Bug 44175 - WebCore::ReplacementFragment::removeInterchangeNodes ReadAV@NULL
Summary: WebCore::ReplacementFragment::removeInterchangeNodes ReadAV@NULL
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM (show other bugs)
Version: 528+ (Nightly build)
Hardware: PC Windows Vista
: P1 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-08-18 07:22 PDT by Berend-Jan Wever
Modified: 2010-08-18 08:41 PDT (History)
1 user (show)

See Also:


Attachments
Repro (626 bytes, text/html)
2010-08-18 07:22 PDT, Berend-Jan Wever
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Berend-Jan Wever 2010-08-18 07:22:20 PDT
Created attachment 64706 [details]
Repro

The following repro triggers a NULL pointer crash in latest Chromium:
<html>
  <head>
    <script>
      function go() {
        selection = getSelection();
        range = document.createRange();
        document.writeln('<x>');
        selection.collapse(document, 1);
        old_body = document.body;
        document.write('<textArea>FindAndReplaceMe LeaveMe');
        document.close();
        document.write('');
        document.designMode = "on";
        range.insertNode(old_body);
        document.execCommand("FindString", false, 'FindAndReplaceMe');
        document.execCommand("InsertHTML", false, 'Anything');
      }
    </script>
  </head>
  <body onload="go()"></body>
</html>

id:             WebCore::ReplacementFragment::removeInterchangeNodes ReadAV@NULL (1cd504e3a7be175da8c6cd72911ea6e0)
description:    Attempt to read from NULL pointer (+0x24) in WebCore::ReplacementFragment::removeInterchangeNodes
stack:          WebCore::ReplacementFragment::removeInterchangeNodes
                WebCore::ReplacementFragment::ReplacementFragment
                WebCore::ReplaceSelectionCommand::doApply
                WebCore::EditCommand::apply
                WebCore::applyCommand
                WebCore::executeInsertFragment
                WebCore::executeInsertHTML
                WebCore::Editor::Command::execute
                WebCore::Document::execCommand
                WebCore::DocumentInternal::execCommandCallback
                v8::internal::HandleApiCallHelper<...>
                v8::internal::Builtin_HandleApiCall
                v8::internal::Invoke
                v8::internal::Execution::Call
                ...
Comment 1 Eric Seidel (no email) 2010-08-18 08:41:29 PDT
This is very similar, if not identical to bug 44176.

I wonder if either of these reproduce with the old parser, or if these are related to the DocumentParser re-rewrite.

Thank you for the reports!