Bug 7398

Summary: Crash in setFocusNode if the old focus node has been detached
Product: WebKit Reporter: Graham Dennis <Graham.Dennis>
Component: Layout and RenderingAssignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Major CC: mitz
Priority: P2    
Version: 420+   
Hardware: Mac   
OS: OS X 10.4   
Attachments:
Description Flags
patch darin: review-

Graham Dennis
Reported 2006-02-20 22:58:03 PST
While running Sandvox with the latest WebKit ToT, if one deletes all the text in the site sub-title or 'parting words' editable divs, then the editing delegate (in Sandvox) removes the text element (it becomes detached) before setFocusNode() is called. When setFocusNode is called, there is a crash caused by the assumption that if the node exists, and it isn't currently being detached, that is must have a renderer. In this case, as it has been detached, it no longer has a renderer. I have a patch which I'll attach. The appropriate part of the crash report is below: Exception: EXC_BAD_ACCESS (0x0001) Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000000 Thread 0 Crashed: 0 com.apple.WebCore 0x019bcb50 WebCore::DocumentImpl::setFocusNode(KXMLCore::PassRefPtr<WebCore::NodeImpl>) + 400 (DocumentImpl.cpp:2058) 1 com.apple.WebCore 0x019b53a8 WebCore::FrameView::dispatchMouseEvent(WebCore::AtomicString const&, WebCore::NodeImpl*, bool, int, QMouseEvent*, bool, int) + 1208 (FrameView.cpp:1038)
Attachments
patch (597 bytes, patch)
2006-02-20 22:59 PST, Graham Dennis 		darin: review-
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Graham Dennis
Comment 1 2006-02-20 22:59:46 PST
Created attachment 6637 [details] patch This patch seems to fix the bug for me.
Darin Adler
Comment 2 2006-02-20 23:02:17 PST
Comment on attachment 6637 [details] patch Patch looks good. We need a layout test for regression-testing purposes and a change log entry. Also, did you run all the other layout tests to check that this didn't break anything?
mitz
Comment 3 2006-02-20 23:06:27 PST
Is this a duplicate of bug 7363?
Graham Dennis
Comment 4 2006-02-20 23:59:30 PST
The crash occurs on the same line as 7363, but this patch won't fix 7363 as in this case, the node is detached and so doesn't have a renderer. In the other case, the node is attached but still doesn't have a renderer. *** This bug has been marked as a duplicate of 7363 ***
Note You need to log in before you can comment on or make changes to this bug.