Bug 62544 - REGRESSION (r81518): Crash in makeRange() when invoking the dictionary panel over a file input
Alias: None
Product: WebKit
Classification: Unclassified
Component: Forms
Version: 528+ (Nightly build)
Hardware: All All
: P1 Normal
Assignee: Ryosuke Niwa
URL: data:text/html,%3Cinput%20type=file%3E
Keywords: InRadar, Regression
Depends on:
Reported: 2011-06-13 09:19 PDT by mitz
Modified: 2011-06-13 14:01 PDT

fixes the crash (2.94 KB, patch)
2011-06-13 12:05 PDT, Ryosuke Niwa
mitz: review+

Description mitz 2011-06-13 09:19:44 PDT

To reproduce: open the URL, move the mouse cursor over the Choose File button and press Command-Control-D (the default Dictionary panel shortcut).

Results: crash with this backtrace:

0   com.apple.WebCore             	0x00007fff89bb9585 WebCore::makeRange(WebCore::VisiblePosition const&, WebCore::VisiblePosition const&) + 277
1   com.apple.WebCore             	0x00007fff89f8d4ff WebCore::Frame::rangeForPoint(WebCore::IntPoint const&) + 243
2   com.apple.WebKit2             	0x00007fff88509ad1 WebKit::WebPage::performDictionaryLookupAtLocation(WebCore::FloatPoint const&) + 249

In a debug build, an assertion failure occurs in positionInParentAfterNode(), since nonShadowBoundaryParentNode() returns 0 (the parent of the button is a shadow root).
Comment 1 mitz 2011-06-13 09:52:18 PDT
While the details of the crash in its current incarnation have to do with r87067, the crash itself probably predates that revision.
Comment 2 mitz 2011-06-13 11:06:10 PDT
Caused by <http://trac.webkit.org/changeset/81518>
Comment 3 Ryosuke Niwa 2011-06-13 11:43:37 PDT
Do you know how I can open up dictionary panel in DRT?  Or is that even supported?
Comment 4 mitz 2011-06-13 11:50:31 PDT
I don’t think you can open the dictionary panel, but the TextInputController characterIndexForPoint function may trigger the same code path.
Comment 5 Ryosuke Niwa 2011-06-13 12:05:33 PDT
Created attachment 96986
fixes the crash
Comment 6 Ryosuke Niwa 2011-06-13 13:46:30 PDT
Committed r88685: <http://trac.webkit.org/changeset/88685>
Comment 7 mitz 2011-06-13 13:50:44 PDT
Comment 8 Ryosuke Niwa 2011-06-13 14:01:17 PDT
(In reply to comment #7)
> Thanks!

Nope.  Thanks for the timely review!