Bug 42020 - Crash beneath setSelection() during detach()
Summary: Crash beneath setSelection() during detach()
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering (show other bugs)
Version: 528+ (Nightly build)
Hardware: All
OS: All
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2010-07-09 22:06 PDT by mitz
Modified: 2010-07-16 14:02 PDT (History)
CC List: 0 users

See Also:


Attachments
Avoid calls to localToAbsolute() from clearSelection() (2.78 KB, patch)
2010-07-09 22:16 PDT, mitz
simon.fraser: review+

Description mitz 2010-07-09 22:06:53 PDT
<rdar://problem/7527532>

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000000

0   com.apple.WebCore             	0x00007fff82fc4e1b WebCore::RenderBox::availableHeightUsing(WebCore::Length const&) const + 507
1   com.apple.WebCore             	0x00007fff82fc4c0f WebCore::RenderBox::availableHeight() const + 31
2   com.apple.WebCore             	0x00007fff82fc4c0f WebCore::RenderBox::availableHeight() const + 31
3   com.apple.WebCore             	0x00007fff82fc4b41 WebCore::RenderBoxModelObject::relativePositionOffsetY() const + 129
4   com.apple.WebCore             	0x00007fff82f47b05 WebCore::RenderBox::offsetFromContainer(WebCore::RenderObject*, WebCore::IntPoint const&) const + 261
5   com.apple.WebCore             	0x00007fff82fc6643 WebCore::RenderBox::mapLocalToContainer(WebCore::RenderBoxModelObject*, bool, bool, WebCore::TransformState&) const + 275
6   com.apple.WebCore             	0x00007fff82fc67c8 WebCore::RenderBox::mapLocalToContainer(WebCore::RenderBoxModelObject*, bool, bool, WebCore::TransformState&) const + 664
7   com.apple.WebCore             	0x00007fff82fc67c8 WebCore::RenderBox::mapLocalToContainer(WebCore::RenderBoxModelObject*, bool, bool, WebCore::TransformState&) const + 664
8   com.apple.WebCore             	0x00007fff82fc67c8 WebCore::RenderBox::mapLocalToContainer(WebCore::RenderBoxModelObject*, bool, bool, WebCore::TransformState&) const + 664
9   com.apple.WebCore             	0x00007fff83108873 WebCore::RenderBlock::selectionGapRectsForRepaint(WebCore::RenderBoxModelObject*) + 259
10  com.apple.WebCore             	0x00007fff82ed9eb2 WebCore::RenderView::setSelection(WebCore::RenderObject*, int, WebCore::RenderObject*, int, WebCore::RenderView::SelectionRepaintMode) + 1298
11  com.apple.WebCore             	0x00007fff82efc470 WebCore::RenderObjectChildList::removeChildNode(WebCore::RenderObject*, WebCore::RenderObject*, bool) + 592
12  com.apple.WebCore             	0x00007fff830d4224 WebCore::RenderBlock::moveAllChildrenTo(WebCore::RenderObject*, WebCore::RenderObjectChildList*) + 68
13  com.apple.WebCore             	0x00007fff82efbe2a WebCore::RenderBlock::removeChild(WebCore::RenderObject*) + 650
14  com.apple.WebCore             	0x00007fff82efba79 WebCore::RenderObject::destroy() + 137
15  com.apple.WebCore             	0x00007fff82efb947 WebCore::RenderBox::destroy() + 71
16  com.apple.WebCore             	0x00007fff82efb6c3 WebCore::Node::detach() + 35
17  com.apple.WebCore             	0x00007fff82efb57b WebCore::Element::detach() + 107
18  com.apple.WebCore             	0x00007fff82fcf1d7 WebCore::ContainerNode::removeChild(WebCore::Node*, int&) + 263
…

Patch forthcoming.
Comment 1 mitz 2010-07-09 22:16:19 PDT
Created attachment 61142
Avoid calls to localToAbsolute() from clearSelection()
Comment 2 mitz 2010-07-16 14:02:19 PDT
Fixed in <http://trac.webkit.org/projects/webkit/changeset/63579>.