Bug 12780 - REGRESSION (r19341-r19385): Reproducible crash in "onselectstart" event
Summary: REGRESSION (r19341-r19385): Reproducible crash in "onselectstart" event
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: 420+
Hardware: All OS X 10.4
Importance: P1 Critical
Assignee: Nobody
URL:
Keywords: HasReduction, Regression
Depends on:
Blocks:
 
Reported: 2007-02-15 16:45 PST by Tom Brown
Modified: 2007-02-17 10:46 PST
CC List: 5 users

See Also:


Attachments
Reduced crash case (637 bytes, text/html); 2007-02-15 16:50 PST, Tom Brown; no flags
Don't bubble/capture across the shadow DOM boundary if not SVG (5.58 KB, patch); 2007-02-16 07:44 PST, mitz; darin: review+

Description Tom Brown 2007-02-15 16:45:08 PST
When the "HTML" tag contains the "XMLNS:CUSTOM" declaration, any click on the document causes an "onselectstart" event to fire. Within this event, the srcElement points to an element which has no parent node. If this element is appended to the DOM tree, and then removed from the DOM tree, webkit crashes.
Comment 1 Tom Brown 2007-02-15 16:45:38 PST
Date/Time:      2007-02-15 17:39:15.231 -0700
OS Version:     10.4.8 (Build 8L2127)
Report Version: 4

Command: Safari
Path:    /Applications/Safari.app/Contents/MacOS/Safari
Parent:  WindowServer [78]

Version: ??? (19630)

PID:    4095
Thread: 0

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00000000

Thread 0 Crashed:
0   com.apple.WebCore        	0x01182aad WebCore::RenderTextControl::calcHeight() + 55
1   com.apple.WebCore        	0x01184059 WebCore::RenderTextControl::layout() + 27
2   com.apple.WebCore        	0x010cda5b WebCore::FrameView::layout(bool) + 439
3   com.apple.WebCore        	0x010cf4d9 WebCore::Document::updateLayout() + 81
4   com.apple.WebCore        	0x010d8d8b WebCore::Document::updateLayoutIgnorePendingStylesheets() + 87
5   com.apple.WebCore        	0x011c649e WebCore::createMarkup(WebCore::Node const*, WebCore::EChildrenOnly, WTF::Vector<WebCore::Node*, (unsigned long)0>*, WebCore::EAnnotateForInterchange) + 70
6   com.apple.WebCore        	0x0100e0fd WebCore::HTMLElement::outerHTML() const + 53
7   com.apple.WebCore        	0x0123b45b KJS::JSHTMLElement::getValueProperty(KJS::ExecState*, int) const + 1097
8   com.apple.JavaScriptCore 	0x0013ac8c KJS::JSObject::get(KJS::ExecState*, KJS::Identifier const&) const + 116
9   com.apple.JavaScriptCore 	0x00130455 KJS::DotAccessorNode::evaluate(KJS::ExecState*) + 135
10  com.apple.JavaScriptCore 	0x0012ee1e KJS::AddNode::evaluate(KJS::ExecState*) + 128
11  com.apple.JavaScriptCore 	0x0012f462 KJS::ArgumentListNode::evaluateList(KJS::ExecState*) + 56
12  com.apple.JavaScriptCore 	0x0012fd79 KJS::FunctionCallResolveNode::evaluate(KJS::ExecState*) + 427
13  com.apple.JavaScriptCore 	0x00133a83 KJS::ExprStatementNode::execute(KJS::ExecState*) + 117
14  com.apple.JavaScriptCore 	0x00136849 KJS::SourceElementsNode::execute(KJS::ExecState*) + 421
15  com.apple.JavaScriptCore 	0x001339a1 KJS::BlockNode::execute(KJS::ExecState*) + 67
16  com.apple.JavaScriptCore 	0x0012245f KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 45
17  com.apple.JavaScriptCore 	0x00121f28 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 338
18  com.apple.JavaScriptCore 	0x0013b820 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 112
19  com.apple.WebCore        	0x01232c42 KJS::JSAbstractEventListener::handleEvent(WebCore::Event*, bool) + 1054
20  com.apple.WebCore        	0x010d0bd8 WebCore::Document::handleWindowEvent(WebCore::Event*, bool) + 166
21  com.apple.WebCore        	0x011ffd6b WebCore::EventTargetNode::dispatchGenericEvent(WTF::PassRefPtr<WebCore::Event>, int&, bool) + 257
22  com.apple.WebCore        	0x01200347 WebCore::EventTargetNode::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, int&, bool, WebCore::EventTarget*) + 161
23  com.apple.WebCore        	0x012003ff WebCore::EventTargetNode::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, int&, bool) + 61
24  com.apple.WebCore        	0x011ffa26 WebCore::EventTargetNode::dispatchHTMLEvent(WebCore::AtomicString const&, bool, bool) + 128
25  com.apple.WebCore        	0x011683ce WebCore::RenderObject::shouldSelect() const + 60
26  com.apple.WebCore        	0x013cdf98 WebCore::EventHandler::handleMousePressEventSingleClick(WebCore::MouseEventWithHitTestResults const&) + 78
27  com.apple.WebCore        	0x013cedb8 WebCore::EventHandler::handleMousePressEvent(WebCore::MouseEventWithHitTestResults const&) + 254
28  com.apple.WebCore        	0x013cf209 WebCore::EventHandler::handleMousePressEvent(WebCore::PlatformMouseEvent const&) + 997
29  com.apple.WebCore        	0x013c9e66 WebCore::EventHandler::mouseDown(NSEvent*) + 456
30  com.apple.WebKit         	0x0032e766 -[WebHTMLView mouseDown:] + 410
31  com.apple.AppKit         	0x9334c3af -[NSWindow sendEvent:] + 5279
32  com.apple.Safari         	0x0002338e 0x1000 + 140174
33  com.apple.AppKit         	0x9333e350 -[NSApplication sendEvent:] + 5023
34  com.apple.Safari         	0x00022f1e 0x1000 + 139038
35  com.apple.AppKit         	0x93268dfe -[NSApplication run] + 547
36  com.apple.AppKit         	0x9325cd2f NSApplicationMain + 573
37  com.apple.Safari         	0x0005f7de 0x1000 + 387038
38  com.apple.Safari         	0x0005f6f9 0x1000 + 386809

