When I attempt to drag a selection into one of the page's fields (Depart/Return), a crash will occur.
0 com.apple.WebCore 0x0117727b WebCore::CSSStyleDeclaration::copyPropertiesInSet(int const*, unsigned) const + 169
STEPS TO REPRODUCE
1. With TOT WebKit, go to http://www.travelocity.com/?Service=TRAVELOCITY
2. The best way to reproduce this issue is to click the Travelocity logo image (at the top of the page) and drag it so that it hovers directly over the Depart or Return field. Mouse up when you see the caret appear in this field.
3. Crash occurs.
No crash should occur when attempting to drag into a field. However, the application does crash.
Yes, this occurs with native text fields.
Created attachment 7620
This issue has been filed as <rdar://problem/4507874>
The cause of this is that the drag is targeted at the text node, and when the text field is emptied the text node is gone. So this has the same type of cause that bug 8111 did.
Created attachment 7721
Created attachment 7722
Created attachment 7738
patch with detailed change log, manual test
Is replaceChild really an optimization?
You could make the SelectionController& returned by dragCaret() non-const, like selection().
Typo in the changelog entry:
+ So this change along fixes the crash.
(In reply to comment #7)
> Is replaceChild really an optimization?
Only a slight one, I guess. It sends fewer mutation events.
> You could make the SelectionController& returned by dragCaret() non-const, like
That's probably better than what I did. In general, I think we're still mixed up about SelectionController. If it's really a controller, then we should change selections by calling SelectionController functions. And we should not have setSelection or setDragCaret functions that take a SelectionController.
> Typo in the changelog entry:
> + So this change along fixes the crash.
I'll fix that.
Verified with latest TOT WebKit build (r13990).