[Webkit-unassigned] [Bug 57743] REGRESSION(r81518): Crash in SplitElement

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Apr 4 04:54:44 PDT 2011 

https://bugs.webkit.org/show_bug.cgi?id=57743





--- Comment #1 from Berend-Jan Wever <skylined at chromium.org>  2011-04-04 04:54:44 PST ---
Created an attachment (id=88051)
 --> (https://bugs.webkit.org/attachment.cgi?id=88051&action=review)
Repro

I think I hit this during fuzzing, repro:
<pre id="x"><x style="white-space: pre-wrap;"><br></x></pre>
<script>
  var x = document.getElementById("x");
  document.execCommand("selectall",false);
  document.designMode="on";
  console.log(x.innerHTML);             // <x style="white-space: pre-wrap;"><br></x>
  document.execCommand("InsertImage");  // replace <br> with <img> and set some state: simply changing the original
                                        // html does not reproduce the issue.
  console.log(x.innerHTML);             // <x style="white-space: pre-wrap;"><img></x>
  document.execCommand("InsertImage");
  console.log(x.innerHTML);             // <span class="Apple-style-span" style="font-family: 'Times New Roman'; white-space: normal; "><img></span><x style="white-space: pre-wrap;"><img></x>
  document.execCommand("InsertImage");  // crash
  console.log(x.innerHTML);
</script>

id:             chrome.dll!WebCore::SplitElementCommand::executeApply ReadAV at NULL (3a063a704d2ab72ff3cb23ae09a074fa)
description:    Attempt to read from unallocated NULL pointer+0x24 in chrome.dll!WebCore::SplitElementCommand::executeApply
stack:          chrome.dll!WebCore::SplitElementCommand::executeApply
                chrome.dll!WebCore::CompositeEditCommand::applyCommandToComposite
                chrome.dll!WebCore::CompositeEditCommand::splitElement
                chrome.dll!WebCore::ReplaceSelectionCommand::doApply
                chrome.dll!WebCore::EditCommand::apply
                chrome.dll!WebCore::CompositeEditCommand::applyCommandToComposite
                chrome.dll!WebCore::CompositeEditCommand::moveParagraphs
                chrome.dll!WebCore::ReplaceSelectionCommand::doApply
                chrome.dll!WebCore::EditCommand::apply
                chrome.dll!WebCore::applyCommand
                chrome.dll!WebCore::executeInsertFragment
                chrome.dll!WebCore::executeInsertNode
                chrome.dll!WebCore::executeInsertImage
                chrome.dll!WebCore::Editor::Command::execute
                chrome.dll!WebCore::Document::execCommand
                chrome.dll!WebCore::DocumentInternal::execCommandCallback
                chrome.dll!v8::internal::Invoke
                chrome.dll!v8::internal::Execution::Call
                ...

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list