RESOLVED WONTFIX
49315
chrome.dll!WebCore::ApplyStyleCommand::surroundNodeRangeWithElement ReadAV@NULL (d21e8ab8aa42253ec7e46b595e4cf4fd)
https://bugs.webkit.org/show_bug.cgi?id=49315
Berend-Jan Wever
Reported
2010-11-10 03:49:35 PST
Created attachment 73482: Repro for crash 1

Repro:

<html>
<head>
<script>
function go() {
  document.designMode= "on";
  document.execCommand("selectall", false, "eory");
  document.execCommand("italic", false);
  document.execCommand("InsertOrderedList", false, "Tue");
  document.execCommand("inserthorizontalrule", false, "966BF0");
  document.execCommand("InsertOrderedList", false, true);
  document.execCommand("insertimage", false, NaN);
  document.execCommand("insertorderedlist", false, Infinity);
  document.execCommand("outdent", false, "chroextEEExxWWWWWWWWWWWWWRRRR444444444");
  document.execCommand("createlink", false, true);
  document.execCommand("indent", false, "ht//examWWWWWWWWWWWWWWWWWWWWWWWWWW3333333333");
  document.execCommand("InsertNewlineInQuotedContent", false);
  document.execCommand("delete", false, "-0x00003");
  document.execCommand("InsertParagraph", false);
  document.execCommand("outdent", false, "ps:xample.com");
  document.execCommand("outdent", false, "ps:xample.com");
  location.reload();
}
</script>
</head>
<body onload="go()">
<pre style="white-space: pre-wrap;">x</pre>
</body>
</html>

id: chrome.dll!WebCore::ApplyStyleCommand::surroundNodeRangeWithElement ReadAV@NULL (d21e8ab8aa42253ec7e46b595e4cf4fd)
description: Attempt to read from unallocated NULL pointer+0x1C in chrome.dll!WebCore::ApplyStyleCommand::surroundNodeRangeWithElement
application: Chromium 9.0.571.0
stack:
  chrome.dll!WebCore::ApplyStyleCommand::surroundNodeRangeWithElement
  chrome.dll!WebCore::ApplyStyleCommand::addInlineStyleIfNeeded
  chrome.dll!WebCore::ApplyStyleCommand::applyInlineStyleToNodeRange
  chrome.dll!WebCore::ApplyStyleCommand::fixRangeAndApplyInlineStyle
  chrome.dll!WebCore::ApplyStyleCommand::applyInlineStyle
  chrome.dll!WebCore::ApplyStyleCommand::doApply
  chrome.dll!WebCore::EditCommand::apply
  chrome.dll!WebCore::CompositeEditCommand::applyCommandToComposite
  chrome.dll!WebCore::CompositeEditCommand::applyStyle
  chrome.dll!WebCore::CompositeEditCommand::moveParagraphs
  chrome.dll!WebCore::InsertListCommand::unlistifyParagraph
  chrome.dll!WebCore::InsertListCommand::doApplyForSingleParagraph
  chrome.dll!WebCore::InsertListCommand::doApply
  chrome.dll!WebCore::EditCommand::apply
  chrome.dll!WebCore::CompositeEditCommand::applyCommandToComposite
  chrome.dll!WebCore::IndentOutdentCommand::outdentParagraph
  chrome.dll!WebCore::IndentOutdentCommand::outdentRegion
  chrome.dll!WebCore::ApplyBlockElementCommand::doApply
  chrome.dll!WebCore::EditCommand::apply
  chrome.dll!WebCore::applyCommand
  chrome.dll!WebCore::executeOutdent
  chrome.dll!WebCore::Editor::Command::execute
  chrome.dll!WebCore::Document::execCommand
  chrome.dll!WebCore::DocumentInternal::execCommandCallback
  chrome.dll!v8::internal::HandleApiCallHelper<...>
  chrome.dll!v8::internal::Builtin_HandleApiCall
  chrome.dll!v8::internal::Invoke
  chrome.dll!v8::internal::Execution::Call
  ...

A variation of this can be triggered by changing the <body> in the repro to:

<body onload="go()" style="white-space: pre-wrap;">
x
</body>

That crash is:

id: chrome.dll!WebCore::RangeBoundaryPoint::toPosition ReadAV@NULL (cf0d0f28bc56f2591cc74f71b46036ea)
description: Attempt to read from unallocated NULL pointer+0xC in chrome.dll!WebCore::RangeBoundaryPoint::toPosition
application: Chromium 9.0.571.0
stack:
  chrome.dll!WebCore::RangeBoundaryPoint::toPosition
  chrome.dll!WebCore::InsertListCommand::doApply
  chrome.dll!WebCore::EditCommand::apply
  chrome.dll!WebCore::applyCommand
  chrome.dll!WebCore::executeInsertOrderedList
  chrome.dll!WebCore::Editor::Command::execute
  chrome.dll!WebCore::Document::execCommand
  chrome.dll!WebCore::DocumentInternal::execCommandCallback
  chrome.dll!v8::internal::HandleApiCallHelper<...>
  chrome.dll!v8::internal::Builtin_HandleApiCall
  chrome.dll!v8::internal::Invoke
  chrome.dll!v8::internal::Execution::Call
  ...
Attachments
Attachment 73482: Repro for crash 1 (1.19 KB, text/html), 2010-11-10 03:49 PST, Berend-Jan Wever, no flags
Attachment 73483: Repro for crash 2 (infinite loop) (1.18 KB, text/html), 2010-11-10 03:52 PST, Berend-Jan Wever, no flags
Attachment 73511: reduction (1.71 KB, text/html), 2010-11-10 11:01 PST, Ryosuke Niwa, no flags
Berend-Jan Wever
Comment 1
2010-11-10 03:52:52 PST
Created attachment 73483: Repro for crash 2 (infinite loop)
Eric Seidel (no email)
Comment 2
2010-11-10 09:28:09 PST
Thanks SkyLined.
Ryosuke Niwa
Comment 3
2010-11-10 11:01:27 PST
Created attachment 73511: reduction
Ryosuke Niwa
Comment 4
2010-11-10 13:42:49 PST
This bug is really hard to fix.
Ryosuke Niwa
Comment 5
2010-11-10 13:51:08 PST
Making the following change in unlistifyParagraph will fix my reduction: - VisiblePosition insertionPoint = VisiblePosition(Position(placeholder.get(), 0)); + VisiblePosition insertionPoint = VisiblePosition(positionAfterNode(placeholder.get())); + + // insertPoint has collapsed; i.e. it's the end of line perhaps because li & ol had display: inline + if (endOfParagraph(insertionPoint) == endOfParagraph(end)) { + placeholder = createBreakElement(document()); + insertNodeAfter(placeholder, nodeToInsert); + insertionPoint = VisiblePosition(Position(placeholder.get(), 0)); + ASSERT(endOfParagraph(insertionPoint) != endOfParagraph(end)); + } + However, reproduction 2 (infinite loop case) still crashes and fixing this second crash requires overhaul of many editing functions.
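Review bot: the fallback branch added to unlistifyParagraph relies on ASSERT(endOfParagraph(insertionPoint) != endOfParagraph(end)) to guarantee the new <br> placeholder un-collapsed the insertion point, but ASSERT compiles out of release builds, so if the second placeholder also collapses, release code continues with the same collapsed position that produced the original null read; a runtime check that bails out of the command (instead of, or in addition to, the ASSERT) would be safer. Minor: the comment says "insertPoint" while the variable is "insertionPoint", and since the text states that reproduction 2 still crashes, the change should be documented as a partial fix for the first crash only.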
Berend-Jan Wever
Comment 6
2011-05-30 05:42:11 PDT
Ryosuke, does this mean it'll cost too much time to fix at the moment?
Ryosuke Niwa
Comment 7
2011-06-02 16:38:04 PDT
(In reply to comment #6)
> Ryosuke, does this mean it'll cost too much time to fix at the moment?
Yeah, I really appreciate your help for filing these bugs but I don't think fixing these crashes is helpful at the moment because the design is inherently fragile. We have to re-design IndentOutdentCommand and InsertListCommand rather than cherry-picking these crashes.
Berend-Jan Wever
Comment 8
2011-06-03 05:30:49 PDT
In that case, should we merge these into a meta bug?
Anne van Kesteren
Comment 9
2023-12-30 02:46:33 PST
Chromium-specific.