[Webkit-unassigned] [Bug 43029] New: <XMP> and execCommand NULL pointer crashes.
bugzilla-daemon at webkit.org
Tue Jul 27 02:04:44 PDT 2010
https://bugs.webkit.org/show_bug.cgi?id=43029
Summary: <XMP> and execCommand NULL pointer crashes.
Product: WebKit
Version: 528+ (Nightly build)
Platform: PC
URL: http://code.google.com/p/chromium/issues/detail?id=50339
OS/Version: Windows Vista
Status: NEW
Severity: Normal
Priority: P1
Component: HTML Editing
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: skylined at chromium.org
CC: eric at webkit.org
Created an attachment (id=62656)
--> (https://bugs.webkit.org/attachment.cgi?id=62656)
Repro - WebCore::CompositeEditCommand::cloneParagraphUnderNewElement ReadAV at NULL (29976a017e66aeb3110b10e42b7fa84a)
Attached is a repro for one of the NULL pointer crashes that I've seen when executing certain execCommand calls on a document containing an <xmp> tag. I believe they are all related and can only be used to crash WebKit by causing a NULL pointer.
id: WebCore::CompositeEditCommand::cloneParagraphUnderNewElement ReadAV at NULL (29976a017e66aeb3110b10e42b7fa84a)
description: Attempt to read from NULL pointer in WebCore::CompositeEditCommand::cloneParagraphUnderNewElement
stack: WebCore::CompositeEditCommand::cloneParagraphUnderNewElement
WebCore::CompositeEditCommand::moveParagraphWithClones
WebCore::IndentOutdentCommand::indentIntoBlockquote
WebCore::IndentOutdentCommand::indentRegion
WebCore::IndentOutdentCommand::doApply
WebCore::EditCommand::apply
WebCore::applyCommand
WebCore::executeIndent
WebCore::Editor::Command::execute
WebCore::Document::execCommand
WebCore::DocumentInternal::execCommandCallback
v8::internal::HandleApiCallHelper<...>
v8::internal::Builtin_HandleApiCall
v8::internal::Invoke
v8::internal::Execution::Call
v8::Function::Call
WebCore::V8Proxy::callFunction
WebCore::ScheduledAction::execute
WebCore::ScheduledAction::execute
WebCore::DOMTimer::fired
WebCore::ThreadTimers::sharedTimerFiredInternal
...
id: WebCore::maxRangeOffset ReadAV at NULL (5822f7c8678d0606a02b3d8ae4075595)
description: Attempt to read from NULL pointer in WebCore::maxRangeOffset
stack: WebCore::maxRangeOffset
WebCore::ApplyStyleCommand::removeInlineStyle
WebCore::ApplyStyleCommand::applyInlineStyle
WebCore::ApplyStyleCommand::doApply
WebCore::EditCommand::apply
WebCore::applyCommand
WebCore::Editor::applyStyle
WebCore::applyCommandToFrame
WebCore::executeApplyStyle
WebCore::executeForeColor
WebCore::Editor::Command::execute
WebCore::DocumentInternal::execCommandCallback
v8::internal::HandleApiCallHelper<...>
v8::internal::Builtin_HandleApiCall
v8::internal::Invoke
v8::internal::Execution::Call
v8::Script::Run
WebCore::V8Proxy::runScript
WebCore::V8Proxy::evaluate
WebCore::ScriptController::evaluate
WebCore::ScriptController::executeScript
WebCore::HTMLScriptRunner::executeScript
WebCore::HTMLScriptRunner::runScript
WebCore::HTMLDocumentParser::pumpTokenizer
WebCore::HTMLDocumentParser::pumpTokenizerIfPossible
WebCore::HTMLDocumentParser::append
WebCore::DecodedDataDocumentParser::appendBytes
WebCore::DocumentWriter::addData
WebCore::DocumentWriter::endIfNotLoadingMainResource
WebCore::FrameLoader::finishedLoading
WebCore::MainResourceLoader::didFinishLoading
WebCore::ResourceLoader::didFinishLoading
WebCore::ResourceHandleInternal::didFinishLoading
webkit_glue::WebURLLoaderImpl::Context::OnCompletedRequest
...
id: WebCore::Position::getInlineBoxAndOffset ReadAV at NULL (f1aa5eb73445559fe6a75e6187da0026)
description: Attempt to read from NULL pointer (+0x19) in WebCore::Position::getInlineBoxAndOffset
signatures: Function: WebCore::Position::getInlineBoxAndOffset
Basic signature: WebCore::Position::getInlineBoxAndOffset(...)-35C0AC4
stack: WebCore::Position::getInlineBoxAndOffset
WebCore::Position::getInlineBoxAndOffset
WebCore::Frame::firstRectForRange
WebKit::WebViewImpl::caretOrSelectionBounds
RenderWidget::UpdateInputMethod
RenderWidget::DoDeferredUpdate
RenderWidget::OnUpdateRectAck
IPC::Message::Dispatch<...>
RenderWidget::OnMessageReceived
RenderView::OnMessageReceived
MessageRouter::RouteMessage
MessageRouter::OnMessageReceived
ChildThread::OnMessageReceived
RunnableMethod<...>::Run
...