Thread 1:
0   libSystem.B.dylib        	0x90009857 mach_msg_trap + 7
1   com.apple.CoreFoundation 	0x9082969a CFRunLoopRunSpecific + 2014
2   com.apple.CoreFoundation 	0x90828eb5 CFRunLoopRunInMode + 61
3   com.apple.Foundation     	0x9262aa9b +[NSURLConnection(NSURLConnectionInternal) _resourceLoadLoop:] + 259
4   com.apple.Foundation     	0x925f536c forkThreadForFunction + 123
5   libSystem.B.dylib        	0x90023d87 _pthread_body + 84

Thread 2:
0   libSystem.B.dylib        	0x90009857 mach_msg_trap + 7
1   com.apple.CoreFoundation 	0x9082969a CFRunLoopRunSpecific + 2014
2   com.apple.CoreFoundation 	0x90828eb5 CFRunLoopRunInMode + 61
3   com.apple.Foundation     	0x92651c4e +[NSURLCache _diskCacheSyncLoop:] + 206
4   com.apple.Foundation     	0x925f536c forkThreadForFunction + 123
5   libSystem.B.dylib        	0x90023d87 _pthread_body + 84

Thread 3:
0   libSystem.B.dylib        	0x90024427 semaphore_wait_signal_trap + 7
1   com.apple.Foundation     	0x9264b2f8 -[NSConditionLock lockWhenCondition:] + 39
2   com.apple.Syndication    	0x9a47c052 -[AsyncDB _run:] + 181
3   com.apple.Foundation     	0x925f536c forkThreadForFunction + 123
4   libSystem.B.dylib        	0x90023d87 _pthread_body + 84

Thread 4:
0   libSystem.B.dylib        	0x90019d3c select + 12
1   libSystem.B.dylib        	0x90023d87 _pthread_body + 84

Thread 5:
0   libSystem.B.dylib        	0x90024427 semaphore_wait_signal_trap + 7
1   com.apple.Foundation     	0x9264b2f8 -[NSConditionLock lockWhenCondition:] + 39
2   com.apple.AppKit         	0x93346270 -[NSUIHeartBeat _heartBeatThread:] + 377
3   com.apple.Foundation     	0x925f536c forkThreadForFunction + 123
4   libSystem.B.dylib        	0x90023d87 _pthread_body + 84

Thread 0 crashed with X86 Thread State (32-bit):
  eax: 0x00000000    ebx: 0x010cd8b2 ecx: 0x15999690 edx: 0x15999690
  edi: 0x01843ee0    esi: 0x15999744 ebp: 0xbfffec48 esp: 0xbfffebd0
   ss: 0x0000001f    efl: 0x00010206 eip: 0x01182aad  cs: 0x00000017
   ds: 0x0000001f     es: 0x0000001f  fs: 0x00000000  gs: 0x00000037

Binary Images Description:
    0x1000 -    0xdefff com.apple.Safari 2.0.4 (419.3)	/Applications/Safari.app/Contents/MacOS/Safari
  0x10e000 -   0x10ffff WebKitNightlyEnabler.dylib 	/Users/tom/Desktop/WebKit.app/Contents/Resources/WebKitNightlyEnabler.dylib
  0x114000 -   0x193fff com.apple.JavaScriptCore 420+	/Users/tom/Desktop/WebKit.app/Contents/Resources/JavaScriptCore.framework/Versions/A/JavaScriptCore
  0x305000 -   0x3a9fff com.apple.WebKit 420+	/Users/tom/Desktop/WebKit.app/Contents/Resources/WebKit.framework/Versions/A/WebKit
 0x1008000 -  0x14fbfff com.apple.WebCore 420+	/Users/tom/Desktop/WebKit.app/Contents/Resources/WebCore.framework/Versions/A/WebCore

