| Summary: | Crash in WebCore::pushFullyClippedState due to BitStack size assert | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Finnur Thorarinsson <finnur.webkit> |
| Component: | New Bugs | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED DUPLICATE | ||
| Severity: | Major | CC: | darin |
| Priority: | P1 | ||
| Version: | 528+ (Nightly build) | ||
| Hardware: | PC | ||
| OS: | All | ||
And, I should mention this bug fix is what seems to have triggered this: https://bugs.webkit.org/show_bug.cgi?id=26364 |
I have reduced the crash to this piece of HTML: <html> <body> <form><input type="text" id="search" /></form> <script type="text/javascript"> document.getElementById("search").setAttribute("type","search"); </script> </body> </html> If you call WebCore::findPlainText(...) specifying any text as parameter, you'll get an ASSERT here: static void pushFullyClippedState(BitStack& stack, Node* node) { ASSERT(stack.size() == depthCrossingShadowBoundaries(node)); ... snip ... } Stepping through this, I see that stack.size() returns 5 but depthCrossingShadowBoundaries returns 6, because it goes through this hierarchy of parent nodes: HTMLDocument HTMLHtmlElement HTMLBodyElement HTMLFormElement HTMLInputElement (shadow parent) TextControlInnerTextElement Darin, if you have something simple you'd like me to try, feel free to suggest changes and I can try it out, formulate a patch and submit it to WebKit.