[Webkit-unassigned] [Bug 26557] New: Crash in WebCore::pushFullyClippedState due to BitStack size assert
bugzilla-daemon at webkit.org
Fri Jun 19 12:44:19 PDT 2009
https://bugs.webkit.org/show_bug.cgi?id=26557
Summary: Crash in WebCore::pushFullyClippedState due to BitStack size assert
Product: WebKit
Version: 528+ (Nightly build)
Platform: PC
OS/Version: All
Status: UNCONFIRMED
Severity: Major
Priority: P1
Component: New Bugs
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: finnur.webkit at gmail.com
CC: darin at apple.com
I have reduced the crash to this piece of HTML:
<html>
<body>
<form><input type="text" id="search" /></form>
<script type="text/javascript">
document.getElementById("search").setAttribute("type","search");
</script>
</body>
</html>
If you call WebCore::findPlainText(...) specifying any text as parameter,
you'll get an ASSERT here:
static void pushFullyClippedState(BitStack& stack, Node* node)
{
ASSERT(stack.size() == depthCrossingShadowBoundaries(node));
... snip ...
}
Stepping through this, I see that stack.size() returns 5 but
depthCrossingShadowBoundaries returns 6, because it goes through this hierarchy
of parent nodes:
HTMLDocument
HTMLHtmlElement
HTMLBodyElement
HTMLFormElement
HTMLInputElement (shadow parent)
TextControlInnerTextElement
Darin, if you have something simple you'd like me to try, feel free to suggest
changes and I can try it out, formulate a patch and submit it to WebKit.
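The parent walk the reporter lists above, as an added model (not WebCore code and not part of the bug report): a minimal node type with separate parentNode and shadowParentNode links, a depthCrossingShadowBoundaries() written the way the name suggests (hop to the shadow host only when there is no ordinary parent), and a light-DOM-only walk for contrast. The tree is the hierarchy from the report; the Text node under TextControlInnerTextElement, and the assumption that the inner element is a shadow root with no parentNode, are mine, since the report does not say which node was passed in.

```cpp
// Added model of a shadow-crossing parent walk; not WebCore code.
#include <cstdio>
#include <string>

struct Node {
    std::string name;
    Node* parent = nullptr;        // parentNode(): the ordinary (light DOM) parent
    Node* shadowParent = nullptr;  // shadowParentNode(): the host, set only on a shadow root
    explicit Node(const char* n) : name(n) {}
};

// Prefer the ordinary parent; only a node with none (a shadow root) hops to its host.
static Node* parentCrossingShadowBoundaries(const Node* node)
{
    if (node->parent)
        return node->parent;
    return node->shadowParent;
}

// Counts every ancestor, including those reached by crossing a shadow boundary.
static unsigned depthCrossingShadowBoundaries(const Node* node)
{
    unsigned depth = 0;
    for (Node* p = parentCrossingShadowBoundaries(node); p; p = parentCrossingShadowBoundaries(p))
        ++depth;
    return depth;
}

// For contrast: a walk that only follows parentNode() stops at the shadow root.
static unsigned depthLightDomOnly(const Node* node)
{
    unsigned depth = 0;
    for (Node* p = node->parent; p; p = p->parent)
        ++depth;
    return depth;
}

// The hierarchy from the report. The Text child of the inner element is assumed.
struct ReportedTree {
    Node document{"HTMLDocument"};
    Node html{"HTMLHtmlElement"};
    Node body{"HTMLBodyElement"};
    Node form{"HTMLFormElement"};
    Node input{"HTMLInputElement"};
    Node inner{"TextControlInnerTextElement"};
    Node text{"Text"};
    ReportedTree()
    {
        html.parent = &document;
        body.parent = &html;
        form.parent = &body;
        input.parent = &form;
        inner.shadowParent = &input; // shadow root: no parentNode, only a host (assumed)
        text.parent = &inner;
    }
};

// Six ancestors once the shadow boundary is crossed, matching the report.
unsigned reportedDepthCrossingShadow()
{
    ReportedTree t;
    return depthCrossingShadowBoundaries(&t.text);
}

// Only one ancestor if the walk refuses to cross into the host element.
unsigned reportedDepthLightDomOnly()
{
    ReportedTree t;
    return depthLightDomOnly(&t.text);
}

int main()
{
    ReportedTree t;
    for (Node* p = parentCrossingShadowBoundaries(&t.text); p; p = parentCrossingShadowBoundaries(p))
        std::printf("%s\n", p->name.c_str());
    std::printf("crossing: %u, light DOM only: %u\n",
                reportedDepthCrossingShadow(), reportedDepthLightDomOnly());
    return 0;
}
```

The point of the contrast is only that any bookkeeping which pushes one entry per parentNode() step, but is checked against a depth that also counts the hop from the shadow root to its host, will disagree by exactly the number of shadow boundaries crossed; the report does not say where in the iterator the missing push is, so the model does not pretend to.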