Bug 53267 - NULL pointer crash in TextIterator::handleTextBox()
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=53267
Thomas Sepez
Reported 2011-01-27 16:39:43 PST
The following test case triggers a crash (or an assert in the debug version):

<style>
*:nth-child(2):first-letter {float: left;direction: rtl;}
</style>

Error is:

ASSERTION FAILED: i < size()
(../../JavaScriptCore/wtf/Vector.h:534 T& WTF::Vector<T, inlineCapacity>::at(size_t) [with T = WebCore::InlineTextBox*, long unsigned int inlineCapacity = 0ul])
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xbbadbeef
[Switching to process 19707]
0x026790c7 in WTF::Vector<WebCore::InlineTextBox*, 0ul>::at (this=0xb49b7b44, i=0) at Vector.h:534
534	    ASSERT(i < size());
(gdb) where
#0  0x026790c7 in WTF::Vector<WebCore::InlineTextBox*, 0ul>::at (this=0xb49b7b44, i=0) at Vector.h:534
#1  0x0267910c in WTF::Vector<WebCore::InlineTextBox*, 0ul>::operator[] (this=0xb49b7b44, i=0) at Vector.h:543
#2  0x0267514d in WebCore::TextIterator::handleTextBox (this=0xb49b7ad8) at /Volumes/MacintoshHD2/c1/src/third_party/WebKit/WebCore/WebCore.gyp/../editing/TextIterator.cpp:545
#3  0x02675a97 in WebCore::TextIterator::handleTextNode (this=0xb49b7ad8) at /Volumes/MacintoshHD2/c1/src/third_party/WebKit/WebCore/WebCore.gyp/../editing/TextIterator.cpp:526
#4  0x02675c72 in WebCore::TextIterator::advance (this=0xb49b7ad8) at /Volumes/MacintoshHD2/c1/src/third_party/WebKit/WebCore/WebCore.gyp/../editing/TextIterator.cpp:403
#5  0x02676c37 in WebCore::TextIterator::TextIterator (this=0xb49b7ad8, r=0x2ed1cb30, behavior=WebCore::TextIteratorDefaultBehavior) at /Volumes/MacintoshHD2/c1/src/third_party/WebKit/WebCore/WebCore.gyp/../editing/TextIterator.cpp:344
#6  0x01f34394 in WebKit::frameContentAsPlainText (maxChars=65535, frame=0xb863600, output=0xb49b7bb0) at /Volumes/MacintoshHD2/c1/src/third_party/WebKit/WebKit/chromium/src/WebFrameImpl.cpp:204
#7  0x01f346a7 in WebKit::WebFrameImpl::contentAsText (this=0xc0489f0, maxChars=65535) at /Volumes/MacintoshHD2/c1/src/third_party/WebKit/WebKit/chromium/src/WebFrameImpl.cpp:1701

Appears similar to http://trac.webkit.org/changeset/58153; the same fix also needs to be applied a few lines lower where that logic is repeated.
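The access pattern behind the backtrace, as an added example rather than WebKit's own code: a renderer reports reversed text, the sorted-box vector is empty, and the reversed-text branch indexes element 0 anyway. The `Vector`, `Renderer` and `InlineTextBox` types below are stand-ins for WTF::Vector, RenderText and the real box type, and the `atOr()` accessor is the tolerant `at()` the review later suggests, not something WTF provides; WTF's debug assertion is modelled as a thrown exception so the failure can be observed in a test instead of taking the process down.

```cpp
// Added example, not WebKit code. Models TextIterator::handleTextBox()'s
// m_sortedTextBoxes[0] read before and after the empty-vector check.
#include <cstddef>
#include <stdexcept>
#include <vector>

struct InlineTextBox { int start; };

// Stand-in for WTF::Vector. WTF's at() does ASSERT(i < size()); here the
// same condition throws so a test can observe the out-of-bounds access.
template <typename T>
class Vector {
public:
    void append(const T& v) { m_items.push_back(v); }
    size_t size() const { return m_items.size(); }
    bool isEmpty() const { return m_items.empty(); }
    const T& operator[](size_t i) const {
        if (i >= m_items.size())
            throw std::out_of_range("Vector: i < size() failed");
        return m_items[i];
    }
    // Hypothetical accessor (Eric Seidel's suggestion in the review):
    // tolerates an oversized index and returns a caller-supplied default.
    T atOr(size_t i, T fallback) const { return i < m_items.size() ? m_items[i] : fallback; }
private:
    std::vector<T> m_items;
};

// Stand-in for the RenderText side of the API the crash site calls.
struct Renderer {
    bool reversedText;
    Vector<InlineTextBox*> boxes;
    bool containsReversedText() const { return reversedText; }
    InlineTextBox* firstTextBox() const { return boxes.isEmpty() ? nullptr : boxes[0]; }
};

// Before r76987: the reversed-text branch reads sortedTextBoxes[0]
// unconditionally, so an empty vector is an out-of-bounds read.
InlineTextBox* firstTextBoxUnchecked(const Renderer& renderer, const Vector<InlineTextBox*>& sortedTextBoxes) {
    return renderer.containsReversedText() ? sortedTextBoxes[0] : renderer.firstTextBox();
}

// After r76987: an empty vector yields a null box, the same "no boxes"
// signal firstTextBox() already produces on the other branch.
InlineTextBox* firstTextBoxChecked(const Renderer& renderer, const Vector<InlineTextBox*>& sortedTextBoxes) {
    if (renderer.containsReversedText())
        return sortedTextBoxes.atOr(0, nullptr);
    return renderer.firstTextBox();
}

// Constructed failing state: reversed text claimed, no boxes collected.
Renderer emptyReversedRenderer() { return Renderer{true, Vector<InlineTextBox*>{}}; }

// True when the unchecked version faults on the empty case.
bool uncheckedFaultsOnEmpty() {
    Renderer renderer = emptyReversedRenderer();
    Vector<InlineTextBox*> sorted;
    try {
        firstTextBoxUnchecked(renderer, sorted);
    } catch (const std::out_of_range&) {
        return true;
    }
    return false;
}

// True when the checked version returns null for the empty case and the
// first collected box once one exists.
bool checkedHandlesBoth() {
    Renderer renderer = emptyReversedRenderer();
    Vector<InlineTextBox*> sorted;
    if (firstTextBoxChecked(renderer, sorted) != nullptr)
        return false;
    InlineTextBox box{7};
    sorted.append(&box);
    return firstTextBoxChecked(renderer, sorted) == &box;
}

int main() {
    return (uncheckedFaultsOnEmpty() && checkedHandlesBoth()) ? 0 : 1;
}
```

The checked version deliberately returns the same null that `firstTextBox()` returns for a renderer with no boxes, so whatever follows the assignment needs only one "no box" path; the report's note that the same access is repeated a few lines lower means that second site needs the identical guard, not just this one.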
Attachments
Proposed patch to check for empty vector as above. (3.30 KB, patch)
2011-01-27 16:55 PST, Thomas Sepez
no flags
Thomas Sepez
Comment 1 2011-01-27 16:55:57 PST
Created attachment 80378 [details] Proposed patch to check for empty vector as above.
Eric Seidel (no email)
Comment 2 2011-01-28 12:22:30 PST
Comment on attachment 80378 [details]
Proposed patch to check for empty vector as above.

View in context: https://bugs.webkit.org/attachment.cgi?id=80378&action=review

Looks sane.

> Source/WebCore/editing/TextIterator.cpp:546
> + InlineTextBox* firstTextBox = renderer->containsReversedText() ? (m_sortedTextBoxes.isEmpty() ? 0 : m_sortedTextBoxes[0]) : renderer->firstTextBox();

Vector really wants a version of its .at() call which can handle oversized indices and return a default value.
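Review bot: the nested ternary on line 546 buries the new null case; when `m_sortedTextBoxes` is empty the reversed-text branch now assigns a null `firstTextBox`, so the code that follows must handle that null exactly as it already handles `renderer->firstTextBox()` returning null, and the report notes the same `m_sortedTextBoxes[0]` read is repeated a few lines lower and needs the identical guard. Hoisting the reversed-text case into an `if (renderer->containsReversedText())` block with an early exit on `m_sortedTextBoxes.isEmpty()` would make both the check and its second occurrence easier to verify in review.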
Eric Seidel (no email)
Comment 3 2011-01-28 12:22:48 PST
Being our rtl guy, mitz might want to see this go by.
WebKit Commit Bot
Comment 4 2011-01-28 14:17:35 PST
Comment on attachment 80378 [details]
Proposed patch to check for empty vector as above.

Clearing flags on attachment: 80378

Committed r76987: <http://trac.webkit.org/changeset/76987>
WebKit Commit Bot
Comment 5 2011-01-28 14:17:40 PST
All reviewed patches have been landed. Closing bug.