Bug 8298 - REGRESSION: Crash occurs when attempting to drag selection into Depart/Return input fields at http://www.travelocity.com/
Status: VERIFIED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: HTML Editing
Version: 420+
Hardware: Macintosh OS X 10.4
: P1 Normal
Assignee: Darin Adler
Keywords: InRadar, Regression
Reported: 2006-04-10 10:29 PDT by Chris Petersen
Modified: 2006-04-20 22:56 PDT

Attachments
back_trace (20.75 KB, text/plain)
2006-04-10 10:32 PDT, Chris Petersen
preliminary patch (17.34 KB, patch)
2006-04-14 19:30 PDT, Darin Adler
reduction (146 bytes, text/html)
2006-04-14 19:31 PDT, Darin Adler
patch with detailed change log, manual test (20.66 KB, patch)
2006-04-15 19:16 PDT, Darin Adler
adele: review+

Description Chris Petersen 2006-04-10 10:29:27 PDT
When I attempt to drag a selection into one of the page's fields (Depart/Return), a crash will occur.

0   com.apple.WebCore        	0x0117727b WebCore::CSSStyleDeclaration::copyPropertiesInSet(int const*, unsigned) const + 169

STEPS TO REPRODUCE
1. With TOT WebKit, go to http://www.travelocity.com/?Service=TRAVELOCITY
2. The best way to reproduce this issue is to click the travelocity logo image (at the top of the page) and drag it so that it hovers directly over the Depart or Return fields. Mouse up when you see the caret appear in this field.
3. Crash occurs.

* RESULTS
No crash should occur when attempting to drag into a field. However, the application does crash.

* REGRESSION
Yes, this occurs with native text fields.
Comment 1 Chris Petersen 2006-04-10 10:32:12 PDT
Created attachment 7620
back_trace
Comment 2 Chris Petersen 2006-04-10 10:33:19 PDT
This issue has been filed as <rdar://problem/4507874>
Comment 3 Darin Adler 2006-04-14 09:08:00 PDT
The cause of this is that the drag is targeted at the text node, and when the text field is emptied the text node is gone. So this has the same type of cause that bug 8111 did.
Comment 4 Darin Adler 2006-04-14 19:30:57 PDT
Created attachment 7721
preliminary patch
Comment 5 Darin Adler 2006-04-14 19:31:24 PDT
Created attachment 7722
reduction
Comment 6 Darin Adler 2006-04-15 19:16:19 PDT
Created attachment 7738
patch with detailed change log, manual test
Comment 7 Justin Garcia 2006-04-16 18:21:42 PDT
Is replaceChild really an optimization?
You could make the SelectionController& returned by dragCaret() non-const, like selection().
Typo in the changelog entry:
+        So this change along fixes the crash.
Comment 8 Darin Adler 2006-04-16 19:37:48 PDT
(In reply to comment #7)
> Is replaceChild really an optimization?

Only a slight one, I guess. It sends fewer mutation events.

> You could make the SelectionController& returned by dragCaret() non-const, like
> selection().

That's probably better than what I did. In general, I think we're still mixed up about SelectionController. If it's really a controller, then we should change selections by calling SelectionController functions. And we should not have setSelection or setDragCaret functions that take a SelectionController.

> Typo in the changelog entry:
> +        So this change along fixes the crash.

I'll fix that.
Comment 9 Chris Petersen 2006-04-20 22:56:25 PDT
Verified with latest TOT Webkit build (r13990).