Bug 55290 - REGRESSION(r79398): Webkit crash on dojo theme tester page
Summary: REGRESSION(r79398): Webkit crash on dojo theme tester page
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: HTML Editing
Version: 528+ (Nightly build)
Hardware: All
OS: All
Priority: P1
Severity: Normal
Assignee: Ryosuke Niwa
URL: http://archive.dojotoolkit.org/nightl...
Keywords: InRadar, Regression
Duplicates: 55359

Reported: 2011-02-25 20:37 PST by Darth
Modified: 2011-02-28 02:41 PST
CC: 9 users

Attachments
fixes the bug (3.42 KB, patch)
2011-02-26 06:28 PST, Ryosuke Niwa
no flags

Description Darth 2011-02-25 20:37:42 PST
Browser crashes while looking at dojo theme tester.
Doesn't happen in nightly release r79303. Happens in all nightlies beyond that.
Chromium 11.0.683.0 is also getting a renderer crash, might be due to the same.
Comment 1 Alexey Proskuryakov 2011-02-26 00:44:28 PST
Confirmed with nightly r79488. Suspecting <http://trac.webkit.org/r79398>.

0   com.apple.WebCore             	0x0000000100ef1e1d WebCore::Editor::selectionStartCSSPropertyValue(int) + 45
1   com.apple.WebCore             	0x0000000100efdc18 WebCore::valueStyle(WebCore::Frame*, int) + 24
2   com.apple.WebCore             	0x0000000100efdca6 WebCore::valueFontName(WebCore::Frame*, WebCore::Event*) + 22
3   com.apple.WebCore             	0x0000000100eff1df WebCore::Editor::Command::value(WebCore::Event*) const + 111
4   com.apple.WebCore             	0x0000000100e060c9 WebCore::Document::queryCommandValue(WTF::String const&) + 41
5   com.apple.WebCore             	0x00000001011d8c36 WebCore::jsDocumentPrototypeFunctionQueryCommandValue(JSC::ExecState*) + 278
Comment 2 Alexey Proskuryakov 2011-02-26 00:44:57 PST
<rdar://problem/9058070>
Comment 3 Ryosuke Niwa 2011-02-26 03:18:26 PST
(In reply to comment #1)
> Confirmed with nightly r79488. Suspecting <http://trac.webkit.org/r79398>.
> 
> 0   com.apple.WebCore                 0x0000000100ef1e1d WebCore::Editor::selectionStartCSSPropertyValue(int) + 45
> 1   com.apple.WebCore                 0x0000000100efdc18 WebCore::valueStyle(WebCore::Frame*, int) + 24
> 2   com.apple.WebCore                 0x0000000100efdca6 WebCore::valueFontName(WebCore::Frame*, WebCore::Event*) + 22
> 3   com.apple.WebCore                 0x0000000100eff1df WebCore::Editor::Command::value(WebCore::Event*) const + 111
> 4   com.apple.WebCore                 0x0000000100e060c9 WebCore::Document::queryCommandValue(WTF::String const&) + 41
> 5   com.apple.WebCore                 0x00000001011d8c36 WebCore::jsDocumentPrototypeFunctionQueryCommandValue(JSC::ExecState*) + 278

Oops!  Yes, it's missing a null check. http://trac.webkit.org/browser/trunk/Source/WebCore/editing/Editor.cpp#L1043

    RefPtr<EditingStyle> selectionStyle = selectionStartStyle();
    if (!selectionStyle->style())   // dereferences selectionStyle even when it is null
        return String();

should be

    RefPtr<EditingStyle> selectionStyle = selectionStartStyle();
    if (!selectionStyle || !selectionStyle->style())   // check the RefPtr itself first
        return String();

instead.
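To show how the null reaches the fixed line from script, here is a small C++ model of the path in the stack trace (document.queryCommandValue -> valueFontName -> valueStyle -> Editor::selectionStartCSSPropertyValue), added as an example and not WebKit's own code; std::shared_ptr stands in for RefPtr, the property ids, command table and the "no editable selection" state are constructed for the demo.

```cpp
// Added model of the code path in comment 3, not WebKit's own code:
// document.queryCommandValue("fontName") -> valueFontName -> valueStyle ->
// Editor::selectionStartCSSPropertyValue. std::shared_ptr stands in for RefPtr,
// a small struct for EditingStyle; property ids, command names and the
// "no editable selection" state are constructed for the demo.
#include <map>
#include <memory>
#include <string>
enum CSSPropertyID { CSSPropertyFontFamily = 1, CSSPropertyFontSize, CSSPropertyBackgroundColor };

struct EditingStyle {  // style() may itself be null, as in WebCore
    std::map<int, std::string> properties;
    const std::map<int, std::string>* style() const { return properties.empty() ? nullptr : &properties; }
};

struct Editor {
    // Null when the selection is not in editable content: the case r79398 dereferenced unchecked.
    std::shared_ptr<EditingStyle> m_selectionStyle;
    std::shared_ptr<EditingStyle> selectionStartStyle() const { return m_selectionStyle; }

    // Fixed form from comment 3: test the pointer itself as well as ->style().
    std::string selectionStartCSSPropertyValue(int propertyID) const {
        std::shared_ptr<EditingStyle> selectionStyle = selectionStartStyle();
        if (!selectionStyle || !selectionStyle->style())
            return std::string();
        const auto& props = *selectionStyle->style();
        auto it = props.find(propertyID);
        return it == props.end() ? std::string() : it->second;
    }
};
// Stands in for Document::queryCommandValue dispatching to valueFontName,
// valueFontSize and valueBackColor, which all reach valueStyle.
std::string queryCommandValue(const Editor& editor, const std::string& command) {
    static const std::map<std::string, int> commands = {
        {"fontName", CSSPropertyFontFamily}, {"fontSize", CSSPropertyFontSize},
        {"backColor", CSSPropertyBackgroundColor}};
    auto it = commands.find(command);
    if (it == commands.end())
        return std::string();  // unsupported command: empty string, no crash
    return editor.selectionStartCSSPropertyValue(it->second);
}

// Constructed states: the crash input (no editable selection) and a selection with a font family.
Editor editorWithoutSelection() { return Editor(); }
Editor editorWithFontFamily(const std::string& family) {
    Editor e;
    e.m_selectionStyle = std::make_shared<EditingStyle>();
    e.m_selectionStyle->properties[CSSPropertyFontFamily] = family;
    return e;
}
```

With the pre-r79794 one-sided check, the first call below would dereference a null RefPtr exactly as frame 0 of the trace shows; with the fix every query on a page without an editable selection returns an empty string.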
Comment 4 Ryosuke Niwa 2011-02-26 06:28:12 PST
Created attachment 83937 [details]
fixes the bug
Comment 5 Ryosuke Niwa 2011-02-26 06:28:51 PST
This was an embarrassing bug :(
Comment 6 WebKit Commit Bot 2011-02-26 09:03:36 PST
Comment on attachment 83937 [details]
fixes the bug

Clearing flags on attachment: 83937

Committed r79794: <http://trac.webkit.org/changeset/79794>
Comment 7 WebKit Commit Bot 2011-02-26 09:03:40 PST
All reviewed patches have been landed.  Closing bug.
Comment 8 Ryosuke Niwa 2011-02-28 02:41:07 PST
*** Bug 55359 has been marked as a duplicate of this bug. ***