Assertion when manipulating selection ranges
Issue description

Received signal 11 SEGV_MAPERR 0000fbadbeef
#0 0x7fd4b10ada2b base::debug::(anonymous namespace)::StackDumpSignalHandler()
#1 0x7fd4aaf03340 <unknown>
#2 0x7fd4b331747d blink::NoExceptionStateAssertionChecker::throwTypeError()
#3 0x7fd4b2a8f61e blink::Range::setStart()
#4 0x7fd4b2a8eeba blink::Range::Range()
#5 0x7fd4b2a8eda9 blink::Range::create()
#6 0x7fd4b2d556df blink::DOMSelection::getRangeAt()
#7 0x7fd4b33ac10a blink::DOMSelectionV8Internal::getRangeAtMethodCallback()
#8 0x7fd4b228bddb v8::internal::FunctionCallbackArguments::Call()
#9 0x7fd4b1e04641 v8::internal::(anonymous namespace)::HandleApiCallHelper<>()
#10 0x7fd4b1e37aa7 v8::internal::Builtin_Impl_HandleApiCall()
#11 0x7fd4b1e15209 v8::internal::Builtin_HandleApiCall()

Simply running DevTools for some time with assertions enabled surfaces this.
Mar 22 2016

Mar 22 2016
I am seeing "0000fbadbeef" in the trace which is poisoned memory access. But regardless, the renderer process should not crash.
Apr 6 2016
Sorry, I've been unable to work with the builds w/ assert enabled for more than a year because of this one. I'm going to remove the assertion.
Apr 7 2016
... or we can actually fix it?
Apr 7 2016
Investigation notes:
- DOMSelection::getRangeAt is to blame
- shadowAdjustedNode(anchor) returns nullptr
- anchor is not null
- position.computeContainerNode() is not null
- m_treeScope->ancestorInThisScope(containerNode) is null and we are using it to create the selection. Things explode there.
Apr 7 2016

Apr 7 2016

Apr 7 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/a53caae5ed9ec598cfa1851bbc72bbc886ed04d2

commit a53caae5ed9ec598cfa1851bbc72bbc886ed04d2
Author: pfeldman <pfeldman@chromium.org>
Date: Thu Apr 07 21:18:18 2016

DevTools: allow builds with assertions when using DevTools front-end.

BUG=595100

Review URL: https://codereview.chromium.org/1867703002

Cr-Commit-Position: refs/heads/master@{#385858}

[modify] https://crrev.com/a53caae5ed9ec598cfa1851bbc72bbc886ed04d2/third_party/WebKit/Source/core/editing/DOMSelection.cpp
Apr 13 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/7eb9fc98d4038fc256ab580bb7f61ce796117d68

commit 7eb9fc98d4038fc256ab580bb7f61ce796117d68
Author: lushnikov <lushnikov@chromium.org>
Date: Wed Apr 13 22:21:51 2016

DevTools: workaround bug in Blink selection API

The patch works around the bug in the blink selection API, when the selection.rangeCount returns 1, but selection.getRangeAt(0) still returns null.

BUG=602541, 595100
R=dgozman, pfeldman_ooo

Review URL: https://codereview.chromium.org/1881233002

Cr-Commit-Position: refs/heads/master@{#387121}

[modify] https://crrev.com/7eb9fc98d4038fc256ab580bb7f61ce796117d68/third_party/WebKit/Source/devtools/front_end/platform/DOMExtension.js
Apr 14 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/03c78a1961eb22e25ed8f2f136a35b6fb8098a2b

commit 03c78a1961eb22e25ed8f2f136a35b6fb8098a2b
Author: lushnikov <lushnikov@chromium.org>
Date: Thu Apr 14 01:35:37 2016

DevTools: cleanup occurrences of selection.getRangeAt to avoid NPE

This is a follow-up patch to https://crrev.com/1881233002/ which cleans up the rest of selection.getRangeAt occurrences in the front-end.

BUG=595100
R=dgozman, pfeldman_ooo

Review URL: https://codereview.chromium.org/1879163003

Cr-Commit-Position: refs/heads/master@{#387199}

[modify] https://crrev.com/03c78a1961eb22e25ed8f2f136a35b6fb8098a2b/third_party/WebKit/Source/devtools/front_end/platform/DOMExtension.js
[modify] https://crrev.com/03c78a1961eb22e25ed8f2f136a35b6fb8098a2b/third_party/WebKit/Source/devtools/front_end/ui/TextPrompt.js
[modify] https://crrev.com/03c78a1961eb22e25ed8f2f136a35b6fb8098a2b/third_party/WebKit/Source/devtools/front_end/ui/ViewportControl.js
Apr 18 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/fd81d5ade7fec37084a344302667df257eb25993

commit fd81d5ade7fec37084a344302667df257eb25993
Author: Andrey Lushnikov <lushnikov@chromium.org>
Date: Mon Apr 18 22:25:50 2016

DevTools: workaround bug in Blink selection API

The patch works around the bug in the blink selection API, when the selection.rangeCount returns 1, but selection.getRangeAt(0) still returns null.

BUG=602541, 595100
R=dgozman, pfeldman_ooo

Review URL: https://codereview.chromium.org/1881233002
(cherry picked from commit 7eb9fc98d4038fc256ab580bb7f61ce796117d68)

Cr-Original-Commit-Position: refs/heads/master@{#387121}
Cr-Commit-Position: refs/branch-heads/2704@{#114}
Cr-Branched-From: 6e53600def8f60d8c632fadc70d7c1939ccea347-refs/heads/master@{#386251}

[modify] https://crrev.com/fd81d5ade7fec37084a344302667df257eb25993/third_party/WebKit/Source/devtools/front_end/platform/DOMExtension.js
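As an added illustration of the workaround the two "workaround bug in Blink selection API" commits describe (this is example code, not DevTools' own DOMExtension.js), a defensive wrapper that treats a null or throwing getRangeAt() as "no range" even when rangeCount reports 1. The selection-like objects at the bottom are constructed stand-ins so the logic runs outside a browser; in a page you would pass window.getSelection().

```javascript
// Added example (not DevTools code): defensive access to Selection.getRangeAt()
// for the case where selection.rangeCount is 1 but getRangeAt(0) yields null
// (or, with assertions enabled, throws instead of returning a Range).

function safeGetRangeAt(selection, index) {
  if (!selection || typeof selection.getRangeAt !== 'function') {
    return null;
  }
  if (index < 0 || index >= selection.rangeCount) {
    return null; // out of bounds: nothing to return
  }
  let range = null;
  try {
    range = selection.getRangeAt(index);
  } catch (e) {
    // Range creation failed inside the engine; treat it as "no range"
    // rather than letting the exception reach the caller.
    return null;
  }
  return range || null; // normalise undefined/null to null
}

// Caller pattern: every use site checks the result before touching it,
// which is what the follow-up cleanup of getRangeAt call sites amounts to.
function selectionAnchorText(selection) {
  const range = safeGetRangeAt(selection, 0);
  if (!range) {
    return '';
  }
  return String(range.toString());
}

// Constructed stand-ins for the behaviours discussed in this thread.
const healthySelection = {
  rangeCount: 1,
  getRangeAt: () => ({ toString: () => 'hello' }),
};
const nullRangeSelection = {
  rangeCount: 1,
  getRangeAt: () => null, // rangeCount says 1, but the range is null
};
const throwingSelection = {
  rangeCount: 1,
  getRangeAt: () => { throw new TypeError('range creation failed'); },
};
```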
Jun 20 2016

Oct 12 2016
Comment 1 by yosin@chromium.org
Mar 16 2016
Status: Unconfirmed (was: Assigned)
Summary: NEEDS_FEEDBACK: Use after free when manipulating selection ranges (was: Use after free when manipulating selection ranges)