Bug 13557

Summary: Crash when dragging selection over absolutely positioned generated content on block element
Product: WebKit Reporter: Elliott Sprehn <esprehn>
Component: Layout and RenderingAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: bdakin, mitz
Priority: P1 Keywords: HasReduction, InRadar
Version: 523.x (Safari 3)   
Hardware: Mac   
OS: OS X 10.4   
Attachments:
Description Flags
Webkit Nightly Crash Log
none
Safari 2 Crash Log
none
Test Case
none
Return the enclosing element for positioned generated content hyatt: review+

Elliott Sprehn
Reported 2007-04-30 23:49:50 PDT
If you drag the selection box over the absolutely positioned generated content of a block element Webkit crashes. Reproducible with Safari 2 and latest Webkit Nightly (Mon Apr 30 11:37:42 GMT 2007). Note that the crash reasons for Safari and Webkit are different, but the same actions can be taken to cause the crash.
Attachments
Webkit Nightly Crash Log (19.63 KB, text/plain)
2007-04-30 23:50 PDT, Elliott Sprehn 		no flags
Details
Safari 2 Crash Log (19.45 KB, text/plain)
2007-04-30 23:51 PDT, Elliott Sprehn 		no flags
Details
Test Case (664 bytes, text/html)
2007-04-30 23:54 PDT, Elliott Sprehn 		no flags
Details
Return the enclosing element for positioned generated content (20.05 KB, patch)
2007-05-05 02:22 PDT, mitz 		hyatt: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Elliott Sprehn
Comment 1 2007-04-30 23:50:29 PDT
Created attachment 14285 [details] Webkit Nightly Crash Log
Elliott Sprehn
Comment 2 2007-04-30 23:51:10 PDT
Created attachment 14286 [details] Safari 2 Crash Log
Elliott Sprehn
Comment 3 2007-04-30 23:54:53 PDT
Created attachment 14287 [details] Test Case In the text case click below the red square and hold so you have a text selection I-beam and then drag over the red box up to the text. This will cause the browser to crash.
Elliott Sprehn
Comment 4 2007-04-30 23:57:54 PDT
This occurs with both :before and :after.
Alexey Proskuryakov
Comment 5 2007-05-01 02:10:26 PDT
Confirmed with r21199.
Eric Seidel (no email)
Comment 6 2007-05-03 19:51:18 PDT
Neat bug. This was printed to the console: ERROR: No parent frame in transitionToCommitted:, FrameLoadTypeInternal
Eric Seidel (no email)
Comment 7 2007-05-04 00:51:14 PDT
This assert demonstrates the real problem here: Index: rendering/RenderLayer.cpp =================================================================== --- rendering/RenderLayer.cpp (revision 21246) +++ rendering/RenderLayer.cpp (working copy) @@ -1557,6 +1557,7 @@ // Now determine if the result is inside an anchor; make sure an image map wins if // it already set URLElement and only use the innermost. Node* node = result.innerNode(); + ASSERT(!!insideLayer == !!node); while (node) { // for imagemaps, URLElement is the associated area element not the image itself if (node->isLink() && !result.URLElement() && !node->hasTagName(imgTag)) I'm just not sure how to fix it yet.
Darin Adler
Comment 8 2007-05-04 22:19:26 PDT
<rdar://problem/5183693>
mitz
Comment 9 2007-05-05 02:22:26 PDT
Created attachment 14348 [details] Return the enclosing element for positioned generated content
Dave Hyatt
Comment 10 2007-05-05 03:26:32 PDT
Comment on attachment 14348 [details] Return the enclosing element for positioned generated content r=me
Alexey Proskuryakov
Comment 11 2007-05-06 10:04:04 PDT
Committed revision 21276.
Note You need to log in before you can comment on or make changes to this bug.