Bug 10126

Summary: REGRESSION: Reproducible crash in findNextLineBreak() while deleting text in textarea
Product: WebKit Reporter: David Kilzer (:ddkilzer) <ddkilzer>
Component: HTML EditingAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Critical CC: bdakin, daniele.metilli, darin, justin.garcia, mitz
Priority: P1 Keywords: InRadar, Regression
Version: 420+   
Hardware: Mac   
OS: OS X 10.4   
Attachments:
Description Flags
Crash log
none
Reduction none

Description David Kilzer (:ddkilzer) 2006-07-27 03:21:05 PDT 
Steps to reproduce:

1. Open Bug 6390 Comment #8.  http://bugzilla.opendarwin.org/show_bug.cgi?id=6390#c8
2. Click the "[reply]" link for Bug 6390 Comment #8.
3. Hit Delete four times.  (Cursor should start at the end of the quoted reply text before deleting.)

Expected results:

Four characters should be deleted from the textarea.

Actual results:

WebKit crashes.

Regression:

Works as expected on production Safari 2.0.4 (419.3) in Mac OS X 10.4.7 (8J135/PowerPC).

Notes:

Tested on locally-built debug build of WebKit r15636 on OS X noted above.
Comment 1 David Kilzer (:ddkilzer) 2006-07-27 03:22:08 PDT 
Created attachment 9710 [details]
Crash log
Comment 2 David Kilzer (:ddkilzer) 2006-07-27 03:29:52 PDT 
I was also able to reproduce this on WebKit nightly r15636, a release build.
Comment 3 mitz 2006-07-27 09:53:17 PDT 
Created attachment 9717 [details]
Reduction
Comment 4 mitz 2006-07-27 10:41:00 PDT 
I noticed that the render tree for
<textarea>




</textarea>

is different from the render tree I get if I start with an empty textarea and press return several times (this may also relate to bug 10105).
Comment 5 David Kilzer (:ddkilzer) 2006-09-08 07:38:27 PDT 
*** Bug 10784 has been marked as a duplicate of this bug. ***
Comment 6 Stephanie Lewis 2006-11-06 19:02:02 PST 
radar 4787081
Comment 7 Beth Dakin 2006-11-09 22:31:34 PST 
Fixed with r17697. Of course, the crash still occurs in Debug builds because we still hit an assertion in editing. See http://bugs.webkit.org/show_bug.cgi?id=10144