Bug 12780

Summary: REGRESSION (r19341-r19385): Reproducible crash in "onselectstart" event
Product: WebKit
Component: WebCore Misc.
Status: RESOLVED FIXED
Severity: Critical
Priority: P1
Version: 420+
Hardware: All
OS: OS X 10.4
Reporter: Tom Brown <tom>
Assignee: Nobody <webkit-unassigned>
CC: ap, ddkilzer, eric, mitz, zimmermann
Keywords: HasReduction, Regression

Tom Brown
Reported 2007-02-15 16:45:08 PST
When the "HTML" tag contains the "XMLNS:CUSTOM" declaration, any click on the document causes an "onselectstart" event to fire. Within this event, the srcElement points to an element which has no parent node. If this element is appended to the DOM tree, and then removed from the DOM tree, WebKit crashes.
Attachments
Reduced crash case (637 bytes, text/html)
2007-02-15 16:50 PST, Tom Brown
no flags
Don't bubble/capture across the shadow DOM boundary if not SVG (5.58 KB, patch)
2007-02-16 07:44 PST, mitz
darin: review+
Tom Brown
Comment 1 2007-02-15 16:45:38 PST
Date/Time:      2007-02-15 17:39:15.231 -0700
OS Version:     10.4.8 (Build 8L2127)
Report Version: 4

Command: Safari
Path:    /Applications/Safari.app/Contents/MacOS/Safari
Parent:  WindowServer [78]

Version: ??? (19630)

PID:    4095
Thread: 0

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00000000

Thread 0 Crashed:
0   com.apple.WebCore          0x01182aad WebCore::RenderTextControl::calcHeight() + 55
1   com.apple.WebCore          0x01184059 WebCore::RenderTextControl::layout() + 27
2   com.apple.WebCore          0x010cda5b WebCore::FrameView::layout(bool) + 439
3   com.apple.WebCore          0x010cf4d9 WebCore::Document::updateLayout() + 81
4   com.apple.WebCore          0x010d8d8b WebCore::Document::updateLayoutIgnorePendingStylesheets() + 87
5   com.apple.WebCore          0x011c649e WebCore::createMarkup(WebCore::Node const*, WebCore::EChildrenOnly, WTF::Vector<WebCore::Node*, (unsigned long)0>*, WebCore::EAnnotateForInterchange) + 70
6   com.apple.WebCore          0x0100e0fd WebCore::HTMLElement::outerHTML() const + 53
7   com.apple.WebCore          0x0123b45b KJS::JSHTMLElement::getValueProperty(KJS::ExecState*, int) const + 1097
8   com.apple.JavaScriptCore   0x0013ac8c KJS::JSObject::get(KJS::ExecState*, KJS::Identifier const&) const + 116
9   com.apple.JavaScriptCore   0x00130455 KJS::DotAccessorNode::evaluate(KJS::ExecState*) + 135
10  com.apple.JavaScriptCore   0x0012ee1e KJS::AddNode::evaluate(KJS::ExecState*) + 128
11  com.apple.JavaScriptCore   0x0012f462 KJS::ArgumentListNode::evaluateList(KJS::ExecState*) + 56
12  com.apple.JavaScriptCore   0x0012fd79 KJS::FunctionCallResolveNode::evaluate(KJS::ExecState*) + 427
13  com.apple.JavaScriptCore   0x00133a83 KJS::ExprStatementNode::execute(KJS::ExecState*) + 117
14  com.apple.JavaScriptCore   0x00136849 KJS::SourceElementsNode::execute(KJS::ExecState*) + 421
15  com.apple.JavaScriptCore   0x001339a1 KJS::BlockNode::execute(KJS::ExecState*) + 67
16  com.apple.JavaScriptCore   0x0012245f KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 45
17  com.apple.JavaScriptCore   0x00121f28 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 338
18  com.apple.JavaScriptCore   0x0013b820 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 112
19  com.apple.WebCore          0x01232c42 KJS::JSAbstractEventListener::handleEvent(WebCore::Event*, bool) + 1054
20  com.apple.WebCore          0x010d0bd8 WebCore::Document::handleWindowEvent(WebCore::Event*, bool) + 166
21  com.apple.WebCore          0x011ffd6b WebCore::EventTargetNode::dispatchGenericEvent(WTF::PassRefPtr<WebCore::Event>, int&, bool) + 257
22  com.apple.WebCore          0x01200347 WebCore::EventTargetNode::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, int&, bool, WebCore::EventTarget*) + 161
23  com.apple.WebCore          0x012003ff WebCore::EventTargetNode::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, int&, bool) + 61
24  com.apple.WebCore          0x011ffa26 WebCore::EventTargetNode::dispatchHTMLEvent(WebCore::AtomicString const&, bool, bool) + 128
25  com.apple.WebCore          0x011683ce WebCore::RenderObject::shouldSelect() const + 60
26  com.apple.WebCore          0x013cdf98 WebCore::EventHandler::handleMousePressEventSingleClick(WebCore::MouseEventWithHitTestResults const&) + 78
27  com.apple.WebCore          0x013cedb8 WebCore::EventHandler::handleMousePressEvent(WebCore::MouseEventWithHitTestResults const&) + 254
28  com.apple.WebCore          0x013cf209 WebCore::EventHandler::handleMousePressEvent(WebCore::PlatformMouseEvent const&) + 997
29  com.apple.WebCore          0x013c9e66 WebCore::EventHandler::mouseDown(NSEvent*) + 456
30  com.apple.WebKit           0x0032e766 -[WebHTMLView mouseDown:] + 410
31  com.apple.AppKit           0x9334c3af -[NSWindow sendEvent:] + 5279
32  com.apple.Safari           0x0002338e 0x1000 + 140174
33  com.apple.AppKit           0x9333e350 -[NSApplication sendEvent:] + 5023
34  com.apple.Safari           0x00022f1e 0x1000 + 139038
35  com.apple.AppKit           0x93268dfe -[NSApplication run] + 547
36  com.apple.AppKit           0x9325cd2f NSApplicationMain + 573
37  com.apple.Safari           0x0005f7de 0x1000 + 387038
38  com.apple.Safari           0x0005f6f9 0x1000 + 386809

Thread 1:
0   libSystem.B.dylib          0x90009857 mach_msg_trap + 7
1   com.apple.CoreFoundation   0x9082969a CFRunLoopRunSpecific + 2014
2   com.apple.CoreFoundation   0x90828eb5 CFRunLoopRunInMode + 61
3   com.apple.Foundation       0x9262aa9b +[NSURLConnection(NSURLConnectionInternal) _resourceLoadLoop:] + 259
4   com.apple.Foundation       0x925f536c forkThreadForFunction + 123
5   libSystem.B.dylib          0x90023d87 _pthread_body + 84

Thread 2:
0   libSystem.B.dylib          0x90009857 mach_msg_trap + 7
1   com.apple.CoreFoundation   0x9082969a CFRunLoopRunSpecific + 2014
2   com.apple.CoreFoundation   0x90828eb5 CFRunLoopRunInMode + 61
3   com.apple.Foundation       0x92651c4e +[NSURLCache _diskCacheSyncLoop:] + 206
4   com.apple.Foundation       0x925f536c forkThreadForFunction + 123
5   libSystem.B.dylib          0x90023d87 _pthread_body + 84

Thread 3:
0   libSystem.B.dylib          0x90024427 semaphore_wait_signal_trap + 7
1   com.apple.Foundation       0x9264b2f8 -[NSConditionLock lockWhenCondition:] + 39
2   com.apple.Syndication      0x9a47c052 -[AsyncDB _run:] + 181
3   com.apple.Foundation       0x925f536c forkThreadForFunction + 123
4   libSystem.B.dylib          0x90023d87 _pthread_body + 84

Thread 4:
0   libSystem.B.dylib          0x90019d3c select + 12
1   libSystem.B.dylib          0x90023d87 _pthread_body + 84

Thread 5:
0   libSystem.B.dylib          0x90024427 semaphore_wait_signal_trap + 7
1   com.apple.Foundation       0x9264b2f8 -[NSConditionLock lockWhenCondition:] + 39
2   com.apple.AppKit           0x93346270 -[NSUIHeartBeat _heartBeatThread:] + 377
3   com.apple.Foundation       0x925f536c forkThreadForFunction + 123
4   libSystem.B.dylib          0x90023d87 _pthread_body + 84

Thread 0 crashed with X86 Thread State (32-bit):
  eax: 0x00000000  ebx: 0x010cd8b2  ecx: 0x15999690  edx: 0x15999690
  edi: 0x01843ee0  esi: 0x15999744  ebp: 0xbfffec48  esp: 0xbfffebd0
   ss: 0x0000001f  efl: 0x00010206  eip: 0x01182aad   cs: 0x00000017
   ds: 0x0000001f   es: 0x0000001f   fs: 0x00000000   gs: 0x00000037

Binary Images Description:
    0x1000 -    0xdefff com.apple.Safari 2.0.4 (419.3) /Applications/Safari.app/Contents/MacOS/Safari
  0x10e000 -   0x10ffff WebKitNightlyEnabler.dylib /Users/tom/Desktop/WebKit.app/Contents/Resources/WebKitNightlyEnabler.dylib
  0x114000 -   0x193fff com.apple.JavaScriptCore 420+ /Users/tom/Desktop/WebKit.app/Contents/Resources/JavaScriptCore.framework/Versions/A/JavaScriptCore
  0x305000 -   0x3a9fff com.apple.WebKit 420+ /Users/tom/Desktop/WebKit.app/Contents/Resources/WebKit.framework/Versions/A/WebKit
 0x1008000 -  0x14fbfff com.apple.WebCore 420+ /Users/tom/Desktop/WebKit.app/Contents/Resources/WebCore.framework/Versions/A/WebCore
0x8fe00000 - 0x8fe49fff dyld 46.9 /usr/lib/dyld
0x90000000 - 0x9016ffff libSystem.B.dylib /usr/lib/libSystem.B.dylib
0x901bf000 - 0x901c1fff libmathCommon.A.dylib /usr/lib/system/libmathCommon.A.dylib
0x901c3000 - 0x901fffff com.apple.CoreText 1.1.1 (???) /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreText.framework/Versions/A/CoreText
0x90226000 - 0x902fcfff ATS /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ATS.framework/Versions/A/ATS
0x9031c000 - 0x90770fff com.apple.CoreGraphics 1.258.38 (???) /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/CoreGraphics
0x90807000 - 0x908cffff com.apple.CoreFoundation 6.4.6 (368.27) /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
0x9090d000 - 0x9090dfff com.apple.CoreServices 10.4 (???) /System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
0x9090f000 - 0x90a02fff libicucore.A.dylib /usr/lib/libicucore.A.dylib
0x90a52000 - 0x90ad1fff libobjc.A.dylib /usr/lib/libobjc.A.dylib
0x90afa000 - 0x90b5efff libstdc++.6.dylib /usr/lib/libstdc++.6.dylib
0x90bcd000 - 0x90bd4fff libgcc_s.1.dylib /usr/lib/libgcc_s.1.dylib
0x90bd9000 - 0x90c4cfff com.apple.framework.IOKit 1.4.6 (???) /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
0x90c61000 - 0x90c73fff libauto.dylib /usr/lib/libauto.dylib
0x90c79000 - 0x90f1ffff com.apple.CoreServices.CarbonCore 682.15 /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/CarbonCore.framework/Versions/A/CarbonCore
0x90f62000 - 0x90fcafff com.apple.CoreServices.OSServices 4.1 /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/OSServices.framework/Versions/A/OSServices
0x91002000 - 0x91040fff com.apple.CFNetwork 129.19 /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/CFNetwork.framework/Versions/A/CFNetwork
0x91053000 - 0x91063fff com.apple.WebServices 1.1.3 (1.1.0) /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/WebServicesCore.framework/Versions/A/WebServicesCore
0x9106e000 - 0x910ecfff com.apple.SearchKit 1.0.5 /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/SearchKit.framework/Versions/A/SearchKit
0x91121000 - 0x9113ffff com.apple.Metadata 10.4.4 (121.36) /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Metadata
0x9114b000 - 0x91159fff libz.1.dylib /usr/lib/libz.1.dylib
0x9115c000 - 0x912fbfff com.apple.security 4.5.2 (29774) /System/Library/Frameworks/Security.framework/Versions/A/Security
0x913f9000 - 0x91401fff com.apple.DiskArbitration 2.1.1 /System/Library/Frameworks/DiskArbitration.framework/Versions/A/DiskArbitration
0x91408000 - 0x9142efff com.apple.SystemConfiguration 1.8.6 /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration
0x91440000 - 0x91447fff libbsm.dylib /usr/lib/libbsm.dylib
0x9144b000 - 0x914c4fff com.apple.audio.CoreAudio 3.0.4 /System/Library/Frameworks/CoreAudio.framework/Versions/A/CoreAudio
0x91512000 - 0x91512fff com.apple.ApplicationServices 10.4 (???) /System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
0x91514000 - 0x9153ffff com.apple.AE 314 (313) /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/AE.framework/Versions/A/AE
0x91552000 - 0x91626fff com.apple.ColorSync 4.4.8 /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ColorSync.framework/Versions/A/ColorSync
0x91661000 - 0x916defff com.apple.print.framework.PrintCore 4.6 (177.13) /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/PrintCore.framework/Versions/A/PrintCore
0x9170b000 - 0x917b4fff com.apple.QD 3.10.21 (???) /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/QD.framework/Versions/A/QD
0x917da000 - 0x91825fff com.apple.HIServices 1.5.2 (???) /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/HIServices.framework/Versions/A/HIServices
0x91844000 - 0x9185afff com.apple.LangAnalysis 1.6.3 /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/LangAnalysis.framework/Versions/A/LangAnalysis
0x91866000 - 0x91880fff com.apple.FindByContent 1.5 /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/FindByContent.framework/Versions/A/FindByContent
0x9188a000 - 0x918c7fff com.apple.LaunchServices 181 /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/LaunchServices
0x918db000 - 0x918e7fff com.apple.speech.synthesis.framework 3.5 /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/SpeechSynthesis.framework/Versions/A/SpeechSynthesis
0x918ee000 - 0x91929fff com.apple.ImageIO.framework 1.5.0 /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/ImageIO
0x9193b000 - 0x919edfff libcrypto.0.9.7.dylib /usr/lib/libcrypto.0.9.7.dylib
0x91a33000 - 0x91a49fff libcups.2.dylib /usr/lib/libcups.2.dylib
0x91a4e000 - 0x91a6cfff libJPEG.dylib /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libJPEG.dylib
0x91a71000 - 0x91acffff libJP2.dylib /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libJP2.dylib
0x91ae1000 - 0x91ae5fff libGIF.dylib /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libGIF.dylib
0x91ae7000 - 0x91b64fff libRaw.dylib /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libRaw.dylib
0x91b68000 - 0x91ba5fff libTIFF.dylib /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libTIFF.dylib
0x91bab000 - 0x91bc5fff libPng.dylib /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libPng.dylib
0x91bca000 - 0x91bccfff libRadiance.dylib /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libRadiance.dylib
0x91bce000 - 0x91bcefff com.apple.Accelerate 1.3.1 (Accelerate 1.3.1) /System/Library/Frameworks/Accelerate.framework/Versions/A/Accelerate
0x91bd0000 - 0x91c5efff com.apple.vImage 2.5 /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vImage.framework/Versions/A/vImage
0x91c65000 - 0x91c65fff com.apple.Accelerate.vecLib 3.3.1 (vecLib 3.3.1) /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/vecLib
0x91c67000 - 0x91cc0fff libvMisc.dylib /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/libvMisc.dylib
0x91cc9000 - 0x91cedfff libvDSP.dylib /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/libvDSP.dylib
0x91cf5000 - 0x920fefff libBLAS.dylib /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/libBLAS.dylib
0x92138000 - 0x924ecfff libLAPACK.dylib /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/libLAPACK.dylib
0x92519000 - 0x92597fff com.apple.DesktopServices 1.3.5 /System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/DesktopServicesPriv
0x925d8000 - 0x92808fff com.apple.Foundation 6.4.7 (567.28) /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
0x92914000 - 0x929f2fff libxml2.2.dylib /usr/lib/libxml2.2.dylib
0x92a0f000 - 0x92afcfff libiconv.2.dylib /usr/lib/libiconv.2.dylib
0x92b0c000 - 0x92b23fff libGL.dylib /System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/libGL.dylib
0x92b2e000 - 0x92b86fff libGLU.dylib /System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/libGLU.dylib
0x92b9a000 - 0x92b9afff com.apple.Carbon 10.4 (???) /System/Library/Frameworks/Carbon.framework/Versions/A/Carbon
0x92b9c000 - 0x92bacfff com.apple.ImageCapture 3.0.4 /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/ImageCapture.framework/Versions/A/ImageCapture
0x92bba000 - 0x92bc2fff com.apple.speech.recognition.framework 3.6 /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/SpeechRecognition.framework/Versions/A/SpeechRecognition
0x92bc8000 - 0x92bcdfff com.apple.securityhi 2.0.1 (24742) /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/SecurityHI.framework/Versions/A/SecurityHI
0x92bd3000 - 0x92c64fff com.apple.ink.framework 101.2.1 (71) /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/Ink.framework/Versions/A/Ink
0x92c78000 - 0x92c7bfff com.apple.help 1.0.3 (32.1) /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/Help.framework/Versions/A/Help
0x92c7e000 - 0x92c9bfff com.apple.openscripting 1.2.5 (???) /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/OpenScripting.framework/Versions/A/OpenScripting
0x92cab000 - 0x92cb1fff com.apple.print.framework.Print 5.2 (192.4) /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/Print.framework/Versions/A/Print
0x92cb7000 - 0x92d1afff com.apple.htmlrendering 66.1 (1.1.3) /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HTMLRendering.framework/Versions/A/HTMLRendering
0x92d3e000 - 0x92d7ffff com.apple.NavigationServices 3.4.4 (3.4.3) /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/NavigationServices.framework/Versions/A/NavigationServices
0x92da6000 - 0x92db3fff com.apple.audio.SoundManager 3.9.1 /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/CarbonSound.framework/Versions/A/CarbonSound
0x92dba000 - 0x92dbffff com.apple.CommonPanels 1.2.3 (73) /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/CommonPanels.framework/Versions/A/CommonPanels
0x92dc4000 - 0x930b6fff com.apple.HIToolbox 1.4.8 (???) /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox
0x931bb000 - 0x931c6fff com.apple.opengl 1.4.12 /System/Library/Frameworks/OpenGL.framework/Versions/A/OpenGL
0x931cb000 - 0x931e6fff com.apple.DirectoryService.Framework 3.2 /System/Library/Frameworks/DirectoryService.framework/Versions/A/DirectoryService
0x93256000 - 0x93256fff com.apple.Cocoa 6.4 (???) /System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa
0x93258000 - 0x9390efff com.apple.AppKit 6.4.8 (824.42) /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
0x93c8f000 - 0x93d09fff com.apple.CoreData 90 /System/Library/Frameworks/CoreData.framework/Versions/A/CoreData
0x93d42000 - 0x93e03fff com.apple.audio.toolbox.AudioToolbox 1.4.3 /System/Library/Frameworks/AudioToolbox.framework/Versions/A/AudioToolbox
0x93e43000 - 0x93e43fff com.apple.audio.units.AudioUnit 1.4.2 /System/Library/Frameworks/AudioUnit.framework/Versions/A/AudioUnit
0x93e45000 - 0x94017fff com.apple.QuartzCore 1.4.9 /System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore
0x94068000 - 0x940a9fff libsqlite3.0.dylib /usr/lib/libsqlite3.0.dylib
0x940b1000 - 0x940ebfff libGLImage.dylib /System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/libGLImage.dylib
0x94179000 - 0x941b7fff com.apple.vmutils 4.0.2 (93.1) /System/Library/PrivateFrameworks/vmutils.framework/Versions/A/vmutils
0x941fb000 - 0x9420bfff com.apple.securityfoundation 2.2.1 (28150) /System/Library/Frameworks/SecurityFoundation.framework/Versions/A/SecurityFoundation
0x94218000 - 0x94255fff com.apple.securityinterface 2.2.1 (27695) /System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
0x94271000 - 0x94280fff libCGATS.A.dylib /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/libCGATS.A.dylib
0x94287000 - 0x94292fff libCSync.A.dylib /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/libCSync.A.dylib
0x942de000 - 0x942f8fff libRIP.A.dylib /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/libRIP.A.dylib
0x9471a000 - 0x94863fff com.apple.AddressBook.framework 4.0.4 (485.1) /System/Library/Frameworks/AddressBook.framework/Versions/A/AddressBook
0x948ef000 - 0x948fefff com.apple.DSObjCWrappers.Framework 1.1 /System/Library/PrivateFrameworks/DSObjCWrappers.framework/Versions/A/DSObjCWrappers
0x94905000 - 0x9492efff com.apple.LDAPFramework 1.4.2 (69.1.1) /System/Library/Frameworks/LDAP.framework/Versions/A/LDAP
0x94934000 - 0x94943fff libsasl2.2.dylib /usr/lib/libsasl2.2.dylib
0x94947000 - 0x9496cfff libssl.0.9.7.dylib /usr/lib/libssl.0.9.7.dylib
0x94978000 - 0x94995fff libresolv.9.dylib /usr/lib/libresolv.9.dylib
0x95744000 - 0x95767fff libxslt.1.dylib /usr/lib/libxslt.1.dylib
0x9707d000 - 0x97082fff com.apple.agl 2.5.9 (AGL-2.5.9) /System/Library/Frameworks/AGL.framework/Versions/A/AGL
0x9a479000 - 0x9a4b0fff com.apple.Syndication 1.0.6 (54) /System/Library/PrivateFrameworks/Syndication.framework/Versions/A/Syndication
0x9a4cc000 - 0x9a4defff com.apple.SyndicationUI 1.0.6 (54) /System/Library/PrivateFrameworks/SyndicationUI.framework/Versions/A/SyndicationUI

Model: Macmini1,1, BootROM MM11.0055.B08, 2 processors, Intel Core Duo, 1.66 GHz, 1 GB
Graphics: Intel GMA 950, GMA 950, Built-In, spdisplays_integrated_vram
Memory Module: BANK 0/DIMM0, 512 MB, DDR2 SDRAM, 667 MHz
Memory Module: BANK 1/DIMM1, 512 MB, DDR2 SDRAM, 667 MHz
AirPort: spairport_wireless_card_type_airport_extreme (0x168C, 0x86), 0.1.30
Bluetooth: Version 1.7.9f12, 2 service, 1 devices, 1 incoming serial ports
Network Service: Built-in Ethernet, Ethernet, en0
Serial ATA Device: FUJITSU MHV2080BHPL, 74.53 GB
Parallel ATA Device: MATSHITADVD-R UJ-846
USB Device: Microsoft Wheel Mouse Optical®, Microsoft, Up to 1.5 Mb/sec, 500 mA
USB Device: Bluetooth HCI, Up to 12 Mb/sec, 500 mA
USB Device: IR Receiver, Apple Computer, Inc., Up to 12 Mb/sec, 500 mA
USB Device: DELL USB Keyboard, DELL, Up to 1.5 Mb/sec, 500 mA
Tom Brown
Comment 2 2007-02-15 16:50:57 PST
Created attachment 13191 [details]
Reduced crash case

1. Open the test case.
2. Click on the input box.
3. Crash.

An invalid "event.srcElement" is only sent when an INPUT element is the cause of the event.
Alexey Proskuryakov
Comment 3 2007-02-15 22:31:57 PST
I think the XMLNS part is a red herring - it doesn't mean anything at all in HTML, and would just be a syntax error in XML. I'm getting a crash with a debug build of r19653 with or without it (in both cases, with a different stack trace).

Thread 0 Crashed:
0   com.apple.WebCore   0x01645668 WebCore::RenderObject::positionForPoint(WebCore::IntPoint const&) + 40 (RenderObject.h:536)
1   com.apple.WebCore   0x01525c64 WebCore::EventHandler::handleMousePressEventSingleClick(WebCore::MouseEventWithHitTestResults const&) + 588 (EventHandler.cpp:228)
2   com.apple.WebCore   0x01527c9c WebCore::EventHandler::handleMousePressEvent(WebCore::MouseEventWithHitTestResults const&) + 572 (EventHandler.cpp:297)
3   com.apple.WebCore   0x0152ac44 WebCore::EventHandler::handleMousePressEvent(WebCore::PlatformMouseEvent const&) + 1628 (EventHandler.cpp:820)
4   com.apple.WebCore   0x01522f9c WebCore::EventHandler::mouseDown(NSEvent*) + 476 (EventHandlerMac.mm:602)
5   com.apple.WebKit    0x003511c8 -[WebHTMLView mouseDown:] + 544 (WebHTMLView.mm:2870)
6   com.apple.AppKit    0x93762890 -[NSWindow sendEvent:] + 4616
7   com.apple.Safari    0x00021734 0x1000 + 132916
8   com.apple.AppKit    0x9370b8d4 -[NSApplication sendEvent:] + 4172
9   com.apple.Safari    0x00021238 0x1000 + 131640
10  com.apple.AppKit    0x93702d10 -[NSApplication run] + 508
mitz
Comment 4 2007-02-16 06:28:53 PST
> if (event.srcElement.parentNode == null)

The event.srcElement in that case is the text field's inner DIV. I don't think a shadow node should ever be exposed through the DOM like that!
mitz
Comment 5 2007-02-16 06:47:27 PST
Using nightly builds I narrowed down the regression to somewhere between r19341 and r19385. Among the changes in that range, <http://trac.webkit.org/projects/webkit/changeset/19378> is the prime suspect.
mitz
Comment 6 2007-02-16 07:44:14 PST
Created attachment 13200 [details]
Don't bubble/capture across the shadow DOM boundary if not SVG

Includes layout test and change log. No layout test regressions, but I don't know if the SVG <use> tests cover this (I expect they do).
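The boundary rule the patch title states, shown as an added example in plain JavaScript. This is neither WebKit's code nor the attachment (the real fix is in WebCore's C++ event dispatch and is not on this page): it is a toy DOM in which a text field's editable area is an engine-private div inside a shadow tree, and it runs the scenario from the report (a document-level onselectstart handler that sees a target with no visible parentNode, appends it to the page and removes it) once with a dispatch path that follows every parent and host link and once with one that stops at a non-SVG shadow root. The class names, the `leakyPath`/`boundedPath` helpers and the sample tree are assumptions made for the example.

```javascript
// Added example, not WebKit's code and not the bug's attachment: a toy DOM that
// models capture/bubble paths and shows why dispatch must not cross the boundary
// of an engine-private (non-SVG) shadow tree. Class and helper names, and the
// sample tree, are assumptions made for this example.

class Node {
  constructor(name) {
    this.name = name;
    this.parent = null;   // internal parent link; for shadow children it is the ShadowRoot
    this.children = [];
    this.listeners = [];  // { type, fn, capture }
  }
  appendChild(child) {
    if (child.parent) child.parent.removeChild(child);
    child.parent = this;
    this.children.push(child);
    return child;
  }
  removeChild(child) {
    this.children = this.children.filter((c) => c !== child);
    child.parent = null;
    return child;
  }
  addEventListener(type, fn, capture = false) {
    this.listeners.push({ type, fn, capture });
  }
}

// Root of an engine-private subtree hanging off a host element. SVG <use>
// instance trees are the one kind the patch title still lets events cross.
class ShadowRoot extends Node {
  constructor(host, { svg = false } = {}) {
    super(`#shadow-root(${host.name})`);
    this.host = host;
    this.svg = svg;
    host.shadowRoot = this;
  }
}

// Regressed behaviour: follow every parent and host link, so an event fired on a
// shadow-internal node reaches page-level listeners with that node as its target.
function leakyPath(target) {
  const path = [];
  for (let n = target; n; n = n.parent || n.host || null) path.push(n);
  return path;
}

// Fixed behaviour: stop at the root of a non-SVG shadow tree; only an SVG shadow
// root lets the walk continue to its host.
function boundedPath(target) {
  const path = [];
  for (let n = target; n; ) {
    path.push(n);
    n = n instanceof ShadowRoot ? (n.svg ? n.host : null) : n.parent;
  }
  return path;
}

// Minimal DOM-style dispatch over a precomputed path: capture down, target, bubble up.
function dispatch(path, type) {
  const event = { type, target: path[0], currentTarget: null };
  const fire = (node, phase) => {
    event.currentTarget = node;
    for (const l of node.listeners) {
      if (l.type === type && (phase === "target" || l.capture === (phase === "capture"))) l.fn(event);
    }
  };
  for (let i = path.length - 1; i > 0; i--) fire(path[i], "capture");
  fire(path[0], "target");
  for (let i = 1; i < path.length; i++) fire(path[i], "bubble");
  return event;
}

// Constructed sample page: <html><body><input>, with the text field's editable
// area as an internal div inside the input's shadow tree.
function buildPage() {
  const document = new Node("#document");
  const body = document.appendChild(new Node("html")).appendChild(new Node("body"));
  const input = body.appendChild(new Node("input"));
  const innerDiv = new ShadowRoot(input).appendChild(new Node("div(inner)"));
  return { document, body, input, innerDiv };
}

// The scenario from the report: a document-level onselectstart handler sees a
// target whose DOM-visible parentNode is null, appends it to the page, removes it.
function runScenario(pathFn) {
  const page = buildPage();
  const seenTargets = [];
  page.document.addEventListener("selectstart", (e) => {
    seenTargets.push(e.target.name);
    // A shadow root is not a DOM-visible parent, so script sees parentNode == null.
    const visibleParent = e.target.parent instanceof ShadowRoot ? null : e.target.parent;
    if (visibleParent === null) {
      page.body.appendChild(e.target);  // steals the inner div from the text control
      page.body.removeChild(e.target);  // ...and drops it: the control's inner element is gone
    }
  });
  dispatch(pathFn(page.innerDiv), "selectstart");
  return {
    seenTargets,
    innerDivParent: page.innerDiv.parent ? page.innerDiv.parent.name : null,
    shadowChildCount: page.input.shadowRoot.children.length,
  };
}

console.log("regressed:", runScenario(leakyPath));
console.log("fixed:    ", runScenario(boundedPath));
```

With `leakyPath` the document handler runs with the internal div as its target and leaves the input's shadow tree empty, which is the state the reporter's backtrace shows RenderTextControl laying out when it crashes; with `boundedPath` the selectstart event never leaves the shadow tree, so page script cannot observe or reparent the node, while an SVG shadow root still lets the path continue to its host as the patch title allows.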
Darin Adler
Comment 7 2007-02-16 08:01:26 PST
Comment on attachment 13200 [details]
Don't bubble/capture across the shadow DOM boundary if not SVG

r=me
Adele Peterson
Comment 8 2007-02-17 10:46:36 PST
Committed revision 19681.