RESOLVED FIXED 42020
Crash beneath setSelection() during detach() 
https://bugs.webkit.org/show_bug.cgi?id=42020
Summary Crash beneath setSelection() during detach()
mitz
Reported 2010-07-09 22:06:53 PDT
<rdar://problem/7527532> Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000000 0 com.apple.WebCore 0x00007fff82fc4e1b WebCore::RenderBox::availableHeightUsing(WebCore::Length const&) const + 507 1 com.apple.WebCore 0x00007fff82fc4c0f WebCore::RenderBox::availableHeight() const + 31 2 com.apple.WebCore 0x00007fff82fc4c0f WebCore::RenderBox::availableHeight() const + 31 3 com.apple.WebCore 0x00007fff82fc4b41 WebCore::RenderBoxModelObject::relativePositionOffsetY() const + 129 4 com.apple.WebCore 0x00007fff82f47b05 WebCore::RenderBox::offsetFromContainer(WebCore::RenderObject*, WebCore::IntPoint const&) const + 261 5 com.apple.WebCore 0x00007fff82fc6643 WebCore::RenderBox::mapLocalToContainer(WebCore::RenderBoxModelObject*, bool, bool, WebCore::TransformState&) const + 275 6 com.apple.WebCore 0x00007fff82fc67c8 WebCore::RenderBox::mapLocalToContainer(WebCore::RenderBoxModelObject*, bool, bool, WebCore::TransformState&) const + 664 7 com.apple.WebCore 0x00007fff82fc67c8 WebCore::RenderBox::mapLocalToContainer(WebCore::RenderBoxModelObject*, bool, bool, WebCore::TransformState&) const + 664 8 com.apple.WebCore 0x00007fff82fc67c8 WebCore::RenderBox::mapLocalToContainer(WebCore::RenderBoxModelObject*, bool, bool, WebCore::TransformState&) const + 664 9 com.apple.WebCore 0x00007fff83108873 WebCore::RenderBlock::selectionGapRectsForRepaint(WebCore::RenderBoxModelObject*) + 259 10 com.apple.WebCore 0x00007fff82ed9eb2 WebCore::RenderView::setSelection(WebCore::RenderObject*, int, WebCore::RenderObject*, int, WebCore::RenderView::SelectionRepaintMode) + 1298 11 com.apple.WebCore 0x00007fff82efc470 WebCore::RenderObjectChildList::removeChildNode(WebCore::RenderObject*, WebCore::RenderObject*, bool) + 592 12 com.apple.WebCore 0x00007fff830d4224 WebCore::RenderBlock::moveAllChildrenTo(WebCore::RenderObject*, WebCore::RenderObjectChildList*) + 68 13 com.apple.WebCore 0x00007fff82efbe2a WebCore::RenderBlock::removeChild(WebCore::RenderObject*) + 650 14 com.apple.WebCore 0x00007fff82efba79 WebCore::RenderObject::destroy() + 137 15 com.apple.WebCore 0x00007fff82efb947 WebCore::RenderBox::destroy() + 71 16 com.apple.WebCore 0x00007fff82efb6c3 WebCore::Node::detach() + 35 17 com.apple.WebCore 0x00007fff82efb57b WebCore::Element::detach() + 107 18 com.apple.WebCore 0x00007fff82fcf1d7 WebCore::ContainerNode::removeChild(WebCore::Node*, int&) + 263 … Patch forthcoming.
Attachments
Avoid calls to localToAbsolute() from clearSelection() (2.78 KB, patch)
2010-07-09 22:16 PDT, mitz 		simon.fraser: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
mitz
Comment 1 2010-07-09 22:16:19 PDT
Created attachment 61142 [details] Avoid calls to localToAbsolute() from clearSelection()
mitz
Comment 2 2010-07-16 14:02:19 PDT
Fixed in <http://trac.webkit.org/projects/webkit/changeset/63579>.
Note You need to log in before you can comment on or make changes to this bug.