WebKit Bugzilla
Bug 42449 - RESOLVED FIXED
[Chromium] Crash in Position::getInlineBoxAndOffset (node()->renderer() == NULL)
https://bugs.webkit.org/show_bug.cgi?id=42449
Reported by Andrey Kosyakov, 2010-07-16 06:17:02 PDT
1) Open DevTools (Ctrl+Shift+I)
2) Open Console (Esc)
3) Type "window" and hit enter.
4) Start expanding and collapsing 'DOMWindow' node rapidly

Observe crash:
chrome.dll!WebCore::RenderObject::isText() Line 375 + 0x11 bytes C++
chrome.dll!WebCore::Position::getInlineBoxAndOffset(WebCore::EAffinity affinity=UPSTREAM, WebCore::TextDirection primaryDirection=LTR, WebCore::InlineBox * & inlineBox=0xcccccccc, int & caretOffset=0) Line 1014 + 0x8 bytes C++
chrome.dll!WebCore::Position::getInlineBoxAndOffset(WebCore::EAffinity affinity=UPSTREAM, WebCore::InlineBox * & inlineBox=0xcccccccc, int & caretOffset=0) Line 950 C++
chrome.dll!WebCore::Frame::firstRectForRange(WebCore::Range * range=0x0c20d540) Line 312 + 0x20 bytes C++
chrome.dll!WebKit::WebViewImpl::caretOrSelectionBounds() Line 1249 + 0x15 bytes C++
chrome.dll!RenderWidget::UpdateInputMethod() Line 876 + 0x19 bytes C++
chrome.dll!RenderWidget::DoDeferredUpdate() Line 527 C++
chrome.dll!RenderWidget::CallDoDeferredUpdate() Line 427 C++
chrome.dll!RenderWidget::OnUpdateRectAck() Line 283 C++
chrome.dll!IPC::Message::Dispatch<RenderWidget>(const IPC::Message * msg=0x0caade28, RenderWidget * obj=0x07254400, void (void)* func=0x5fde3f50) Line 134 + 0x1b bytes C++
chrome.dll!RenderWidget::OnMessageReceived(const IPC::Message & msg={...}) Line 143 + 0x38 bytes C++
chrome.dll!RenderView::OnMessageReceived(const IPC::Message & message={...}) Line 737 + 0xc bytes C++
chrome.dll!MessageRouter::RouteMessage(const IPC::Message & msg={...}) Line 40 + 0x13 bytes C++
chrome.dll!MessageRouter::OnMessageReceived(const IPC::Message & msg={...}) Line 31 + 0x13 bytes C++
chrome.dll!ChildThread::OnMessageReceived(const IPC::Message & msg={...}) Line 146 + 0x17 bytes C++
chrome.dll!IPC::ChannelProxy::Context::OnDispatchMessage(const IPC::Message & message={...}) Line 206 + 0x19 bytes C++
chrome.dll!DispatchToMethod<IPC::ChannelProxy::Context,void (__thiscall IPC::ChannelProxy::Context::*)(IPC::Message const &),IPC::Message>(IPC::ChannelProxy::Context * obj=0x04236c00, void (const IPC::Message &)* method=0x5fa65cb0, const Tuple1<IPC::Message> & arg={...}) Line 422 + 0xf bytes C++
chrome.dll!RunnableMethod<IPC::ChannelProxy::Context,void (__thiscall IPC::ChannelProxy::Context::*)(IPC::Message const &),Tuple1<IPC::Message> >::Run() Line 326 + 0x1e bytes C++
chrome.dll!MessageLoop::RunTask(Task * task=0x0caade00) Line 409 + 0xf bytes C++
chrome.dll!MessageLoop::DeferOrRunPendingTask(const MessageLoop::PendingTask & pending_task={...}) Line 421 C++

See https://bugs.webkit.org/show_bug.cgi?id=41334 for a similar bug.
Related Chromium bug: http://code.google.com/p/chromium/issues/detail?id=49294
Attachments
patch (1.41 KB, patch), 2010-07-16 06:34 PDT, Andrey Kosyakov, no flags
Comment 1, Andrey Kosyakov, 2010-07-16 06:34:16 PDT
Created attachment 61799 [details]: patch
Comment 2, WebKit Commit Bot, 2010-07-16 07:07:45 PDT
Comment on attachment 61799 [details] (patch)
Clearing flags on attachment: 61799
Committed r63545: <http://trac.webkit.org/changeset/63545>
Comment 3, WebKit Commit Bot, 2010-07-16 07:07:50 PDT
All reviewed patches have been landed. Closing bug.