Bug 11111 - Crash when dragging fixed position ::after pseudo-element
Summary: Crash when dragging fixed position ::after pseudo-element
Status: RESOLVED WORKSFORME
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: 420+
Hardware: Macintosh OS X 10.4
: P1 Normal
Assignee: Nobody
URL: http://macrabbit.com/misc/webkit-drag...
Keywords: HasReduction, InRadar
Depends on:
Blocks:
Reported: 2006-10-01 16:18 PDT by Jan Van Boghout
Modified: 2006-12-18 10:06 PST

See Also:
Description Jan Van Boghout 2006-10-01 16:18:55 PDT
Crash occurs with Tiger Safari 419.3 and the latest nightly.

1. Open the page at http://macrabbit.com/misc/webkit-drag-after-crash.html
2. Hold down the mouse on the red rectangle
3. Drag around
4. Crash every time

Crash only seems to occur if the pseudo-element has position:fixed.
Comment 1 mitz 2006-10-01 16:42:00 PDT
This is very similar to bug 8521. Here, however, FrameView::handleMousePressEvent is the one assuming that targetNode is not 0.

Thread 0 Crashed:
0   com.apple.WebCore        	0x01de9164 WebCore::Node::renderer() const + 20 (Node.h:319)
1   com.apple.WebCore        	0x01a1d7d0 WebCore::FrameView::handleMousePressEvent(WebCore::PlatformMouseEvent const&) + 456 (FrameView.cpp:596)
2   com.apple.WebCore        	0x01a0a2e0 WebCore::FrameMac::mouseDown(NSEvent*) + 744 (FrameMac.mm:1988)
3   com.apple.WebCore        	0x01a3e1f0 -[WebCoreFrameBridge mouseDown:] + 52 (WebCoreFrameBridge.mm:1062)
4   com.apple.WebKit         	0x0036978c -[WebHTMLView mouseDown:] + 492 (WebHTMLView.m:2826)
5   com.apple.AppKit         	0x93767890 -[NSWindow sendEvent:] + 4616
6   com.apple.Safari         	0x00021734 0x1000 + 132916
7   com.apple.AppKit         	0x937108d4 -[NSApplication sendEvent:] + 4172
8   com.apple.Safari         	0x00021238 0x1000 + 131640
9   com.apple.AppKit         	0x93707d10 -[NSApplication run] + 508
10  com.apple.AppKit         	0x937f887c NSApplicationMain + 452
11  com.apple.Safari         	0x0005c77c 0x1000 + 374652
12  com.apple.Safari         	0x0005c624 0x1000 + 374308

Comment 2 Stephanie Lewis 2006-11-08 14:14:30 PST
radar 4173996
Comment 3 Stephanie Lewis 2006-11-08 15:21:29 PST
*** Bug 11435 has been marked as a duplicate of this bug. ***
Comment 4 Stephanie Lewis 2006-11-08 15:37:54 PST
actually radar 4827027
Comment 5 Geoffrey Garen 2006-12-18 09:38:04 PST
Can't reproduce with latest nightly.
Comment 6 mitz 2006-12-18 10:06:52 PST
I get a very similar crash in TOT if I start dragging in the blue div and enter the red rect (crash log below). Geoff, is it OK to reopen this bug or do you want a new one?

#0  0x015df950 in WebCore::Node::renderer (this=0x0) at Node.h:321
#1  0x011f9348 in WebCore::RenderLayer::autoscroll (this=0x6be430c) at /WebKit/WebCore/rendering/RenderLayer.cpp:874
#2  0x011fd50c in WebCore::RenderObject::autoscroll (this=0x6be69fc) at /WebKit/WebCore/rendering/RenderObject.cpp:701
#3  0x014e648c in WebCore::EventHandler::autoscrollTimerFired (this=0x2864310) at /WebKit/WebCore/page/EventHandler.cpp:413
#4  0x017e7558 in WebCore::Timer<WebCore::EventHandler>::fired (this=0x286434c) at Timer.h:96
#5  0x012ab2f4 in WebCore::TimerBase::fireTimers (fireTime=1166464534.121614, firingTimers=@0xbfffe6c0) at WebCore/platform/Timer.cpp:336
#6  0x012ab3c0 in WebCore::TimerBase::sharedTimerFired () at WebCore/platform/Timer.cpp:353
#7  0x012aa76c in timerFired () at WebCore/platform/mac/SharedTimerMac.cpp:46
#8  0x907f0550 in __CFRunLoopDoTimer ()
#9  0x907dcec8 in __CFRunLoopRun ()
#10 0x907dc47c in CFRunLoopRunSpecific ()
#11 0x93208740 in RunCurrentEventLoopInMode ()
#12 0x93207dd4 in ReceiveNextEventCommon ()
#13 0x93207c40 in BlockUntilNextEventMatchingListInMode ()
#14 0x9370bae4 in _DPSNextEvent ()
#15 0x9370b7a8 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#16 0x00006740 in ?? ()
#17 0x93707cec in -[NSApplication run] ()
#18 0x937f887c in NSApplicationMain ()
#19 0x0005c77c in ?? ()
#20 0x0005c624 in ?? ()