[Webkit-unassigned] [Bug 44815] crash: 0x101dad3ae in WebCore::RenderBox::positionForPoint at RenderBox.cpp:2817

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Aug 28 13:24:28 PDT 2010


https://bugs.webkit.org/show_bug.cgi?id=44815


Ryosuke Niwa <rniwa at webkit.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |adele at apple.com,
                   |                            |darin at apple.com,
                   |                            |justin.garcia at apple.com,
                   |                            |sam at webkit.org




--- Comment #3 from Ryosuke Niwa <rniwa at webkit.org>  2010-08-28 13:24:27 PST ---
Thanks for the info, Eric.

(In reply to comment #2)
> RenderBlocks are often anonymous. <div><span></span><div></div></div>
> the span gets wrapped in an anonymous block.  RenderBlock is a subclass of RenderBox.
> 
> Does that answer your question?

Yes, in that case, we shouldn't be calling node() in this function without first checking that the RenderBox is not anonymous.  It seems like there are many such dangerous calls to node() right now.

+darin & adele since http://trac.webkit.org/changeset/41928 is the most recent changeset which touched this code.

The problem seems to date back to http://trac.webkit.org/changeset/40871, which replaced the call to element() with node().  The changeset claims that callers of node() handle the cases where they don't expect node() to be 0.  It wasn't a problem here because it just instantiates a VisiblePosition, and a VisiblePosition can be null.  But http://trac.webkit.org/changeset/41863 did:
- return VisiblePosition(node(), 0, DOWNSTREAM);
+ return firstDeepEditingPositionForNode(node());
And some later changeset added an assertion that node isn't 0 in firstDeepEditingPositionForNode.

We can either check the nullness of node() in RenderBox, call element() or some other function that always returns a non-zero value in RenderBox, or allow firstDeepEditingPositionForNode to handle node being 0.

Any thoughts or opinions on this?

+justin for 41863, and +weinig for 40871.

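Added example, not part of this thread and not WebCore's code: a small standalone C++ model of the hazard described in the comment, with two of the fixes it proposes side by side (a caller-side check that the box is not anonymous, and a callee that tolerates a null node). The struct and function names are simplified stand-ins, not WebKit's actual types or signatures.

```cpp
#include <cassert>
#include <cstddef>

// Constructed stand-in for a DOM node (not WebCore's Node).
struct Node { int id; };

// Constructed stand-in for a render box. Anonymous boxes are generated by
// layout (e.g. the anonymous block wrapping an inline next to a block) and
// have no DOM node behind them, so node() returns null for them.
struct RenderBoxModel {
    Node* m_node;  // null for anonymous boxes
    bool isAnonymous() const { return m_node == nullptr; }
    Node* node() const { return m_node; }
};

// Stand-in for VisiblePosition: a null position carries no node.
struct Position {
    Node* node;
    int offset;
    bool isNull() const { return node == nullptr; }
};

// Models the callee after the assertion was added: it requires a non-null
// node, so handing it node() of an anonymous box trips the assertion.
Position firstDeepEditingPositionForNodeAsserting(Node* node) {
    assert(node && "node() must not be 0 here");
    return Position{node, 0};
}

// Fix option 1 (caller side): check for an anonymous box before using node(),
// and return a null position, which callers of positionForPoint tolerate.
Position positionForPointChecked(const RenderBoxModel& box) {
    if (box.isAnonymous())
        return Position{nullptr, 0};
    return firstDeepEditingPositionForNodeAsserting(box.node());
}

// Fix option 2 (callee side): let the helper accept a null node and produce
// a null position instead of asserting, so unchecked callers are safe too.
Position firstDeepEditingPositionForNodeTolerant(Node* node) {
    if (!node)
        return Position{nullptr, 0};
    return Position{node, 0};
}
```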