Chromium: http://code.google.com/p/chromium/issues/detail?id=111026
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=15314965
Uploader: skylined@chromium.org
Crash Type: UNKNOWN
Crash Address: 0x000000000035
Crash State:
- crash stack -
WebCore::RootInlineBox::closestLeafChildForLogicalLeftPosition
WebCore::nextLinePosition
WebCore::nextParagraphPosition
Regressed: https://cluster-fuzz.appspot.com/revisions?range=108839:108881

There are two variations: the first one crashes in nextLinePosition, the second one calls RootInlineBox::closestLeafChildForLogicalLeftPosition from nextLinePosition and crashes in the latter. The repro form is almost the same; one turns "design-mode" off before modifying the selection, the other does not. Given the similarity in stack and repro, I assume the root cause is the same, so I'm not filing a separate bug for the variation.

<script>
window.onload=function(){
  document.designMode="on";
  // "\x3C" / "\x3E" are escaped "<" / ">" so the written markup does not terminate this <script> element
  document.write("\x3Clabel style=\"-webkit-mask-attachment: locarit; -webkit-margin-start: inherit;\" class=\"class_2\" ondurationchange/\x3E");
  document.execCommand("selectall", false);
  document.execCommand("inserthorizontalrule", false);
  document.execCommand("selectall");
  document.execCommand("ForwardDelete", false);
  document.designMode="off"; // Remove to get a different crash
  window.getSelection().modify("move","forward","paragraph");
}
</script>

Stack:
id: chrome.dll!WebCore::RootInlineBox::closestLeafChildForLogicalLeftPosition ReadAV@NULL (2e192a450f79a729ce10a9a093aa98c7)
description: Attempt to read from unallocated NULL pointer+0x21 in chrome.dll!WebCore::RootInlineBox::closestLeafChildForLogicalLeftPosition
application: Chromium 18.0.1011.0
stack:
chrome.dll!WebCore::RootInlineBox::closestLeafChildForLogicalLeftPosition
chrome.dll!WebCore::nextLinePosition
chrome.dll!WebCore::nextParagraphPosition
chrome.dll!WebCore::FrameSelection::modifyMovingForward
chrome.dll!WebCore::FrameSelection::modify
chrome.dll!WebCore::DOMSelection::modify
chrome.dll!WebCore::DOMSelectionInternal::modifyCallback
Created attachment 124603 [details] fixes the crash
Comment on attachment 124603 [details] fixes the crash
Looks good to me.
Thanks for review! Landing it now.
Comment on attachment 124603 [details] fixes the crash
Clearing flags on attachment: 124603
Committed r106298: <http://trac.webkit.org/changeset/106298>
All reviewed patches have been landed. Closing bug.