Created attachment 56037: core dump file
Open the attached test case, following instructions in the page. Safari crashes when changing the writing directions to right-to-left. Stack overflow. Attached the core dump. Might be caused by http://trac.webkit.org/changeset/53085/trunk/WebCore/dom/Position.cpp
Created attachment 56038: test case
Chromium bug: http://crbug.com/43734
Note: if the div was RTLed by default, doing the same steps to change the direction to LTR would have the same results.
<rdar://problem/7984158>
I looked at the code a bit. Since I do not have much knowledge of the background, I do not have much idea under which condition the recursive call should exit. The original intention was to focus on an empty "span" inside a non-editable "div". But the code seems to do it in a broader scope. I am wondering:
1. Why focus on an empty inline element in the first place? Currently, moving the cursor within that element causes a core dump too. Refer to bug 38923.
2. In which element/inline-element pair should the focus be allowed?
Thanks, xiaomei
I'm looking into this as well. I'm not an expert here, but I'm trying to understand what's going on.
From looking at the history here, it seems that the case in Position::getInlineBoxAndOffset that deals with inlines (line 1033) was added before the rest of the method crossed editable boundaries correctly. So I think when Dan added the use of downstreamIgnoringEditingBoundaries and upstreamIgnoringEditingBoundaries earlier in the method, then we no longer need that case. So I'm testing a fix that just removes that, and so far so good. It fixes the test case.
Created attachment 56134: patch
I talked about this briefly with Enrica, and she thought it made sense. I'm not 100% confident, but it seems ok.
Also, the name of my test is not great. Suggestions welcome!
Comment on attachment 56134 (patch): r=me
Committed revision 59516.
Thanks for the fix, especially during the weekend. Appreciated! Also, I learned how to create a JS test case (from where to look for those execCommand).