26076 – Custom highlighting (via -webkit-highlight) can crash

Bug 26076 - Custom highlighting (via -webkit-highlight) can crash

Summary: Custom highlighting (via -webkit-highlight) can crash

Status:	RESOLVED CONFIGURATION CHANGED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	WebKit API (show other bugs)
Version:	528+ (Nightly build)
Hardware:	Mac OS X 10.5

Importance:	P2 Major
Assignee:	Nobody

URL:
Keywords:	Regression

Depends on:
Blocks:

Reported:	2009-05-29 03:08 PDT by Kai Brüning
Modified:	2017-06-16 22:32 PDT (History)
CC List:	1 user (show)

See Also:	128456

Attachments
Test case - crashes on loading (475 bytes, application/xhtml+xml) 2009-05-29 03:09 PDT, Kai Brüning	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Kai Brüning 2009-05-29 03:08:34 PDT

The functions WebChromeClient::customHighlightRect() and WebChromeClient::paintCustomHighlight() get passed a node. With Changeset 40871 (committed 2009-02-11), the passed node can be 0, which results in a crash.

I include a test case which crashes when opening.

Comment 1 Kai Brüning 2009-05-29 03:09:28 PDT

Created attachment 30771 [details]
Test case - crashes on loading

Comment 2 Kai Brüning 2009-05-29 03:16:37 PDT

I forgot to mention that the problem is triggered by having generated content in the document (via h1:empty:before {content:"some text";} in this case).

I do not know whether this is the only way to trigger the problem, though.

Comment 3 mitz 2017-06-16 22:32:22 PDT

paintCustomHighlight and the SPI that relied on it have been removed via bug 128456.