Bug 26557 - Crash in WebCore::pushFullyClippedState due to BitStack size assert
Summary: Crash in WebCore::pushFullyClippedState due to BitStack size assert
Status: RESOLVED DUPLICATE of bug 26528
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: 528+ (Nightly build)
Hardware: PC All
Importance: P1 Major
Assignee: Nobody
Depends on:
Reported: 2009-06-19 12:44 PDT by Finnur Thorarinsson
Modified: 2009-06-19 13:45 PDT

See Also:

Description Finnur Thorarinsson 2009-06-19 12:44:18 PDT
I have reduced the crash to this piece of HTML:

  <form><input type="text" id="search" /></form> 
  <script type="text/javascript"> 

If you call WebCore::findPlainText(...) specifying any text as parameter, you'll get an ASSERT here:

static void pushFullyClippedState(BitStack& stack, Node* node)
{
    ASSERT(stack.size() == depthCrossingShadowBoundaries(node));

    ... snip ...
}

Stepping through this, I see that stack.size() returns 5 but depthCrossingShadowBoundaries returns 6, because it goes through this hierarchy of parent nodes:

HTMLInputElement (shadow parent)

Darin, if you have something simple you'd like me to try, feel free to suggest changes and I can try it out, formulate a patch and submit it to WebKit.
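The assertion quoted in the description checks an invariant between two independent walks of the ancestor chain: the clipped-state stack is supposed to hold exactly one entry per ancestor that depthCrossingShadowBoundaries counts, so if one walk hops from a shadow root to its host (the HTMLInputElement) and the other does not, the sizes disagree and the ASSERT fires. The following is an added illustration written for this page, not WebKit's code: BitStack, Node, the hypothetical shadowHost field and the fixture tree are all stand-ins, and the sample tree is constructed here only to reproduce the shape of the mismatch (a text node inside an input element's shadow tree).

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Stand-in for WebCore's BitStack: booleans packed into 32-bit words (assumption, not WebKit's class).
class BitStack {
public:
    void push(bool value) {
        size_t word = m_size / 32, bit = m_size % 32;
        if (word >= m_words.size())
            m_words.push_back(0);
        if (value)
            m_words[word] |= (1u << bit);
        else
            m_words[word] &= ~(1u << bit);
        ++m_size;
    }
    void pop() { if (m_size) --m_size; }
    bool top() const {
        if (!m_size) return false;
        size_t i = m_size - 1;
        return ((m_words[i / 32] >> (i % 32)) & 1u) != 0;
    }
    size_t size() const { return m_size; }
private:
    std::vector<uint32_t> m_words;
    size_t m_size = 0;
};

// Toy node: a light-DOM parent plus an optional shadow host (hypothetical field; models the
// "shadow parent" relationship the description mentions).
struct Node {
    Node* parent = nullptr;
    Node* shadowHost = nullptr;   // non-null only on the top node of a shadow tree
    bool clipsChildren = false;
};

// Walk that crosses shadow boundaries: when there is no light-DOM parent, continue at the host.
Node* parentCrossingShadowBoundaries(const Node* n) { return n->parent ? n->parent : n->shadowHost; }

// Walk that stays inside the light DOM (stops at the shadow root).
Node* parentInLightDom(const Node* n) { return n->parent; }

unsigned depthCrossingShadowBoundaries(const Node* n) {
    unsigned depth = 0;
    for (const Node* p = parentCrossingShadowBoundaries(n); p; p = parentCrossingShadowBoundaries(p))
        ++depth;
    return depth;
}

unsigned depthInLightDom(const Node* n) {
    unsigned depth = 0;
    for (const Node* p = parentInLightDom(n); p; p = parentInLightDom(p))
        ++depth;
    return depth;
}

// Builds the clipped-state stack for node's ancestors, outermost first, using the supplied walk.
// An entry is true once any enclosing ancestor clips its children.
template <typename ParentFn>
void setUpFullyClippedStack(BitStack& stack, const Node* node, ParentFn parentOf) {
    std::vector<const Node*> ancestry;
    for (const Node* p = parentOf(node); p; p = parentOf(p))
        ancestry.push_back(p);
    bool clipped = false;
    for (auto it = ancestry.rbegin(); it != ancestry.rend(); ++it) {
        clipped = clipped || (*it)->clipsChildren;
        stack.push(clipped);
    }
}

// Constructed fixture: html > body > form > input, whose shadow tree holds shadowRoot > text.
struct Fixture {
    Node html, body, form, input, shadowRoot, text;
    Fixture() {
        body.parent = &html;
        form.parent = &body;
        input.parent = &form;
        shadowRoot.shadowHost = &input;   // shadow boundary: no light-DOM parent
        text.parent = &shadowRoot;
    }
};

// The invariant the page's ASSERT expresses: stack.size() == depthCrossingShadowBoundaries(node).
template <typename ParentFn>
bool clippedStackMatchesDepth(const Node* node, ParentFn parentOf) {
    BitStack stack;
    setUpFullyClippedStack(stack, node, parentOf);
    return stack.size() == depthCrossingShadowBoundaries(node);
}

unsigned fixtureDepthCrossing()  { Fixture f; return depthCrossingShadowBoundaries(&f.text); }
unsigned fixtureDepthLightDom()  { Fixture f; return depthInLightDom(&f.text); }
bool crossingWalkConsistent()    { Fixture f; return clippedStackMatchesDepth(&f.text, parentCrossingShadowBoundaries); }
bool lightDomWalkConsistent()    { Fixture f; return clippedStackMatchesDepth(&f.text, parentInLightDom); }

int main() {
    std::printf("depth crossing shadow boundary: %u, depth in light DOM: %u\n",
                fixtureDepthCrossing(), fixtureDepthLightDom());
    std::printf("stack built with crossing walk satisfies ASSERT: %d\n", crossingWalkConsistent());
    std::printf("stack built with light-DOM walk satisfies ASSERT: %d\n", lightDomWalkConsistent());
    return 0;
}
```

The point of the model is that the ASSERT is a consistency check between two traversals rather than a bounds check on the stack itself: whichever code builds or maintains the stack must step through the same parent relation that depthCrossingShadowBoundaries uses, including the hop from a shadow root to its host, or the two counts drift apart by exactly the number of boundaries one side skipped.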
Comment 1 Finnur Thorarinsson 2009-06-19 12:54:22 PDT
And, I should mention this bug fix is what seems to have triggered this:
Comment 2 Mark Rowe (bdash) 2009-06-19 13:45:20 PDT

*** This bug has been marked as a duplicate of 26528 ***