Bug 77615 - NULL ptr in WebCore::CompositeEditCommand::splitTreeToNode
Summary: NULL ptr in WebCore::CompositeEditCommand::splitTreeToNode
Status: RESOLVED LATER
Alias: None
Product: WebKit
Classification: Unclassified
Component: HTML Editing
Version: 528+ (Nightly build)
Hardware: PC Windows Vista
Importance: P1 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-02-02 00:59 PST by Berend-Jan Wever
Modified: 2012-04-30 17:58 PDT

See Also:


Attachments

Description Berend-Jan Wever 2012-02-02 00:59:35 PST
Chromium: http://code.google.com/p/chromium/issues/detail?id=112429
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=17437362

Fuzzer: Bj_doc_fuzzer

Crash Type: UNKNOWN
Crash Address: 0x000000000024
Crash State:
  - crash stack -
  WebCore::CompositeEditCommand::splitTreeToNode
  WebCore::InsertParagraphSeparatorCommand::doApply
  WebCore::CompositeEditCommand::applyCommandToComposite
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=114944:114952

Minimized Testcase (1.10 Kb): https://cluster-fuzz.appspot.com/download/AMIfv975pgjac1kPy_yBFunVYtgDLHRLi2HG814EDcvAiPB-_3pZvb606d4Fd1HfymuDNVoNq4kVPdEzIaKBlXR0-R0rj-7FvspNTORr5aNxH4T1W5wio3A6IV3bJ9o3n_sSJxnB3ikGdOayNWBV6izygUhvQExFSw
Comment 1 Ryosuke Niwa 2012-04-30 17:58:08 PDT
I can no longer reproduce a null pointer crash. We fall into an infinite loop because mutation events trigger more editing commands to execute, but that's expected behavior in accordance with the script.