Bug 76812 - Crash in previousLinePosition when moving into a root inline box without leaves
Summary: Crash in previousLinePosition when moving into a root inline box without leaves
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: HTML Editing (show other bugs)
Version: 528+ (Nightly build)
Hardware: PC Windows Vista
: P1 Normal
Assignee: Ryosuke Niwa
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-01-23 00:13 PST by Berend-Jan Wever
Modified: 2012-01-30 16:18 PST (History)
6 users (show)

See Also:


Attachments
fixes the crash (3.91 KB, patch)
2012-01-30 14:45 PST, Ryosuke Niwa
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Berend-Jan Wever 2012-01-23 00:13:28 PST
Chromium: http://code.google.com/p/chromium/issues/detail?id=111026
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=15314965

Uploader: skylined@chromium.org

Crash Type: UNKNOWN
Crash Address: 0x000000000035
Crash State:
  - crash stack -
  WebCore::RootInlineBox::closestLeafChildForLogicalLeftPosition
  WebCore::nextLinePosition
  WebCore::nextParagraphPosition
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=108839:108881

There are two variations, the first one crashes in nextLinePosition, the second one calls RootInlineBox::closestLeafChildForLogicalLeftPosition from nextLinePosition and crashes in the later. The repro from is almost the same; one turns "design-mode" off before modifying the selection, the other does not. Given the similarity in stack and repro, I assume the root cause is the same, so I'm not filing a separate bug for the variation.
<script>
window.onload=function(){
  document.designMode="on";
  document.write("\x3Clabel style=\"-webkit-mask-attachment: locarit; -webkit-margin-start: inherit;\" class=\"class_2\" ondurationchange/\x3E");
  document.execCommand("selectall", false);
  document.execCommand("inserthorizontalrule", false);
  document.execCommand("selectall");
  document.execCommand("ForwardDelete", false);
  document.designMode="off"; // Remove to get a different crash
  window.getSelection().modify("move","forward","paragraph");
}
</script>

Stack:
id:             chrome.dll!WebCore::RootInlineBox::closestLeafChildForLogicalLeftPosition ReadAV@NULL (2e192a450f79a729ce10a9a093aa98c7)
description:    Attempt to read from unallocated NULL pointer+0x21 in chrome.dll!WebCore::RootInlineBox::closestLeafChildForLogicalLeftPosition
application:    Chromium 18.0.1011.0
stack:          chrome.dll!WebCore::RootInlineBox::closestLeafChildForLogicalLeftPosition
                chrome.dll!WebCore::nextLinePosition
                chrome.dll!WebCore::nextParagraphPosition
                chrome.dll!WebCore::FrameSelection::modifyMovingForward
                chrome.dll!WebCore::FrameSelection::modify
                chrome.dll!WebCore::DOMSelection::modify
                chrome.dll!WebCore::DOMSelectionInternal::modifyCallback
Comment 1 Ryosuke Niwa 2012-01-30 14:45:01 PST
Created attachment 124603 [details]
fixes the crash
Comment 2 Enrica Casucci 2012-01-30 16:10:29 PST
Comment on attachment 124603 [details]
fixes the crash

Looks good to me.
Comment 3 Ryosuke Niwa 2012-01-30 16:15:54 PST
Thanks for review! Landing it now.
Comment 4 Ryosuke Niwa 2012-01-30 16:18:24 PST
Comment on attachment 124603 [details]
fixes the crash

Clearing flags on attachment: 124603

Committed r106298: <http://trac.webkit.org/changeset/106298>
Comment 5 Ryosuke Niwa 2012-01-30 16:18:28 PST
All reviewed patches have been landed.  Closing bug.