Open the URL above in either Chrome or Safari on OS X and double click on one of the populated cells (to enter edit mode - think spreadsheet). Then, shift-click into another cell and the browser crashes. Our web application (Smartsheet) leaves the DOM in a perfectly valid state and this works just as expected on FF (any OS) as well as Chrome and IE on Windows. The browser crashes even before a mousedown JS event is triggered, so there is no way for our web application to work around this bug. We have tried to recreate a simplified scenario with minimal HTML, but (so far) have been unable to do so.
Crashes both Safari 6.0.2 and ToT. <rdar://problem/12279599>
Stack in Google Chrome 23:
Thread 0 *CRASHED* ( EXC_BAD_ACCESS / KERN_PROTECTION_FAILURE @ 0x00000014 )
0x01e9231a [Google Chrome Framework] - ../dom/Node.h:752] WebCore::textDistance
0x01e921b8 [Google Chrome Framework] - EventHandler.cpp:547] WebCore::EventHandler::handleMousePressEventSingleClick
0x01e925fb [Google Chrome Framework] - EventHandler.cpp:642] WebCore::EventHandler::handleMousePressEvent
0x01e9552f [Google Chrome Framework] - EventHandler.cpp:1615] WebCore::EventHandler::handleMousePressEvent
0x013a14e8 [Google Chrome Framework] - PageWidgetDelegate.cpp:207] WebKit::PageWidgetEventHandler::handleMouseDown
0x013e4561 [Google Chrome Framework] - WebViewImpl.cpp:558] WebKit::WebViewImpl::handleMouseDown
Why was this downgraded from Critical to Normal? It's a crashing bug, and has a severe impact for our customers using Macs. They will lose any unsaved data from our app when the crash occurs. I understand that the circumstances aren't all that common in terms of the entire browser audience, but they're not uncommon for our tens of thousands of paying customers, as we've had several reports to our support personnel regarding this.
The bug was upgraded from P2 to P1, being a reproducible crasher. I don't know of any WebKit engineers who prioritize bugs based on them being marked Critical.
I will try to fix it.
Created attachment 198809 [details] proposal fix
Comment on attachment 198809 [details] proposal fix
LGTM. Maybe it's better to mention the original test case was fixed by this patch, too, in the ChangeLog.
The commit-queue encountered the following flaky tests while processing attachment 198809 [details]:
svg/as-image/img-relative-height.html bug 114140 (author: zimmermann@kde.org)
The commit-queue is continuing to process your patch.
Comment on attachment 198809 [details] proposal fix
Clearing flags on attachment: 198809
Committed r148894: <http://trac.webkit.org/changeset/148894>
All reviewed patches have been landed. Closing bug.
*** Bug 114745 has been marked as a duplicate of this bug. ***