[Webkit-unassigned] [Bug 66288] New: Selecting all and inserting text into a page with a frameset leads to a NULL ptr
bugzilla-daemon at webkit.org
Tue Aug 16 03:34:52 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=66288
Summary: Selecting all and inserting text into a page with a frameset leads to a NULL ptr
Product: WebKit
Version: 528+ (Nightly build)
Platform: PC
OS/Version: Windows Vista
Status: NEW
Severity: Normal
Priority: P1
Component: HTML Editing
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: skylined at chromium.org
CC: rniwa at webkit.org
Created an attachment (id=104020)
--> (https://bugs.webkit.org/attachment.cgi?id=104020&action=review)
Repro
Repro:
<html>
<script>
  setTimeout(function() {
    document.designMode = "on";
    document.execCommand("selectall");
    document.execCommand("InsertText", false);
  }, 100);
</script>
<frameset><frame></frame></frameset>
</html>
id: chrome.dll!WebCore::Node::nodeIndex ReadAV at NULL (2478f9a3629a4d08efa42d9180043895)
description: Attempt to read from unallocated NULL pointer+0x18 in chrome.dll!WebCore::Node::nodeIndex
stack: chrome.dll!WebCore::Node::nodeIndex
chrome.dll!WebCore::positionInParentBeforeNode
chrome.dll!WebCore::InsertTextCommand::doApply
chrome.dll!WebCore::EditCommand::apply
chrome.dll!WebCore::CompositeEditCommand::applyCommandToComposite
chrome.dll!WebCore::TypingCommand::insertTextRunWithoutNewlines
chrome.dll!WebCore::TypingCommand::insertText
chrome.dll!WebCore::TypingCommand::doApply
chrome.dll!WebCore::EditCommand::apply
chrome.dll!WebCore::applyCommand
chrome.dll!WebCore::TypingCommand::insertText
chrome.dll!WebCore::TypingCommand::insertText
chrome.dll!WebCore::executeInsertText
chrome.dll!WebCore::Editor::Command::execute
chrome.dll!WebCore::Document::execCommand
chrome.dll!WebCore::DocumentInternal::execCommandCallback
...
This produces a selection that has no anchor node, a case the code does not handle:
void InsertTextCommand::doApply()
{
    <<<snip>>>
    // It is possible for the node that contains startPosition to contain only unrendered whitespace,
    // and so deleteInsignificantText could remove it. Save the position before the node in case that happens.
    Position positionBeforeStartNode(positionInParentBeforeNode(startPosition.containerNode()));
    <<<snip>>>
"startPosition.containerNode()" returns NULL, which leads to a NULL pointer dereference in "positionInParentBeforeNode":
inline Position positionInParentBeforeNode(const Node* node)
{
    // FIXME: This should ASSERT(node->parentNode())
    // At least one caller currently hits this ASSERT though, which indicates
    // that the caller is trying to make a position relative to a disconnected node (which is likely an error)
    // Specifically, editing/deleting/delete-ligature-001.html crashes with ASSERT(node->parentNode())
    return Position(node->nonShadowBoundaryParentNode(), node->nodeIndex(), Position::PositionIsOffsetInAnchor);
}
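As an added illustration, not WebKit's code and not part of the report, here is a small C++ model of the two functions above with the null-anchor guard the report says is missing. The Node, Position, FramesetDocument and check* names are hypothetical stand-ins for the WebCore types; the tree is constructed to match the repro (a frameset containing one frame).

```cpp
#include <cstddef>
#include <vector>

// Stand-in for WebCore::Node (hypothetical model, not WebKit's code).
struct Node {
    Node* parent = nullptr;
    std::vector<Node*> children;
    // Index of this node among its parent's children, like Node::nodeIndex().
    size_t nodeIndex() const {
        for (size_t i = 0; i < parent->children.size(); ++i)
            if (parent->children[i] == this) return i;
        return 0;
    }
};
// Stand-in for WebCore::Position; a selection with no anchor node has a null anchor.
struct Position {
    Node* anchor = nullptr;
    size_t offset = 0;
    bool isNull() const { return anchor == nullptr; }
};

// Guarded counterpart of positionInParentBeforeNode (hypothetical): a null or
// disconnected node yields a null Position instead of being dereferenced.
Position positionInParentBeforeNodeChecked(const Node* node) {
    if (!node || !node->parent) return Position{};
    return Position{node->parent, node->nodeIndex()};
}

// Models the prologue of InsertTextCommand::doApply: refuse the edit when the
// selection has no container node rather than handing a null node down.
bool insertTextApply(const Position& startPosition) {
    if (startPosition.isNull()) return false;
    Position before = positionInParentBeforeNodeChecked(startPosition.anchor);
    return !before.isNull();
}

// Constructed document shaped like the repro: root -> frameset -> frame.
struct FramesetDocument {
    Node root, frameset, frame;
    FramesetDocument() {
        frameset.parent = &root;   root.children = {&frameset};
        frame.parent = &frameset;  frameset.children = {&frame};
    }
};
// Exercises both paths: the selectall case is refused, while a caret inside the
// frame still yields the position before the frame inside the frameset.
bool checkRepro() {
    FramesetDocument doc;
    Position fromSelectAll;             // selectall on the frameset document: no anchor
    Position inFrame{&doc.frame, 0};
    return !insertTextApply(fromSelectAll) && insertTextApply(inFrame)
        && positionInParentBeforeNodeChecked(&doc.frame).anchor == &doc.frameset;
}
```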