WebKit Bugzilla
RESOLVED FIXED
77614
NULL ptr in WebCore::Range::processAncestorsAndTheirSiblings
https://bugs.webkit.org/show_bug.cgi?id=77614
Berend-Jan Wever
Reported
2012-02-02 00:55:59 PST
Chromium:
http://code.google.com/p/chromium/issues/detail?id=112427
Detailed report:
https://cluster-fuzz.appspot.com/testcase?key=17443217
Fuzzer: Bj_doc_fuzzer
Crash Type: UNKNOWN
Crash Address: 0x000000000026
Crash State:
- crash stack -
WebCore::Range::processAncestorsAndTheirSiblings
WebCore::Range::processContents
WebCore::Range::deleteContents
Regressed:
https://cluster-fuzz.appspot.com/revisions?range=108839:108881
Minimized Testcase (0.97 Kb):
https://cluster-fuzz.appspot.com/download/AMIfv95ceK8J7bne4cv4iUyHvS6W5Dm-Lg_ZCryRU2Y42ayuWg6nWS3qKv0A1aj2WSdRHboY3FKGUuNs6YNK6wPyxBjL16K7Ni7ew9n6iM_dyvpEhsjBEWjBJsxY6X5xq2-j2qmgBeDqaRfLk17tLBcPV45QJChXEQ
Attachments
reduction (463 bytes, application/xhtml+xml), 2012-02-02 01:53 PST, Ryosuke Niwa, no flags
Patch (10.66 KB, patch), 2013-07-03 19:32 PDT, Yuta Kitamura, no flags
Patch v2 (10.45 KB, patch), 2013-07-08 23:12 PDT, Yuta Kitamura, no flags
Ryosuke Niwa
Comment 1
2012-02-02 01:53:37 PST
Created attachment 125099: reduction
Yuta Kitamura
Comment 2
2013-07-03 19:32:07 PDT
Created attachment 206046: Patch
Ryosuke Niwa
Comment 3
2013-07-07 18:39:02 PDT
Comment on attachment 206046 (Patch)
View in context: https://bugs.webkit.org/attachment.cgi?id=206046&action=review
> Source/WebCore/ChangeLog:15
> + of the range since mutation observers can change the state of the range.

You mean mutation events? Mutation observers are never called synchronously.
> Source/WebCore/dom/Range.cpp:755
> + originalStart.clear();
> + originalEnd.clear();
> +
It doesn't seem right/necessary to clear these ranges here.
> LayoutTests/fast/dom/Range/resources/detach-range-during-deletecontents-iframe.xhtml:8
> +var f = function ()
Why don't we just do: function f() instead? Also, please give it a more descriptive name.
> LayoutTests/fast/dom/Range/resources/detach-range-during-deletecontents-iframe.xhtml:16
> +var g = function ()
> +{
Ditto.
Yuta Kitamura
Comment 4
2013-07-08 23:12:37 PDT
Created attachment 206293: Patch v2
Yuta Kitamura
Comment 5
2013-07-08 23:15:34 PDT
Comment on attachment 206046 (Patch)
View in context: https://bugs.webkit.org/attachment.cgi?id=206046&action=review
>> Source/WebCore/ChangeLog:15
>> + of the range since mutation observers can change the state of the range.
>
> You mean mutation events? Mutation observers are never called synchronously.
You are right. Fixed.
>> Source/WebCore/dom/Range.cpp:755
>> +
>
> It doesn't seem right/necessary to clear these ranges here.
Removed.
>> LayoutTests/fast/dom/Range/resources/detach-range-during-deletecontents-iframe.xhtml:8
>> +var f = function ()
>
> Why don't we just do:
> function f()
> instead?
> Also, please give it a more descriptive name.
Fixed.
>> LayoutTests/fast/dom/Range/resources/detach-range-during-deletecontents-iframe.xhtml:16
>> +{
>
> Ditto.
Fixed.
Ryosuke Niwa
Comment 6
2013-07-15 21:24:11 PDT
Could you land a patch for this?
Ryosuke Niwa
Comment 7
2013-07-15 21:24:35 PDT
The patch got landed in https://chromium.googlesource.com/chromium/blink/+/0c1f35bf0bd7df75db2b862efc883b1ae418c453 for Blink.
Yuta Kitamura
Comment 8
2013-07-15 23:34:18 PDT
Sorry for the delay, I just cq+'ed.
WebKit Commit Bot
Comment 9
2013-07-15 23:54:41 PDT
Comment on attachment 206293 (Patch v2)
Clearing flags on attachment: 206293
Committed r152707: <http://trac.webkit.org/changeset/152707>
WebKit Commit Bot
Comment 10
2013-07-15 23:54:44 PDT
All reviewed patches have been landed. Closing bug.