Bug 6236 - REGRESSION: Crash in DOMString::replace() in ToT (12/25/05)
Summary: REGRESSION: Crash in DOMString::replace() in ToT (12/25/05)
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering
Version: 420+
Hardware: Mac OS X 10.4
Importance: P1 Normal
Assignee: Nobody
URL: http://ishi.blog2.fc2.com/blog-entry-...
Keywords:
Depends on:
Blocks:
 
Reported: 2005-12-24 14:08 PST by Rosyna
Modified: 2006-01-31 21:20 PST (History)

See Also:


Attachments
Add missing null check (4.43 KB, patch)
2005-12-24 15:27 PST, mitz
eric: review+

Description Rosyna 2005-12-24 14:08:28 PST
Crashes when connecting to the aforementioned URL. Special because said URL was on fark.com today.

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00000004

Thread 0 Crashed:
0   com.apple.WebCore              	0x018b710c DOM::DOMStringImpl::replace(QChar, QChar) + 156 (dom_stringimpl.cpp:456)
1   com.apple.WebCore              	0x01a95408 DOM::DOMString::replace(QChar, QChar) + 76 (dom_string.h:76)
2   com.apple.WebCore              	0x0184ddc4 khtml::RenderLineEdit::updateFromElement() + 296 (render_form.cpp:298)
3   com.apple.WebCore              	0x017d9c04 DOM::HTMLGenericFormElementImpl::attach() + 160 (html_formimpl.cpp:798)
4   com.apple.WebCore              	0x017eb340 DOM::HTMLInputElementImpl::attach() + 796 (html_formimpl.cpp:1753)
5   com.apple.WebCore              	0x01814240 HTMLParser::insertNode(DOM::NodeImpl*, bool) + 636 (htmlparser.cpp:286)
6   com.apple.WebCore              	0x01814c5c HTMLParser::parseToken(khtml::Token*) + 1216 (htmlparser.cpp:231)
7   com.apple.WebCore              	0x018178e0 khtml::HTMLTokenizer::processToken() + 564 (htmltokenizer.cpp:1724)
8   com.apple.WebCore              	0x0181b698 khtml::HTMLTokenizer::parseTag(khtml::TokenizerString&, khtml::HTMLTokenizer::State) + 7424 (htmltokenizer.cpp:1282)
9   com.apple.WebCore              	0x0181c158 khtml::HTMLTokenizer::write(khtml::TokenizerString const&, bool) + 1784 (htmltokenizer.cpp:1497)
10  com.apple.WebCore              	0x01737da8 KHTMLPart::write(char const*, int) + 860 (khtml_part.cpp:966)
11  com.apple.WebCore              	0x016b4984 KWQKHTMLPart::addData(char const*, int) + 320 (KWQKHTMLPart.mm:683)
12  com.apple.WebCore              	0x01724554 -[WebCoreBridge addData:] + 220 (WebCoreBridge.mm:389)
13  com.apple.WebKit               	0x00333e7c -[WebBridge receivedData:textEncodingName:] + 236 (WebBridge.m:494)
14  com.apple.WebKit               	0x0036eb08 -[WebHTMLRepresentation receivedData:withDataSource:] + 248 (WebHTMLRepresentation.m:122)
15  com.apple.WebKit               	0x0035812c -[WebDataSource(WebPrivate) _commitLoadWithData:] + 164 (WebDataSource.m:1033)
16  com.apple.WebKit               	0x00356780 -[WebDataSource(WebPrivate) _receivedData:] + 196 (WebDataSource.m:773)
17  com.apple.WebKit               	0x00393450 -[WebMainResourceLoader addData:] + 136 (WebMainResourceLoader.m:163)
18  com.apple.WebKit               	0x003502b8 -[WebLoader didReceiveData:lengthReceived:] + 108 (WebLoader.m:535)
19  com.apple.WebKit               	0x00394a54 -[WebMainResourceLoader didReceiveData:lengthReceived:] + 724 (WebMainResourceLoader.m:378)
20  com.apple.WebKit               	0x00350e1c -[WebLoader connection:didReceiveData:lengthReceived:] + 188 (WebLoader.m:645)
21  com.apple.Foundation           	0x92918a64 -[NSURLConnection(NSURLConnectionInternal) _sendDidReceiveDataCallback] + 564
22  com.apple.Foundation           	0x92916f04 -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] + 488
23  com.apple.Foundation           	0x92916ca0 _sendCallbacks + 156
24  com.apple.CoreFoundation       	0x9075da68 __CFRunLoopDoSources0 + 384
25  com.apple.CoreFoundation       	0x9075cf98 __CFRunLoopRun + 452
26  com.apple.CoreFoundation       	0x9075ca18 CFRunLoopRunSpecific + 268
27  com.apple.HIToolbox            	0x9318e1e0 RunCurrentEventLoopInMode + 264
28  com.apple.HIToolbox            	0x9318d874 ReceiveNextEventCommon + 380
29  com.apple.HIToolbox            	0x9318d6e0 BlockUntilNextEventMatchingListInMode + 96
30  com.apple.AppKit               	0x9368c104 _DPSNextEvent + 384
31  com.apple.AppKit               	0x9368bdc8 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 116
32  com.apple.Safari               	0x000072f4 0x1000 + 25332
33  com.apple.AppKit               	0x9368830c -[NSApplication run] + 472
34  com.apple.AppKit               	0x93778e60 NSApplicationMain + 452
35  com.apple.Safari               	0x0005d028 0x1000 + 376872
36  com.apple.Safari               	0x0005cecc 0x1000 + 376524
Comment 1 mitz 2005-12-24 14:28:22 PST
The new method DOMString::replace() is missing a null check for m_impl.
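A cut-down model of the defect mitz describes in comment 1, added here as an illustration and not WebKit's own code: a DOMString is a thin handle around a nullable DOMStringImpl* (m_impl), and a replace() that forwards to m_impl without checking it faults on a null string the way the log above shows. The class names mirror the crash log; the helper normaliseLineEditValue and the characters it replaces are assumptions.

```cpp
#include <string>

// Stand-ins for WebCore's QChar, DOMStringImpl and DOMString, constructed for this example.
typedef char QChar;

struct DOMStringImpl {
    std::string chars;
    explicit DOMStringImpl(const std::string& s) : chars(s) {}
    // Replace every occurrence of oldc with newc in place.
    void replace(QChar oldc, QChar newc) {
        for (char& c : chars)
            if (c == oldc) c = newc;
    }
};

// A DOMString is a thin handle around a heap-allocated impl. A default-constructed string
// is "null": m_impl == nullptr. That is the state the crashing path hits.
class DOMString {
public:
    DOMString() : m_impl(nullptr) {}
    explicit DOMString(const std::string& s) : m_impl(new DOMStringImpl(s)) {}
    ~DOMString() { delete m_impl; }
    DOMString(const DOMString&) = delete;
    DOMString& operator=(const DOMString&) = delete;

    bool isNull() const { return m_impl == nullptr; }
    std::string value() const { return m_impl ? m_impl->chars : std::string(); }

    // Shape of the defect in comment 1: forwards to m_impl with no null check. On a null
    // string this reads through nullptr plus a small field offset, which is what a
    // KERN_PROTECTION_FAILURE at an address like 0x00000004 means.
    void replaceUnchecked(QChar oldc, QChar newc) { m_impl->replace(oldc, newc); }

    // Shape of the fix ("Add missing null check"): a null string has nothing to replace.
    void replace(QChar oldc, QChar newc) {
        if (!m_impl)
            return;
        m_impl->replace(oldc, newc);
    }
private:
    DOMStringImpl* m_impl;
};

// Hypothetical caller standing in for frame 2 (RenderLineEdit::updateFromElement): a line
// edit cannot show newlines, so fold them to spaces before display. The characters
// replaced here are an assumption, not what WebCore actually does.
std::string normaliseLineEditValue(DOMString& value) {
    value.replace('\n', ' ');       // safe whether or not value is null
    return value.value();
}
```

Calling replaceUnchecked() on a default-constructed DOMString reproduces the crash class; the checked replace() returns without touching memory.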
Comment 2 mitz 2005-12-24 15:27:43 PST
Created attachment 5275 [details]
Add missing null check
Comment 3 Eric Seidel (no email) 2005-12-24 16:07:13 PST
Comment on attachment 5275 [details]
Add missing null check

Once again, mitz cleaning up my mess.  Thanks mitz.  r=me.
Comment 4 mitz 2005-12-24 22:38:58 PST
Eric committed the fix.
Comment 5 Joost de Valk (AlthA) 2006-01-22 04:56:14 PST
Removing keyword(s) since bug is fixed.
Comment 6 Joost de Valk (AlthA) 2006-01-22 05:00:28 PST
Removing keyword(s) since bug is fixed.
Comment 7 Eric Seidel (no email) 2006-01-31 21:20:39 PST
Removing Regression keyword from bugs already fixed.