71737 2011-11-07 15:00:06 -0800 REGRESSION(r94822) Crash in moving text node from one bdi element into another bdi element 2011-11-25 12:21:45 -0800 1 1 1 Unclassified WebKit DOM 528+ (Nightly build) Unspecified Unspecified RESOLVED DUPLICATE 73116 data:text/html,<!doctype html><div contenteditable><bdi></bdi><bdi>a</bdi></div> <script> document.querySelector("bdi") .appendChild(document.querySelector("bdi+bdi").firstChild) </script> InRadar P2 Normal --- 1 dominicc webkit-unassigned aestes ayg cevans eric jschuh mbarbella playmobil progame+wk rniwa tabatkins oldest_to_newest 497498 0 dominicc 2011-11-07 15:00:06 -0800 The following data: URL crashes WebKit nightly r98912 on Mac and Chromium Mac 17.0.932.0 (Official Build 108826) canary 535.8 (@99314) but not Safari Mac Version 5.1.1 (6534.51.22) nor Chromium Mac 15.0.874.106 (Official Build 107270) WebKit 535.2 (@98043). This is the content of the URL: data:text/html,<!doctype html> <div contenteditable><bdi></bdi><bdi>a</bdi></div> <script> document.querySelector("bdi") .appendChild(document.querySelector("bdi+bdi").firstChild) </script> This was first reported as Chromium issue: <http://code.google.com/p/chromium/issues/detail?id=101791> 497506 1 ayg 2011-11-07 15:04:35 -0800 If you look closely at the data URL, the crash is when moving a text node from one <bdi> to another, not moving a <bdi> into another. Changing summary accordingly. 497513 2 113938 dominicc 2011-11-07 15:17:24 -0800 Created attachment 113938 Repro I don’t think this has anything to do with contenteditable… crashes for me with attached repro. 497519 3 lforschler 2011-11-07 15:23:20 -0800 <rdar://problem/10409078> 497520 4 cevans 2011-11-07 15:23:56 -0800 FWIW, I don't think it's particularly security sensitive. Seems to be a clean NULL and valgrind doesn't report anything untoward. 497528 5 dominicc 2011-11-07 15:30:48 -0800 (In reply to comment #4) > FWIW, I don't think it's particularly security sensitive. Seems to be a clean NULL and valgrind doesn't report anything untoward. OK, guess I was over pessimistic; thanks for the feedback. 497993 6 ayg 2011-11-08 05:51:36 -0800 Right, contenteditable is a red herring. This crashes too: data:text/html,<!doctype html> <bdi></bdi><bdi>a</bdi> <script> document.querySelector("bdi") .appendChild(document.querySelector("bdi+bdi").firstChild) </script> But only with <bdi>, not any other element I tested. 503584 7 eric 2011-11-15 21:53:14 -0800 Given that it's bdi, I'm sure it's bidi-isolate related. I've been waiting for bidi-isolate issues to pile up before I take another crack at it. 503606 8 progame+wk 2011-11-15 22:45:53 -0800 i tracked it to this range http://trac.webkit.org/log/?action=stop_on_copy&mode=stop_on_copy&rev=94838&stop_rev=94821&limit=999&verbose=on but that's different than the one in the title (will test again but it should be correct, hmm...) 508999 9 rniwa 2011-11-25 00:04:33 -0800 Also see the bug 73116 509245 10 rniwa 2011-11-25 12:21:45 -0800 It turned out that there's even simpler repro for this bug. *** This bug has been marked as a duplicate of bug 73116 *** 113938 2011-11-07 15:17:24 -0800 2011-11-07 15:17:24 -0800 Repro bdi-crash.html text/html 213 dominicc PCFET0NUWVBFIEhUTUw+CjxkaXY+CjxiZGkgaWQ9InJlY2lwaWVudCI+PC9iZGk+CjxiZGkgaWQ9 ImRvbm9yIj5hPC9iZGk+CjwvZGl2Pgo8c2NyaXB0Pgp2YXIgb3JnYW4gPSBkb2N1bWVudC5xdWVy eVNlbGVjdG9yKCcjZG9ub3InKS5maXJzdENoaWxkOwpkb2N1bWVudC5xdWVyeVNlbGVjdG9yKCcj cmVjaXBpZW50JykuYXBwZW5kQ2hpbGQob3JnYW4pOwo8L3NjcmlwdD4K