[Webkit-unassigned] [Bug 22168] New: Chromium is seeing crashes using TextIterator
bugzilla-daemon at webkit.org
Mon Nov 10 17:26:06 PST 2008
https://bugs.webkit.org/show_bug.cgi?id=22168
Summary: Chromium is seeing crashes using TextIterator
Product: WebKit
Version: 528+ (Nightly build)
Platform: Macintosh
OS/Version: Mac OS X 10.5
Status: NEW
Severity: Normal
Priority: P2
Component: New Bugs
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: eric at webkit.org
CC: mitz at webkit.org, justin.garcia at apple.com
http://code.google.com/p/chromium/issues/detail?id=4122
I'm not sure why the bug is hidden, and I don't understand Chromium's bug
system enough to change it. So I'm just filing this here.
We're seeing a crash when using TextIterator. After an advance() call,
sometimes the resulting characters() is 0x02; the only way I can see that
happening is if emitText is called with a node with a null string.
The only way I see emitText ever being called where the string wasn't null
checked is here:
    // Handle either a single newline character (which becomes a space),
    // or a run of characters that does not include a newline.
    // This effectively translates newlines to spaces without copying the text.
    if (str[runStart] == '\n') {
        emitCharacter(' ', m_node, 0, runStart, runStart + 1);
        m_offset = runStart + 1;
    } else {
        int subrunEnd = str.find('\n', runStart);
        if (subrunEnd == -1 || subrunEnd > runEnd)
            subrunEnd = runEnd;
        m_offset = subrunEnd;
        emitText(m_node, runStart, subrunEnd);
    }
I'm not fully confident in my mental debugging, so I'd like to try and catch
this in the wild with more stack information. Hence, I'm suggesting adding
this ASSERT. There are various ways to fix this, including making it more
explicit what strings we're checking. In the one call site which might be
wrong, we check "str" length before calling emitText, but m_node does not
necessarily still have a renderer() which returns that string, since m_node
can be changed independently of "str".
I'll post a patch with the ASSERT shortly.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
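The state hazard the report describes (a cached "str" whose length is checked while m_node may already point at a node with no renderer string) can be modelled in a few lines. The following is an added example, not WebKit's TextIterator code: Node, TextIteratorModel, splitRuns and staleCheckDisagrees are hypothetical names, and the nodes fed to the iterator are constructed input. It reproduces the newline-to-space splitting of the quoted snippet and contrasts the length-only check with the node-derived consistency check that the proposed ASSERT would enforce.

```cpp
// Added example (not WebKit code): a small model of the desynchronised
// node/string state the bug report suspects. The iterator holds a node and a
// separately cached copy of that node's text; checking only the cached copy
// passes even after the node has moved on to one without renderer text.
#include <cassert>
#include <cstddef>
#include <optional>
#include <string>
#include <utility>
#include <vector>

// Constructed stand-in for a DOM node: rendererText is nullopt when the node
// has no renderer string, the condition the report suspects reaches emitText.
struct Node {
    std::optional<std::string> rendererText;
};

// Splits str[runStart, runEnd) the way the quoted snippet does: a lone '\n'
// is emitted as a single space, any other run stops at the next '\n'.
std::vector<std::string> splitRuns(const std::string& str, int runStart, int runEnd) {
    std::vector<std::string> out;
    while (runStart < runEnd) {
        if (str[runStart] == '\n') {
            out.push_back(" ");
            ++runStart;
            continue;
        }
        std::size_t nl = str.find('\n', static_cast<std::size_t>(runStart));
        int subrunEnd = (nl == std::string::npos || static_cast<int>(nl) > runEnd)
                            ? runEnd
                            : static_cast<int>(nl);
        out.push_back(str.substr(runStart, subrunEnd - runStart));
        runStart = subrunEnd;
    }
    return out;
}

// Minimal iterator model (hypothetical): m_node can be advanced independently
// of the cached string, which is the decoupling the report points at.
class TextIteratorModel {
public:
    explicit TextIteratorModel(std::vector<Node> nodes) : m_nodes(std::move(nodes)) {
        cacheCurrentText();
    }

    // Faulty advance: moves the node but leaves the cached string untouched.
    void advanceWithoutRefreshingCache() { ++m_index; }

    // Correct advance: node and cached string move together.
    void advance() {
        ++m_index;
        cacheCurrentText();
    }

    // The check the report says the call site performs: only str's length.
    bool cachedStringLooksValid() const { return !m_str.empty(); }

    // The check the proposed ASSERT would perform: the node about to be passed
    // to emitText must itself carry a string, and it must be the cached one.
    bool nodeStringIsConsistent() const {
        const Node& node = m_nodes[m_index];
        return node.rendererText.has_value() && *node.rendererText == m_str;
    }

    // Emits from the current node; returns nullopt instead of touching a
    // null string, so the failure is reported rather than read as garbage.
    std::optional<std::vector<std::string>> emitText() const {
        if (!nodeStringIsConsistent())
            return std::nullopt;
        return splitRuns(m_str, 0, static_cast<int>(m_str.size()));
    }

private:
    void cacheCurrentText() {
        m_str = m_nodes[m_index].rendererText.value_or(std::string());
    }

    std::vector<Node> m_nodes;
    std::size_t m_index = 0;
    std::string m_str;
};

// Replays the suspected sequence on constructed nodes: a text node followed by
// a node with no renderer text. Returns true when the length-only check still
// passes while the node-derived check correctly fails.
bool staleCheckDisagrees() {
    TextIteratorModel it({Node{std::string("abc\ndef")}, Node{std::nullopt}});
    it.advanceWithoutRefreshingCache();
    return it.cachedStringLooksValid() && !it.nodeStringIsConsistent();
}
```

The point of nodeStringIsConsistent() is that it derives its verdict from the same node that emitText() is about to use, so a node swapped underneath a still-populated cache is caught at the call site rather than surfacing later as an unexplained 0x02 in characters().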