VERIFIED FIXED 8298
REGRESSION: Crash occurs when attempting to drag selection into Depart/Return input fields at http://www.travelocity.com/
https://bugs.webkit.org/show_bug.cgi?id=8298
Chris Petersen
Reported 2006-04-10 10:29:27 PDT
When I attempt to drag a selection into one of the page's fields (Depart/Return), a crash will occur.

0 com.apple.WebCore 0x0117727b WebCore::CSSStyleDeclaration::copyPropertiesInSet(int const*, unsigned) const + 169

STEPS TO REPRODUCE
1. With TOT WebKit, go to http://www.travelocity.com/?Service=TRAVELOCITY
2. The best way to reproduce this issue is to click the travelocity logo image (at the top of the page) and drag it so that it hovers directly over the Depart or Return fields. Mouse up when you see the caret appear in this field.
3. Crash occurs.

* RESULTS
No crash should occur when attempting to drag into a field. However, the application does crash.

* REGRESSION
Yes, this occurs with native text fields.
Attachments
back_trace (20.75 KB, text/plain)
2006-04-10 10:32 PDT, Chris Petersen
no flags
preliminary patch (17.34 KB, patch)
2006-04-14 19:30 PDT, Darin Adler
no flags
reduction (146 bytes, text/html)
2006-04-14 19:31 PDT, Darin Adler
no flags
patch with detailed change log, manual test (20.66 KB, patch)
2006-04-15 19:16 PDT, Darin Adler
adele: review+
Chris Petersen
Comment 1 2006-04-10 10:32:12 PDT
Created attachment 7620: back_trace
Chris Petersen
Comment 2 2006-04-10 10:33:19 PDT
This issue has been filed as <rdar://problem/4507874>
Darin Adler
Comment 3 2006-04-14 09:08:00 PDT
The cause of this is that the drag is targeted at the text node, and when the text field is emptied the text node is gone. So this has the same type of cause that bug 8111 did.
Darin Adler
Comment 4 2006-04-14 19:30:57 PDT
Created attachment 7721: preliminary patch
Darin Adler
Comment 5 2006-04-14 19:31:24 PDT
Created attachment 7722: reduction
Darin Adler
Comment 6 2006-04-15 19:16:19 PDT
Created attachment 7738: patch with detailed change log, manual test
Justin Garcia
Comment 7 2006-04-16 18:21:42 PDT
Is replaceChild really an optimization?

You could make the SelectionController& returned by dragCaret() non-const, like selection().

Typo in the changelog entry:
+ So this change along fixes the crash.
Darin Adler
Comment 8 2006-04-16 19:37:48 PDT
(In reply to comment #7)
> Is replaceChild really an optimization?

Only a slight one, I guess. It sends fewer mutation events.

> You could make the SelectionController& returned by dragCaret() non-const, like
> selection().

That's probably better than what I did. In general, I think we're still mixed up about SelectionController. If it's really a controller, then we should change selections by calling SelectionController functions. And we should not have setSelection or setDragCaret functions that take a SelectionController.

> Typo in the changelog entry:
> + So this change along fixes the crash.

I'll fix that.
Chris Petersen
Comment 9 2006-04-20 22:56:25 PDT
Verified with latest TOT WebKit build (r13990).