While running Sandvox with the latest WebKit ToT, if one deletes all the text in the site sub-title or 'parting words' editable divs, then the editing delegate (in Sandvox) removes the text element (it becomes detached) before setFocusNode() is called. When setFocusNode is called, there is a crash caused by the assumption that if the node exists, and it isn't currently being detached, that is must have a renderer. In this case, as it has been detached, it no longer has a renderer. I have a patch which I'll attach.
The appropriate part of the crash report is below:
Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000000
Thread 0 Crashed:
0 com.apple.WebCore 0x019bcb50 WebCore::DocumentImpl::setFocusNode(KXMLCore::PassRefPtr<WebCore::NodeImpl>) + 400 (DocumentImpl.cpp:2058)
1 com.apple.WebCore 0x019b53a8 WebCore::FrameView::dispatchMouseEvent(WebCore::AtomicString const&, WebCore::NodeImpl*, bool, int, QMouseEvent*, bool, int) + 1208 (FrameView.cpp:1038)
Created attachment 6637 [details]
This patch seems to fix the bug for me.
Comment on attachment 6637 [details]
Patch looks good. We need a layout test for regression-testing purposes and a change log entry.
Also, did you run all the other layout tests to check that this didn't break anything?
Is this a duplicate of bug 7363?
The crash occurs on the same line as 7363, but this patch won't fix 7363 as in this case, the node is detached and so doesn't have a renderer. In the other case, the node is attached but still doesn't have a renderer.
*** This bug has been marked as a duplicate of 7363 ***