[Webkit-unassigned] [Bug 77192] New: NULL ptr in chrome.dll!WebCore..`anonymous namespace'..StyleAttributeMutationScope..StyleAttributeMutationScope

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Jan 27 01:30:51 PST 2012


https://bugs.webkit.org/show_bug.cgi?id=77192

           Summary: NULL ptr in chrome.dll!WebCore..`anonymous namespace'..StyleAttributeMutationScope..StyleAttributeMutationScope
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Windows Vista
            Status: NEW
          Severity: Normal
          Priority: P1
         Component: HTML Editing
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: skylined at chromium.org
                CC: rniwa at webkit.org


Created an attachment (id=124275)
 --> (https://bugs.webkit.org/attachment.cgi?id=124275&action=review)
Repro

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=15758158

Uploader: skylined at chromium.org

Crash Type: UNKNOWN
Crash Address: 0x00000000000c
Crash State:
  - crash stack -
  WebCore::
  WebCore::CSSMutableStyleDeclaration::setProperty
  WebCore::EditCommandComposition::unapply

Regressed: https://cluster-fuzz.appspot.com/revisions?range=115632:115640

Minimized Testcase (0.72 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97UJ8iv6rs5OAJCOERe2xdXHiyiyVbB4cjJRx7m1546L2F6zjyzPZ-9lCsRtTFu6m4byFsQQiFDu8LMYsM8ViOKDKHqQrFom5AvVtRvJXMU5JRlmXWPXLmNFBVSz5h5jZS30tA4t-3j1UsbvTfovXOKKn9jEQ
Repro:
orphans:currentColor;
<script>
  var af = [], i = 0;
  function main(e){console.log(e);af[i++ % af.length]()}
af.push(function (){
  document.designMode="on";  })
af.push(function (){
  document.execCommand("Undo");  document.execCommand("InsertUnorderedList");  document.execCommand("Undo");  })
af.push(function (){
  document.execCommand("Subscript");  document.execCommand("SelectAll", false);  })
af.push(function (){
  document.execCommand("Unlink", false);  })
</script>

<script>
  document.addEventListener("DOMNodeInserted",main,true);
  document.addEventListener("DOMNodeRemoved",main,false);
  document.addEventListener("DOMSubtreeModified",main,true);
  setInterval(main, 1);
</script>

<input>
<hr>
