RESOLVED FIXED47888
chrome.dll!WebCore::Node::shadowAncestorNode ReadAV@NULL (98643190851b5662363449cc7303d8a5) 
https://bugs.webkit.org/show_bug.cgi?id=47888
Summary chrome.dll!WebCore::Node::shadowAncestorNode ReadAV@NULL (98643190851b5662363...
Berend-Jan Wever
Reported 2010-10-19 01:00:27 PDT
Repro: <html><head><script> function go() { document.execCommand("SelectAll", false, "ur"); document.designMode = "on"; document.execCommand("InsertOrderedList", false, "-.8"); document.execCommand("insertparagraph", false, "04"); document.execCommand("InsertImage", false, "///("); document.execCommand("SelectAll", false, "ur"); document.execCommand("strikethrough", false, null); } </script></head><body onload="go()"></body></html> stack: chrome.dll!WebCore::Node::shadowAncestorNode chrome.dll!WebCore::comparePositions chrome.dll!WebCore::isNodeVisiblyContainedWithin chrome.dll!WebCore::ApplyStyleCommand::fixRangeAndApplyInlineStyle chrome.dll!(unknown) chrome.dll!WebCore::ApplyStyleCommand::doApply chrome.dll!WebCore::EditCommand::apply chrome.dll!WebCore::applyCommand chrome.dll!WebCore::Editor::applyStyle chrome.dll!WebCore::executeToggleStyleInList chrome.dll!WebCore::executeStrikethrough chrome.dll!WebCore::Editor::Command::execute chrome.dll!WebCore::Document::execCommand chrome.dll!WebCore::DocumentInternal::execCommandCallback ...
Attachments
fixes the bug (4.43 KB, patch)
2010-10-28 15:17 PDT, Ryosuke Niwa 		tony: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Ryosuke Niwa
Comment 1 2010-10-28 15:17:11 PDT
Created attachment 72242 [details] fixes the bug
Tony Chang
Comment 2 2010-10-28 15:33:07 PDT
Comment on attachment 72242 [details] fixes the bug View in context: https://bugs.webkit.org/attachment.cgi?id=72242&action=review > LayoutTests/editing/style/fix-range-from-root-editable-crash.html:7 > + layoutTestController.waitUntilDone(); Does the crash trigger if you don't have the waitUntilDone? I think DRT makes sure that onload runs. > LayoutTests/editing/style/fix-range-from-root-editable-crash.html:18 > + document.execCommand("SelectAll", false, "ur"); > + document.designMode = "on"; > + document.execCommand("InsertOrderedList", false, "-.8"); > + document.execCommand("insertparagraph", false, "04"); > + document.execCommand("InsertImage", false, "///("); > + document.execCommand("SelectAll", false, "ur"); > + document.execCommand("strikethrough", false, null); > + document.body.innerHTML = 'This tests ApplyStyleCommand::fixRangeAndApplyInlineStyle does not crash when startNode is body.<br>PASS'; Are all these calls necessary?
Ryosuke Niwa
Comment 3 2010-10-28 16:02:05 PDT
(In reply to comment #2) > (From update of attachment 72242 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=72242&action=review > > > LayoutTests/editing/style/fix-range-from-root-editable-crash.html:7 > > + layoutTestController.waitUntilDone(); > > Does the crash trigger if you don't have the waitUntilDone? I think DRT makes sure that onload runs. The test becomes flaky last time I tried. > > LayoutTests/editing/style/fix-range-from-root-editable-crash.html:18 > > + document.execCommand("SelectAll", false, "ur"); > > + document.designMode = "on"; > > + document.execCommand("InsertOrderedList", false, "-.8"); > > + document.execCommand("insertparagraph", false, "04"); > > + document.execCommand("InsertImage", false, "///("); > > + document.execCommand("SelectAll", false, "ur"); > > + document.execCommand("strikethrough", false, null); > > + document.body.innerHTML = 'This tests ApplyStyleCommand::fixRangeAndApplyInlineStyle does not crash when startNode is body.<br>PASS'; > > Are all these calls necessary? Yes. But everything before the second SelectAll doesn't need to be done in script. So it'll simplify it to: function go() { document.designMode = "on"; document.execCommand("SelectAll", false, "ur"); document.execCommand("strikethrough", false, null); document.body.innerHTML = 'This tests ApplyStyleCommand::fixRangeAndApplyInlineStyle does not crash when startNode is body.<br>PASS'; layoutTestController.notifyDone(); } </script> </head> <body onload="go()"><div><img></div></body>
Ryosuke Niwa
Comment 4 2010-10-28 16:08:03 PDT
Committed r70821: <http://trac.webkit.org/changeset/70821>
Note You need to log in before you can comment on or make changes to this bug.