Bug 200889

Summary: Clicking the search icon on ae.com hangs the web content process
Product: WebKit Reporter: Wenson Hsieh <wenson_hsieh>
Component: HTML EditingAssignee: Wenson Hsieh <wenson_hsieh>
Status: RESOLVED FIXED    
Severity: Normal CC: bdakin, cdumez, commit-queue, dbates, esprehn+autocc, ews-watchlist, kangil.han, rniwa, thorton, webkit-bug-importer, wenson_hsieh
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
WIP patch
none
Alternate approach
none
Patch
none
Patch none

Description Wenson Hsieh 2019-08-19 10:03:14 PDT 
<rdar://problem/54359330>
Comment 1 Wenson Hsieh 2019-08-19 10:07:28 PDT Comment hidden (obsolete)
Comment 2 Wenson Hsieh 2019-08-19 10:08:48 PDT 
Created attachment 376695 [details]
WIP patch
Comment 3 Wenson Hsieh 2019-08-19 20:56:35 PDT 
Created attachment 376740 [details]
Alternate approach
Comment 4 Ryosuke Niwa 2019-08-19 22:10:47 PDT 
Comment on attachment 376740 [details]
Alternate approach

View in context: https://bugs.webkit.org/attachment.cgi?id=376740&action=review

> Source/WebCore/dom/Position.cpp:636
> +    auto& renderer = *node->renderer();
> +    return is<RenderElement>(renderer) && !Position::hasRenderedNonAnonymousDescendantsWithHeight(downcast<RenderElement>(renderer));

This doesn't seem right. It's possible for a text node to appear as direct children of a document node.

> LayoutTests/ChangeLog:13
> +        * fast/events/focus-anchor-with-tabindex-hang-expected.txt: Added.
> +        * fast/events/focus-anchor-with-tabindex-hang.html: Added.

Please add another test which uses getSelection().modify(~) to reproduce the hang.
Comment 5 Wenson Hsieh 2019-08-20 09:23:36 PDT 
Comment on attachment 376740 [details]
Alternate approach

View in context: https://bugs.webkit.org/attachment.cgi?id=376740&action=review

>> Source/WebCore/dom/Position.cpp:636
>> +    return is<RenderElement>(renderer) && !Position::hasRenderedNonAnonymousDescendantsWithHeight(downcast<RenderElement>(renderer));
> 
> This doesn't seem right. It's possible for a text node to appear as direct children of a document node.

Hm…I’m a bit confused by this comment. This existing early return:

    if (!node->renderer()->isInline())
        return true;

…should ensure that we always consider the document element to have visually distinct ends, even in a page like this:

    <html>
        <style>
        html, body { display: inline; }
        </style>
        
    </html>

Perhaps I misunderstood something?

>> LayoutTests/ChangeLog:13
>> +        * fast/events/focus-anchor-with-tabindex-hang.html: Added.
> 
> Please add another test which uses getSelection().modify(~) to reproduce the hang.

Good call! Added a new test.
Comment 6 Wenson Hsieh 2019-08-20 09:25:53 PDT Comment hidden (obsolete)
Comment 7 Wenson Hsieh 2019-08-20 09:29:02 PDT 
Created attachment 376776 [details]
Patch
Comment 8 Ryosuke Niwa 2019-08-20 11:14:12 PDT 
(In reply to Wenson Hsieh from comment #5)
> Comment on attachment 376740 [details]
> Alternate approach
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=376740&action=review
> 
> >> Source/WebCore/dom/Position.cpp:636
> >> +    return is<RenderElement>(renderer) && !Position::hasRenderedNonAnonymousDescendantsWithHeight(downcast<RenderElement>(renderer));
> > 
> > This doesn't seem right. It's possible for a text node to appear as direct children of a document node.
> 
> Hm…I’m a bit confused by this comment. This existing early return:
> 
>     if (!node->renderer()->isInline())
>         return true;
> 
> …should ensure that we always consider the document element to have visually
> distinct ends, even in a page like this:

Oh, I missed that. Cool.
Comment 9 WebKit Commit Bot 2019-08-20 11:46:42 PDT 
Comment on attachment 376776 [details]
Patch

Clearing flags on attachment: 376776

Committed r248909: <https://trac.webkit.org/changeset/248909>
Comment 10 WebKit Commit Bot 2019-08-20 11:46:44 PDT 
All reviewed patches have been landed.  Closing bug.