Bug 13557 - Crash when dragging selection over absolutely positioned generated content on block element
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering
Version: 523.x (Safari 3)
Hardware: Macintosh OS X 10.4
Importance: P1 Normal
Assignee: Nobody
URL:
Keywords: HasReduction, InRadar
Depends on:
Blocks:
 
Reported: 2007-04-30 23:49 PDT by Elliott Sprehn
Modified: 2007-05-09 11:11 PDT

See Also:


Attachments
Webkit Nightly Crash Log (19.63 KB, text/plain) - 2007-04-30 23:50 PDT, Elliott Sprehn
Safari 2 Crash Log (19.45 KB, text/plain) - 2007-04-30 23:51 PDT, Elliott Sprehn
Test Case (664 bytes, text/html) - 2007-04-30 23:54 PDT, Elliott Sprehn
Return the enclosing element for positioned generated content (20.05 KB, patch) - 2007-05-05 02:22 PDT, mitz; hyatt: review+

Description Elliott Sprehn 2007-04-30 23:49:50 PDT
If you drag the selection box over the absolutely positioned generated content of a block element Webkit crashes.

Reproducible with Safari 2 and latest Webkit Nightly (Mon Apr 30 11:37:42 GMT 2007).

Note that the crash reasons for Safari and Webkit are different, but the same actions can be taken to cause the crash.
Comment 1 Elliott Sprehn 2007-04-30 23:50:29 PDT
Created attachment 14285 [details]
Webkit Nightly Crash Log
Comment 2 Elliott Sprehn 2007-04-30 23:51:10 PDT
Created attachment 14286 [details]
Safari 2 Crash Log
Comment 3 Elliott Sprehn 2007-04-30 23:54:53 PDT
Created attachment 14287 [details]
Test Case

In the test case, click below the red square and hold so you have a text selection I-beam, then drag over the red box up to the text.

This will cause the browser to crash.
Comment 4 Elliott Sprehn 2007-04-30 23:57:54 PDT
This occurs with both :before and :after.
Comment 5 Alexey Proskuryakov 2007-05-01 02:10:26 PDT
Confirmed with r21199.
Comment 6 Eric Seidel (no email) 2007-05-03 19:51:18 PDT
Neat bug.  This was printed to the console:

ERROR: No parent frame in transitionToCommitted:, FrameLoadTypeInternal
Comment 7 Eric Seidel (no email) 2007-05-04 00:51:14 PDT
This assert demonstrates the real problem here:

Index: rendering/RenderLayer.cpp
===================================================================
--- rendering/RenderLayer.cpp   (revision 21246)
+++ rendering/RenderLayer.cpp   (working copy)
@@ -1557,6 +1557,7 @@
     // Now determine if the result is inside an anchor; make sure an image map wins if
     // it already set URLElement and only use the innermost.
     Node* node = result.innerNode();
+    ASSERT(!!insideLayer == !!node);
     while (node) {
         // for imagemaps, URLElement is the associated area element not the image itself
         if (node->isLink() && !result.URLElement() && !node->hasTagName(imgTag))
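Review bot: the added `ASSERT(!!insideLayer == !!node)` is debug-only and fires in both directions (a node with no layer as well as a layer with no node), so on its own it documents the invariant rather than protecting the `while (node)` walk below it, which already tolerates a null `node`; a one-line comment above the assert stating the intended invariant (a hit that landed inside a layer must report an inner node) would make it clear which side is the suspected failure here, and the diagnostic needs to be paired with whatever later consumer of `result.innerNode()` dereferences it unchecked in release builds.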

I'm just not sure how to fix it yet.
Comment 8 Darin Adler 2007-05-04 22:19:26 PDT
<rdar://problem/5183693>
Comment 9 mitz 2007-05-05 02:22:26 PDT
Created attachment 14348 [details]
Return the enclosing element for positioned generated content
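As an added illustration, not code from this bug, the attached patch or WebKit itself, the block below models the invariant Eric Seidel's assert encodes (`!!insideLayer == !!node`) and the approach the patch title names, returning the enclosing element when the hit renderer is generated content that has no DOM node of its own. `Node`, `RenderObject`, `Scene`, `hitTag` and `hitSatisfiesInvariant` are hypothetical stand-ins; the tree they build mirrors the reduction's description (a block element whose absolutely positioned `:before` content has its own layer) and is constructed here, not taken from the attachment.

```cpp
#include <cassert>
#include <cstdio>
#include <string>

// Hypothetical stand-ins for a DOM node and a render object (not WebKit's classes).
struct Node {
    std::string tagName;
};

struct RenderObject {
    Node* node;            // null for generated (:before/:after) content
    RenderObject* parent;
    bool positioned;       // absolutely positioned content gets its own layer
};

// Walk up the render tree to the nearest renderer backed by a DOM node.
// Generated content has no node; the element that generated it is the enclosing one.
static Node* enclosingElement(RenderObject* r) {
    for (; r; r = r->parent)
        if (r->node)
            return r->node;
    return nullptr;
}

// Pre-fix behaviour as modelled here: report the hit renderer's own node,
// which is null when the hit landed on generated content.
static Node* innerNodeBuggy(RenderObject* hit) { return hit->node; }

// Post-fix behaviour: fall back to the enclosing element.
static Node* innerNodeFixed(RenderObject* hit) { return enclosingElement(hit); }

// The invariant from the assert: a hit inside a layer must carry an inner node,
// and a hit with an inner node must have landed inside a layer.
static bool invariantHolds(bool insideLayer, const Node* node) {
    return insideLayer == (node != nullptr);
}

// Constructed tree: <body><div>text</div>, with div::before absolutely positioned.
struct Scene {
    Node body{"body"};
    Node div{"div"};
    RenderObject bodyR{&body, nullptr, false};
    RenderObject divR{&div, &bodyR, false};
    RenderObject beforeR{nullptr, &divR, true};   // generated content, own layer
};

// Hit-test the generated content with or without the fix; return the reported
// inner node's tag name, or "" when no node is reported.
std::string hitTag(bool applyFix) {
    Scene s;
    RenderObject* hit = &s.beforeR;
    Node* n = applyFix ? innerNodeFixed(hit) : innerNodeBuggy(hit);
    return n ? n->tagName : std::string();
}

// Same hit, checked against the assert's invariant. The positioned renderer is the
// layer the hit landed in, so insideLayer is true in both runs.
bool hitSatisfiesInvariant(bool applyFix) {
    Scene s;
    RenderObject* hit = &s.beforeR;
    bool insideLayer = hit->positioned;
    Node* n = applyFix ? innerNodeFixed(hit) : innerNodeBuggy(hit);
    return invariantHolds(insideLayer, n);
}

int main() {
    std::printf("buggy: node=\"%s\" invariant=%d\n", hitTag(false).c_str(), hitSatisfiesInvariant(false));
    std::printf("fixed: node=\"%s\" invariant=%d\n", hitTag(true).c_str(), hitSatisfiesInvariant(true));
    return 0;
}
```

In the buggy run the hit is inside the generated content's layer but reports no node, which is exactly the state the assert flags; any later code that dereferences `innerNode()` on that assumption is the null-dereference path. Returning the enclosing `div` restores the invariant without changing what the selection code sees for ordinary, node-backed renderers.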
Comment 10 Dave Hyatt 2007-05-05 03:26:32 PDT
Comment on attachment 14348 [details]
Return the enclosing element for positioned generated content

r=me
Comment 11 Alexey Proskuryakov 2007-05-06 10:04:04 PDT
Committed revision 21276.