[Webkit-unassigned] [Bug 43029] New: <XMP> and execCommand NULL pointer crashes.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Jul 27 02:04:44 PDT 2010


https://bugs.webkit.org/show_bug.cgi?id=43029

           Summary: <XMP> and execCommand NULL pointer crashes.
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
               URL: http://code.google.com/p/chromium/issues/detail?id=50339
        OS/Version: Windows Vista
            Status: NEW
          Severity: Normal
          Priority: P1
         Component: HTML Editing
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: skylined at chromium.org
                CC: eric at webkit.org


Created an attachment (id=62656)
 --> (https://bugs.webkit.org/attachment.cgi?id=62656)
Repro - WebCore::CompositeEditCommand::cloneParagraphUnderNewElement ReadAV at NULL (29976a017e66aeb3110b10e42b7fa84a)

Attached is a repro for one of the NULL pointer crashes that I've seen when executing certain execCommand calls on a document containing an <xmp> tag. I believe they are all related and can only be used to crash WebKit by causing a NULL pointer.

id:             WebCore::CompositeEditCommand::cloneParagraphUnderNewElement ReadAV at NULL (29976a017e66aeb3110b10e42b7fa84a)
description:    Attempt to read from NULL pointer in WebCore::CompositeEditCommand::cloneParagraphUnderNewElement
stack:          WebCore::CompositeEditCommand::cloneParagraphUnderNewElement
                WebCore::CompositeEditCommand::moveParagraphWithClones
                WebCore::IndentOutdentCommand::indentIntoBlockquote
                WebCore::IndentOutdentCommand::indentRegion
                WebCore::IndentOutdentCommand::doApply
                WebCore::EditCommand::apply
                WebCore::applyCommand
                WebCore::executeIndent
                WebCore::Editor::Command::execute
                WebCore::Document::execCommand
                WebCore::DocumentInternal::execCommandCallback
                v8::internal::HandleApiCallHelper<...>
                v8::internal::Builtin_HandleApiCall
                v8::internal::Invoke
                v8::internal::Execution::Call
                v8::Function::Call
                WebCore::V8Proxy::callFunction
                WebCore::ScheduledAction::execute
                WebCore::ScheduledAction::execute
                WebCore::DOMTimer::fired
                WebCore::ThreadTimers::sharedTimerFiredInternal
                ...

id:             WebCore::maxRangeOffset ReadAV at NULL (5822f7c8678d0606a02b3d8ae4075595)
description:    Attempt to read from NULL pointer in WebCore::maxRangeOffset
stack:          WebCore::maxRangeOffset
                WebCore::ApplyStyleCommand::removeInlineStyle
                WebCore::ApplyStyleCommand::applyInlineStyle
                WebCore::ApplyStyleCommand::doApply
                WebCore::EditCommand::apply
                WebCore::applyCommand
                WebCore::Editor::applyStyle
                WebCore::applyCommandToFrame
                WebCore::executeApplyStyle
                WebCore::executeForeColor
                WebCore::Editor::Command::execute
                WebCore::DocumentInternal::execCommandCallback
                v8::internal::HandleApiCallHelper<...>
                v8::internal::Builtin_HandleApiCall
                v8::internal::Invoke
                v8::internal::Execution::Call
                v8::Script::Run
                WebCore::V8Proxy::runScript
                WebCore::V8Proxy::evaluate
                WebCore::ScriptController::evaluate
                WebCore::ScriptController::executeScript
                WebCore::HTMLScriptRunner::executeScript
                WebCore::HTMLScriptRunner::runScript
                WebCore::HTMLDocumentParser::pumpTokenizer
                WebCore::HTMLDocumentParser::pumpTokenizerIfPossible
                WebCore::HTMLDocumentParser::append
                WebCore::DecodedDataDocumentParser::appendBytes
                WebCore::DocumentWriter::addData
                WebCore::DocumentWriter::endIfNotLoadingMainResource
                WebCore::FrameLoader::finishedLoading
                WebCore::MainResourceLoader::didFinishLoading
                WebCore::ResourceLoader::didFinishLoading
                WebCore::ResourceHandleInternal::didFinishLoading
                webkit_glue::WebURLLoaderImpl::Context::OnCompletedRequest
                ...

id:             WebCore::Position::getInlineBoxAndOffset ReadAV at NULL (f1aa5eb73445559fe6a75e6187da0026)
description:    Attempt to read from NULL pointer (+0x19) in WebCore::Position::getInlineBoxAndOffset
signatures:     Function: WebCore::Position::getInlineBoxAndOffset
                Basic signature: WebCore::Position::getInlineBoxAndOffset(...)-35C0AC4
stack:          WebCore::Position::getInlineBoxAndOffset
                WebCore::Position::getInlineBoxAndOffset
                WebCore::Frame::firstRectForRange
                WebKit::WebViewImpl::caretOrSelectionBounds
                RenderWidget::UpdateInputMethod
                RenderWidget::DoDeferredUpdate
                RenderWidget::OnUpdateRectAck
                IPC::Message::Dispatch<...>
                RenderWidget::OnMessageReceived
                RenderView::OnMessageReceived
                MessageRouter::RouteMessage
                MessageRouter::OnMessageReceived
                ChildThread::OnMessageReceived
                RunnableMethod<...>::Run
                ...
