Bug 42449 - [Chromium] Crash in Position::getInlineBoxAndOffset (node()->renderer() == NULL)
Summary: [Chromium] Crash in Position::getInlineBoxAndOffset (node()->renderer() == NULL)
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit Misc. (show other bugs)
Version: 528+ (Nightly build)
Hardware: All All
: P1 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-07-16 06:17 PDT by Andrey Kosyakov
Modified: 2010-07-16 07:07 PDT (History)
3 users (show)

See Also:

Attachments
patch (1.41 KB, patch)
2010-07-16 06:34 PDT, Andrey Kosyakov 		no flags Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Andrey Kosyakov 2010-07-16 06:17:02 PDT 
1) Open DevTools (Ctrl+Shift+I)
2) Open Console (Esc)
3) Type "window" and hit enter.
4) Start expanding and collapsing 'DOMWindow' node rapidly

Observe crash:

       chrome.dll!WebCore::RenderObject::isText()  Line 375 + 0x11 bytes       C++
       chrome.dll!WebCore::Position::getInlineBoxAndOffset(WebCore::EAffinity affinity=UPSTREAM, WebCore::TextDirection primaryDirection=LTR, WebCore::InlineBox * & inlineBox=0xcccccccc, int & caretOffset=0)  Line 1014 + 0x8 bytes C++
       chrome.dll!WebCore::Position::getInlineBoxAndOffset(WebCore::EAffinity affinity=UPSTREAM, WebCore::InlineBox * & inlineBox=0xcccccccc, int & caretOffset=0)  Line 950   C++
       chrome.dll!WebCore::Frame::firstRectForRange(WebCore::Range * range=0x0c20d540)  Line 312 + 0x20 bytes  C++
       chrome.dll!WebKit::WebViewImpl::caretOrSelectionBounds()  Line 1249 + 0x15 bytes        C++
       chrome.dll!RenderWidget::UpdateInputMethod()  Line 876 + 0x19 bytes     C++
       chrome.dll!RenderWidget::DoDeferredUpdate()  Line 527   C++
       chrome.dll!RenderWidget::CallDoDeferredUpdate()  Line 427       C++
       chrome.dll!RenderWidget::OnUpdateRectAck()  Line 283    C++
       chrome.dll!IPC::Message::Dispatch<RenderWidget>(const IPC::Message * msg=0x0caade28, RenderWidget * obj=0x07254400, void (void)* func=0x5fde3f50)  Line 134 + 0x1b bytes        C++
       chrome.dll!RenderWidget::OnMessageReceived(const IPC::Message & msg={...})  Line 143 + 0x38 bytes       C++
       chrome.dll!RenderView::OnMessageReceived(const IPC::Message & message={...})  Line 737 + 0xc bytes      C++
       chrome.dll!MessageRouter::RouteMessage(const IPC::Message & msg={...})  Line 40 + 0x13 bytes    C++
       chrome.dll!MessageRouter::OnMessageReceived(const IPC::Message & msg={...})  Line 31 + 0x13 bytes       C++
       chrome.dll!ChildThread::OnMessageReceived(const IPC::Message & msg={...})  Line 146 + 0x17 bytes        C++
       chrome.dll!IPC::ChannelProxy::Context::OnDispatchMessage(const IPC::Message & message={...})  Line 206 + 0x19 bytes     C++
       chrome.dll!DispatchToMethod<IPC::ChannelProxy::Context,void (__thiscall IPC::ChannelProxy::Context::*)(IPC::Message const &),IPC::Message>(IPC::ChannelProxy::Context * obj=0x04236c00, void (const IPC::Message &)* method=0x5fa65cb0, const Tuple1<IPC::Message> & arg={...})  Line 422 + 0xf bytes   C++
       chrome.dll!RunnableMethod<IPC::ChannelProxy::Context,void (__thiscall IPC::ChannelProxy::Context::*)(IPC::Message const &),Tuple1<IPC::Message> 
::Run()  Line 326 + 0x1e bytes  C++
       chrome.dll!MessageLoop::RunTask(Task * task=0x0caade00)  Line 409 + 0xf bytes   C++
       chrome.dll!MessageLoop::DeferOrRunPendingTask(const MessageLoop::PendingTask & pending_task={...})  Line 421    C++

See https://bugs.webkit.org/show_bug.cgi?id=41334 for a similar bug.
Related Chromium bug: http://code.google.com/p/chromium/issues/detail?id=49294
Comment 1 Andrey Kosyakov 2010-07-16 06:34:16 PDT 
Created attachment 61799 [details]
patch
Comment 2 WebKit Commit Bot 2010-07-16 07:07:45 PDT 
Comment on attachment 61799 [details]
patch

Clearing flags on attachment: 61799

Committed r63545: <http://trac.webkit.org/changeset/63545>
Comment 3 WebKit Commit Bot 2010-07-16 07:07:50 PDT 
All reviewed patches have been landed.  Closing bug.