Bug 13557

Summary: Crash when dragging selection over absolutely positioned generated content on block element
Product: WebKit
Reporter: Elliott Sprehn <esprehn>
Component: Layout and Rendering
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: bdakin, mitz
Priority: P1
Keywords: HasReduction, InRadar
Version: 523.x (Safari 3)
Hardware: Mac
OS: OS X 10.4
Attachments (description, flags):
Webkit Nightly Crash Log (flags: none)
Safari 2 Crash Log (flags: none)
Test Case (flags: none)
Return the enclosing element for positioned generated content (flags: hyatt: review+)

Description Elliott Sprehn 2007-04-30 23:49:50 PDT
If you drag the selection box over the absolutely positioned generated content of a block element Webkit crashes.

Reproducible with Safari 2 and latest Webkit Nightly (Mon Apr 30 11:37:42 GMT 2007).

Note that the crash reasons for Safari and Webkit are different, but the same actions can be taken to cause the crash.
Comment 1 Elliott Sprehn 2007-04-30 23:50:29 PDT
Created attachment 14285 [details]
Webkit Nightly Crash Log
Comment 2 Elliott Sprehn 2007-04-30 23:51:10 PDT
Created attachment 14286 [details]
Safari 2 Crash Log
Comment 3 Elliott Sprehn 2007-04-30 23:54:53 PDT
Created attachment 14287 [details]
Test Case

In the test case click below the red square and hold so you have a text selection I-beam and then drag over the red box up to the text.

This will cause the browser to crash.
Comment 4 Elliott Sprehn 2007-04-30 23:57:54 PDT
This occurs with both :before and :after.
Comment 5 Alexey Proskuryakov 2007-05-01 02:10:26 PDT
Confirmed with r21199.
Comment 6 Eric Seidel (no email) 2007-05-03 19:51:18 PDT
Neat bug.  This was printed to the console:

ERROR: No parent frame in transitionToCommitted:, FrameLoadTypeInternal
Comment 7 Eric Seidel (no email) 2007-05-04 00:51:14 PDT
This assert demonstrates the real problem here:

Index: rendering/RenderLayer.cpp
===================================================================
--- rendering/RenderLayer.cpp   (revision 21246)
+++ rendering/RenderLayer.cpp   (working copy)
@@ -1557,6 +1557,7 @@
     // Now determine if the result is inside an anchor; make sure an image map wins if
     // it already set URLElement and only use the innermost.
     Node* node = result.innerNode();
+    ASSERT(!!insideLayer == !!node);
     while (node) {
         // for imagemaps, URLElement is the associated area element not the image itself
         if (node->isLink() && !result.URLElement() && !node->hasTagName(imgTag))
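Review bot: the added `ASSERT(!!insideLayer == !!node)` in the hunk only makes the mismatch visible; it does not fix it, and it fires in the exact case this bug is about. The `while (node)` loop below it silently tolerates a null `node`, so the code path hitting a layer for positioned generated content (which has no DOM node of its own) simply skips the anchor check instead of reporting why, and the inconsistent `HitTestResult` then propagates to the caller that crashes. As a diagnostic the assert is useful, but the hunk should either be accompanied by the actual change that makes hit testing return the enclosing element for generated content (the approach in attachment 14348), or the assert should be paired with a comment stating that an inner-layer hit without an inner node is the known unhandled case, so a reader of this hunk alone does not mistake it for the fix.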

I'm just not sure how to fix it yet.
Comment 8 Darin Adler 2007-05-04 22:19:26 PDT
<rdar://problem/5183693>
Comment 9 mitz 2007-05-05 02:22:26 PDT
Created attachment 14348 [details]
Return the enclosing element for positioned generated content
Comment 10 Dave Hyatt 2007-05-05 03:26:32 PDT
Comment on attachment 14348 [details]
Return the enclosing element for positioned generated content

r=me
Comment 11 Alexey Proskuryakov 2007-05-06 10:04:04 PDT
Committed revision 21276.