Bug 89170 - [Shadow] Deleting list distributed to Shadow DOM does not work correctly.
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: HTML Editing
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Shinya Kawanaka
URL:
Keywords:
Depends on:
Blocks: 82697
Reported: 2012-06-14 22:47 PDT by Shinya Kawanaka
Modified: 2012-06-25 18:49 PDT

Attachments
Repro (3.39 KB, text/html)
2012-06-14 22:47 PDT, Shinya Kawanaka
Patch (4.21 KB, patch)
2012-06-25 15:02 PDT, Shinya Kawanaka
Patch for landing (4.63 KB, patch)
2012-06-25 15:38 PDT, Shinya Kawanaka

Description Shinya Kawanaka 2012-06-14 22:47:50 PDT
Created attachment 147736
Repro

Select from LIST 1 to LIST 3, then press 'delete'.

render_widget_host_view_gtk.cc(929): pos + n <= text.length()

This is an actual DCHECK in chromium, but WebKit might (or might not) have a bug, so I am filing this bug here anyway.
Comment 1 Shinya Kawanaka 2012-06-25 14:53:05 PDT
Though DRT does not crash in this test, it behaves weirdly.
Comment 2 Shinya Kawanaka 2012-06-25 15:02:35 PDT
Created attachment 149364
Patch
Comment 3 Shinya Kawanaka 2012-06-25 15:04:04 PDT
Indeed, it was a bug in WebCore, not in chromium.
Comment 4 Ryosuke Niwa 2012-06-25 15:06:39 PDT
Comment on attachment 149364
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=149364&action=review

> LayoutTests/editing/shadow/delete-list-in-shadow-expected.txt:5
> +AB345
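
Review bot: the expectation added at LayoutTests/editing/shadow/delete-list-in-shadow-expected.txt:5 is the bare string AB345, which records the output without saying what it is being checked against. Have the test compare the resulting text with the expected value in script and emit a labelled pass/fail line, so a regression in the delete path shows up as an explicit failure instead of an unexplained text difference.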

Can we replace this by PASS?
Comment 5 Ryosuke Niwa 2012-06-25 15:08:07 PDT
Maybe we should just replace all these rendererIsEditable by isContentEditable because we keep hitting these crashes. There are 64 other places where we call rendererIsEditable instead of isContentEditable according to shinyak, and I'm not certain if it's really productive for us to wait until a fuzzer finds a reduction for us.
Comment 6 Shinya Kawanaka 2012-06-25 15:38:37 PDT
Created attachment 149373
Patch for landing
Comment 7 WebKit Review Bot 2012-06-25 18:49:27 PDT
Comment on attachment 149373
Patch for landing

Clearing flags on attachment: 149373

Committed r121211: <http://trac.webkit.org/changeset/121211>
Comment 8 WebKit Review Bot 2012-06-25 18:49:32 PDT
All reviewed patches have been landed.  Closing bug.