[Webkit-unassigned] [Bug 74585] Crash when navigating with arrow key into empty anchor block with padding

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Dec 30 12:55:25 PST 2011


https://bugs.webkit.org/show_bug.cgi?id=74585

--- Comment #12 from Daniel Jalkut <jalkut at red-sweater.com>  2011-12-30 12:55:25 PST ---
Thanks, I am naive about the layout tests and assumed you couldn't test crashes. I've developed a test case that uses the technique of updating the body innerHTML to a "not crashed" content.

(In reply to comment #11)
> > Source/WebCore/editing/visible_units.cpp:716
> > +        InlineBox* leafChild = root->closestLeafChildForPoint(pointInLine, isEditablePosition(p));
> > +        if (leafChild) {
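Review bot: the `if (leafChild)` guard stops the null dereference, but the quoted fragment does not show what the function returns when no leaf child exists. The gdb output in this reply shows a RootInlineBox whose only child is not a leaf, so `closestLeafChildForPoint` can legitimately return null here; the else path should be stated explicitly, and the fallback suggested in the review, `return VisiblePosition(pos, DOWNSTREAM);`, is the natural choice since it is the path already used for an empty block.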
> 
> It's odd that we can get null here. What is box in line 702 then? Is it a root inline box? We should probably check that root box has at least one leaf in line 700 immediately after pos.getInlineBoxAndOffset(DOWNSTREAM, box, ignoredCaretOffset); and fall back to return VisiblePosition(pos, DOWNSTREAM); because that's the code path we normally use for an empty block.

In the crashing scenario, line 702 is not reached.  The root is established at line 677:

    if (box) {
        root = box->root()->nextRootBox();
        // We want to skip zero height boxes.
        // This could happen in case it is a TrailingFloatsRootInlineBox.
        if (!root || !root->logicalHeight())
            root = 0;
    }

box is an InlineBox and root is established as a RootInlineBox.

(gdb) p box
$1 = ('WebCore::InlineBox' *) 0x106d84118
(gdb) p box->root()
$2 = (const 'WebCore::RootInlineBox' *) 0x106dcfef8
(gdb) p box->root()->nextRootBox()
$3 = ('WebCore::RootInlineBox' *) 0x106de5648

It is this RootInlineBox that has one child, but no "leaf" children.

(gdb) p root->m_firstChild
$3 = ('WebCore::InlineBox' *) 0x1082d42b8
(gdb) p root->m_firstChild->isLeaf()
$4 = false
(gdb) p root->m_lastChild
$5 = ('WebCore::InlineBox' *) 0x1082d42b8

I'm in over my head here with the box stuff, so I'm not sure how much more I can do on my own. But if you have a better idea for how to protect against this I'm happy to execute it in the patch and test it.

Since the code at line 700 is never reached in this case, I'm guessing you think we should be doing some test around line 676 to see if the first getInlineBoxAndOffset() box returned is suitable for further examination?

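A reconstruction of the regression-test technique the comment describes (an added example, not the layout test attached to the bug): the page moves the caret by one line into an empty block-level anchor with padding, and if the renderer survives, replaces the body with a PASS marker so a crash shows up as missing output rather than as a normal result. The contenteditable body, the padding value and the harness hook names are assumptions.

```html
<!DOCTYPE html>
<html>
<body contenteditable="true">
<div id="line1">first line of text</div>
<!-- Empty anchor rendered as a block with padding: it has height but no leaf inline boxes. -->
<a id="target" href="#" style="display: block; padding: 12px;"></a>
<script>
// Assumed test-harness hook; the name depends on the WebKit vintage.
var harness = window.testRunner || window.layoutTestController;
if (harness)
    harness.dumpAsText();

// Put the caret at the start of the first line.
var first = document.getElementById("line1").firstChild;
var sel = window.getSelection();
sel.collapse(first, 0);

// Equivalent of pressing the down arrow: move the caret forward by one line,
// which drives the next-line position computation in visible_units.cpp.
sel.modify("move", "forward", "line");

// Reaching this point means the renderer did not crash. Replacing the body
// makes the expected output this single line; a crash produces no output.
document.body.innerHTML = "PASS: moved caret into an empty padded anchor block without crashing.";
</script>
</body>
</html>
```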