114745 2013-04-17 08:38:46 -0700 Browser crashes on shift-click when using -webkit-user-select: none; 2016-03-07 12:03:26 -0800 1 1 1 Unclassified WebKit UI Events 528+ (Nightly build) Mac OS X 10.8 RESOLVED DUPLICATE 104058 InRadar P1 Major --- 1 bjnortier webkit-unassigned ap bjonesbe enrica kling rniwa tonikitoo oldest_to_newest 877250 0 bjnortier 2013-04-17 08:38:46 -0700 I have an example where "-webkit-user-select: none;" interacts with a shift-click and crashes the browser (Webkit or Safari or Chrome). This happens if a focussed input field is deleted, and a subsequent shift-click is performed (normally a shift-click would select all text up to the cursor) Steps to reproduce: 1. Open the attached html file in Webkit/Safari/Chrome, or use the html below 2. Click in the input field to give it focus 3. Press any key (this event will remove the input element) 4. SHIFT + click anywhere in the window VERSIONS: Webkit 6.0.4 (8536.29.13, 537+), Chrome 28.0.1481.0 canary, Chrome 26.0.1410.65 PLATFORM: Mac OS: OS X 10.8.3 <!DOCTYPE html> <html > <head> <style type="text/css"> body { -webkit-user-select: none; } </style> </head> <body> 1. Click here to focus -> <input id="a"/><br/> 2. Press any key (the input will be deleted)<br/> 3. SHIFT + click anywhere<br/> <script type="text/javascript"> var a = document.getElementById('a'); a.addEventListener('keyup', function(event) { document.body.removeChild(a); }, false); </script> </body> 877251 1 198545 bjnortier 2013-04-17 08:40:11 -0700 Created attachment 198545 HTML file that produces crash 877267 2 bjnortier 2013-04-17 08:50:07 -0700 I discovered that if I do a.blur(); before document.body.removeChild(a); then the crash is avoided. 877384 3 kling 2013-04-17 11:08:25 -0700 Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x000000010a7d25e4 WebCore::textDistance(WebCore::Position const&, WebCore::Position const&) + 20 (Node.h:474) 1 com.apple.WebCore 0x000000010a7d2514 WebCore::EventHandler::handleMousePressEventSingleClick(WebCore::MouseEventWithHitTestResults const&) + 2132 (EventHandler.cpp:615) 2 com.apple.WebCore 0x000000010a7d2a0c WebCore::EventHandler::handleMousePressEvent(WebCore::MouseEventWithHitTestResults const&) + 604 (EventHandler.cpp:717) 3 com.apple.WebCore 0x000000010a7d61a4 WebCore::EventHandler::handleMousePressEvent(WebCore::PlatformMouseEvent const&) + 2388 (EventHandler.cpp:1642) 4 com.apple.WebKit2 0x0000000109a34bae WebKit::handleMouseEvent(WebKit::WebMouseEvent const&, WebKit::WebPage*, bool) + 214 (WebPage.cpp:1552) 5 com.apple.WebKit2 0x0000000109a34aa6 WebKit::WebPage::mouseEvent(WebKit::WebMouseEvent const&) + 164 (WebPage.cpp:1498) 6 com.apple.WebKit2 0x0000000109a48516 void CoreIPC::handleMessage<Messages::WebPage::MouseEvent, WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::WebMouseEvent const&)>(CoreIPC::MessageDecoder&, WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::WebMouseEvent const&)) + 83 (HandleMessage.h:347) 7 com.apple.WebKit2 0x0000000109a45f96 WebKit::WebPage::didReceiveWebPageMessage(CoreIPC::Connection*, CoreIPC::MessageDecoder&) + 1298 (WebPageMessageReceiver.cpp:130) 8 com.apple.WebKit2 0x00000001099829aa CoreIPC::MessageReceiverMap::dispatchMessage(CoreIPC::Connection*, CoreIPC::MessageDecoder&) + 132 (MessageReceiverMap.cpp:86) 9 com.apple.WebKit2 0x0000000109a832a4 WebKit::WebProcess::didReceiveMessage(CoreIPC::Connection*, CoreIPC::MessageDecoder&) + 