[Webkit-unassigned] [Bug 42844] New: WebCore::Range::checkDeleteExtract ReadAV at NULL (6b8e49858d67765d88bae6e8abff48dd)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jul 22 13:21:51 PDT 2010


https://bugs.webkit.org/show_bug.cgi?id=42844

           Summary: WebCore::Range::checkDeleteExtract ReadAV at NULL
                    (6b8e49858d67765d88bae6e8abff48dd)
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
               URL: http://code.google.com/p/chromium/issues/detail?id=49971
        OS/Version: Windows Vista
            Status: NEW
          Severity: Normal
          Priority: P1
         Component: HTML Editing
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: skylined at chromium.org
                CC: eric at webkit.org


Created an attachment (id=62330)
 --> (https://bugs.webkit.org/attachment.cgi?id=62330)
Patch to fix the issue

Repro and details:

<html>
  <head>
    <script>
      function go() {
        prompt('Time to set breakpoint in renderer at:', 
            'bm chrome_*!WebCore::DOMSelection::deleteFromDocument');
        selection = window.getSelection();
        range = document.createRange();
        selection.addRange(range);

        document.designMode = "on";
        document.execCommand("InsertText", false, 'x');
        document.open();
        document.execCommand("Undo");

        selection.deleteFromDocument();
        // "selectedRange" is NULL in WebKit\WebCore\page\DOMSelection.cpp:
        //
        // void DOMSelection::deleteFromDocument()
        // {
        //     if (!m_frame)
        //         return;
        //
        //     SelectionController* selection = m_frame->selection();
        //
        //     if (selection->isNone())
        //         return;
        //
        //     if (isCollapsed())
        //         selection->modify(SelectionController::AlterationExtend, SelectionController::DirectionBackward, CharacterGranularity);
        //
        //     RefPtr<Range> selectedRange = selection->selection().toNormalizedRange();
        //         // PassRefPtr<Range> VisibleSelection::toNormalizedRange() const
        //         // {
        //         //     if (isNone())
        //         //         return 0;
        //
        //     ExceptionCode ec = 0;
        //     selectedRange->deleteContents(ec);   // selectedRange == 0 --> KaB00m!!!
      }
    </script>
  </head>
  <body onload="go()">
  </body>
</html>

Suggested fix: add the check below.
    if (selectedRange == 0)
      return;

The above has been tested to resolve the issue; I've attached a .patch file that applies it. I'll create a test shortly.

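The control flow the report describes is a check-then-act gap: isNone() is tested once at the top of deleteFromDocument(), modify() then runs, and the range returned afterwards by toNormalizedRange() is used without being re-checked, even though toNormalizedRange() returns 0 whenever the selection is none. The following C++ model is an added example written for this note; it is not WebKit source and not the reporter's code. Range, VisibleSelection and SelectionController are toy stand-ins that keep only the methods the repro's comments mention, the names unpatchedRangeAfterModify, deleteFromDocumentPatched and makeReproState are invented here, and the loseSelectionOnModify flag is an assumption that stands in for whatever state document.open() plus Undo left behind in the repro: the page only shows that the range comes back null after modify(), not the mechanism.

```cpp
#include <cstdio>
#include <memory>
#include <string>

// Toy stand-ins for the WebKit types named in the report (model code, not WebKit source).
struct Range {
    std::string text;
    void deleteContents() { text.clear(); }
};

// Models VisibleSelection: either a range or no selection at all.
struct VisibleSelection {
    std::shared_ptr<Range> range;   // null means "none"
    bool isNone() const { return !range; }
    bool isCollapsed() const { return range && range->text.empty(); }
    // Like VisibleSelection::toNormalizedRange(): returns 0 when there is no selection.
    std::shared_ptr<Range> toNormalizedRange() const { return isNone() ? nullptr : range; }
};

// Models SelectionController. `loseSelectionOnModify` is an assumption of this
// model: isNone() is false on entry, but no range survives modify().
struct SelectionController {
    VisibleSelection current;
    bool loseSelectionOnModify = false;
    bool isNone() const { return current.isNone(); }
    const VisibleSelection& selection() const { return current; }
    void modifyExtendBackward() {
        if (loseSelectionOnModify)
            current.range.reset();        // selection becomes none
        else if (current.range)
            current.range->text = "x";    // extend one character backward
    }
};

// The same steps as the original function, stopping right before
// selectedRange->deleteContents(ec): this is the pointer the unpatched code dereferences.
std::shared_ptr<Range> unpatchedRangeAfterModify(SelectionController* selection) {
    if (!selection || selection->isNone())
        return nullptr;                   // the original also returns early here
    if (selection->selection().isCollapsed())
        selection->modifyExtendBackward();
    return selection->selection().toNormalizedRange();   // may be null: the crash site
}

enum class DeleteOutcome { NoSelection, Deleted };

// The patched flow: the range is re-checked after modify(), as the suggested fix does.
DeleteOutcome deleteFromDocumentPatched(SelectionController* selection) {
    std::shared_ptr<Range> selectedRange = unpatchedRangeAfterModify(selection);
    if (!selectedRange)                   // the added "if (selectedRange == 0) return;"
        return DeleteOutcome::NoSelection;
    selectedRange->deleteContents();
    return DeleteOutcome::Deleted;
}

// Constructed state mirroring the repro: a collapsed caret whose selection
// will be gone once modify() has run (assumption of this model).
SelectionController makeReproState() {
    SelectionController sc;
    sc.current.range = std::make_shared<Range>();
    sc.loseSelectionOnModify = true;
    return sc;
}

int main() {
    SelectionController normal;
    normal.current.range = std::make_shared<Range>();   // ordinary collapsed caret
    std::printf("normal caret: %s\n",
        deleteFromDocumentPatched(&normal) == DeleteOutcome::Deleted ? "deleted" : "no-op");

    SelectionController unpatched = makeReproState();
    std::printf("repro state, pointer the unpatched code dereferences: %s\n",
        unpatchedRangeAfterModify(&unpatched) ? "non-null" : "null");

    SelectionController patched = makeReproState();
    std::printf("repro state, patched: %s\n",
        deleteFromDocumentPatched(&patched) == DeleteOutcome::Deleted ? "deleted" : "no-op");
    return 0;
}
```

The point the model makes is that the early isNone() check is not a guarantee about a pointer obtained after an intervening call that can change the selection; the null check belongs next to the dereference, which is exactly where the suggested fix puts it.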