[Webkit-unassigned] [Bug 53267] New: NULL pointer crash in TextIterator::handleTextBox()

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jan 27 16:39:43 PST 2011 

https://bugs.webkit.org/show_bug.cgi?id=53267

           Summary: NULL pointer crash in TextIterator::handleTextBox()
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: Mac OS X 10.6
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: CSS
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: tsepez at chromium.org


The following test case triggers a crash (or an assert in the debug version):
}
<style>
 *:nth-child(2):first-letter {float: left;direction: rtl;
</style>


Error is:ASSERTION FAILED: i < size()
(../../JavaScriptCore/wtf/Vector.h:534 T& WTF::Vector<T, inlineCapacity>::at(size_t) [with T = WebCore::InlineTextBox*, long unsigned int inlineCapacity = 0ul])

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xbbadbeef
[Switching to process 19707]
0x026790c7 in WTF::Vector<WebCore::InlineTextBox*, 0ul>::at (this=0xb49b7b44, i=0) at Vector.h:534
534                ASSERT(i < size());
(gdb) where
#0  0x026790c7 in WTF::Vector<WebCore::InlineTextBox*, 0ul>::at (this=0xb49b7b44, i=0) at Vector.h:534
#1  0x0267910c in WTF::Vector<WebCore::InlineTextBox*, 0ul>::operator[] (this=0xb49b7b44, i=0) at Vector.h:543
#2  0x0267514d in WebCore::TextIterator::handleTextBox (this=0xb49b7ad8) at /Volumes/MacintoshHD2/c1/src/third_party/WebKit/WebCore/WebCore.gyp/../editing/TextIterator.cpp:545
#3  0x02675a97 in WebCore::TextIterator::handleTextNode (this=0xb49b7ad8) at /Volumes/MacintoshHD2/c1/src/third_party/WebKit/WebCore/WebCore.gyp/../editing/TextIterator.cpp:526
#4  0x02675c72 in WebCore::TextIterator::advance (this=0xb49b7ad8) at /Volumes/MacintoshHD2/c1/src/third_party/WebKit/WebCore/WebCore.gyp/../editing/TextIterator.cpp:403
#5  0x02676c37 in WebCore::TextIterator::TextIterator (this=0xb49b7ad8, r=0x2ed1cb30, behavior=WebCore::TextIteratorDefaultBehavior) at /Volumes/MacintoshHD2/c1/src/third_party/WebKit/WebCore/WebCore.gyp/../editing/TextIterator.cpp:344
#6  0x01f34394 in WebKit::frameContentAsPlainText (maxChars=65535, frame=0xb863600, output=0xb49b7bb0) at /Volumes/MacintoshHD2/c1/src/third_party/WebKit/WebKit/chromium/src/WebFrameImpl.cpp:204
#7  0x01f346a7 in WebKit::WebFrameImpl::contentAsText (this=0xc0489f0, maxChars=65535) at /Volumes/MacintoshHD2/c1/src/third_party/WebKit/WebKit/chromium/src/WebFrameImpl.cpp:1701


Appears similar to http://trac.webkit.org/changeset/58153 ;  the same fix also needs to be applied a few lines lower where that logic is repeated.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list