28 (WebProcess.cpp:606) 10 com.apple.WebKit2 0x0000000109958149 CoreIPC::Connection::dispatchMessage(WTF::PassOwnPtr<CoreIPC::MessageDecoder>) + 101 (ArgumentDecoder.h:47) 11 com.apple.WebKit2 0x0000000109959d74 CoreIPC::Connection::dispatchOneMessage() + 106 (PassOwnPtr.h:56) 12 com.apple.WebCore 0x000000010b0191bf WebCore::RunLoop::performWork() + 159 (RunLoop.cpp:93) 13 com.apple.WebCore 0x000000010b01984f WebCore::RunLoop::performWork(void*) + 63 (RunLoopCF.cpp:67) 14 com.apple.CoreFoundation 0x00007fff81ee7b31 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17 15 com.apple.CoreFoundation 0x00007fff81ee7455 __CFRunLoopDoSources0 + 245 16 com.apple.CoreFoundation 0x00007fff81f0a7f5 __CFRunLoopRun + 789 17 com.apple.CoreFoundation 0x00007fff81f0a0e2 CFRunLoopRunSpecific + 290 18 com.apple.HIToolbox 0x00007fff87571eb4 RunCurrentEventLoopInMode + 209 19 com.apple.HIToolbox 0x00007fff87571c52 ReceiveNextEventCommon + 356 20 com.apple.HIToolbox 0x00007fff87571ae3 BlockUntilNextEventMatchingListInMode + 62 21 com.apple.AppKit 0x00007fff8c720563 _DPSNextEvent + 685 22 com.apple.AppKit 0x00007fff8c71fe22 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128 23 com.apple.AppKit 0x00007fff8c7171d3 -[NSApplication run] + 517 24 com.apple.WebCore 0x000000010b019e2c WebCore::RunLoop::run() + 76 (RunLoopMac.mm:43) 25 com.apple.WebKit2 0x00000001099f1bec int WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebContentProcessMainDelegate>(int, char**) + 702 (ChildProcessEntryPoint.h:100) 26 com.apple.WebProcess 0x000000010990edf7 main + 228 (ChildProcessMain.mm:73) 27 libdyld.dylib 0x00007fff823177e1 start + 1 877399 4 rniwa 2013-04-17 11:28:20 -0700 <rdar://problem/12279599> 877400 5 rniwa 2013-04-17 11:29:03 -0700 All crashes are P1. 919466 6 ap 2013-08-21 09:29:22 -0700 This isn’t fixed in bug 104058, is it? For Apple employees, see also: <rdar://problem/8533388>, <rdar://problem/12279599>. 1102006 7 bjonesbe 2015-06-15 12:32:37 -0700 (In reply to comment #6) > This isn’t fixed in bug 104058, is it? > > For Apple employees, see also: <rdar://problem/8533388>, > <rdar://problem/12279599>. I cam across this while looking into something else, but it does look like this isn't an issue anymore. Any reason it shouldn't be closed? 1171695 8 tonikitoo 2016-03-07 12:03:26 -0800 (In reply to comment #6) > This isn’t fixed in bug 104058, is it? > > For Apple employees, see also: <rdar://problem/8533388>, > <rdar://problem/12279599>. Yes. *** This bug has been marked as a duplicate of bug 104058 *** 198545 2013-04-17 08:40:11 -0700 2013-04-17 08:40:11 -0700 HTML file that produces crash bug.html text/html 513 bjnortier PCFET0NUWVBFIGh0bWw+CjxodG1sID4KPGhlYWQ+CgogICAgPHN0eWxlIHR5cGU9InRleHQvY3Nz Ij4KICAgICAgICBib2R5IHsKICAgICAgICAgICAgLXdlYmtpdC11c2VyLXNlbGVjdDogbm9uZTsK ICAgICAgICB9CiAgICA8L3N0eWxlPgoKPC9oZWFkPgo8Ym9keT4KCiAgICAxLiBDbGljayBoZXJl IHRvIGZvY3VzIC0+IDxpbnB1dCBpZD0iYSIvPjxici8+CiAgICAyLiBQcmVzcyBhbnkga2V5ICh0 aGUgaW5wdXQgd2lsbCBiZSBkZWxldGVkKTxici8+CiAgICAzLiBTSElGVCArIGNsaWNrIGFueXdo ZXJlPGJyLz4KCiAgICA8c2NyaXB0IHR5cGU9InRleHQvamF2YXNjcmlwdCI+CiAgICAgICAgdmFy IGEgPSBkb2N1bWVudC5nZXRFbGVtZW50QnlJZCgnYScpOwogICAgICAgIGEuYWRkRXZlbnRMaXN0 ZW5lcigna2V5dXAnLCBmdW5jdGlvbihldmVudCkgewogICAgICAgICAgIGRvY3VtZW50LmJvZHku cmVtb3ZlQ2hpbGQoYSk7CiAgICAgICAgfSwgZmFsc2UpOwogICAgPC9zY3JpcHQ+Cgo8L2JvZHk+