Bug 44175 - WebCore::ReplacementFragment::removeInterchangeNodes ReadAV@NULL
Summary: WebCore::ReplacementFragment::removeInterchangeNodes ReadAV@NULL
Status: RESOLVED CONFIGURATION CHANGED
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM (show other bugs)
Version: 528+ (Nightly build)
Hardware: PC Windows Vista
: P1 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-08-18 07:22 PDT by Berend-Jan Wever
Modified: 2023-12-30 02:12 PST (History)
2 users (show)

See Also:

Attachments
Repro (626 bytes, text/html)
2010-08-18 07:22 PDT, Berend-Jan Wever 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Berend-Jan Wever 2010-08-18 07:22:20 PDT 
Created attachment 64706 [details]
Repro

The following repro triggers a NULL pointer crash in latest Chromium:
<html>
  <head>
    <script>
      function go() {
        selection = getSelection();
        range = document.createRange();
        document.writeln('<x>');
        selection.collapse(document, 1);
        old_body = document.body;
        document.write('<textArea>FindAndReplaceMe LeaveMe');
        document.close();
        document.write('');
        document.designMode = "on";
        range.insertNode(old_body);
        document.execCommand("FindString", false, 'FindAndReplaceMe');
        document.execCommand("InsertHTML", false, 'Anything');
      }
    </script>
  </head>
  <body onload="go()"></body>
</html>

id:             WebCore::ReplacementFragment::removeInterchangeNodes ReadAV@NULL (1cd504e3a7be175da8c6cd72911ea6e0)
description:    Attempt to read from NULL pointer (+0x24) in WebCore::ReplacementFragment::removeInterchangeNodes
stack:          WebCore::ReplacementFragment::removeInterchangeNodes
                WebCore::ReplacementFragment::ReplacementFragment
                WebCore::ReplaceSelectionCommand::doApply
                WebCore::EditCommand::apply
                WebCore::applyCommand
                WebCore::executeInsertFragment
                WebCore::executeInsertHTML
                WebCore::Editor::Command::execute
                WebCore::Document::execCommand
                WebCore::DocumentInternal::execCommandCallback
                v8::internal::HandleApiCallHelper<...>
                v8::internal::Builtin_HandleApiCall
                v8::internal::Invoke
                v8::internal::Execution::Call
                ...
Comment 1 Eric Seidel (no email) 2010-08-18 08:41:29 PDT 
This is very similar, if not identical to bug 44176.

I wonder if either of these reproduce with the old parser, or if these are related to the DocumentParser re-rewrite.

Thank you for the reports!
Comment 2 Anne van Kesteren 2023-12-30 02:12:32 PST 
No crash in WebKit and it's a very old report.