[Webkit-unassigned] [Bug 19151] prepareForTextInsertion assumes Position is not null (even though it can be)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri May 23 13:20:08 PDT 2008


http://bugs.webkit.org/show_bug.cgi?id=19151
------- Comment #4 from eric at webkit.org  2008-05-23 13:19 PDT -------
I saw this crash while dealing with the editing fuzzer, I think this was the input:

<BODY><SCRIPT>
document.execCommand('selectall', false, '<iframe src=about:blank>');
document.designMode = 'on';
document.execCommand('insertunorderedlist', false, '<script src=https://webkit.org>');
document.execCommand('delete', false, 'courier');
document.execCommand('justifyleft', false, 'courier');
document.execCommand('undo', false, 'red');
document.execCommand('justifyright', false, '</table>');
document.execCommand('inserthorizontalrule', false, false);
document.execCommand('InsertParagraph', false, '<script src=https://webkit.org>');
document.execCommand('selectall', false, 'red');
document.execCommand('justifyleft', false, '<pre>');
document.execCommand('InsertParagraph', false, '<td>');
document.execCommand('selectall', false, true);
document.execCommand('removeformat', false, '<table>');
</SCRIPT>

But I can't get it to reproduce given that input in Safari again.  I need to
come up with a more reliable debugging setup.

Whatever input I was debugging, the Selection was a CARET with DOWNSTREAM
affinity, the selected node was a <br> which wasn't actually in any document.
I'm not sure how such a selection ever came to be.  Thus the selection was valid,
but when we turned the selection into a visible position it was a bogus
position which caused a crash.

I'll see if I can find a reproducible case.  Or maybe the above input was
actually the fuzzed input I was using, and it just only reproduces sometimes!?


-- 
Configure bugmail: http://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
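The invariant this comment describes (a caret anchored on a node that is in no document must not become a usable Position, and the text-insertion path has to check for a null Position rather than assume one) can be sketched in a small C++ model. This is an added example, not WebKit's code: the Node, Position, InsertionPoint, positionForCaret, prepareForTextInsertionChecked and canInsertTextAt names are hypothetical stand-ins for WebKit's much richer Node, Position and VisiblePosition classes, and the detached <br> is constructed to mirror the selection the comment saw.

```cpp
#include <optional>
#include <string>

// Toy model, not WebKit's code: a DOM node that knows whether it is attached
// to a document.
struct Node {
    std::string name;
    bool inDocument;
};

// A Position is a node plus an offset into it; a null Position has no node.
struct Position {
    const Node* node = nullptr;
    int offset = 0;
    bool isNull() const { return node == nullptr; }
};

// Where a caret selection ends up once turned into an editable position.
struct InsertionPoint {
    std::string nodeName;
    int offset;
};

// Turning a caret anchored on a node into a Position: a node that is not in any
// document (the detached <br> from the comment) cannot yield a usable position,
// so a null Position is returned instead of one pointing at an orphaned node.
Position positionForCaret(const Node* anchor, int offset) {
    if (anchor == nullptr || !anchor->inDocument)
        return Position{};
    return Position{anchor, offset};
}

// The assumption named in the bug title: dereferencing pos.node without first
// checking isNull() is a null-pointer dereference whenever the caret came from a
// detached node. This guarded version reports "no insertion point" instead.
std::optional<InsertionPoint> prepareForTextInsertionChecked(const Position& pos) {
    if (pos.isNull())
        return std::nullopt;
    return InsertionPoint{pos.node->name, pos.offset};
}

// True when text insertion at this caret may proceed safely.
bool canInsertTextAt(const Node* anchor, int offset) {
    return prepareForTextInsertionChecked(positionForCaret(anchor, offset)).has_value();
}

int main() {
    Node paragraph{"p", true};      // attached to the document
    Node orphanBreak{"br", false};  // constructed: a <br> in no document, as in the comment
    // Exit 0 when the attached node is usable and the orphaned one is rejected.
    return (canInsertTextAt(&paragraph, 0) && !canInsertTextAt(&orphanBreak, 0)) ? 0 : 1;
}
```

The point of the model is where the check lives: whichever function produces the Position for a caret is free to hand back a null Position for a detached node, so every consumer downstream (here prepareForTextInsertionChecked) must treat isNull() as a reachable state rather than an impossibility.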