Bug 8298

Summary:

REGRESSION: Crash occurs when attempting to drag selection into Depart/Return input fields at http://www.travelocity.com/

Product:

WebKit

Reporter:

Chris Petersen <c.petersen87>

Component:

HTML Editing

Assignee:

Darin Adler <darin>

Status:

VERIFIED FIXED

Severity:

Normal

CC:

backlink788, justin.garcia

Priority:

Keywords:

InRadar, Regression

Version:

420+

Hardware:

Mac

OS:

OS X 10.4

Attachments:

Description	Flags
back_trace	none
preliminary patch	none
reduction	none
patch with detailed change log, manual test	adele: review+

Chris Petersen

Reported 2006-04-10 10:29:27 PDT

When I attempt to drag a selection into one of the page's field ( Depart/Return), a crash will occur. 0 com.apple.WebCore 0x0117727b WebCore::CSSStyleDeclaration::copyPropertiesInSet(int const*, unsigned) const + 169 STEPS TO REPRODUCE 1. With TOT WebKit, go to http://www.travelocity.com/?Service=TRAVELOCITY 2. The best way to reproduce this issue is click travelocity logo image (at the top of the page) and drag it so that it hovers directly over Depart or Return fields. Mouse up when you see the caret appear in this field. 3. Crash occurs. * RESULTS No crash should occur when attempting to drag into a field. However, the application does crash. * REGRESSION Yes, this occurs with native text fields .

Attachments
back_trace (20.75 KB, text/plain) 2006-04-10 10:32 PDT, Chris Petersen	no flags	Details
preliminary patch (17.34 KB, patch) 2006-04-14 19:30 PDT, Darin Adler	no flags	Details Formatted Diff Diff
reduction (146 bytes, text/html) 2006-04-14 19:31 PDT, Darin Adler	no flags	Details
patch with detailed change log, manual test (20.66 KB, patch) 2006-04-15 19:16 PDT, Darin Adler	adele: review+	Details Formatted Diff Diff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.

Chris Petersen

Comment 1 2006-04-10 10:32:12 PDT

Created attachment 7620 [details] back_trace

Chris Petersen

Comment 2 2006-04-10 10:33:19 PDT

This issue has been filed as <rdar://problem/4507874>

Darin Adler

Comment 3 2006-04-14 09:08:00 PDT

The cause of this is that the drag is targeted at the text node, and when the text field is emptied the text node is gone. So this has the same type of cause that bug 8111 did.

Darin Adler

Comment 4 2006-04-14 19:30:57 PDT

Created attachment 7721 [details] preliminary patch

Darin Adler

Comment 5 2006-04-14 19:31:24 PDT

Created attachment 7722 [details] reduction

Darin Adler

Comment 6 2006-04-15 19:16:19 PDT

Created attachment 7738 [details] patch with detailed change log, manual test

Justin Garcia

Comment 7 2006-04-16 18:21:42 PDT

Is replaceChild really an optimization? You could make the SelectionController& returned by dragCaret() non-const, like selection(). Typo in the changelog entry: + So this change along fixes the crash.

Darin Adler

Comment 8 2006-04-16 19:37:48 PDT

(In reply to comment #7) > Is replaceChild really an optimization? Only a slight one, I guess. It sends fewer mutation events. > You could make the SelectionController& returned by dragCaret() non-const, like > selection(). That's probably better than what I did. In general, I think we're still mixed up about SelectionController. If it's really a controller, then we should change selections by calling SelectionController functions. And we should not have setSelection or setDragCaret functions that take a SelectionController. > Typo in the changelog entry: > + So this change along fixes the crash. I'll fix that.

Chris Petersen

Comment 9 2006-04-20 22:56:25 PDT

Verified with latest TOT Webkit build (r13990).

Note You need to log in before you can comment on or make changes to this bug.