 206986 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.appspot.com/results/1106584

New failing tests:
media/video-zoom.html
Build Bot
Comment 5 2013-07-18 08:11:36 PDT
Created attachment 206991 [details]
Archive of layout-test-results from webkit-ews-01 for mac-mountainlion

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: webkit-ews-01  Port: mac-mountainlion  Platform: Mac OS X 10.8.3
Antoine Quint
Comment 6 2013-07-18 09:14:16 PDT
I don't think the crash failure in this media test is related to this patch.
Sam Weinig
Comment 7 2013-07-18 10:39:53 PDT
Can we add a new test case for this?
Ryosuke Niwa
Comment 8 2013-07-18 11:19:35 PDT
Comment on attachment 206986 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=206986&action=review

I can't come up with a test case for this.

> Source/WebCore/ChangeLog:9
> +        Reviewed by NOBODY (OOPS!).

This line should appear before the long description but after the bug URL.
Antoine Quint
Comment 9 2013-07-18 11:53:31 PDT
(In reply to comment #8)
> (From update of attachment 206986 [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=206986&action=review
>
> I can't come up with a test case for this.

Yeah, me neither (should have put that upfront in the comments).

> > Source/WebCore/ChangeLog:9
> > +        Reviewed by NOBODY (OOPS!).
>
> This line should appear before the long description but after the bug URL.

Will clean up as I land.
Antoine Quint
Comment 10 2013-07-18 11:57:59 PDT