Bug 104058

Summary: Crash on OS X when shift clicking outside of input
Product: WebKit
Reporter: Mark Kristensson <mkbitbucket>
Component: HTML Editing
Assignee: Yi Shen <max.hong.shen>
Status: RESOLVED FIXED
Severity: Normal
CC: ap, bjnortier, brian.harper, commit-queue, enrica, max.hong.shen, mkbitbucket, rniwa, tkent
Priority: P1
Keywords: InRadar
Version: 525.x (Safari 3.2)
Hardware: Mac
OS: All
URL: https://www.smartsheet.com/b/publish?EQBCT=b1db535e9e0e4a25aad4f4dce00ee475
Attachments:
Description     Flags
proposal fix    none

Description Mark Kristensson 2012-12-04 16:20:21 PST
Open the URL above in either Chrome or Safari on OS X and double-click on one of the populated cells (to enter edit mode - think spreadsheet). Then, shift-click into another cell and the browser crashes.

Our web application (Smartsheet) leaves the DOM in a perfectly valid state and this works just as expected on FF (any OS) as well as Chrome and IE on Windows. The browser crashes even before a mousedown JS event is triggered, so there is no way for our web application to work around this bug.

We have tried to recreate a simplified scenario with minimal HTML, but (so far) have been unable to do so.
Comment 1 Alexey Proskuryakov 2012-12-05 11:57:53 PST
Crashes both Safari 6.0.2 and ToT.

<rdar://problem/12279599>
Comment 2 Kent Tamura 2012-12-05 20:36:22 PST
Stack in Google Chrome 23:

Thread 0 *CRASHED* ( EXC_BAD_ACCESS / KERN_PROTECTION_FAILURE @ 0x00000014 )

0x01e9231a  [Google Chrome Framework - ../dom/Node.h:752]       WebCore::textDistance
0x01e921b8  [Google Chrome Framework - EventHandler.cpp:547]    WebCore::EventHandler::handleMousePressEventSingleClick
0x01e925fb  [Google Chrome Framework - EventHandler.cpp:642]    WebCore::EventHandler::handleMousePressEvent
0x01e9552f  [Google Chrome Framework - EventHandler.cpp:1615]   WebCore::EventHandler::handleMousePressEvent
0x013a14e8  [Google Chrome Framework - PageWidgetDelegate.cpp:207]  WebKit::PageWidgetEventHandler::handleMouseDown
0x013e4561  [Google Chrome Framework - WebViewImpl.cpp:558]     WebKit::WebViewImpl::handleMouseDown
Comment 3 Brian Harper 2013-02-26 09:33:21 PST
Why was this downgraded from Critical to Normal? It's a crashing bug, and has a severe impact for our customers using Macs. They will lose any unsaved data from our app when the crash occurs. I understand that the circumstances aren't all that common in terms of the entire browser audience, but they're not uncommon for our tens of thousands of paying customers, as we've had several reports to our support personnel regarding this.
Comment 4 Alexey Proskuryakov 2013-02-26 10:09:17 PST
The bug was upgraded from P2 to P1, being a reproducible crasher. I don't know of any WebKit engineers who prioritize bugs based on them being marked Critical.
Comment 5 Yi Shen 2013-04-18 14:48:47 PDT
I will try to fix it.
Comment 6 Yi Shen 2013-04-18 23:27:46 PDT
Created attachment 198809 [details]
proposal fix
Comment 7 Chang Shu 2013-04-22 10:19:29 PDT
Comment on attachment 198809 [details]
proposal fix

LGTM. Maybe it's better to mention the original test case was fixed by this patch, too, in the ChangeLog.
Comment 8 WebKit Commit Bot 2013-04-22 10:53:49 PDT
The commit-queue encountered the following flaky tests while processing attachment 198809 [details]:

svg/as-image/img-relative-height.html bug 114140 (author: zimmermann@kde.org)
The commit-queue is continuing to process your patch.
Comment 9 WebKit Commit Bot 2013-04-22 10:55:15 PDT
Comment on attachment 198809 [details]
proposal fix

Clearing flags on attachment: 198809

Committed r148894: <http://trac.webkit.org/changeset/148894>
Comment 10 WebKit Commit Bot 2013-04-22 10:55:17 PDT
All reviewed patches have been landed. Closing bug.
Comment 11 Antonio Gomes 2016-03-07 12:03:26 PST
*** Bug 114745 has been marked as a duplicate of this bug. ***