[Webkit-unassigned] [Bug 63908] New: chrome.dll!WebCore::firstPositionInNode ReadAV at NULL (b1c286808dfae0c5027c71627f71b962)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jul 4 07:50:28 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=63908

           Summary: chrome.dll!WebCore::firstPositionInNode ReadAV at NULL
                    (b1c286808dfae0c5027c71627f71b962)
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Windows Vista
            Status: NEW
          Severity: Normal
          Priority: P1
         Component: HTML DOM
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: skylined at chromium.org
                CC: eric at webkit.org


Created an attachment (id=99631)
 --> (https://bugs.webkit.org/attachment.cgi?id=99631&action=review)
Repro

Chromium: https://code.google.com/p/chromium/issues/detail?id=88389

Repro:
<script>
  var oSelection = window.getSelection();
  document.removeChild(document.documentElement);
  oSelection.collapse(document);
  oSelection.modify("move","backward","documentboundary");
</script>

id:             chrome.dll!WebCore::firstPositionInNode ReadAV at NULL (b1c286808dfae0c5027c71627f71b962)
description:    Attempt to read from unallocated NULL pointer+0x24 in chrome.dll!WebCore::firstPositionInNode
stack:          chrome.dll!WebCore::firstPositionInNode
                chrome.dll!WebCore::startOfDocument
                chrome.dll!WebCore::startOfDocument
                chrome.dll!WebCore::FrameSelection::modifyMovingBackward
                chrome.dll!WebCore::FrameSelection::modify
                chrome.dll!WebCore::DOMSelection::modify
                chrome.dll!WebCore::DOMSelectionInternal::modifyCallback
                ...

// 1) In the repro, the HTML element has been removed from the document.
// 2) Next, the entire document is selected and moved, causing the code to try to determine the start of the document:
// 3) startOfDocument assumes a document ALWAYS has a documentElement in webkit\source\webcore\editing\visible_units.cpp:989:
VisiblePosition startOfDocument(const Node* node)
{
    if (!node)
        return VisiblePosition();

    return VisiblePosition(firstPositionInNode(node->document()->documentElement()), DOWNSTREAM);
}
// 4) anchorNode is NULL in webkit\source\webcore\dom\position.h:270, leading to the crash:
inline Position firstPositionInNode(Node* anchorNode)
{
    if (anchorNode->isTextNode())
        return Position(anchorNode, 0, Position::PositionIsOffsetInAnchor);
    return Position(anchorNode, Position::PositionIsBeforeChildren);
}

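The crash path above reduces to one assumption: that node->document()->documentElement() is never null, which the repro falsifies by removing the root element first. The following is an added example, not code from the report or from WebKit: it models the Node/Document/Position shapes involved with minimal stand-in structs (the names firstPositionInNodeUnchecked, firstPositionInNodeChecked, startOfDocumentChecked and the helper functions are my own, and the offsets and field layout are not WebKit's), and shows the unchecked path from the report next to a variant that treats a missing documentElement as a null Position instead of dereferencing it.

```cpp
// Added example (not WebKit code): minimal model of the types in the report,
// used to contrast the unchecked path with a null-aware variant.
#include <cstddef>

struct Document;

struct Node {
    bool textNode = false;        // stand-in for WebCore's node-type flag
    Document* doc = nullptr;      // owning document
    bool isTextNode() const { return textNode; }
    Document* document() const { return doc; }
};

struct Document {
    // Becomes null after document.removeChild(document.documentElement).
    Node* documentElement = nullptr;
};

struct Position {
    enum AnchorType { PositionIsOffsetInAnchor, PositionIsBeforeChildren };
    Node* anchorNode = nullptr;
    int offset = 0;
    AnchorType anchorType = PositionIsOffsetInAnchor;
    Position() = default;                       // the "null position"
    Position(Node* n, int off, AnchorType t) : anchorNode(n), offset(off), anchorType(t) {}
    Position(Node* n, AnchorType t) : anchorNode(n), anchorType(t) {}
    bool isNull() const { return anchorNode == nullptr; }
};

// Same shape as the snippet quoted in the report: anchorNode is dereferenced
// unconditionally, so a null anchor reads a flag at a small offset from 0.
inline Position firstPositionInNodeUnchecked(Node* anchorNode)
{
    if (anchorNode->isTextNode())
        return Position(anchorNode, 0, Position::PositionIsOffsetInAnchor);
    return Position(anchorNode, Position::PositionIsBeforeChildren);
}

// Hypothetical guarded variant: a missing anchor yields a null Position.
inline Position firstPositionInNodeChecked(Node* anchorNode)
{
    if (!anchorNode)
        return Position();
    if (anchorNode->isTextNode())
        return Position(anchorNode, 0, Position::PositionIsOffsetInAnchor);
    return Position(anchorNode, Position::PositionIsBeforeChildren);
}

// Hypothetical guarded startOfDocument: the document element is optional
// DOM state, so its absence is handled rather than assumed away.
Position startOfDocumentChecked(const Node* node)
{
    if (!node)
        return Position();
    Node* root = node->document()->documentElement;
    if (!root)                 // the state the repro produces
        return Position();
    return firstPositionInNodeChecked(root);
}

// Scenario helpers (constructed here; they stand in for the DOM states
// before and after the repro's removeChild call).
bool intactDocumentYieldsRootAnchor()
{
    Document d;
    Node html;                 // root element present
    Node docNode;
    docNode.doc = &d;
    d.documentElement = &html;
    Position p = startOfDocumentChecked(&docNode);
    Position q = firstPositionInNodeUnchecked(&html);   // safe: anchor is non-null
    return !p.isNull() && p.anchorNode == &html
        && p.anchorType == Position::PositionIsBeforeChildren
        && q.anchorNode == p.anchorNode && q.anchorType == p.anchorType;
}

bool detachedRootYieldsNullPosition()
{
    Document d;
    Node docNode;
    docNode.doc = &d;
    d.documentElement = nullptr;   // after document.removeChild(document.documentElement)
    return startOfDocumentChecked(&docNode).isNull();
}

int main()
{
    // Both scenarios are exercised without ever dereferencing a null anchor.
    return (intactDocumentYieldsRootAnchor() && detachedRootYieldsNullPosition()) ? 0 : 1;
}
```

The caller in the report, FrameSelection::modifyMovingBackward, receives a VisiblePosition built from the returned Position; with the guarded variant a detached root produces the same null VisiblePosition that startOfDocument already returns for a null node, so the movement is simply a no-op instead of a read at NULL.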