[Webkit-unassigned] [Bug 44175] New: WebCore::ReplacementFragment::removeInterchangeNodes ReadAV at NULL
bugzilla-daemon at webkit.org
Wed Aug 18 07:22:20 PDT 2010
https://bugs.webkit.org/show_bug.cgi?id=44175
Summary: WebCore::ReplacementFragment::removeInterchangeNodes ReadAV at NULL
Product: WebKit
Version: 528+ (Nightly build)
Platform: PC
OS/Version: Windows Vista
Status: NEW
Severity: Normal
Priority: P1
Component: HTML DOM
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: skylined at chromium.org
CC: eric at webkit.org
Created an attachment (id=64706)
--> (https://bugs.webkit.org/attachment.cgi?id=64706)
Repro
The following repro triggers a NULL pointer crash in latest Chromium:
<html>
  <head>
    <script>
      function go() {
        // Grab the selection and a range in the original document before rewriting it.
        selection = getSelection();
        range = document.createRange();
        document.writeln('<x>');
        selection.collapse(document, 1);
        // Keep a reference to the body that the next document.write() will replace.
        old_body = document.body;
        document.write('<textArea>FindAndReplaceMe LeaveMe');
        document.close();
        document.write('');
        document.designMode = "on";
        // Re-insert the detached old body through the stale range, then edit.
        range.insertNode(old_body);
        document.execCommand("FindString", false, 'FindAndReplaceMe');
        document.execCommand("InsertHTML", false, 'Anything');
      }
    </script>
  </head>
  <body onload="go()"></body>
</html>
id: WebCore::ReplacementFragment::removeInterchangeNodes ReadAV at NULL (1cd504e3a7be175da8c6cd72911ea6e0)
description: Attempt to read from NULL pointer (+0x24) in WebCore::ReplacementFragment::removeInterchangeNodes
stack: WebCore::ReplacementFragment::removeInterchangeNodes
WebCore::ReplacementFragment::ReplacementFragment
WebCore::ReplaceSelectionCommand::doApply
WebCore::EditCommand::apply
WebCore::applyCommand
WebCore::executeInsertFragment
WebCore::executeInsertHTML
WebCore::Editor::Command::execute
WebCore::Document::execCommand
WebCore::DocumentInternal::execCommandCallback
v8::internal::HandleApiCallHelper<...>
v8::internal::Builtin_HandleApiCall
v8::internal::Invoke
v8::internal::Execution::Call
...