[Webkit-unassigned] [Bug 74924] New: editing: NULL ptr in line-break handling when text node is removed from document

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Dec 20 05:24:00 PST 2011


https://bugs.webkit.org/show_bug.cgi?id=74924

           Summary: editing: NULL ptr in line-break handling when text
                    node is removed from document
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Windows Vista
            Status: NEW
          Severity: Normal
          Priority: P1
         Component: HTML Editing
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: skylined at chromium.org
                CC: rniwa at webkit.org


Created an attachment (id=120012)
 --> (https://bugs.webkit.org/attachment.cgi?id=120012&action=review)
Repro

Chromium: http://code.google.com/p/chromium/issues/detail?id=108163

<style>
  /* These values are needed to cause line breaks, but are otherwise not
     involved in the crash AFAIK */
  * {
    padding-left: 100px;
  }
  body {
    width: 100px;
  }
</style><script>
window.onload = function () {
  document.execCommand('SelectAll');
  var oA1 = document.getElementById("1");
  oA1.removeChild(oA1.firstChild);
  var oSelection = window.getSelection();
  oSelection.modify("move","backward","paragraph");
};
</script>
<body contenteditable="true">
  <a id="1">
    Some text is needed here
    <a id="2">There can be no white-space before this text
    </a>
  </a>
</body>

Not sure what is going on here - I'm not familiar with the "leafChild" code and how line-breaks are handled. However, it is a clean NULL ptr because the "firstLeafChild" of the document is NULL and gets used regardless.

id:             webkit.dll!WebCore::InlineBox::isHorizontal ReadAV at NULL (5446f106152a0ccff998d095bc4ad267)
description:    Attempt to read from unallocated NULL pointer+0x21 in webkit.dll!WebCore::InlineBox::isHorizontal
application:    Chrome 18.0.976.0
stack:          webkit.dll!WebCore::InlineBox::isHorizontal
                webkit.dll!WebCore::InlineBox::logicalLeft
                webkit.dll!WebCore::RootInlineBox::closestLeafChildForLogicalLeftPosition
                webkit.dll!WebCore::RootInlineBox::closestLeafChildForPoint
                webkit.dll!WebCore::previousLinePosition
                webkit.dll!WebCore::previousParagraphPosition
                webkit.dll!WebCore::FrameSelection::modifyMovingBackward
                webkit.dll!WebCore::FrameSelection::modify
                webkit.dll!WebCore::DOMSelection::modify
                webkit.dll!WebCore::DOMSelectionInternal::modifyCallback
                ...

Not affected: 16.0.877.0-
Affected: 16.0.912.63+

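Added example, not WebKit source and not the reporter's repro: a small C++ model of the leaf-box walk that the stack above passes through (RootInlineBox::closestLeafChildForLogicalLeftPosition) and of the failure mode the report describes, a line whose only text node was removed from the DOM so that firstLeafChild() is null and is read regardless. The struct layout, the `isEditable` flag standing in for the editability check a contenteditable host implies, the `onlyEditable` parameter and the caller's -1 sentinel are all assumptions made for the model; the unguarded function is kept in the pre-fix shape only to show where the null read happens, and the guarded one beside it shows the check a practitioner would expect before the pointer is used.

```cpp
#include <cstdio>
#include <vector>

// Model of one inline leaf box: the span it covers along the line's logical
// axis, plus an editability flag standing in for the renderer/node check.
// (Assumed layout for this example, not WebKit's InlineBox.)
struct InlineBox {
    int logicalLeft;
    int logicalRight;
    bool isEditable;
};

// Model of a line (root inline box). An empty `leaves` vector is the state the
// repro creates: the line's only text node was removed from the DOM, so the
// line has no leaf children and firstLeafChild() is null.
struct RootInlineBox {
    std::vector<InlineBox> leaves;
    const InlineBox* firstLeafChild() const { return leaves.empty() ? nullptr : &leaves.front(); }
    const InlineBox* lastLeafChild() const { return leaves.empty() ? nullptr : &leaves.back(); }
};

// Pre-fix shape of the lookup (assumed, modelled on the report). The early
// return for a single-leaf line only fires when that leaf passes the
// editability test (onlyEditable is set for a contenteditable host, as in the
// repro), so an empty line falls through and reads logicalLeft through a null
// firstLeaf: the ReadAV at NULL in the report. Calling this with an empty line
// and onlyEditable == true is a null pointer dereference.
const InlineBox* closestLeafUnguarded(const RootInlineBox& line, int leftPosition, bool onlyEditable)
{
    const InlineBox* firstLeaf = line.firstLeafChild();
    const InlineBox* lastLeaf = line.lastLeafChild();
    // The editability test is null-safe on its own, which is exactly why it
    // does not protect the dereference that follows.
    if (firstLeaf == lastLeaf && (!onlyEditable || (firstLeaf && firstLeaf->isEditable)))
        return firstLeaf;
    if (leftPosition <= firstLeaf->logicalLeft)    // null dereference on an empty line
        return firstLeaf;
    if (leftPosition >= lastLeaf->logicalRight)
        return lastLeaf;
    const InlineBox* closest = nullptr;
    for (const InlineBox& leaf : line.leaves) {
        if (onlyEditable && !leaf.isEditable)
            continue;
        closest = &leaf;
        if (leftPosition < leaf.logicalRight)
            return closest;
    }
    return closest ? closest : lastLeaf;
}

// Guarded shape: a line with no leaf children has no closest leaf. Say so with
// nullptr and let the caller decide, instead of reading through a null pointer.
const InlineBox* closestLeafGuarded(const RootInlineBox& line, int leftPosition, bool onlyEditable)
{
    if (!line.firstLeafChild())
        return nullptr;
    return closestLeafUnguarded(line, leftPosition, onlyEditable);
}

// Model of the caller (previousLinePosition in the stack): map the wanted x
// position to a caret position on the line. Returns -1 (assumed sentinel) when
// there is no leaf the caret can land on, so selection movement can fall back
// rather than crash.
int caretLogicalLeftOnLine(const RootInlineBox& line, int x, bool onlyEditable)
{
    const InlineBox* leaf = closestLeafGuarded(line, x, onlyEditable);
    return leaf ? leaf->logicalLeft : -1;
}

int main()
{
    // Constructed sample lines for the model, not layout data from the repro.
    RootInlineBox twoLeaves{{{0, 50, true}, {60, 100, true}}};
    RootInlineBox emptyLine{};
    std::printf("x=70 on a two-leaf line -> caret at %d\n",
                caretLogicalLeftOnLine(twoLeaves, 70, true));
    std::printf("x=10 on an empty editable line -> %d (no leaf, caller must fall back)\n",
                caretLogicalLeftOnLine(emptyLine, 10, true));
    return 0;
}
```

The point of the model is the asymmetry the report hints at: with `onlyEditable` clear, an empty line exits safely through the `firstLeaf == lastLeaf` branch, but with it set (the contenteditable case) the same empty line reaches the dereference. A guard on `firstLeafChild()` at the top of the lookup, with the caller prepared for a null result, is the shape of check to look for in the fix.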