Bug 11111

Summary:	Crash when dragging fixed position ::after pseudo-element
Product:	WebKit	Reporter:	Jan Van Boghout <misc>
Component:	WebCore Misc.	Assignee:	Nobody <webkit-unassigned>
Status:	RESOLVED WORKSFORME
Severity:	Normal	CC:	ggaren, mitz
Priority:	P1	Keywords:	HasReduction, InRadar
Version:	420+
Hardware:	Mac
OS:	OS X 10.4
URL:	http://macrabbit.com/misc/webkit-drag-after-crash.html

Jan Van Boghout

Reported 2006-10-01 16:18:55 PDT

Crash occurs with Tiger Safari 419.3 and the latest nightly. 1. Open the page at http://macrabbit.com/misc/webkit-drag-after-crash.html 2. Hold down the mouse on the red rectangle 3. Drag around 4. Crash every time Crash only seems to occur if the pseudo-element has position:fixed.

Attachments
Add attachment proposed patch, testcase, etc.

mitz

Comment 1 2006-10-01 16:42:00 PDT

This is very similar to bug 8521. Here, however, FrameView::handleMousePressEvent is the one assuming that targetNode is not 0. Thread 0 Crashed: 0 com.apple.WebCore 0x01de9164 WebCore::Node::renderer() const + 20 (Node.h:319) 1 com.apple.WebCore 0x01a1d7d0 WebCore::FrameView::handleMousePressEvent(WebCore::PlatformMouseEvent const&) + 456 (FrameView.cpp:596) 2 com.apple.WebCore 0x01a0a2e0 WebCore::FrameMac::mouseDown(NSEvent*) + 744 (FrameMac.mm:1988) 3 com.apple.WebCore 0x01a3e1f0 -[WebCoreFrameBridge mouseDown:] + 52 (WebCoreFrameBridge.mm:1062) 4 com.apple.WebKit 0x0036978c -[WebHTMLView mouseDown:] + 492 (WebHTMLView.m:2826) 5 com.apple.AppKit 0x93767890 -[NSWindow sendEvent:] + 4616 6 com.apple.Safari 0x00021734 0x1000 + 132916 7 com.apple.AppKit 0x937108d4 -[NSApplication sendEvent:] + 4172 8 com.apple.Safari 0x00021238 0x1000 + 131640 9 com.apple.AppKit 0x93707d10 -[NSApplication run] + 508 10 com.apple.AppKit 0x937f887c NSApplicationMain + 452 11 com.apple.Safari 0x0005c77c 0x1000 + 374652 12 com.apple.Safari 0x0005c624 0x1000 + 374308

Stephanie Lewis

Comment 2 2006-11-08 14:14:30 PST

radar 4173996

Stephanie Lewis

Comment 3 2006-11-08 15:21:29 PST

*** Bug 11435 has been marked as a duplicate of this bug. ***

Stephanie Lewis

Comment 4 2006-11-08 15:37:54 PST

actually radar 4827027

Geoffrey Garen

Comment 5 2006-12-18 09:38:04 PST

Can't reproduce with latest nightly.

mitz

Comment 6 2006-12-18 10:06:52 PST

I get a very similar crash in TOT if I start dragging in the blue div and enter the red rect (crash log below). Geoff, is it OK to reopen this bug or do you want a new one? #0 0x015df950 in WebCore::Node::renderer (this=0x0) at Node.h:321 #1 0x011f9348 in WebCore::RenderLayer::autoscroll (this=0x6be430c) at /WebKit/WebCore/rendering/RenderLayer.cpp:874 #2 0x011fd50c in WebCore::RenderObject::autoscroll (this=0x6be69fc) at /WebKit/WebCore/rendering/RenderObject.cpp:701 #3 0x014e648c in WebCore::EventHandler::autoscrollTimerFired (this=0x2864310) at /WebKit/WebCore/page/EventHandler.cpp:413 #4 0x017e7558 in WebCore::Timer<WebCore::EventHandler>::fired (this=0x286434c) at Timer.h:96 #5 0x012ab2f4 in WebCore::TimerBase::fireTimers (fireTime=1166464534.121614, firingTimers=@0xbfffe6c0) at WebCore/platform/Timer.cpp:336 #6 0x012ab3c0 in WebCore::TimerBase::sharedTimerFired () at WebCore/platform/Timer.cpp:353 #7 0x012aa76c in timerFired () at WebCore/platform/mac/SharedTimerMac.cpp:46 #8 0x907f0550 in __CFRunLoopDoTimer () #9 0x907dcec8 in __CFRunLoopRun () #10 0x907dc47c in CFRunLoopRunSpecific () #11 0x93208740 in RunCurrentEventLoopInMode () #12 0x93207dd4 in ReceiveNextEventCommon () #13 0x93207c40 in BlockUntilNextEventMatchingListInMode () #14 0x9370bae4 in _DPSNextEvent () #15 0x9370b7a8 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] () #16 0x00006740 in ?? () #17 0x93707cec in -[NSApplication run] () #18 0x937f887c in NSApplicationMain () #19 0x0005c77c in ?? () #20 0x0005c624 in ?? ()

Note You need to log in before you can comment on or make changes to this bug.