Bug 10126 - REGRESSION: Reproducible crash in findNextLineBreak() while deleting text in textarea
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: HTML Editing
Version: 420+
Hardware: Mac OS X 10.4
Importance: P1 Critical
Assignee: Nobody
URL:
Keywords: InRadar, Regression
Duplicates: 10784
Depends on:
Blocks:
 
Reported: 2006-07-27 03:21 PDT by David Kilzer (:ddkilzer)
Modified: 2006-11-09 22:31 PST

See Also:


Attachments
Crash log (25.70 KB, text/plain)
2006-07-27 03:22 PDT, David Kilzer (:ddkilzer)
Reduction (261 bytes, text/html)
2006-07-27 09:53 PDT, mitz

Description David Kilzer (:ddkilzer) 2006-07-27 03:21:05 PDT
Steps to reproduce:

1. Open Bug 6390 Comment #8.  http://bugzilla.opendarwin.org/show_bug.cgi?id=6390#c8
2. Click the "[reply]" link for Bug 6390 Comment #8.
3. Hit Delete four times.  (Cursor should start at the end of the quoted reply text before deleting.)

Expected results:

Four characters should be deleted from the textarea.

Actual results:

WebKit crashes.

Regression:

Works as expected on production Safari 2.0.4 (419.3) in Mac OS X 10.4.7 (8J135/PowerPC).

Notes:

Tested on locally-built debug build of WebKit r15636 on OS X noted above.
Comment 1 David Kilzer (:ddkilzer) 2006-07-27 03:22:08 PDT
Created attachment 9710
Crash log
Comment 2 David Kilzer (:ddkilzer) 2006-07-27 03:29:52 PDT
I was also able to reproduce this on WebKit nightly r15636, a release build.
Comment 3 mitz 2006-07-27 09:53:17 PDT
Created attachment 9717
Reduction
Comment 4 mitz 2006-07-27 10:41:00 PDT
I noticed that the render tree for
<textarea>




</textarea>

is different from the render tree I get if I start with an empty textarea and press return several times (this may also relate to bug 10105).
Comment 5 David Kilzer (:ddkilzer) 2006-09-08 07:38:27 PDT
*** Bug 10784 has been marked as a duplicate of this bug. ***
Comment 6 Stephanie Lewis 2006-11-06 19:02:02 PST
radar 4787081
Comment 7 Beth Dakin 2006-11-09 22:31:34 PST
Fixed with r17697. Of course, the crash still occurs in Debug builds because we still hit an assertion in editing. See http://bugs.webkit.org/show_bug.cgi?id=10144