RESOLVED DUPLICATE of bug 73116 71737
REGRESSION(r94822) Crash in moving text node from one bdi element into another bdi element
https://bugs.webkit.org/show_bug.cgi?id=71737
Dominic Cooney
Reported 2011-11-07 15:00:06 PST
The following data: URL crashes WebKit nightly r98912 on Mac and Chromium Mac 17.0.932.0 (Official Build 108826) canary 535.8 (@99314), but not Safari Mac Version 5.1.1 (6534.51.22) nor Chromium Mac 15.0.874.106 (Official Build 107270) WebKit 535.2 (@98043).

This is the content of the URL:

data:text/html,<!doctype html>
<div contenteditable><bdi></bdi><bdi>a</bdi></div>
<script>
document.querySelector("bdi")
  .appendChild(document.querySelector("bdi+bdi").firstChild)
</script>

This was first reported as Chromium issue: <http://code.google.com/p/chromium/issues/detail?id=101791>
Attachments
Repro (213 bytes, text/html)
2011-11-07 15:17 PST, Dominic Cooney
no flags
Aryeh Gregor
Comment 1 2011-11-07 15:04:35 PST
If you look closely at the data URL, the crash is when moving a text node from one <bdi> to another, not moving a <bdi> into another. Changing summary accordingly.
Dominic Cooney
Comment 2 2011-11-07 15:17:24 PST
Created attachment 113938 [details]
Repro

I don’t think this has anything to do with contenteditable… crashes for me with attached repro.
Lucas Forschler
Comment 3 2011-11-07 15:23:20 PST
Chris Evans
Comment 4 2011-11-07 15:23:56 PST
FWIW, I don't think it's particularly security sensitive. Seems to be a clean NULL and valgrind doesn't report anything untoward.
Dominic Cooney
Comment 5 2011-11-07 15:30:48 PST
(In reply to comment #4)
> FWIW, I don't think it's particularly security sensitive. Seems to be a clean NULL and valgrind doesn't report anything untoward.

OK, guess I was over-pessimistic; thanks for the feedback.
Aryeh Gregor
Comment 6 2011-11-08 05:51:36 PST
Right, contenteditable is a red herring. This crashes too:

data:text/html,<!doctype html>
<bdi></bdi><bdi>a</bdi>
<script>
document.querySelector("bdi")
  .appendChild(document.querySelector("bdi+bdi").firstChild)
</script>

But only with <bdi>, not any other element I tested.
Eric Seidel (no email)
Comment 7 2011-11-15 21:53:14 PST
Given that it's bdi, I'm sure it's bidi-isolate related. I've been waiting for bidi-isolate issues to pile up before I take another crack at it.
Yair Yogev
Comment 8 2011-11-15 22:45:53 PST
I tracked it to this range: http://trac.webkit.org/log/?action=stop_on_copy&mode=stop_on_copy&rev=94838&stop_rev=94821&limit=999&verbose=on but that's different than the one in the title (will test again, but it should be correct, hmm...).
Ryosuke Niwa
Comment 9 2011-11-25 00:04:33 PST
Also see the bug 73116
Ryosuke Niwa
Comment 10 2011-11-25 12:21:45 PST
It turned out that there's an even simpler repro for this bug.

*** This bug has been marked as a duplicate of bug 73116 ***