Issue 58741 in chromium: Somewhat simple Javascript causes Chrome tab to crash ("Oh, Snap!")


chro...@googlecode.com

Oct 11, 2010, 7:30:14 AM
to chromi...@chromium.org
Status: Unconfirmed
Owner: ----
Labels: Type-Bug Pri-2 Area-Undefined

New issue 58741 by vkouchna: Somewhat simple Javascript causes Chrome tab
to crash ("Oh, Snap!")
http://code.google.com/p/chromium/issues/detail?id=58741

Chrome Version : 6.0.472.63
URLs (if applicable) : http://tatianastomatobase.com/seed-order/html/tis/
Other browsers tested:
Add OK or FAIL after other browsers where you have tested this issue:
Safari 4:
Firefox 3.x: OK
IE 7: OK
IE 8: OK

What steps will reproduce the problem?
1. Click on View Inventory
2. Click on a white table cell, to activate it
3. Hold down CTRL, and press the LEFT or RIGHT arrow key
4. Your browser tab should crash.

What is the expected result?

The cell to the LEFT or RIGHT of the activated cell should be activated,
while the original cell should be deactivated.


What happens instead?

The tab crashes.

Please provide any additional information below. Attach a screenshot if
possible.

I've tracked the problem down to one specific method -

http://tatianastomatobase.com/seed-order/js/tis/view.js

The method code is as follows:

/**
 * Deactivates a cell, hiding its input field, and showing its span field.
 * descendants(), show(), hide() and addClassName() are Prototype.js-style
 * element methods; descendants()[0] is the label span, [1] is the input.
 */
View.prototype.deactivateCell = function (cell) {
    // Show the span, hide the input
    var label = cell.descendants()[0];
    var input = cell.descendants()[1];
    if (label) {
        label.show();
        // Loose comparison: "" == 0 and "0" == 0 are both true, so an
        // empty or zero label is cleared.
        if (label.innerHTML == 0) {
            label.innerHTML = "";
        }
    }
    if (input) {
        input.addClassName("hiddenInput");
        input.hide();
        if (input.value == 0) {
            input.value = "";
        }
    }
};


The method is invoked in other situations of the web-app, without causing
the tab to crash - it only crashes when invoked after a CTRL-LEFT or
CTRL-RIGHT event is processed.

The cell variable is not null, the input variable is not null, the input
variable points to the right input... That method should not crash the
browser.

I could not reproduce this by isolating that small piece of code - some
other part of the web-app puts the browser into a state that causes the
crash.


chro...@googlecode.com

Oct 11, 2010, 8:30:40 AM
to chromi...@chromium.org

Comment #1 on issue 58741 by temp01...@gmail.com: Somewhat simple
Javascript causes Chrome tab to crash ("Oh, Snap!")
http://code.google.com/p/chromium/issues/detail?id=58741

I can confirm the tab crash with Chromium 8.0.550.0 (r62017) and Safari 5.
I'll try creating a reduced testcase for it.

chro...@googlecode.com

Oct 11, 2010, 8:42:50 AM
to chromi...@chromium.org
Updates:
Labels: -Area-Undefined Area-WebKit WebKit-Core Crash

Comment #2 on issue 58741 by beverloo.peter: Somewhat simple Javascript
causes Chrome tab to crash ("Oh, Snap!")
http://code.google.com/p/chromium/issues/detail?id=58741

Thank you for reporting this issue. I can reproduce this on the given page,
which gives the following crash-dump.

The associated code can be found here: http://goo.gl/unuk

00000000()
chrome.dll!WebCore::Position::upstream(WebCore::Position::EditingBoundaryCrossingRule rule=CannotCrossEditingBoundary) Line 502 C++
chrome.dll!WebCore::VisiblePosition::canonicalPosition(const WebCore::Position & passedPosition={...}) Line 462 C++
chrome.dll!WebCore::VisiblePosition::init(const WebCore::Position & position={...}, WebCore::EAffinity affinity=DOWNSTREAM) Line 61 + 0x1c bytes C++
chrome.dll!WebCore::VisiblePosition::VisiblePosition(WebCore::Node * node=0x08e67bc0, int offset=0x00000000, WebCore::EAffinity affinity=DOWNSTREAM) Line 54 + 0x46 bytes C++
chrome.dll!WebCore::RenderTextControl::selection(int start=0x00000000, int end=0x00000000) Line 268 + 0x2d bytes C++
chrome.dll!WebCore::HTMLTextFormControlElement::selection() Line 599 + 0x2a bytes C++
chrome.dll!WebCore::Editor::selectionForCommand(WebCore::Event * event=0x08aa52a0) Line 101 + 0xc bytes C++
chrome.dll!WebCore::enabledInEditableTextOrCaretBrowsing(WebCore::Frame * frame=0x08ddd800, WebCore::Event * event=0x08aa52a0, WebCore::EditorCommandSource __formal=CommandFromMenuOrKeyBinding) Line 1209 + 0x35 bytes C++
chrome.dll!WebCore::Editor::Command::execute(const WTF::String & parameter={...}, WebCore::Event * triggeringEvent=0x08aa52a0) Line 1602 + 0x33 bytes C++
chrome.dll!WebCore::Editor::Command::execute(WebCore::Event * triggeringEvent=0x08aa52a0) Line 1613 + 0x19 bytes C++
chrome.dll!WebKit::EditorClientImpl::handleEditingKeyboardEvent(WebCore::KeyboardEvent * evt=0x08a6f2a0) Line 571 + 0xa bytes C++
chrome.dll!WebKit::EditorClientImpl::handleKeyboardEvent(WebCore::KeyboardEvent * evt=0x08aa52a0) Line 640 + 0x22 bytes C++
chrome.dll!WebCore::EventHandler::defaultKeyboardEventHandler(WebCore::KeyboardEvent * event=0x08aa52a0) Line 2370 C++
chrome.dll!WebCore::Node::defaultEventHandler(WebCore::Event * event=0x08aa52a0) Line 2982 C++
chrome.dll!WebCore::HTMLFormControlElementWithState::defaultEventHandler(WebCore::Event * event=0x08aa52a0) Line 471 + 0x8 bytes C++
chrome.dll!WebCore::HTMLInputElement::defaultEventHandler(WebCore::Event * evt=0x08aa5200) Line 1600 C++
chrome.dll!WebCore::Node::dispatchGenericEvent(WTF::PassRefPtr<WebCore::Event> prpEvent={...}) Line 2670 C++
chrome.dll!WebCore::Node::dispatchEvent(WTF::PassRefPtr<WebCore::Event> prpEvent={...}) Line 2577 + 0xc bytes C++
chrome.dll!WebCore::EventTarget::dispatchEvent(WTF::PassRefPtr<WebCore::Event> event={...}, int & ec=0x04d3f698) Line 278 + 0x1a bytes C++
chrome.dll!WebCore::EventHandler::keyEvent(const WebCore::PlatformKeyboardEvent & initialKeyEvent={...}) Line 2290 C++
chrome.dll!WebKit::WebViewImpl::keyEvent(const WebKit::WebKeyboardEvent & event={...}) Line 579 + 0xc bytes C++
chrome.dll!WebKit::WebViewImpl::handleInputEvent(const WebKit::WebInputEvent & inputEvent={...}) Line 1123 + 0x8 bytes C++
chrome.dll!RenderWidget::OnHandleInputEvent(const IPC::Message & message={...}) Line 351 + 0x8 bytes C++
chrome.dll!IPC::Message::Dispatch<RenderWidget>(const IPC::Message * msg=0x08b3bb20, RenderWidget * obj=0x08d55b00, void (const IPC::Message &)* func=0x69179ea0) Line 149 C++
chrome.dll!RenderWidget::OnMessageReceived(const IPC::Message & msg={...}) Line 175 + 0x1d bytes C++
chrome.dll!RenderView::OnMessageReceived(const IPC::Message & message={...}) Line 806 C++
chrome.dll!MessageRouter::RouteMessage(const IPC::Message & msg={...}) Line 46 + 0xa bytes C++
chrome.dll!MessageRouter::OnMessageReceived(const IPC::Message & msg={...}) Line 37 + 0x5 bytes C++
chrome.dll!ChildThread::OnMessageReceived(const IPC::Message & msg={...}) Line 163 + 0xb bytes C++
chrome.dll!RunnableMethod<UserStyleSheetLoader,void (__thiscall UserStyleSheetLoader::*)(GURL const &),Tuple1<GURL> >::Run() Line 330 + 0xf bytes C++
chrome.dll!MessageLoop::RunTask(Task * task=0x08b3bb10) Line 411 C++
chrome.dll!MessageLoop::DoWork() Line 526 + 0x8 bytes C++
chrome.dll!base::MessagePumpForUI::DoRunLoop() Line 203 C++
chrome.dll!base::MessagePumpWin::Run(base::MessagePump::Delegate * delegate=0x04d3fb6c) Line 80 + 0x42 bytes C++
chrome.dll!MessageLoop::RunInternal() Line 258 + 0xb bytes C++
chrome.dll!MessageLoop::Run() Line 209 C++
chrome.dll!base::Thread::Run(MessageLoop * message_loop=0x04d3fb6c) Line 141 C++
chrome.dll!base::Thread::ThreadMain() Line 167 C++
chrome.dll!`anonymous namespace'::ThreadFunc(void * closure=0x04012a20) Line 27 C++
kernel32.dll!757deccb()
[Frames below may be incorrect and/or missing, no symbols loaded for kernel32.dll]
ntdll.dll!77bad24d()
chrome.dll!xsltParseStylesheetImport(_xsltStylesheet * style=, _xmlNode * cur=) Line 143 + 0x16 bytes C

Issue 33106 crashed in the same method (WebCore::Position::upstream) and
has been marked as fixed, but noting it for reference. I'll try to create a
reduced test-case later on unless temp01 can create one.
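
An added triage helper, not code from this thread or from Chromium: it parses the MSVC-style frame lines of the dump above (module!function(args) Line N + 0xNN bytes C++), keeps parentheses inside template arguments and function-pointer types out of the function name, and flags a top frame at address 0, which is what 00000000() sitting above WebCore::Position::upstream shows. The sample dump is constructed from a few frames copied out of the dump above, one frame per line.

```python
import re
# Constructed sample: a few frames copied from the dump above, one frame per line.
SAMPLE_DUMP = """\
00000000()
chrome.dll!WebCore::Position::upstream(WebCore::Position::EditingBoundaryCrossingRule rule=CannotCrossEditingBoundary) Line 502 C++
chrome.dll!WebCore::VisiblePosition::init(const WebCore::Position & position={...}, WebCore::EAffinity affinity=DOWNSTREAM) Line 61 + 0x1c bytes C++
chrome.dll!IPC::Message::Dispatch<RenderWidget>(const IPC::Message * msg=0x08b3bb20, RenderWidget * obj=0x08d55b00, void (const IPC::Message &)* func=0x69179ea0) Line 149 C++
kernel32.dll!757deccb()
[Frames below may be incorrect and/or missing, no symbols loaded for kernel32.dll]
"""
# Trailing "Line N [+ 0xNN bytes] C++" part of a symbolized frame.
_SUFFIX = re.compile(r"\s+Line\s+(?P<line>\d+)(?:\s+\+\s+(?P<off>0x[0-9a-fA-F]+)\s+bytes)?\s+(?P<lang>C\+\+|C)$")

def _split_args(sig):
    """Split 'name(args)' at the outermost argument list, scanning backwards so that
    parentheses inside template arguments or function-pointer types stay in the name."""
    if not sig.endswith(")"):
        return sig, None
    depth = 0
    for i in range(len(sig) - 1, -1, -1):
        depth += 1 if sig[i] == ")" else -1 if sig[i] == "(" else 0
        if depth == 0:
            return sig[:i], sig[i + 1:-1]
    return sig, None

def parse_frame(line):
    """Parse one frame line; return None for notes such as '[Frames below ...]'."""
    line = line.strip()
    if not line or line.startswith("["):
        return None
    frame = {"module": None, "line": None, "offset": None, "lang": None}
    m = _SUFFIX.search(line)
    if m:
        frame.update(line=int(m.group("line")), lang=m.group("lang"),
                     offset=int(m.group("off"), 16) if m.group("off") else 0)
        line = line[:m.start()]
    if "!" in line:
        frame["module"], line = line.split("!", 1)
    frame["function"], frame["args"] = _split_args(line)
    # A bare hex "name" (757deccb, 00000000) is a raw address, not a symbol.
    frame["symbolized"] = re.fullmatch(r"[0-9a-fA-F]+", frame["function"]) is None
    frame["null_address"] = not frame["symbolized"] and int(frame["function"], 16) == 0
    return frame

def summarize(dump):
    """Triage summary: did execution reach address 0, and which symbolized function is nearest the top."""
    frames = [f for f in (parse_frame(l) for l in dump.splitlines()) if f]
    top = next((f for f in frames if f["symbolized"]), None)
    return {"frames": len(frames), "null_address_top": bool(frames) and frames[0]["null_address"],
            "crash_function": top["function"] if top else None, "crash_line": top["line"] if top else None}
```

Running summarize(SAMPLE_DUMP) reports a null-address top frame with WebCore::Position::upstream at line 502 as the nearest symbolized function, which is the frame comment #2 matched against issue 33106.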

chro...@googlecode.com

Oct 11, 2010, 8:54:56 AM
to chromi...@chromium.org
Updates:
Status: Untriaged

Comment #3 on issue 58741 by beverloo.peter: Somewhat simple Javascript
causes Chrome tab to crash ("Oh, Snap!")
http://code.google.com/p/chromium/issues/detail?id=58741

This should be untriaged, excuse me.

chro...@googlecode.com

Oct 12, 2010, 4:51:15 AM
to chromi...@chromium.org

Comment #7 on issue 58741 by vkouchna: Somewhat simple Javascript causes

I've done some more testing, and it seems that this crash occurs when the
key press event has the "keydown" type.

It does not occur when the event's type is keyup.

It does not occur when the key pressed is an alphanumerical character,
Space, or Return.

It occurs with the Right, Left, Up, Down arrow keys, Page Up, Page Down,
End, Home, Delete, Backspace keys.

It does not require the CTRL key modifier to be active.
