Bug 32424 - WebCore::ReplaceSelectionCommand::doApply ReadAV@NULL (15d09a1a5a07b619154c5a2a36579bfd)
Summary: WebCore::ReplaceSelectionCommand::doApply ReadAV@NULL (15d09a1a5a07b619154c5a...
Status: RESOLVED DUPLICATE of bug 32823
Alias: None
Product: WebKit
Classification: Unclassified
Component: HTML Editing (show other bugs)
Version: 528+ (Nightly build)
Hardware: PC Windows Vista
: P1 Normal
Assignee: Nobody
URL: http://skypher.com/SkyLined/Repro/Web...
Keywords:
Depends on:
Blocks:
 
Reported: 2009-12-11 04:43 PST by Berend-Jan Wever
Modified: 2009-12-31 02:32 PST (History)
2 users (show)

See Also:

Attachments
Repro (427 bytes, text/html)
2009-12-11 04:43 PST, Berend-Jan Wever 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Berend-Jan Wever 2009-12-11 04:43:34 PST 
Created attachment 44671 [details]
Repro

Id:          WebCore::ReplaceSelectionCommand::doApply ReadAV@NULL (15d09a1a5a07b619154c5a2a36579bfd)
Description: Attempt to read from NULL pointer (+0x25) in WebCore::ReplaceSelectionCommand::doApply
Stack:
  WebCore::ReplaceSelectionCommand::doApply
  WebCore::EditCommand::apply
  WebCore::applyCommand
  WebCore::executeInsertFragment
  WebCore::executeInsertHTML
  WebCore::Editor::Command::execute
  WebCore::Document::execCommand
  WebCore::DocumentInternal::execCommandCallback
  v8::internal::Builtin_HandleApiCall
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::Script::Run
  WebCore::V8Proxy::runScript
  WebCore::V8Proxy::evaluate
  WebCore::ScriptController::evaluate
  WebCore::ScriptController::executeScript
  WebCore::ScriptController::executeScript
  WebCore::ScriptController::executeIfJavaScriptURL
  WebCore::FrameLoader::changeLocation
  WebCore::RedirectScheduler::timerFired
  WebCore::Timer<...>::fired
  WebCore::ThreadTimers::sharedTimerFiredInternal
  MessageLoop::RunTask
  MessageLoop::DoWork
  base::MessagePumpDefault::Run
  MessageLoop::RunInternal
  MessageLoop::Run
  RendererMain
  ChromeMain

Repro:
<BODY onload=go()></BODY>
<SCRIPT>
  function go() {
    document.execCommand("selectall",false,6);
    document.designMode="on";
    document.execCommand("Cut",false,2);
    document.execCommand("inserthorizontalrule","");
    document.execCommand("Delete",false, "");
    document.designMode="";
    document.execCommand("Undo","");
    document.designMode="on";
    document.execCommand("InsertHTML",false,"");
  }
</SCRIPT>
Comment 1 Berend-Jan Wever 2009-12-11 04:44:39 PST 
Online repro
Comment 2 Berend-Jan Wever 2009-12-31 02:32:09 PST 
Mike Moretti claims there is a problem with "Undo" after "designmode off".
https://bugs.webkit.org/show_bug.cgi?id=32822
I am assuming this is a variation of that problem.

*** This bug has been marked as a duplicate of bug 32823 ***