Bug 49541 - visibility:collapse WebCore::ReplaceSelectionCommand::doApply NULL ptr
Summary: visibility:collapse WebCore::ReplaceSelectionCommand::doApply NULL ptr
Status: RESOLVED CONFIGURATION CHANGED
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM
Version: 528+ (Nightly build)
Hardware: PC Windows Vista
Importance: P1 Normal
Assignee: Nobody
URL: http://code.google.com/p/chromium/iss...
Keywords:
Depends on:
Blocks:
 
Reported: 2010-11-15 07:11 PST by Berend-Jan Wever
Modified: 2022-08-12 10:03 PDT
CC List: 5 users

See Also:


Attachments
Repro (236 bytes, text/html), 2010-11-15 07:11 PST, Berend-Jan Wever, no flags

Description Berend-Jan Wever 2010-11-15 07:11:51 PST
Created attachment 73893
Repro

Repro:
<body><x>
<script type="text/javascript">
  // Make the whole document editable and select everything in it.
  document.designMode="on";
  document.execCommand("selectAll");
  // Collapse every element while the selection is still live...
  document.writeln('<style>* {visibility:collapse}</style>');
  // ...then replace the selection; ReplaceSelectionCommand::doApply reads through NULL.
  document.execCommand("InsertHTML", false, 'x');
</script>
</body>


id:             chrome.dll!WebCore::ReplaceSelectionCommand::doApply ReadAV@NULL (80567d0c1853fec9161cc17f3eeaa01d)
description:    Attempt to read from unallocated NULL pointer+0x24 in chrome.dll!WebCore::ReplaceSelectionCommand::doApply
application:    Chromium 9.0.580.0
stack:          chrome.dll!WebCore::ReplaceSelectionCommand::doApply
                chrome.dll!WebCore::EditCommand::apply
                chrome.dll!WebCore::applyCommand
                chrome.dll!WebCore::executeInsertFragment
                chrome.dll!WebCore::executeInsertHTML
                chrome.dll!WebCore::Editor::Command::execute
                chrome.dll!WebCore::Document::execCommand
                chrome.dll!WebCore::DocumentInternal::execCommandCallback
                chrome.dll!v8::internal::HandleApiCallHelper<...>
                chrome.dll!v8::internal::Builtin_HandleApiCall
                chrome.dll!v8::internal::Invoke
                chrome.dll!v8::internal::Execution::Call
                chrome.dll!v8::Script::Run
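The crash record above is the kind of fuzzer output a triager sees by the hundreds. As an added example (not part of this bug report, and not WebKit or Chromium code), here is a small Python parser for that record format: it extracts the id hash, the faulting frame, the access type and the offset from NULL, then buckets the finding so that null dereferences can be separated from crashes that need a closer look. The field names follow the record above; the `classify` heuristic and its `null_page_bytes` threshold are my assumptions, and the sample input is the record quoted above with a shortened stack.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: the crash record quoted in this bug's description
# (same text, stack shortened to four frames).
SAMPLE_REPORT = """\
id:             chrome.dll!WebCore::ReplaceSelectionCommand::doApply ReadAV@NULL (80567d0c1853fec9161cc17f3eeaa01d)
description:    Attempt to read from unallocated NULL pointer+0x24 in chrome.dll!WebCore::ReplaceSelectionCommand::doApply
application:    Chromium 9.0.580.0
stack:          chrome.dll!WebCore::ReplaceSelectionCommand::doApply
                chrome.dll!WebCore::EditCommand::apply
                chrome.dll!WebCore::applyCommand
                chrome.dll!WebCore::executeInsertFragment
"""

# id line layout assumed from the record: "<module!function> <kind>AV@<where> (<32 hex chars>)"
ID_RE = re.compile(r"^(?P<frame>\S+)\s+(?P<access>\w+AV@\w+)\s+\((?P<hash>[0-9a-f]{32})\)$")
# Offset from NULL as written in the description line: "... NULL pointer+0x24 in ..."
NULL_OFFSET_RE = re.compile(r"NULL pointer\+0x(?P<off>[0-9a-fA-F]+)")


@dataclass
class CrashReport:
    bug_hash: str            # the record's own id hash; a natural dedupe key
    access: str              # e.g. "ReadAV@NULL"
    top_frame: str           # faulting function
    application: str
    null_offset: Optional[int]  # offset from NULL if the description gives one
    stack: List[str] = field(default_factory=list)


def parse_fields(text: str) -> Dict[str, List[str]]:
    """Split 'key:   value' lines; indented lines continue the previous key (the stack)."""
    fields: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            if current is None:
                raise ValueError("continuation line before any key: %r" % raw)
            fields[current].append(raw.strip())
            continue
        key, sep, value = raw.partition(":")  # first colon only; values contain "::"
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        current = key.strip()
        fields[current] = [value.strip()]
    return fields


def parse_report(text: str) -> CrashReport:
    fields = parse_fields(text)
    m = ID_RE.match(fields["id"][0])
    if not m:
        raise ValueError("unrecognised id line: %r" % fields["id"][0])
    desc = " ".join(fields.get("description", []))
    off = NULL_OFFSET_RE.search(desc)
    return CrashReport(
        bug_hash=m.group("hash"),
        access=m.group("access"),
        top_frame=m.group("frame"),
        application=fields.get("application", [""])[0],
        null_offset=int(off.group("off"), 16) if off else None,
        stack=fields.get("stack", []),
    )


def classify(report: CrashReport, null_page_bytes: int = 0x10000) -> str:
    """Coarse triage bucket (heuristic, my assumption).

    A fault at a small offset from NULL is a field access through a null
    pointer: the low page is unmapped, so this is a reliable crash to fix,
    not evidence of memory corruption. Everything else is left for review.
    """
    kind, _, where = report.access.partition("@")
    if where == "NULL" and report.null_offset is not None and report.null_offset < null_page_bytes:
        return "null-deref-read" if kind == "ReadAV" else "null-deref-write"
    return "needs-review"


if __name__ == "__main__":
    r = parse_report(SAMPLE_REPORT)
    print(f"{r.bug_hash[:8]} {classify(r)} at {r.top_frame} (+0x{r.null_offset:x}) in {r.application}")
    for depth, frame in enumerate(r.stack):
        print(f"  #{depth} {frame}")
```

Run as-is it reports the record above as a null-dereference read at `+0x24` in `ReplaceSelectionCommand::doApply`; the hash is kept so repeated findings of the same crash can be collapsed before anyone looks at them.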
Comment 1 Ahmad Saleem 2022-08-12 04:20:14 PDT
I am unable to reproduce any crash with this reproduction in Safari 15.6 on macOS 12.5, but I see the following FIXME in WebKit when I search for "ReplaceSelectionCommand":

Link - https://github.com/WebKit/WebKit/blob/8afe31a018b11741abdf9b4d5bb973d7c1d9ff05/Source/WebCore/editing/MoveSelectionCommand.cpp#L72

I am not sure whether the one above is relevant, but in the one below (which seems more relevant):

https://github.com/WebKit/WebKit/blob/b308d25de831f4b7d9c1d643fd166417ef4a5c5e/Source/WebCore/editing/ReplaceSelectionCommand.cpp#L1107

I don't see any null ptr, only a RefPtr on line 1140.

rniwa@webkit.org - is it "RESOLVED LATER", or can we close this since the crash is not reproducible? Or ignore me if I am totally wrong here. Thanks!
Comment 2 Ryosuke Niwa 2022-08-12 10:03:33 PDT
No longer reproducing -> Config Changed.