Bug 26557

Summary: Crash in WebCore::pushFullyClippedState due to BitStack size assert
Product: WebKit Reporter: Finnur Thorarinsson <finnur.webkit>
Component: New BugsAssignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Major CC: darin
Priority: P1    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: All   

Finnur Thorarinsson
Reported 2009-06-19 12:44:18 PDT
I have reduced the crash to this piece of HTML: <html> <body> <form><input type="text" id="search" /></form> <script type="text/javascript"> document.getElementById("search").setAttribute("type","search"); </script> </body> </html> If you call WebCore::findPlainText(...) specifying any text as parameter, you'll get an ASSERT here: static void pushFullyClippedState(BitStack& stack, Node* node) { ASSERT(stack.size() == depthCrossingShadowBoundaries(node)); ... snip ... } Stepping through this, I see that stack.size() returns 5 but depthCrossingShadowBoundaries returns 6, because it goes through this hierarchy of parent nodes: HTMLDocument HTMLHtmlElement HTMLBodyElement HTMLFormElement HTMLInputElement (shadow parent) TextControlInnerTextElement Darin, if you have something simple you'd like me to try, feel free to suggest changes and I can try it out, formulate a patch and submit it to WebKit.
Attachments
Add attachment proposed patch, testcase, etc.
Finnur Thorarinsson
Comment 1 2009-06-19 12:54:22 PDT
And, I should mention this bug fix is what seems to have triggered this: https://bugs.webkit.org/show_bug.cgi?id=26364
Mark Rowe (bdash)
Comment 2 2009-06-19 13:45:20 PDT
*** This bug has been marked as a duplicate of 26528 ***
Note You need to log in before you can comment on or make changes to this bug.