[Webkit-unassigned] [Bug 23484] New: calling toString() on the range object crashes the browser
bugzilla-daemon at webkit.org
Thu Jan 22 16:27:39 PST 2009
https://bugs.webkit.org/show_bug.cgi?id=23484
Summary: calling toString() on the range object crashes the browser
Product: WebKit
Version: 525.x (Safari 3.2)
Platform: PC
OS/Version: All
Status: UNCONFIRMED
Severity: Critical
Priority: P2
Component: JavaScriptCore
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: raul at live.com
[See attached code at the bottom of this report]
Repro steps:
Open the attached code in Safari
Click on the editable div
Type two lines of text, such as:
abcd
defg
Select all text in the div (either CTRL-A or with the mouse/keyboard)
Click on the "bold" button
Observe the text gets bold and the text in the selection is shown in an alert dialog
Close the dialog by clicking OK
Optionally reload the page and repeat steps 1-3
Click on the "justifycenter" button
Observe the browser crashes
Notes:
Repros in Safari 3.1.2 (525.21) for Windows
Repros in Safari 3.1.2 (5525.20.1) for Mac
Repros in Google Chrome 1.0.154.43 for Windows
Does not repro in WebKit r40022 for Windows built on 19 January 2009
Does not repro if in step 2 you type only 1 line of text
It appears that calling toString() on the range object crashes the browser in the "justifycenter" case but not the "bold" case
------------START REPRO CODE----------------------
<html>
<head>
<title>Safari 3 bug repro case</title>
<script type="text/javascript">
function button_onclick(command)
{
    var selection = window.getSelection();
    var range = selection.getRangeAt(0);
    window.document.execCommand(command, false, 1);
    if(range && range.toString)
    {
        // This is the code that crashes the browser
        alert(range.toString());
    }
}
</script>
</head>
<body>
<div>
<div id="editor" style="height:15em; width:100%; border:solid 1px
blue" contenteditable="true"></div>
</div>
<input id="center" type="button" value="justifycenter"
onclick="button_onclick('justifycenter')" />
<input id="bold" type="button" value="bold"
onclick="button_onclick('bold')" />
<br />
<br />
<div>Repro steps:
<ol>
<li>Click on the editable div above</li>
<li>Type two lines of text, such as:<br />abcd<br />defg</li>
<li>Select all text in the div (either CTRL-A or with the
mouse/keyboard)</li>
<li>Click on the "bold" button</li>
<li>Observe the text gets bold and the text in the selection is
shown in an alert dialog</li>
<li>Close the dialog by clicking OK</li>
<li>Optionally reload the page and repeat steps 1-3</li>
<li>Click on the "justifycenter" button</li>
<li>Observe the browser crashes</li>
</ol>
</div>
<div>Notes:
<ul>
<li>Repros in Safari 3.1.2 (525.21) for Windows</li>
<li>Repros in Safari 3.1.2 (5525.20.1) for Mac</li>
<li>Repros in Google Chrome 1.0.154.43 for Windows</li>
<li>Does not repro in WebKit r40022 for Windows built on 19
January 2009</li>
<li>Does not repro if in step 2 you type only 1 line of
text</li>
<li>It appears that calling toString() on the range object
crashes the browser in the "justifycenter" case but not the "bold" case</li>
</ul>
</div>
</body>
</html>
------------END REPRO CODE------------------------