Model: Macmini1,1, BootROM MM11.0055.B08, 2 processors, Intel Core Duo, 1.66 GHz, 1 GB
Graphics: Intel GMA 950, GMA 950, Built-In, spdisplays_integrated_vram
Memory Module: BANK 0/DIMM0, 512 MB, DDR2 SDRAM, 667 MHz
Memory Module: BANK 1/DIMM1, 512 MB, DDR2 SDRAM, 667 MHz
AirPort: spairport_wireless_card_type_airport_extreme (0x168C, 0x86), 0.1.30
Bluetooth: Version 1.7.9f12, 2 service, 1 devices, 1 incoming serial ports
Network Service: Built-in Ethernet, Ethernet, en0
Serial ATA Device: FUJITSU MHV2080BHPL, 74.53 GB
Parallel ATA Device: MATSHITADVD-R   UJ-846
USB Device: Microsoft Wheel Mouse Optical®, Microsoft, Up to 1.5 Mb/sec, 500 mA
USB Device: Bluetooth HCI, Up to 12 Mb/sec, 500 mA
USB Device: IR Receiver, Apple Computer, Inc., Up to 12 Mb/sec, 500 mA
USB Device: DELL USB Keyboard, DELL, Up to 1.5 Mb/sec, 500 mA
Comment 2 Tom Brown 2007-02-15 16:50:57 PST
Created attachment 13191 [details]
Reduced crash case

1. Open the test case.
2. Click on the input box.
3. Crash.

An invalid "event.srcElement" is only sent when an INPUT element is the cause of the event.
Comment 3 Alexey Proskuryakov 2007-02-15 22:31:57 PST
I think the XMLNS part is a red herring - it doesn't mean anything at all in HTML, and would just be a syntax error in XML. I'm getting a crash with a debug build of r19653 with or without it (in both cases, with a different stack trace).

Thread 0 Crashed:
0   com.apple.WebCore        	0x01645668 WebCore::RenderObject::positionForPoint(WebCore::IntPoint const&) + 40 (RenderObject.h:536)
1   com.apple.WebCore        	0x01525c64 WebCore::EventHandler::handleMousePressEventSingleClick(WebCore::MouseEventWithHitTestResults const&) + 588 (EventHandler.cpp:228)
2   com.apple.WebCore        	0x01527c9c WebCore::EventHandler::handleMousePressEvent(WebCore::MouseEventWithHitTestResults const&) + 572 (EventHandler.cpp:297)
3   com.apple.WebCore        	0x0152ac44 WebCore::EventHandler::handleMousePressEvent(WebCore::PlatformMouseEvent const&) + 1628 (EventHandler.cpp:820)
4   com.apple.WebCore        	0x01522f9c WebCore::EventHandler::mouseDown(NSEvent*) + 476 (EventHandlerMac.mm:602)
5   com.apple.WebKit         	0x003511c8 -[WebHTMLView mouseDown:] + 544 (WebHTMLView.mm:2870)
6   com.apple.AppKit         	0x93762890 -[NSWindow sendEvent:] + 4616
7   com.apple.Safari         	0x00021734 0x1000 + 132916
8   com.apple.AppKit         	0x9370b8d4 -[NSApplication sendEvent:] + 4172
9   com.apple.Safari         	0x00021238 0x1000 + 131640
10  com.apple.AppKit         	0x93702d10 -[NSApplication run] + 508
Comment 4 mitz 2007-02-16 06:28:53 PST
>  if (event.srcElement.parentNode == null)

The event.srcElement in that case is the text field's inner DIV. I don't think a shadow node should ever be exposed through the DOM like that!
Comment 5 mitz 2007-02-16 06:47:27 PST
Using nightly builds I narrowed down the regression to somewhere between r19341 and r19385. Among the changes in that range, <http://trac.webkit.org/projects/webkit/changeset/19378> is the prime suspect.
Comment 6 mitz 2007-02-16 07:44:14 PST
Created attachment 13200 [details]
Don't bubble/capture across the shadow DOM boundary if not SVG

Includes layout test and change log. No layout test regressions, but I don't know if the SVG <use> tests cover this (I expect they do).
Comment 7 Darin Adler 2007-02-16 08:01:26 PST
Comment on attachment 13200 [details]
Don't bubble/capture across the shadow DOM boundary if not SVG

r=me
Comment 8 Adele Peterson 2007-02-17 10:46:36 PST
Committed revision 19681.