RESOLVED FIXED Bug 76812
Crash in previousLinePosition when moving into a root inline box without leaves
https://bugs.webkit.org/show_bug.cgi?id=76812
Berend-Jan Wever
Reported 2012-01-23 00:13:28 PST
Chromium: http://code.google.com/p/chromium/issues/detail?id=111026
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=15314965
Uploader: skylined@chromium.org
Crash Type: UNKNOWN
Crash Address: 0x000000000035
Crash State:
- crash stack -
WebCore::RootInlineBox::closestLeafChildForLogicalLeftPosition
WebCore::nextLinePosition
WebCore::nextParagraphPosition
Regressed: https://cluster-fuzz.appspot.com/revisions?range=108839:108881

There are two variations: the first one crashes in nextLinePosition, the second one calls RootInlineBox::closestLeafChildForLogicalLeftPosition from nextLinePosition and crashes in the latter. The repro for both is almost the same; one turns "design-mode" off before modifying the selection, the other does not. Given the similarity in stack and repro, I assume the root cause is the same, so I'm not filing a separate bug for the variation.

<script>
window.onload=function(){
  document.designMode="on";
  document.write("\x3Clabel style=\"-webkit-mask-attachment: locarit; -webkit-margin-start: inherit;\" class=\"class_2\" ondurationchange/\x3E");
  document.execCommand("selectall", false);
  document.execCommand("inserthorizontalrule", false);
  document.execCommand("selectall");
  document.execCommand("ForwardDelete", false);
  document.designMode="off"; // Remove to get a different crash
  window.getSelection().modify("move","forward","paragraph");
}
</script>

Stack:
id: chrome.dll!WebCore::RootInlineBox::closestLeafChildForLogicalLeftPosition ReadAV@NULL (2e192a450f79a729ce10a9a093aa98c7)
description: Attempt to read from unallocated NULL pointer+0x21 in chrome.dll!WebCore::RootInlineBox::closestLeafChildForLogicalLeftPosition
application: Chromium 18.0.1011.0
stack:
chrome.dll!WebCore::RootInlineBox::closestLeafChildForLogicalLeftPosition
chrome.dll!WebCore::nextLinePosition
chrome.dll!WebCore::nextParagraphPosition
chrome.dll!WebCore::FrameSelection::modifyMovingForward
chrome.dll!WebCore::FrameSelection::modify
chrome.dll!WebCore::DOMSelection::modify
chrome.dll!WebCore::DOMSelectionInternal::modifyCallback
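The report describes a read through a null pointer (offset 0x21) when the line being moved into has a root inline box with no leaf children. The following is an added example, not WebKit code and not the landed patch r106298 (whose diff is not on this page): a hypothetical, simplified line/leaf model (names LeafBox, RootLineBox, closestLeafForLogicalLeft, nextLinePositionGuarded are all invented here) showing the guard a caller needs, namely treating "no closest leaf" as a reportable condition instead of dereferencing it.

```cpp
#include <vector>
#include <cstddef>

// Hypothetical, simplified model (not WebKit's RootInlineBox/InlineBox):
// a line box that owns zero or more leaf boxes laid out horizontally.
struct LeafBox {
    int logicalLeft;
    int logicalWidth;
};

struct RootLineBox {
    std::vector<LeafBox> leaves; // empty for a line with no leaf children
};

// Returns the leaf whose horizontal extent is closest to `x`, or nullptr when
// the line has no leaves at all. The nullptr case is the one the report hits:
// a caller that assumes a leaf always exists reads through the null pointer.
const LeafBox* closestLeafForLogicalLeft(const RootLineBox& root, int x) {
    const LeafBox* best = nullptr;
    long bestDistance = 0;
    for (const LeafBox& leaf : root.leaves) {
        long left = leaf.logicalLeft;
        long right = leaf.logicalLeft + leaf.logicalWidth;
        long distance = x < left ? left - x : (x > right ? x - right : 0);
        if (!best || distance < bestDistance) {
            best = &leaf;
            bestDistance = distance;
        }
    }
    return best;
}

// Caller side: resolve a caret position on the next line. Returns false and
// leaves `outPosition` untouched when the line is empty, so the caller can
// fall back (e.g. keep the current position) rather than crash.
bool nextLinePositionGuarded(const RootLineBox& nextLine, int x, int& outPosition) {
    const LeafBox* leaf = closestLeafForLogicalLeft(nextLine, x);
    if (!leaf)
        return false; // line without leaves: nothing to move into
    outPosition = leaf->logicalLeft;
    return true;
}
```

The point of the split is that the lookup function is allowed to return nullptr, and every caller (here only nextLinePositionGuarded) is forced to decide what an empty line means before touching the result; a debug build would also benefit from asserting the invariant at the call site rather than inside the lookup.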
Attachments
fixes the crash (3.91 KB, patch)
2012-01-30 14:45 PST, Ryosuke Niwa
no flags
Ryosuke Niwa
Comment 1 2012-01-30 14:45:01 PST
Created attachment 124603 [details] fixes the crash
Enrica Casucci
Comment 2 2012-01-30 16:10:29 PST
Comment on attachment 124603 [details] fixes the crash Looks good to me.
Ryosuke Niwa
Comment 3 2012-01-30 16:15:54 PST
Thanks for review! Landing it now.
Ryosuke Niwa
Comment 4 2012-01-30 16:18:24 PST
Comment on attachment 124603 [details] fixes the crash Clearing flags on attachment: 124603 Committed r106298: <http://trac.webkit.org/changeset/106298>
Ryosuke Niwa
Comment 5 2012-01-30 16:18:28 PST
All reviewed patches have been landed. Closing bug.