RESOLVED FIXED 77076
NULL ptr in WebCore::firstPositionInNode
https://bugs.webkit.org/show_bug.cgi?id=77076
Summary NULL ptr in WebCore::firstPositionInNode
Berend-Jan Wever
Reported 2012-01-26 01:01:07 PST
Created attachment 124073 [details]
Repro

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=15610811

Uploader: skylined@chromium.org
Crash Type: UNKNOWN
Crash Address: 0x000000000024
Crash State:
  - crash stack -
  WebCore::firstPositionInNode
  WebCore::CompositeEditCommand::moveParagraphs
  WebCore::CompositeEditCommand::moveParagraphContentsToNewBlockIfNecessary

Regressed: https://cluster-fuzz.appspot.com/revisions?range=108839:108881

Minimized Testcase (1.24 Kb): https://cluster-fuzz.appspot.com/download/AMIfv976OjoT6ps69jrMB2vbO99x3mZt1e4CryNTt9GticHO3OHDsVs-W0NFwNbZO-Ck4hfn_oC4ASIq4YedCfZTO63e_mhyUcELKDhWfiAZTqgHdzT90Q1oebl0hv-pQSNcfZtKdM7VppVcW0GUAJbngOUoCvXQ_w

Repro:
<script>
function main(){
  document.designMode="on";
  document.execCommand("SelectAll");
}
document.execCommand("JustifyLeft", false);
}
try{window._NodeList_E7D=document.open("name_18446744073709551613")}catch(e){console.log(e)};
}
}
document.addEventListener("DOMCharacterDataModified",main,true);
setInterval(main, 100);
</script>
*j2LCS'
Attachments
Repro (22.01 KB, text/html)
2012-01-26 01:01 PST, Berend-Jan Wever
no flags
Berend-Jan Wever
Comment 1 2012-01-26 01:05:23 PST
A similar repro triggers a crash in lastPositionInNode, so I believe it to be a variation:

<script>
function main(){
  document.designMode="on";/*exec*/
  document.execCommand("ForwardDelete");/*exec*/
  document.execCommand("Indent", false);/*js_om*/
}
</script>
<script type="text/javascript">
document.addEventListener("DOMCharacterDataModified",main,true);
setInterval(main, 100);
</script>
<plaintext class="class1"</plaintext>
<input class="class3" id="id_684" type="button"
yosin
Comment 2 2013-06-13 20:57:59 PDT
Could not reproduce on Win7 27.0.1453.110 (Official Build 202711) m. Some patches so far fixed this.